Laws passed in Singapore to criminalise use of stolen personal data
Lawmakers also call for laws requiring companies to report cyber attacks
By Tan Weizhen
Laws were passed in Singapore to, among other things, make it illegal for individuals and businesses to make use of illicitly obtained personal data — including credit card or bank account information — as several Members of Parliament (MPs) raised concerns about the robustness of firms’ cybersecurity measures.
The MPs suggested making it mandatory for companies to report cyber attacks, and called for greater support for businesses to beef up their capabilities in dealing with such incidents. More individuals in both the public and private sectors should also be trained in cybersecurity, they said.
Among the changes, the Computer Misuse and Cybersecurity Act was amended to stipulate that cyber criminals who launch attacks from abroad that cause “serious harm” to Singapore — such as disrupting essential services — will be dealt with. The act of obtaining, making or supplying hacking tools such as physical devices or software was also made illegal.
Prior to the passing of the Bill, Senior Minister of State (Home Affairs) Desmond Lee noted that the laws previously prosecuted culprits who illegally obtained personal data. However, “there may be other ‘middlemen’ individuals, who may trade in such personal information, but who are not directly involved in the hacking or cheating offences”, Mr Lee said. For example, criminals may run a website buying and selling hacked credit card information online. He stressed that it would not be an offence if people used such information for legitimate purposes, or did not have cause to believe it was obtained through illegal means.
Nominated Member of Parliament (NMP) Thomas Chua called on businesses to be vigilant and “to avoid being made use of unwittingly”.
Calling for more training to be made available to businesses, he said: “In the area of cyber usage and security, government agencies have already accumulated a wealth of experience. In comparison, businesses’ risk awareness and digital capability (are) obviously lacking. But in the cyber world, enterprises can also become the target of cyber attacks.”
Agreeing, fellow NMP K Thanaletchimi added: “How well are these companies protected? Do these companies see the importance of it and invest adequately in cyber security? Will there be support and assistance for companies in instituting a holistic approach to protecting their cyber security system from cyber crime?”
She also asked if key infrastructure operators such as those in the energy, finance and transport sectors would be required to report cyber breaches when they occur.
In response, Mr Lee noted that the Cybersecurity Bill, which is expected to be tabled later this year, will ensure that owners and operators of “critical information infrastructure” take proactive steps to secure their systems and networks, and report incidents.
Meanwhile, the Government has been running an awareness campaign which brings the public and private sectors together to promote the adoption of essential cyber security practices. The Singapore Computer Emergency Response Team also provides advisories to businesses to pre-empt and prevent cyber attacks, he said.
By the third quarter of this year, businesses will be able to get in-person help at the new SME Digital Tech Hub, which will provide technical advice to small and medium enterprises with more advanced digital needs, including cyber security, Mr Lee added.