Significance
The Computer Misuse and Cybersecurity (Amendment) Bill was introduced in the Singapore Parliament on 9 March 2017. The Bill seeks to amend the Computer Misuse and Cybersecurity Act (Cap. 50A) to introduce new criminal offences relating to computer crime and cybercrime. This is especially pertinent given the rising number and extent of cybercrimes today. Just last month (February 2017), the Ministry of Defence (MINDEF) system was hacked into and the personal data of many SAF service personnel was stolen: see reports on Today Online, Channel NewsAsia, Straits Times. Do note that the Personal Data Protection Act (PDPA) does not apply to MINDEF as it is a public body.
Personal Information Obtained by Computer Crime
A new section 8A of the Computer Misuse and Cybersecurity Act criminalises any act of obtaining, retaining, supplying, offering to supply, transmitting or making available personal information of individuals which the person knows or has reason to believe has been obtained by committing a computer crime.
It is not an offence:
- to obtain or retain such information, if the act was for a legitimate purpose;
- as regards other acts, if the person did the act for a legitimate purpose and did not know or have reason to believe that the information will be, or is likely to be, used to commit or facilitate the commission of an offence.
Examples given are:
- A person comes across a list of credit card numbers of customers of XYZ company on the Internet which he had reason to believe was obtained by hacking into XYZ company. The person downloads the list and sends it to XYZ company to inform them of the leaked credit card numbers. The person does not commit an offence.
- An employee of XYZ company receives the list from the aforesaid person and then sends it on to another employee to investigate this. The employee does not commit an offence.
It is provided in section 8A(6) of the Computer Misuse and Cybersecurity Act that the prosecution is not required to prove the particulars of the original computer crime, e.g. who carried out the crime and when it took place.
Items Designed, Adapted, Capable of Being Used to Commit Computer Crime
A new section 8B of the Computer Misuse and Cybersecurity Act criminalises various acts done in relation to an item that is designed, adapted, or is capable of being used to commit a computer crime, or by which a computer or part of a computer is capable of being accessed.
In other words, obtaining, retaining, making, supplying, offering to supply or making available any hacking tools, malware, spyware, viruses, port scanners, key loggers, etc., is an offence if the intention behind the act is criminal.
Extraterritorial Scope of Offences
Section 11 of the Computer Misuse and Cybersecurity Act is amended to expand the scope of computer offences to have extraterritorial application, provided that the act causes or creates a significant risk of harm in Singapore. Previously, the Act applied only if the accused or the computer, program or data was in Singapore.
So if a person overseas targeted an overseas computer (e.g. a server based overseas) and the act resulted in serious harm or a significant risk of such harm in Singapore, it might previously not have been caught under the Act; with the proposed amendment, it will be.
Serious harm is defined to include, among other things, illness, injury or death, disruptions to essential services, disruption of the carrying out of governmental duties and functions, e.g. national security and Singapore’s foreign relations.
Multiple Unauthorised Acts
A new section 11A of the Computer Misuse and Cybersecurity Act provides that the prosecution may amalgamate into a single charge, rather than bring as separate charges, offences involving 2 or more acts that are the same computer offence, committed over a period of 12 months or less in relation to the same computer.
For example, a hacker may carry out multiple unauthorised acts on a computer over time to prepare for an actual attack, e.g. a distributed denial-of-service (DDoS) attack, in which multiple systems are used to flood the bandwidth or resources of a targeted system, usually one or more web servers. Examples of data breaches.