sign in sign up
<<
Home , Bundesdatenschutzgesetz, Cyberstalking

ICLG The International Comparative Legal Guide to: Cybersecurity 2018 1st Edition

A practical cross-border insight into cybersecurity work

Published by Global Legal Group, with contributions from:

Allen & Overy Josh and Mak International Angara Abello Concepcion Regala & King & Wood Mallesons Cruz Law Offices Lee, Tsai & Partners Attorneys-at-Law Baker McKenzie Maples and Calder Boga & Associates MinterEllison BTG Legal Mori Hamada & Matsumoto Christopher & Lee Ong Niederer Kraft & Frey Ltd. Creel, García-Cuéllar, Aiza y Enríquez, S.C. R&T Asia (Thailand) Limited ENSafrica Rajah & Tann Singapore LLP Erkelens Law Shibolet & Co. Eversheds Sutherland Simmons & Simmons LLP Holland & Hart LLP Udo Udoma & Belo-Osagie JIPYONG The International Comparative Legal Guide to: Cybersecurity 2018

General Chapters:

1 Would the Standard of Cybersecurity be Improved by the Introduction of Mandatory Cybersecurity Controls? – Nigel Parker & Alex Shandro, Allen & Overy LLP 1

2 Enemy at the Gates? The Cybersecurity Threat Posed by Outsourcing, Partnering and Professional Advisors – Robert Allen & Paul Baker, Simmons & Simmons LLP 6 Contributing Editors 3 Directors and Officers Liability for Data Breach – Liz Harding, Holland & Hart LLP 12 Nigel Parker & Alex Shandro, Allen & Overy LLP Country Question and Answer Chapters: Sales Director Florjan Osmani 4 Albania Boga & Associates: Renata Leka & Eno Muja 16 Account Director Oliver Smith 5 MinterEllison: Paul Kallenbach & Leah Mooney 21 Sales Support Manager Toni Hayward 6 Belgium Erkelens Law: Johan Vandendriessche & Isaure de Villenfagne 28

Sub Editor 7 Canada Baker McKenzie: Dean Dolan & Theo Ling 35 Oliver Chang Senior Editors 8 China King & Wood Mallesons: Susan Ning & Han Wu 43 Suzie Levy, Rachel Williams Chief Operating Officer 9 England & Wales Allen & Overy LLP: Nigel Parker & Alex Shandro 50 Dror Levy 10 Germany Eversheds Sutherland: Dr. Alexander Niethammer & Steffen Morawietz 58 Group Consulting Editor Alan Falach 11 India BTG Legal: Prashant Mara & Devina Deshpande 64 Publisher Rory Smith 12 Ireland Maples and Calder: Kevin Harnett & Victor Timon 72 Published by Global Legal Group Ltd. 13 Israel Shibolet & Co.: Nir Feinberg 80 59 Tanner Street London SE1 3PL, UK 14 Japan Mori Hamada & Matsumoto: Hiromi Hayashi 87 Tel: +44 20 7367 0720 Fax: +44 20 7407 5255 Email: [email protected] 15 Korea JIPYONG: Seung Soo Choi & Seungmin Jasmine Jung 95 URL: www.glgroup.co.uk 16 Kosovo Boga & Associates: Sokol Elmazaj & Delvina Nallbani 101 GLG Cover Design F&F Studio Design 17 Malaysia Christopher & Lee Ong: Deepak Pillai 107 GLG Cover Image Source iStockphoto 18 Mexico Creel, García-Cuéllar, Aiza y Enríquez, S.C.: Begoña Cancino & Printed by Oscar Arias 116 Ashford Colour Press Ltd. October 2017 19 Nigeria Udo Udoma & Belo-Osagie: Olajumoke Lambo & Godson Ogheneochuko 122 Copyright © 2017 Global Legal Group Ltd. 20 Pakistan Josh and Mak International: Aemen Zulfikar Maluka 128 All rights reserved No photocopying 21 Angara Abello Concepcion Regala & Cruz Law Offices: Leland R. Villadolid Jr. & Arianne T. Ferrer 133 ISBN 978-1-911367-77-2 ISSN 2515-4206 22 Poland Allen & Overy A. Pędzich sp.k.: Krystyna Szczepanowska-Kozłowska & Justyna Ostrowska 141 Strategic Partners 23 Singapore Rajah & Tann Singapore LLP: Rajesh Sreenivasan & Michael Chen 148

24 South Africa ENSafrica: Suad Jacobs & Theo Buchler 156

25 Switzerland Niederer Kraft & Frey Ltd.: Dr. András Gurovits & Clara-Ann Gordon 164

26 Taiwan Lee, Tsai & Partners Attorneys-at-Law: Sean Yu-Shao Liu & Sophia Tsai 171

27 Thailand R&T Asia (Thailand) Limited: Saroj Jongsaritwang & Sui Lin Teoh 178

28 USA Allen & Overy LLP: Laura R. Hall & Kurt Wolfe 184

Further copies of this book and others in the series can be ordered from the publisher. Please call +44 20 7367 0720

Disclaimer This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication. This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations.

WWW.ICLG.COM Chapter 1

Would the Standard of Cybersecurity be Improved by Nigel Parker the Introduction of Mandatory Cybersecurity Controls?

Allen & Overy LLP Alex Shandro

“My medical friends tell me that it is possible to drastically in responding to cyber attacks, and more than 10% have no reduce deadly hospital infections if doctors wash their hands plan in place to respond to a cyber incident. Together with the for two minutes before operating. And yet only half of them regular stream of cyber incidents making the headlines recently, do. These are doctors, they know the facts, real people are this suggests that many organisations may not have appropriate 1 dying, and still they don’t comply”. cybersecurity controls in place. These were the words of SWIFT CEO, Gottfried Leibbrandt, As demonstrated by this guide, in many jurisdictions the legal when announcing the company’s plan to introduce mandatory framework applicable to cybersecurity is fragmented. Against an cybersecurity requirements for users of the SWIFT money transfer ever-growing threat landscape, on the face of it the argument for platform. He was speaking in the wake of the so-called Bangladesh introducing mandatory regulatory standards (and robust enforcement Bank Heist in February 2016, when attackers issued dozens of of those standards) is compelling. Organisations in a wide range of fraudulent money requests to the Federal Reserve Bank of sectors are now increasingly connected and hold increasing amounts using SWIFT credentials of Bangladesh Central Bank employees. of data. The consequences of a cyber attack are severe, from The attackers were successful in obtaining $81 million, and a further business interruption and other economic losses, to loss of or damage $851 million in money transfer instructions were blocked. to data and damage to reputation, among others. The value of robust Reports continue to emerge that other banks had also been targeted cybersecurity may be more readily apparent to organisations that in the attack. Some of the attacks failed. For example, Leibbrandt provide a critical service, that rely on networks and IT systems to revealed that one target: “… had the latest antivirus and had updated carry on their business, or that hold valuable intellectual property the latest security patch on our software, and in that case alerts from and data (or in SWIFT’s case, all of the above). Some organisations, the antivirus and from the latest security patch triggered alerts that however, may be reluctant to invest significant costs in cybersecurity prevented further fraud happening there as well.” measures, as this does not show any immediate or easily measurable SWIFT itself was not the target of the attack, and nor were SWIFT benefit (at least until an attack occurs). The introduction of mandatory systems or networks compromised in the attack. Rather, the systems security controls would at least set a minimum threshold. and networks of banks using the SWIFT platform (within the However, as businesses, technology and the threat landscape particular bank’s ICT environment) were targeted. continue to evolve, it is difficult to see how a meaningful set of SWIFT’s response has been to introduce a set of mandatory security umbrella security controls could be applied in practice. Mandatory controls for SWIFT’s customers.2 These requirements were security controls may result in weaker, rather than stronger, likened by Leibbrandt to “basic hygiene”, based on a combination cybersecurity because organisations may decide to invest to meet of technical, logical and physical controls and incident response those standards and no more. As the spate of high-profile attacks this planning and staff training. By the end of December 2017, all users year demonstrates, cybersecurity is not a finite problem that can be of the SWIFT platform will be required to have certified (together solved. It is a constant and evolving challenge for organisations, as with supporting data) that they comply with those requirements. cyber threat actors will continue to find cracks in any defences. The consequence of mandatory security controls could be a ‘compliance’ The SWIFT platform is used by banking institutions throughout the mindset, which fails to take account of the shifting context of the world and processes approximately 25 million money transfers each particular business, systems, vulnerabilities and threats. In the UK, day. It is a critical component of the financial services ecosystem for instance, the Government’s focus is not on additional regulation, and users of the platform are a prime target for cyber threat actors. but on better education and improved information-sharing among SWIFT’s decision to impose cybersecurity standards on its customers businesses and the Government. is borne out of a concern that, notwithstanding the apparent risks, its customers do not have basic cyber hygiene in place. The diverse range of cyber threats means that it will never be possible to be completely immune. Equally, it means that regulatory SWIFT’s approach raises broader questions. In the absence of standards alone are unlikely to present a workable risk management mandatory controls, are organisations sufficiently incentivised solution for organisations facing those threats. to invest in cybersecurity measures? Would the standard of cybersecurity be improved by the introduction of mandatory controls? There is a Diverse Range of Cyber Threats In the UK, a recent government survey of the largest public companies by market capitalisation, found that in more than As our lives become increasingly connected, the range of threats two-thirds of those companies the directors have no training increases and it becomes harder to protect against them. According

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 1 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP Mandatory Cybersecurity Controls

to the National Cyber Security Centre (NCSC), the UK authority measures must accordingly be multi-faceted, spanning technical with responsibility for protecting critical services from cyber attacks security measures, staff training, management reporting, technology and managing major cyber incidents, critical services in the UK procurement processes and more. These measures would require were hit by 188 “high-level” attacks and “countless lower ones” in organisations to incur significant costs. Where the risks are the last three months of 2016 alone.3 Cyber incidents are caused by hypothetical (albeit potentially severe, as explored further below), a wide range of threats and threat actors, from highly sophisticated mandatory regulatory standards (plus enforcement of those criminals deploying bespoke malware to high-volume and more standards) may well serve to incentivise that investment. However, opportunistic attacks using ‘off the shelf’ malware. it is difficult to envisage a set of security controls covering each of Recent high-profile attacks, such as the Bangladesh Bank Heist, the these areas in a meaningful and effective way for organisations of attacks on the US Democratic National Party and the hack on Ukraine’s different sizes, business models and industries. power grid (the first confirmed hack to take down a power grid) were carried out by highly skilled threat actors according to carefully The Risks of a Cyber Incident are Equally planned assaults. So too was the global Wannacry ransomware attack in May 2017, which Europol considers to be unprecedented in scale. Diverse The attackers exploited a vulnerability in the Microsoft Windows A cyber incident may result in economic losses, including business operating system to encrypt a computer’s data and demand payment interruption, internal costs (i.e. time involved to identify, remedy of Bitcoin ransom payments. The infection spread to computers on and manage the fall-out of the incident), out-of-pocket expenses the same network and to random computers on the , resulting (e.g. legal advice and forensic investigators), regulatory fines, in overall economic losses estimated to be in the hundreds of millions. damages awards in civil actions, and damage to market reputation In another example of the complexities of the cyber risk landscape, it and goodwill. An incident may also result in the theft or deletion has since been revealed that the US National Security Agency knew of data and intellectual property. Threat actors may also tamper of the vulnerability but did not inform Microsoft, preferring to use the with the integrity of an organisation’s data. This is particularly knowledge for its own cyber warfare offensive purposes. dangerous because the victim may not be aware that its data has been Alongside the attacks that hit the headlines are hundreds of compromised. For instance, at the end of 2016, the cybersecurity thousands of lower-level attacks, which are arguably of more consultants Security Research Labs demonstrated how security concern to organisations from a risk management perspective, as vulnerabilities in travel booking systems used by major airlines little or no technical expertise is necessary. Malicious software can could enable attackers to tamper with passenger records used to be downloaded from the Internet for free by almost anyone, and store reservations and thereby steal flights, divert air miles, or use then used to launch an attack and wreak havoc on ICT-depending the passenger information in more targeted phishing attacks. infrastructure. These so-called ‘commodity threats’ are increasingly The severity and range of risks of a cyber incident were well used by organised criminals as a relatively risk free method to steal demonstrated in an attack on UK telecoms firm TalkTalk in October information and exhort money. 2015 that resulted in the theft of the data of more than 157,000 Although external cyber attacks may receive the majority of customers, including bank account details. The day after the attack, the media publicity, a recent IBM survey found that most cyber the value of TalkTalk shares fell by 10%, and a further 20% the 4 incidents originate from within an organisation. Disgruntled week after the attack. TalkTalk revealed recently that its costs employees may steal information and disclose it to competitors, or have since run to over £45 million and that it had lost an estimated may leave a ‘back door’ open in a system that can be exploited by 101,000 subscribers in the wake of the attack. In October 2016, others. Indeed, a US Government audit report in August 2017 on TalkTalk was fined £400,000 by the UK data protection regulator, the Office of Personnel Management identified a high turnover of the Information Commissioner’s Office (ICO), for failing to take the staff in key positions as a key cause of cybersecurity weaknesses in basic security steps that, according to the ICO, would have prevented 5 the US Government. the attack. Echoing the words of SWIFT CEO Leibbrandt, the The proliferation of connected devices – the Internet of Things – Information Commissioner, Elizabeth Denham, said: “TalkTalk’s has also contributed to the growing threat. Connected consumer failure to implement the most basic cyber security measures allowed devices (from home appliances to cars) are being produced rapidly hackers to penetrate TalkTalk’s systems with ease.” The attack on a mass-market scale and are typically poorly secured. Any targeted database software holding customer data inherited from a network of connected devices is vulnerable to attack through any of 2009 takeover of a rival firm, Tiscali, and the software had not been the devices in the network, and each device is a potential entry point updated since. The ICO found that TalkTalk was unaware of the for cyber attackers. For instance, ‘Mirai’ malware turns devices problem, which could have been solved easily, despite being victim running Linux software (such as cameras and home routers) into of two cyber attacks earlier in the same year that should have alerted ‘bots’ that are capable of being remotely controlled. In September TalkTalk to the issue. and October 2016, Mirai was used to carry out denial-of-service In some cases the potential risk is not economic but physical. In attacks on several high-profile websites, including , Reddit 2016, a pair of white hat hackers demonstrated an exploit that and Airbnb. The malware exploited the typically weak password allowed them to control the air conditioning, audio system, protection requirements of connected devices, and successfully windshield wipers and brakes of a Jeep, causing the vehicle to stop logged into hundreds of thousands of devices by applying the most on the road. Had the exploit been in the hands of malicious threat common factory default passwords. Those devices were effectively actors, there would have been potential for considerable physical conscripted into a botnet and used to flood the targeted websites harm. Separately, Johnson & Johnson revealed in October 2016 with traffic, thereby disrupting services. The US Government, that one of its insulin pumps for diabetics was vulnerable to being among others, is now considering legislation mandating specific hacked, thereby causing an overdose. security requirements for Internet of Things devices procured by the Surgical robots are already being used in hospitals to carry out keyhole US Government.6 surgery and other procedures. As robotics (operated by artificial To mitigate (albeit not eliminate) the risks of such a wide array of intelligence technology) become increasingly prevalent in the health threats and threat actors – both internal and external – cybersecurity and many other industries, the risks become much greater, especially

2 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP Mandatory Cybersecurity Controls

if the robot is not secure (for instance, if a robo-surgeon is hacked and ‘digital service providers’ to put in place reliable security while in the operating theatre). Cyber consultancy firm IOActive measures for its network and information systems, so as to prevent predict that robots may be turned against their employers by criminals and minimise the impact of cyber incidents. As with the GDPR, or competitors, being used to spy or disrupt production lines.7 this is principles-based. There are no standards set out in the NIS Directive, and the text contemplates that the EU Agency for Network and Information Security (ENISA) will work with Member States to The Legal Framework for Dealing with develop more detailed guidance on specific technical areas. On 14 Cyber Risks is Dispersed and High Level September 2017, the European Commission issued draft guidance on security measures to be taken into account by digital service Set against the scale and diversity of the threats, and the potential providers. These include technical security measures, incident severity of the risks, is a relatively fragmented legal landscape. In handling procedures, business continuity management, auditing the US, for instance, various federal and state laws and regulations and ongoing monitoring measures. The Commission intends to govern cybersecurity incidents, with the applicability of each release equivalent guidance for operators of essential services later dependent on the sector and geographic operations of the relevant in 2017. The NIS Directive’s effectiveness will therefore depend organisation. on how the requirements are passed into national law of Member In fining TalkTalk in October 2016, the Information Commissioner, States and subsequently enforced by national regulators. The terms Elizabeth Denham, concluded that: “Companies must be diligent ‘operator of essential services’ and ‘digital service providers’ are not and vigilant. They must do this not only because they have a specifically defined in the NIS Directive, with Member States being duty under law, but because they have a duty to their customers.” tasked with identifying the entities falling under these categories. This reference to legal duties was notable, because in the UK, as With much of the detailed application of the NIS Directive left to in the vast majority of other jurisdictions surveyed in this guide the national implementing laws of Member States, there is a risk of (including Australia, Belgium, Canada, Switzerland, the US and fragmentation. Entities caught by the NIS Directive may have to Taiwan, among others), there are few laws mandating cybersecurity comply with different standards in different Member States. measures and those that do exist are based on high-level principles Where cybersecurity requirements are principles-based, or otherwise apply in limited cases (e.g. to specific sectors or in a organisations will have to determine the steps that are required to government procurement context). comply. Some may elect to take a view on existing (and perhaps The UK legal framework applicable to cybersecurity is dispersed inadequate) cyber measures if it enables them to save significant across statutes, common law doctrines and sector-specific costs. After all, the risks of a cyber incident are hypothetical until regulatory guidance, as summarised in the England & Wales chapter one occurs. However, it is questionable whether more prescriptive of this guide. Among them are high-level security requirements security standards are the solution. If an organisation is prepared with which certain organisations must comply. For instance, UK to take a view on existing (and perhaps inadequate) cyber measures data protection legislation requires all organisations that control today, it is possible that they will continue to do so in a world with to implement technical and organisational measures more granular mandatory security controls. Rather, the issue would to safeguard that personal data, which may involve implementing appear to lie in the underlying perception that cyber risks are not cybersecurity controls. worth investing in. From 25 May 2018, the EU General Data Protection Regulation (the GDPR) will take effect and will bolster the security requirements Cyber Law Must Remain Flexible and with which controllers of personal data must comply (albeit still Encourage a Culture of Cyber Hygiene within a principles-based approach). Among other things, the GDPR requires controllers of personal data to carry out Businesses and technology are constantly evolving, whether impact assessments in relation to certain ‘high risk processing’, through M&A activity, adoption of new technology or deployment to employ data protection officers and to notify data breaches to of new devices. As businesses and technology evolve, so too does regulatory authorities and data subjects within prescribed time the nature of the cyber threat. It would seem to follow that cyber periods. These requirements are accompanied by a much tougher law must remain sufficiently flexible. There is unlikely to be a ‘one sanctions regime, including potential fines of up to 4% of annual size fits all’ regulatory standard that could be applied. worldwide turnover for certain breaches. This was at the crux of the UK Government’s cybersecurity review The UK Government regards implementation of the GDPR as an in December 2016, which concluded that no additional cybersecurity opportunity to improve cybersecurity risk management and has regulation was needed beyond the principles set out in the GDPR stated that they “…will ensure that cyber security is at the centre of and NIS Directive.9 This review concluded that additional the way we promote and implement the GDPR”.8 This statement was cybersecurity regulation could lead to a mere tick box exercise and made in a UK Government cybersecurity review in December 2016 “encourage a ‘compliance’ culture rather than proactive cyber risk which concluded that, beyond the GDPR, additional cybersecurity management”.10 regulatory standards were not justified, for the reasons explored further below. The UK Government considers that the GDPR will provide the necessary incentive to improve cyber risk management, particularly For its part, the EU has indicated its support for harmonised when coupled with the implementation of the NIS Directive for cybersecurity standards. The Cyber Security Strategy of the those organisations that operate essential services. This conclusion European Union, issued in 2013, states that: “There need to be was based on a belief that the principles applying to personal data appropriate cyber security performance requirements implemented in the GDPR would help to protect other categories of data held across the whole value chain for ICT products used in Europe.” by organisations, with the overall result that security awareness A key pillar of this strategy is the Network and Information Systems would increase across the business. If this belief is borne out in Directive (the NIS Directive), which is required to be implemented practice, the same may apply in other EU Member States and non- into national legislation by EU Member States by 9 May 2018. EU jurisdictions with principles-based data privacy legislation Among other things, it requires ‘operators of essential services’ (including Australia, Canada, Israel and Switzerland, among others).

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 3 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP Mandatory Cybersecurity Controls

It remains to be seen whether the UK Government is relying cybersecurity should be based on developing the right processes too heavily on the data privacy principles in the GDPR. The to identify, mitigate and respond to vulnerabilities. For example, a requirement to notify data breaches, and the resultant negative high-profile hacking attack of an organisation may prompt CEOs to publicity, may well act as an incentive to improve cyber hygiene increase investment on their ICT infrastructure to ward off external within an organisation. However, in the longer term, if data breach threats. However, in doing so, they may be diverting resources notifications become more commonplace, it is possible that the away from internal threats (e.g. employees falling victim to phishing amount of publicity (and corresponding incentive to comply) will attacks) that, as noted by the IBM report referred to above, may be wane, albeit that the potential for significant fines will remain. just as damaging. Rather, the UK Government’s ambitious strategy to make the UK It is a complex picture, and one that seems unlikely to be improved the safest place in the world to go online is intended to be delivered by the introduction of additional regulatory standards alone. In through non-binding best practice guidance that underlines practice, greater awareness of the threats, risks and best practice the importance of the culture of cyber hygiene, together with security controls is essential. This could be achieved by ensuring government initiatives to ensure that organisations in the UK are that cyber incidents are well-publicised and any breaches of existing kept aware of the latest cybersecurity threats (and therefore where laws and standards are enforced robustly. In addition, steps could they can best focus their security efforts). be taken to improve information-sharing and cooperation among In the absence of specific legal requirements, many organisations businesses and regulatory bodies. In the wake of the Wannacry currently seek to comply with best practice industry standards (such incident, for instance, a bipartisan bill was put forward to the US as ISO / IEC 27001 or PAS 555), as they provide a helpful reference Congress, seeking to limit the ability of US intelligence agencies point for good security and are useful to demonstrate to regulators to horde vulnerabilities and, in certain circumstances, require that steps have been taken to protect information. To this end, the notification of the vulnerability to the manufacturer. As laws such NCSC has issued multiple layers of cybersecurity controls, from a as the GDPR come into force, more information on data breaches set of basic controls designed to show organisations how to protect will become available to regulators, and that information could themselves against low-level threats (the ‘Cyber Essentials’ scheme) be shared with other regulators around the world with a view to to more sophisticated controls (the ‘10 Steps to Cyber Security’). ensuring greater awareness of threat information and developing These are presented not as prescriptive controls, but as categories consistent good practice. This in turn should improve the ability of steps that should be kept under constant review in the specific of organisations to manage their cyber risks and develop informed business context. The UK Government has confirmed that it does investment strategies. not recommend mandatory compliance with these standards,11 although all suppliers bidding for certain Government contracts are Endnotes required to comply with the ‘Cyber Essentials’ controls. 1. https://www.sibos.com/media/news/united-fight-against- Encouraging the Right Strategy Appears Key cyber-attacks. 2. https://www.swift.com/myswift/customer-security- The UK Government’s approach recognises that an organisation programme-csp/security-controls. can never be completely immune from a cyber incident, and good 3. https://www.ncsc.gov.uk/content/files/protected_files/ cybersecurity is instead a question of risk management spanning news_files/The%20Cyber%20Threat%20to%20UK%20 the organisation’s technology, people and processes. In principle, Business%20%28b%29.pdf. this appears to be a pragmatic approach to the ever-evolving threat 4. 2017 IBM X-Force Threat Intelligence Index, https://www. landscape. ibm.com/security/data-breach/threat-intelligence-index.html. 5. www.gao.gov/assets/690/686400.pdf. However, the August 2017 survey of the FTSE 350 companies (which, among other issues, revealed that more than half of the 6. Internet of Things Cybersecurity Improvement Act 2017. UK’s largest public companies have not taken recommended action 7. www.ioactive.com/pdfs/hacking-robots-before-skynet.pdf. to identify cyber risks) suggests that there is still significant progress 8. HM Government, Cyber Security Regulation and Incentives to be made. Absent government intervention, organisations need Review, December 2016, https://www.gov.uk/government/ to be sufficiently incentivised to adopt appropriate cyber risk uploads/system/uploads/attachment_data/file/579442/ management measures. Board engagement appears to be essential Cyber_Security_Regulation_and_Incentives_Review.pdf. to this process. In the UK, for instance, the NCSC intends to work 9. HM Government, Cyber Security Regulation and Incentives with organisations such as the Financial Reporting Council and Review, December 2016, https://www.gov.uk/government/ Investment Association to educate boards and investors about cyber uploads/system/uploads/attachment_data/file/579442/ risk and the risk management steps that boards should be taking.12 Cyber_Security_Regulation_and_Incentives_Review.pdf. It then becomes not only a question of cost, but how those costs 10. Ibid., p. 3. are invested. No matter how strong an organisation’s cybersecurity 11. Ibid., para. 5.7. may be, motivated hackers will find cracks. It follows that good 12. Ibid., para. 5.6.

4 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP Mandatory Cybersecurity Controls

Nigel Parker Alex Shandro Allen & Overy LLP Allen & Overy LLP One Bishops Square One Bishops Square London E1 6AD London E1 6AD United Kingdom

Tel: +44 203 088 3136 Tel: +44 203 088 4594 Email: [email protected] Email: [email protected] URL: www.allenovery.com URL: www.allenovery.com

Nigel is a partner specialising in intellectual property, data protection Alex is a senior associate specialising in commercial contracts, intellectual and privacy, commercial contracts and IT law. He is a member of property, cybersecurity and data protection law. Alex advises clients the firm’s Cyber Security Group and has advised clients on strategies in technology and data-rich sectors on their most complex commercial for managing legal risk in relation to cybersecurity, including the arrangements, including outsourcings, licensing, collaborations and deployment of a variety of risk management tools, on the response IP / data exploitation. A member of the firm’s Cyber Security Group, to attacks and dealing with regulatory authorities, and on taking pro- Alex has advised regularly on risk management strategies in relation to active steps in response to attacks. cybersecurity, including contractual arrangements with vendors. Chambers 2015 cites Nigel as an expert in the fields of data privacy and outsourcing, describing him as “technically faultless” as well as “very practical and very good at finding solutions”.

Allen & Overy is a full-service global elite law firm headquartered in London. Our commitment to help our clients deliver their global strategies has seen us build a truly global network now spanning 44 offices in 31 countries. We have also developed strong ties with relationship law firms in more than 100 countries where we do not have a presence. We have a strong cybersecurity practice comprising a core team of 15 partners with diverse backgrounds in data protection, bank regulation, antitrust, securities laws, technology, IT, litigation, employment, IP and corporate. This spread is crucial because cybersecurity incidents frequently span a wide range of traditional legal practice areas. There is an important legal component to cybersecurity and our integrated team of diverse practitioners reflects this requirement. As a full-service global elite law firm, we are able to advise clients on all legal issues concerning cybersecurity.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 5 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 2

Enemy at the Gates? The Cybersecurity Threat Posed by Outsourcing, Partnering and Robert Allen Professional Advisors

Simmons & Simmons LLP Paul Baker

The cybersecurity threat posed by outsourcing, partnering and professional advisors – companies are well-informed of the need 2 Scope of the ‘Third Party Threat’ to buttress their own cybersecurity defences, but what about third Year on year, the aggregate of data created and captured grows parties that hold their data or with whom they share access to exponentially. In 2025, the IDC forecasts that the global ‘datasphere’ systems? will grow to 163 zettabytes, 10 times the data generated in 2016.6 As data capture increases – fuelled by embedded systems, data 1 Introduction analytics, technological advances and even regulation7 – businesses are forecast to manage even more data (from 30% in 2015 to nearly In 2017, no business can plead ignorance of the cybersecurity risks 60% in 2025);8 data which, in many instances, they are obliged to inherent in a digitally connected global marketplace. The headlines protect. expose and denounce the corporate victims of cyberattacks1 and reel However, notwithstanding the commercial value and regulatory off the latest statistics about the rise of .2 Businesses are, importance of data, businesses increasingly do not hold their own. accordingly, well-informed that they must buttress their cybersecurity Data growth has driven – and continues to drive – heightened reliance defences or become one of the statistics.3 Yet, it is often at this level on third parties for IT infrastructure (often collectively described as of awareness that the conversation about cybersecurity ends. And, to Managed Service Providers or MSPs). For instance, data retention is the extent that businesses are focused on cybersecurity, that focus is routinely outsourced by firms to cloud service providers to lessen the concentrated only on the business’s own defences. burden of data storage. MSPs present particularly desirable targets That focus is naïve. No business operates in isolation. Each contract for malicious cyberattacks, in light of their disproportionate access with suppliers seeks advice or services from professional services to valuable information held by multiple businesses. Recently, the firms, and outsources to (for example) payment services, complaints detection of ongoing targeted attacks against global MSPs by a handlers and data custodians. This network of third parties holds hostile actor has prompted the UK’s National Cybersecurity Centre the business’s data and may share access to the business’s systems to publish advice for enterprises regarding their security assessments (often across numerous jurisdictions), forming a crucial part of the and monitoring of MSPs.9 first line of defence against cybersecurity breaches. As recently as Moreover, data may be frequently shared by a business with August 2017, TalkTalk Telecom Group was fined £100,000 by the other third-party professional services firms such as law firms, Information Commissioner in the UK, when customers’ personal accountants and management consultants for analysis, audit and data were compromised via one of its providers of network coverage advice. These firms, given the nature of their work, are likely to be solutions and complaints resolution.4 The questions therefore for repositories of a business’s most sensitive and valuable data – and each business must be: what does it know about these third parties therefore a prime target for cyber attackers. The recent compromise and their security (if anything); and what steps does it take to ensure of DLA Piper’s systems provides an obvious example. In June that such security is maintained to the appropriate standard? 2017, the international ‘Petya’ ransomware attack rapidly infected The magnitude of the risk posed by third parties is often overlooked the entire DLA Piper network, requiring employees globally to turn in a business’s assessment of cybersecurity. In the UK, for example, off their computers and to avoid use of any element of the firm’s only 13% of businesses require their suppliers to adhere to specific IT infrastructure. While DLA Piper has not seen any evidence of cybersecurity standards or good practice.5 In this article, we examine theft of client data,10 some IT systems were still inoperable up to the scope of the threat arising out of third-party relationships, the two weeks later. degree to which third-party security risk is currently regulated, the Therefore, while support from MSPs and professional firms may potential enforcement and litigation consequences of a cybersecurity be critical for reasons of cost, efficiency or specialism, it must be breach at a third party, and some practical guidance to help to recognised internally by businesses that the outsourcing and/or identify and assess the risks they create and (if necessary) remediate sharing of data to a network of third parties displaces and indeed the harm caused by a breach. magnifies the cybersecurity risk. This should raise particular alarm Our aim in this article is to highlight to businesses (and their advisers) bells where third parties operate in jurisdictions that offer a lower that their trusted suppliers, custodians and advisors may in fact be cost base but present a heightened cybersecurity risk, whether as unwitting ‘enemies at the gate’ when it comes to cybersecurity. a result of weaker regulation, corruption risks, or higher rates of cybercrime.

6 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Simmons & Simmons LLP Enemy at the Gates?

Stakeholders, regulators and the public generally do not take kindly serious breach will substantially increase with the introduction of to a business seeking to pass blame to a third party which it selected the GDPR in May 2018, in the UK and across EU Member States. and the business’s reputation is intrinsically linked to the outsourced Materially, for businesses that provide information including providers it engages. A business is, therefore, as vulnerable to attack personal data to third parties, they will have an obligation only and damage to reputation as its weakest third-party service provider. to use those data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR.21 Data 3 Regulation processor activities must be governed by a binding contract between controller and processor,22 which must make specific provision In light of the pernicious and expanding threat to cybersecurity for (among other things) instructions, sub-processing (which is posed by third parties, it is unsurprising that the global regulatory prohibited without the authorisation of the controller23), compliance landscape has developed to compel businesses to protect their data and confidentiality. against cybersecurity attacks on vulnerable third-party defences. In terms of security, processors and controllers will be obliged to From a UK perspective, the businesses that are most heavily implement measures that are appropriate, taking into account factors regulated are data controllers as defined under the Data Protection such as the type of data, the nature and purpose of processing, the Act 1998 (DPA), and firms regulated by the Financial Conduct risks to individual rights associated with any security breach and Authority (FCA). However, current data protection obligations, the costs of implementation.24 Regular testing and evaluation and the associated sanctions for breach, will be appreciably of the effectiveness of any security measures is also required if bolstered with the introduction of the General Data Protection appropriate.25 From the perspective of businesses outsourcing data Regulation (GDPR) in May 2018 (to be implemented into UK retention and organisation, additional comfort can soon be taken law notwithstanding Brexit).11 Below we consider the current and from these new security obligations and additional requirements prospective legislative impetus to protect oneself against the ‘third on processors to maintain records of personal data processing party threat’. activities.26 The GDPR also substantially increases the enforcement and Data Protection Act 1998 litigation risk profile in the event of a security breach involving personal data.27 Such breaches must be notified by data processors to 12 In the UK, the DPA requires data controllers to comply with eight data controllers, and by data controllers to the relevant supervisory 13 data protection principles with respect to personal data; a broad authority (in the UK, the ICO) without undue delay.28 At present, concept that encompasses any information which can be used to such reporting only represents good practice,29 and the compulsion 14 identify an individual. Relevantly, the seventh data protection of such reporting may lead to more frequent enforcement by the 15 principle requires the following security obligations: ICO (and, as a consequence, civil lawsuits, which are discussed “appropriate technical and organisational measures … further below). Second, where enforcement is pursued, the possible against unauthorised or unlawful processing of personal data sanction – fines of up to 4% of global annual turnover30 – is severe. and against accidental loss or destruction of, or damage to, personal data.” NIS Directive The DPA envisages that data controllers will provide access to personal data to third parties for a multitude of reasons. Indeed, the data controller is under a mandatory duty to notify the Information In addition to the GDPR, it should not be forgotten that the Commissioner’s Office (ICO) of its disclosure to third parties and Network and Information Systems (NIS) Directive is also due to is prohibited from doing so without such registration.16 These third be implemented by EU Member States in May 2018, which will parties may be data processors (entities whose activities are limited subject operators of key essential services (including banks and to data storage, retrieval, organisation, disclosure or erasure) or other credit institutions) and key digital service providers (including themselves data controllers. cloud computing services and online marketplaces) to additional risk management and reporting requirements. This Directive can The DPA requires a data controller to ensure that any third-party be expected to raise security standards on digital service providers, data processors provide guarantees with respect to their security which will be especially important for businesses reliant on cloud measures and to take reasonable steps to ensure compliance by third computing. However, like the GDPR, it may increase the likelihood parties with those security measures.17 More specifically, the DPA of enforcement or litigation when data breaches occur and are mandates that any processing by a data processor must be carried required to be reported. out pursuant to a contract made or evidenced in writing and that the data processor may act only on the data controller’s instructions and in doing so comply with equivalent security obligations to the Principles for Business and SYSC Rules data controller.18 No action can be taken against a data processor itself so these measures place responsibility squarely on the data In addition to ICO enforcement, financial services providers controller to mitigate against vulnerable security standards in data regulated by the FCA are subject to additional security obligations processing.19 that encompass cybersecurity risks. The FCA handbook provides In circumstances of serious breach of this principle by the data a number of rules where failure to properly engage with and controller, of a kind likely to cause substantial damage or distress understand the issue of cybersecurity would constitute a breach. and where the breach was deliberate or reckless, the ICO may Principle 3 (PRIN 2.1.1, FCA Handbook) is the most obvious, and impose a fine of up to £500,000.20 was invoked by the FCA in its censure of Royal Bank of Scotland Plc, National Westminster Bank Plc and Ulster Bank Ltd following their major IT systems failure in June 2012. This Principle requires General Data Protection Regulation a firm to “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management The data protection obligations on businesses and the sanctions for systems”.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 7 © Published and reproduced with kind permission by Global Legal Group Ltd, London Simmons & Simmons LLP Enemy at the Gates?

The Senior Management Arrangements, Systems and Controls from a heating and air conditioning subcontractor to access Target’s rules (SYSC) are also relevant. Two of the SYSC rules specifically gateway server and steal customer details. reference financial , which is inextricably linked with cyberattacks. SYSC 6.1.1 is particularly wide-ranging: FCA enforcement “a firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of In the financial services industry, weak cybersecurity controls of third- the firm including its managers, employees and appointed representatives, with its obligations under the regulatory party service providers (whether or not the subject of a cyberattack) system and for countering the risk that the firm might be used also routinely capture the attention of FCA enforcement. While the to further financial crime.” greatest financial penalty imposed for inadequate IT systems and controls remains the £42,000,000 fine on Royal Bank of Scotland In July 2016, the FCA produced guidance for regulated firms when Plc, National Westminster Bank Plc and Ulster Bank Ltd (arising outsourcing to the cloud and other third-party IT services in the from software failings in the updating of systems), significant fines context of the existing UK and EU framework.31 This guidance have also been levied on financial institutions in respect of the poor is designed to assist regulated firms to discharge their oversight cybersecurity controls of their third-party service providers. obligations and avoid enforcement action pursuant to the SYSC rules or otherwise for poor risk management (examples of which are In October 2016, Aviva Pension Trustees UK Limited and Aviva provided further below). Wrap UK Limited (together Aviva) were fined £8,246,800 for failings in oversight of outsourced providers in relation to the protection of client assets between 2013 and 2015. In this period, Aviva did not 4 Liability have in place appropriate controls over Third Party Administrators (TPAs) to which they had outsourced the administration of client In the event of a data breach at a third party, whether an accountant, money and external reconciliations in relation to custody assets, 32 website builder or cloud service provider, it will be essential to in breach of Principle 3. While client money was at risk in this assess and understand where liability for such breaches may lie. instance, there was no actual cybersecurity breach by the TPAs. Similarly, Zurich Insurance plc paid a penalty of £2,275,000 following a data loss incident in which the subcontractor of another ICO enforcement Zurich Group entity, Zurich Insurance Company South Africa Limited (ZICSA), lost an unencrypted back-up tape with data If the security of personal data is compromised as a result of a relating to 46,000 customers. As a result, the FSA found that Zurich cyberattack on a third-party service provider, the business which Insurance plc had failed to take reasonable care with respect to its outsourced such services may face enforcement action by the ICO. management of risks associated with securing customer information Pursuant to its powers under the DPA, the ICO can and has often in breach of Principle 3, SYSC 3.1.1R and SYSC 3.2.6R. issued fines to data controllers for breaches of the seventh data protection principle (often in connection with other principles) in situations where their third-party data processor has lost or left Civil litigation unsecure the personal data in its possession. For example, in February 2017, the ICO fined private health Civil claims may be brought against businesses as a result of company HCA International Ltd (HCA) £200,000 for failing to keep a cyberattack against one of its third-party service providers, fertility patients’ confidential personal information secure. The ICO regardless of whether there has been any regulatory enforcement found that HCA had, since 2009, routinely sent unencrypted audio action. recordings of interviews with fertility patients by email to a company In the UK, section 13 of the DPA provides a route for individuals in India for transcribing services. HCA had no guarantee that the to claim, where they can demonstrate that the data controller has company would use a secure FTP server to store the recordings or breached the DPA (which includes failure to ensure compliance erase them after transcription, failed to monitor the company in with the DPA by third parties) and has suffered damage as a result. relation to any security measures and did not have a DPA compliant Whilst pecuniary loss was previously a prerequisite for ‘damage’, contact with the company in relation to the processing. The the Court of Appeal in Vidal-Hall et al v Google33 confirmed that contraventions came to light only in 2015 when a patient informed ‘damage’ could include emotional distress only. HCA that transcripts could be found online via a search engine. Alternatively, under English law, claims may be brought against On 4 November 2015, the Crown Prosecution Service (CPS) was business on the basis of: fined £200,000 after three laptops containing videos of police (A) the tort for misuse of private information; and/or interviews were stolen from the owner of a private film studio in a burglary. The CPS had engaged the owner in 2002 to edit the (B) an action for breach of confidence. interviews for use in criminal proceedings. The ICO found the CPS Contracts may also provide a basis for further liability in the event in contravention of the seventh data protection principle, observing that the third party’s cybersecurity systems are compromised. that it had no guarantees from the owner in relation to storage, return A business may well expect to terminate or pursue an action in or secure destruction at the end of the case; that it failed to monitor contract damages against the third party pursuant to data protection the owner in relation to any security measures taken by him; and clauses that have been breached. But the business itself should that it did not have a DPA-compliant contract in relation to the anticipate contractual claims being made against it if it has made processing. representations about the robustness of its cybersecurity systems While some deterrent for lax monitoring of third parties, these to customers or other third parties. Such statements may appear, penalties pale in comparison to the sanctions soon to be available for example, in response to RFPs, or in prospectuses or marketing under the GDPR and, indeed, the regulatory settlements entered materials, and could result in misrepresentation claims by investors, for data breach in the . In May 2017, Target paid shareholders, suppliers or customers. $18,500,000 to settle state enforcement action arising out of its In short, the delegation of data processing to third parties provides 2013 data breach, which involved attackers stealing credentials no shield against litigation following a cyberattack. Indeed, in the

8 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Simmons & Simmons LLP Enemy at the Gates?

UK, group litigation orders enable the joint management of claims (A) Basic security provisions; for example: physical security which give rise to common or related issues of fact or law and requirements of the third-party premises; any vetting expand the spectre of corporate liability irrespective of the nature requirements for third-party staff members (and their third- of the claim. These orders have proved particularly useful for party contractors); and the use of agreed, manufacturer- individuals to pursue claims arising out of data breaches, including supported, password-protected operating systems. over 5,000 employees of Morrisons whose bank, salary and national (B) Specific provisions that set out requirements insurance details were leaked online by a rogue employee of the about the use and storage of data; for example: how will data supermarket chain.34 be given to the third party? Should it be encrypted? Should it be backed up and by whom? For how long should it be stored? How and under what circumstances should it be 5 Practicalities destroyed or returned? (C) Cooperation provisions, for example: information requirements As well as the framework of legislation and rules, and mechanisms to allow businesses to obtain all necessary information to by which a business may seek compensation after the event of a ensure compliance with data protection provisions; cooperation provisions to ensure data security audits are effective; review cyberattack, there are various practical steps that can be considered. and security testing requirements; and staff training provisions. To conclude, we set out below a check list outlining suggested steps (D) Breach provisions; for example: notification requirements to mitigate the third party threat, divided into four categories: risk in the event of a breach; further cooperation provisions to assessment; contract; oversight; and incident management. ensure breaches are investigated and managed effectively; It is worth focussing briefly on the contract category in particular and business continuity provisions. because, if well-drafted, relevant agreements will provide a (E) Indemnity and limitation of liability clauses: as the GDPR clear picture of the parties’ rights and obligations when it comes provides for higher fines than under current domestic to cybersecurity, and help clarify the risks specific to the third- legislation, it may be prudent to modify these clauses party relationship. In contemplating the contractual obligations accordingly. concerning cybersecurity the following should be considered:

Checklist: The Third Party Threat

Have you mapped out who holds or has access to your data? Have you considered the business rationale for and appropriateness of providing data to each third party service provider? Have you conducted recent and reliable due diligence on each third party?

Risk Assessment Have you conducted (and documented) a security assessment of your risks specific to each third party? Does your contract require the third party to comply with international standards? Does your contract make specific provisions for the security of data throughout transfer, use, storage and deletion? Does your contract also provide for security with respect to physical premises and people? Contract Does your contract preclude the use of sub-contractors without authorisation? Do your third parties provide regular reports to you regarding security testing, risks and status updates? Do you regularly audit third party service providers for security risk? Do you have effective access to the data held by the third party? Oversight Do you have records of the data processing activities conducted by third parties? Are your third party service providers contractually or otherwise obliged to report data breach and/or loss to you? Does your cyber incident response plan consider data breach at a third party? Can you cooperate with regulators’ requests for information and/or access to data? Incident Response Do you have and can you enforce indemnity clauses for data breach in the jurisdictions in which you operate?

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 9 © Published and reproduced with kind permission by Global Legal Group Ltd, London Simmons & Simmons LLP Enemy at the Gates?

13. DPA, section 4(4). Endnotes 14. DPA, section 1(1). 1. For example, see: “DLA Piper hack could cost ‘millions’, 15. DPA, Schedule 1, Part 1, paragraph 7. brokers say”, Legal Week (7 July 2017); “Tesco Bank 16. DPA, section 17. suspends ‘all transactions’ as 20,000 customers lose money 17. DPA, Schedule 1, Part 2, paragraph 11. after hack attack”, Independent (7 November 2016); and “TalkTalk hit with record fine over cyber attack”, Financial 18. DPA, Schedule 1, Part 2, paragraph 12. Times (5 October 2016). 19. See further Information Commissioner’s Office “Data controllers and data processors: what the difference is 2. “Cybercrime costs the global economy $450 billion” and what the governance implications are”, available at according to CNBC (7 February 2017) available at https:// https://ico.org.uk/media/for-organisations/documents/1546/ www.cnbc.com/2017/02/07/cybercrime-costs-the-global- data-controllers-and-data-processors-dp-guidance.pdf. economy-450-billion-ceo.html. In the UK, the BBC has This guidance notes that the ICO “may decide not to take reported on the “estimated 3.6 million cases of fraud and two enforcement action against a controller if it believes it has million computer misuse offences in a year” in “Cyber Crime done all it can to protect the personal data it is responsible and fraud scale revealed in annual figures” (19 January for and to ensure the reliability of its processor, for example 2017), available at http://www.bbc.co.uk/news/uk-38675683. through a written contract”. 3. In the UK, three-quarters (74%) of businesses say that 20. DPA, section 55A; Data Protection (Monetary Penalties) cybersecurity is a high priority for their senior management. (Maximum Penalty and Notices) Regulations 2010. Dr Rebecca Klahr et al., “Cybersecurity breaches survey 21. GDPR, Article 28(1). 2017 Main report” (April 2017) at 1. 22. GDPR, Article 28(3). 4. ICO Press Release, “Personal data belonging to up to 21,000 TalkTalk customers could have been used for scams 23. GDPR, Article 28(2). and fraud” (10 August 2017), available at https://ico.org. 24. GDPR, Article 32(1). uk/about-the-ico/news-and-events/news-and-/2017/08/ 25. GDPR, Article 32(1)(d). personal-data-belonging-to-up-to-21-000-talktalk- 26. GDPR, Article 30(2). customers-could-have-been-used-for-scams-and-fraud/. 27. Article 4 GDPR defines a personal data breach as “a breach 5. This percentage is higher in the finance and insurance sectors of security leading to the accidental or unlawful destruction, (30%) and among education, health or social care firms loss, alteration, unauthorised disclosure of, or access to, (22%). Dr Rebecca Klahr et al., “Cybersecurity breaches personal data transmitted, stored or otherwise processed”. survey 2017 Main report” (April 2017) at 35. 28. GDPR, Article 33. 6. David Reinsel, John Gantz and John Rydning, “Data Age 2025: The Evolution of Data to Life-Critical” (April 2017) 29. Currently, in the UK there is no legal obligation under the at 3, available at http://www.seagate.com/www-content/our- DPA to report personal data breaches to anyone. However, story/trends/files/Seagate-WP-DataAge2025-March-2017. the ICO guidance recommends that serious breaches should pdf. be brought to its attention. 7. By way of example, MiFID 2, which comes into force on 30. For some breaches of the Regulation (including failing to 3 January 2018, significantly expands the transaction record comply with the conditions for processing) data controllers keeping obligations for investment firms within EU Member can receive a fine of up to the greater of 4% of global States, including the introduction of extensive rules on phone annual turnover for the preceding year (for undertakings) or taping and electronic communications. €20,000,000. For other breaches (e.g. failing to keep records or complying with security obligations), the fine can be up to 8. David Reinsel, John Gantz and John Rydning, “Data Age the greater of 2% of global annual turnover (for undertakings) 2025: The Evolution of Data to Life-Critical” (April 2017) at or €10,000,000. 21. 31. FCA, “FG 16/5 – Guidance for firms outsourcing to the 9. National Cybersecurity Centre, “Global targeting of ‘cloud’ and other third-party IT services” (July 2016), enterprises via managed service providers” (3 April 2017), available at https://www.fca.org.uk/publication/finalised-gui available at https://www.ncsc.gov.uk/information/global-targ dance/fg16-5.pdf. eting-enterprises-managed-service-providers. 32. Principle 3 (Management and Control) states that a firm 10. DLA Piper, “Malware Attack Update” (10 July 2017), available at www.dlapiper.com/en/sweden/focus/dla-piper- must take reasonable care to organise and control its affairs malware-attack-update/. responsibly and effectively, with adequate risk management systems. 11. The UK Minister of State for Digital and Culture, Matt Hancock MP, has confirmed that the UK will implement the 33. [2015] EWCA Civ 311. GDPR in full. 34. Dataiq, “5,000 join action against Morrisons over data 12. Which implements the Data Protection Directive (95/46/EC) leak” (3 March 2016), available at http://www.dataiq.co.uk/ into UK law. news/5000-join-action-against-morrisons-over-data-leak.

10 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Simmons & Simmons LLP Enemy at the Gates?

Robert Allen Paul Baker Simmons & Simmons LLP Simmons & Simmons LLP CityPoint CityPoint One Ropemaker Street One Ropemaker Street London EC2Y 9SS London EC2Y 9SS United Kingdom United Kingdom

Tel: +44 20 7825 4852 Tel: +44 20 7825 4580 Email: [email protected] Email: [email protected] URL: www.simmons-simmons.com URL: www.simmons-simmons.com

Robert is a partner in the Financial Markets Litigation group in Paul is a partner in the Financial Markets Litigation group in Simmons Simmons & Simmons LLP’s London office. He specialises in retail & Simmons LLP’s London office, specialising in complex financial and consumer finance litigation, including cybersecurity issues, disputes and investigations, with a particular focus on contentious investigations, general banking disputes and contentious regulatory asset management work. Paul is a member of the firm’s Cybersecurity matters. Robert is a member of the firm’s Cybersecurity group and group and leads the firm’s reputation management practice. Paul advice to clients in this field includes defending a major financial has advised clients on various aspects regarding cybersecurity, institution against threatened claims by a client of the bank following including incident response planning, the investigation of breaches a cyber-attack on the client’s account. Robert also advises clients and reputational issues arising from such breaches. Paul is a regular on data protection considerations, particularly in relation to litigation presenter on cybersecurity topics and was highlighted by Legal and other contentious situations. He is a member of the firm’s Data Business in its 2015 Disputes Yearbook as of one the next generation Protection and Privacy group. Robert was named in Legal Week’s of leading disputes partners. 2016 list of Rising Litigation Stars in London.

Simmons & Simmons LLP is a leading international law firm with fully integrated teams working through 21 locations in Europe, the Middle East and Asia, and have 1,500 staff worldwide, including more than 240 partners and a total legal staff of over 1,000. The firm’s strategy is designed to ensure it provides its clients with high-quality advice and delivers value through new and innovative ways of working. Their current client base includes a significant number of the current FTSE 100 and Fortune Global 500 companies. A key commercial advantage is their focus on specific sectors, which include Asset Management & Investment Funds, Financial Institutions, Life Sciences and Telecoms, Media & Technology (TMT). Simmons & Simmons LLP acts regularly on the most innovative cases, deals and transactions in its chosen areas of specialism and receives recognition for the quality of its work from clients and others within these industry sectors.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 11 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 3

Directors and Officers Liability for Data Breach

Holland & Hart LLP Liz Harding

Over the past couple of decades the definition of risk in the context requiring that it investigate, address and remedy the harm inflicted of cybersecurity and privacy has changed dramatically. Where, 20 as a result of the data breaches. The board ultimately decided not years ago, the concept of regulatory fines was remote at best, today to comply with these demands, on the basis that they were all but businesses operate in an environment where it is not a question of if identical to the demands received from an earlier shareholder. The but when a cyber breach will occur and the prospect of class actions, derivative shareholder action swiftly followed, with the board regulatory fines, remediation costs and reputational damage are all at members winning a subsequent motion to dismiss. At the heart of least in the consciousness of executive-level management. What is the decision was whether or not the board, in making its decision less front of mind, despite the shift in risk landscape, is the concept not to accede to the plaintiff’s demands, had exercised its good faith of shareholder derivative lawsuit brought against a corporation’s business judgment. The court, finding in favour of the board, found officers and directors. that the board undertook appropriate due diligence in considering the plaintiff’s demands and was able to demonstrate that the issue of cybersecurity was being proactively addressed. What is a Shareholder Derivative Lawsuit?

A shareholder derivative lawsuit is a claim brought by a shareholder Target (or group of shareholders) on behalf of a corporation. Usually, the defendant(s) are executive officers or directors of the company, Following the massive 2013 Target data breach which resulted in and the purpose of the claim is to enforce a corporate right that the the theft of credit card and other information relating to as many company itself has not enforced. as 70 million customers, Target’s shareholders filed several (later Corporate directors and officers have fiduciary duties with respect consolidated) derivative shareholder actions against the Target to the corporations they serve, these being the duties of care and board. The claims included allegations that Target had failed to take due loyalty. If shareholders believe that either of these duties have reasonable steps to maintain its customers’ personal and financial been breached, and the company has suffered harm as a result, a information and had failed to implement internal controls designed shareholder derivative suit is the available remedy. These actions to detect and prevent such a data breach. have somewhat unique and complex procedural requirements, but Target’s board, in response to the claims, put together a Special for the purposes of this chapter we will focus on recent case law in Litigation Committee (as provided for under Minnesota law). The the field of director and officer liability, together with practical steps Special Litigation Committee investigated the derivative claim over to be taken to limit risk. a period of almost two years and, following extensive document review, witness interviews and expert consultation, concluded that it would not be in Target’s best interests to pursue the derivative US Case Law shareholder claims against its board. At the same time, the Special Litigation Committee filed a motion to dismiss the derivative Since 2014, several US companies that had been the subject claims, which was successful on the basis that the court’s role, of high-profile data breaches have been served with cybersecurity- under Minnesota law, is not to second guess the conclusions of a related director and officer claims. Special Litigation Committee but instead is to determine whether its members are independent and whether its decision was the product Wyndham of a good faith investigation.

In February 2014, the board of Wyndham Worldwide became Home Depot the subject of the first major shareholder derivative action, claiming that Wyndham’s directors and officers had breached their Home Depot’s retail payment systems were hacked in September fiduciary duties by failing to take sufficient actions to safeguard 2014, and as a result some 56 million customer credit card numbers customers’ personal and financial information. A series of data were compromised. Following a number of consumer civil actions, breaches between 2008 and 2010 resulted in the theft of personal in August 2015 a number of shareholder derivative actions were information of almost 620,000 Wyndham customers and led to a filed against certain current and prior directors and officers of Home subsequent, successful, suit by the Federal Trade Commission for Depot. The derivative action alleged that the defendants breached misrepresentation of security practices. In June 2013, the plaintiff their fiduciary duty of loyalty by failing to institute internal data in the derivative suit sent a demand letter to the Wyndham board

12 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Holland & Hart LLP Directors and Officers Liability for Data Breach

breach risk controls and disbanding a board of directors committee tasked with overseeing those risks. The defendants successfully Claims Analysis filed a motion to dismiss the case in November 2016, based on the To date, the claimant’s success rate in shareholder derivative actions fact that the claimant failed to make a pre-suit demand on the board, arising out of data breaches has been low. The dismissal of the but the claimants subsequently appealed the judge’s decision. The Home Depot derivative suit followed the trend set in Wyndham and parties subsequently agreed to a settlement and, in April 2017, the Target, where such suits have failed to overcome motion to dismiss plaintiffs filed an unopposed motion for preliminary settlement proceedings, as a result of either initial proceeding or procedural of the claim. The settlement included payment of the plaintiff’s issues (which ultimately tie back to the reluctance of the courts to legal fees and a requirement to adopt certain cybersecurity-related second guess the business judgment of directors and officers, and corporate governance reforms, which include documenting the the generally high hurdle required for plaintiffs to show breach of responsibilities of Home Depot’s CISO, maintaining a data security fiduciary duty). At the time of publication, a motion to dismiss, executive committee, and providing regular reports on Home based upon the pleadings, has also been filed in the Wendy’s case. Depot’s IT and cybersecurity budget. Despite the poor plaintiff track record in these suits to date, the Home Depot settlement is interesting, and is indicative of at least a Wendy’s concern on the part of the defendants that their position of no breach of fiduciary duty may not have been sustainable. It will be interesting In December 2016, Wendy’s shareholders filed a derivative claim to see things play out in the context of the Yahoo and Equifax cases, against the fast food giant, arising from a 2015–2016 data breach and whether these claims subsequently open the way for a reversal which affected over 1,000 franchise locations. As of the date of in plaintiffs’ fortunes in this type of litigation. In the case of Yahoo, publication, this litigation remains pending. the shareholder derivative claims provide an alternative approach, being based upon (i) the fact that Yahoo’s stock price was inflated as Yahoo a result of the non-disclosure of the data breaches, and (ii) the sale price with respect to the pending merger with Verizon was reduced Yahoo’s failure to disclose various data breaches between 2013 and by $350million as a result of such data breaches. 2016, in which hackers stole the records of over 1.5 billion users, At the time of writing, both the Equifax breach and the claims that has lead to the filing of a number of shareholder class action claims, have quickly followed it are relatively new. At least one of the including securities claims (which allege that, as a result of Yahoo’s claims includes allegations that Equifax’s disclosures related to its failure to disclose the breaches, the defendants made material public cybersecurity and data protection policies and procedures were false, misrepresentations or failed to disclose material facts (related to the and specifically references the fact that the company made public occurrence, and nature, of the data breaches), which would induce statements as to the effectiveness of its protections knowing that a reasonable investor to misjudge the value of Yahoo’s shares), and there were, in fact, significant system weaknesses as evidenced by breach of fiduciary duty claims (related to Yahoo’s failure to notify the breach. An additional factor which may also impact the strength shareholders of the data breaches until after they had voted in favour of the claim is the fact that, between the date of discovery of the of (i) Yahoo’s sale to Verizon, and (ii) golden parachute payments breach and date of disclosure, several of the company’s executives to be paid to certain individuals, including certain individual (including the CFO) sold shares. Whether these additional factors defendants, if the transaction was approved). As of the date of will be sufficient to get over the extremely high hurdle required for publication, these claims remain pending. such an action will remain to be seen.

Equifax Impact on the C-Suite

In September 2017, just before this chapter was written, credit Notwithstanding the failure of prior claims to proceed, the monitoring and reporting giant Equifax announced that it had emergence of new derivative suits in the cases of Yahoo and Equifax been the subject of a data breach involving some 143 million US is evidence that, as data breaches become more and more prevalent, customers. Predictably, a wave of consumer class action lawsuits the culpability of directors and officers of affected corporations will followed along with, as of the date of publication, at least one continue to be subject to increasing scrutiny. To date, the high bar shareholder class action lawsuit against certain executives and to proving breach of fiduciary duty has provided a protective barrier directors. The current complaint alleges that, between February to board-level liability, but the continued push by the plaintiff bar to 25, 2016 and September 7, 2017, (i) Equifax issued materially false seek redress in the case of data breach does not look as if it will cease. and/or misleading statements, (ii) Equifax failed to disclose that Cybersecurity questions, such as what constitutes reasonable efforts the company failed to maintain proper security systems, controls to secure sensitive information and address system vulnerabilities, and monitoring systems in place to protect its data systems and have long been the domain of the IT professional. However, as detect security breaches, and (iii) upon release of the affected director and officer liability increasingly becomes part of the data, (which included names, SSNs, birth dates, addresses and larger post-breach litigation landscape, board- and executive-level driver’s licence numbers), Equifax’s stock price fell materially, involvement in cyber risk management practices is likely to become which caused investors harm. The claim purports to be filed on more prevalent. Investors are also becoming more informed, and behalf of all shareholders who purchased Equifax shares between with the seemingly constant flow of breaches hitting the press, are the dates referenced above, and references a number of allegedly beginning to ask pointed questions regarding management of cyber false statements made by Equifax during such period relating to the risk by those companies in which they invest. In light of the current quality of its data protection and security measures. As of the date cyber landscape, boards should focus their attentions on the risk of publication, this litigation is ongoing. Other claims are likely to both to the companies they oversee and to their personal liability follow as further details of the breach emerge. and should prioritise actions and protections that mitigate risk and evidence their operation under a reasonable standard of care and business judgment.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 13 © Published and reproduced with kind permission by Global Legal Group Ltd, London Holland & Hart LLP Directors and Officers Liability for Data Breach

Practical steps for directors and officers to put in place to avoid risk management, with critical third-party providers. Understanding cybersecurity liability include: vendor risk is a key part of the security chain, and companies should Board-level Cyber Expertise and Responsibility. Corporations may apply robust diligence and audit measures to those third parties consider the creation of board-level cyber chair positions, whose entrusted with sensitive information, along with ensuring proper responsibilities include cyber committee oversight, an understanding contractual flow down of responsibilities and liabilities. of the cyber risk on a holistic, corporation-wide basis, cyber policy Insurance. The question of whether cyber insurance is required formulation and management and breach response oversight. by a corporation should be discussed between the board and Boards should also ensure that adequate time is reserved at board management. Many companies operate under the misconception meetings for the discussion of cyber-related issues. that their standard commercial insurance policy will provide CISO Reporting. Roles such as Chief Information Security Officer coverage for the unauthorised access to, or use of, data. Typical (CISO) are not new within corporations, but as data breaches director’s and officer’s insurance policies provide broad coverage become more prevalent, the traditional CISO reporting structure is for director acts, errors and omissions, which could include showing signs of changing. Traditionally, the CISO has reported cyber-related matters. Insureds should, however, check carefully in to the corporations’ Chief (CIO), but these to ensure that there is no cyber exclusion, which would result in roles often focus on competing priorities. CIOs are tasked with insurance cover not being available for a cyber incident. As data launching new applications, maintaining service level agreements breach liabilities increase, insurance companies may seek to limit, and ensuring consistent availability of IT services and resources. or at least condition, this type of cover and, accordingly, as part The CISO is generally more risk focused, with one of his or her of their underwriting assessment, insurance companies are also key job descriptions being to reduce security vulnerabilities which starting to ask more questions regarding the state of corporations’ can lead to data breach. This can, and often does, lead to conflict cyber risk management strategies. between security and deployment priorities and as a result there is A Culture of Security. Board knowledge of cyber risk and an increasing argument for CISOs to operate on a more autonomous preparedness is important, but corporations need to ensure that the level from the CIO, with some corporations going as far as to have responsibility for protecting sensitive information is fully integrated the CISO report directly to the Chief Executive Officer. across all levels of the company. Specific employee training aimed at Data Breach Detection, Management and Response. Corporations common data breach causes such as social engineering, malicious or should develop appropriate mechanisms to allow them to detect ‘spear phishing’ emails, Wi-Fi access risks and password protection data breaches as soon as reasonably possible. Once detected, is a critical part of a company’s security management programme. data breaches should be managed through the organisation’s risk Employee policies which clearly specify the how, when and where management process. Too many corporations fail to implement of data access and use are also important. By developing a culture a robust data breach response and notification plan in advance of of security within an organisation, employees are empowered to be an incident, and are left to improvise in the immediate aftermath the stewards of the data for which they are responsible. of a crisis. Not only does this increase cost, in terms of potential The lawsuits discussed in this chapter underscore a new type of legal and other professional services spend, but it can lead to delays liability associated with data breach for corporate directors and in notification and poor public relations handling, all of which are officers whose action, or lack of action, can leave them opento factors in recent direct and officer liability claims. accusations of being asleep at the wheel of cyber risk. The fact that Data Mapping and IT Strategy. In order to understand the cyber risks to date these actions have not proceeded past the motion to dismiss faced by a company, directors and officers need to understand the stage should provide some comfort, but with no letup in the pace nature of the data collected, processed and stored by the corporation, of claims being filed, the day may soon come when one of these and the critical IT systems through which such activities take place. cases proceeds to actual arguments on its merits. Directors and Discussion of cyber risk should go hand in hand with discussion of officers should ignore cyber risk at their peril, but should also take IT strategy. Boards should consider what is appropriate in terms some comfort in the fact that their fiduciary duties can be fulfilled of cyber risk reporting, and how security measures are being built with the adoption of clear and practical policies and procedures, into software and service offerings. Another critical area for risk such as those discussed above. The risk of shareholder litigation management is an understanding of where, and how, data flows both cannot be completely eradicated, but by understanding the cyber within the organisation and externally. risk landscape and taking sensible steps to minimise vulnerabilities, directors and officers can significantly reduce the likelihood of being Vendor Management. It is impractical for the board to have held accountable in data breach lawsuits against their companies. knowledge of every third-party vendor which touches an organisation’s data, but directors should be familiar, in the context of

14 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Holland & Hart LLP Directors and Officers Liability for Data Breach

Liz Harding Holland & Hart LLP One Boulder Plaza 1800 Broadway Boulder, CO 80302 USA

Tel: +1 303 473 2863 Email: [email protected] URL: www.hollandhart.com

Liz Harding is a partner in our Intellectual Property department. Her practice focuses on three key areas: Privacy and Data Security: Liz counsels clients on data privacy compliance, domestic US and international privacy strategies, and the development of worldwide privacy and data protection policies and procedures. She is a dual-qualified lawyer in the US (Colorado) and UK, having practised in the UK for over 10 years before moving to the US. She brings significant experience within EU , which provides her with a unique perspective on the compliance issues faced by US companies doing business in Europe. Advertising and Media Sales: Liz’s experience includes drafting and negotiating advertising sales representation agreements for both regular television and online advertising, barter and trade agreements, and advertising sales terms and conditions. Licensing and Technology: She also drafts and negotiates agreements related to software and hardware development, licensing, and support.

Founded in 1947, Holland & Hart is a full-service, national law firm that today has approximately 500 lawyers across eight states and in Washington, D.C. We deliver integrated legal solutions to regional, national, and international clients of all sizes across a diverse range of industries, including technology, communications, media, energy and resources, healthcare, real estate, financial services, and food and beverage, among others. Data Privacy and Cybersecurity Our multidisciplinary privacy and cybersecurity attorneys counsel clients across the data lifecycle. Our team provides practical legal risk management and compliance guidance relating to the challenges of using both established and emerging technologies with regulated and sensitive data. We combine comprehensive knowledge of the most recent developments in the rapidly expanding area of data privacy and cybersecurity law with pragmatic understanding of how information technology actually works within a company or organisation, both in the United States and abroad. We have helped organisations from emerging start-ups to established Fortune 100 companies resolve more than 200 data breach incidents. And, if litigation or enforcement actions result from a breach, we provide experienced, vigorous defence.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 15 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 4

Albania Renata Leka

Boga & Associates Eno Muja

damage, deformation, change or unauthorised deletion of computer 1 Criminal Activity data is punishable by imprisonment from six months to three years. According to the Final Report of the General Prosecutor on the state 1.1 Would any of the following activities constitute a of criminality for the year 2016, 64 cases have been recorded by the criminal offence in your jurisdiction? If so, please Prosecution body, three of which have ended with the sentencing of provide details of the offence, the maximum penalties the accused, but no details are given on the cases. available, and any examples of prosecutions in your Possession or use of hardware, software or other tools used to jurisdiction: commit cybercrime (e.g. hacking tools)

The “Criminal Code of the Republic of Albania” does not explicitly Article 293/ç of the “Criminal Code of the Republic of Albania” provide a literal denomination of the criminal offences listed in the provides that manufacturing, keeping, selling, giving for use, following, but, nevertheless, the content of these offences can be distribution or any other action to place at disposal an equipment, found in various articles of the Criminal Code as stated below. including a computer program, computer password, access code or any other similar data, created or adapted for breaching a computer Hacking (i.e. unauthorised access) system or a part of it, with the aim of committing a criminal act, as Hacking constitutes a criminal offence in the Albanian jurisdiction. provided in articles 192/b, 293/a, 293/b and 293/c of the “Criminal Article 192/b/1 of the “Criminal Code of the Republic of Albania” Code of the Republic of Albania”, is punishable by imprisonment provides that unauthorised access or excess of authorisation to from six months to five years. According to the Final Report of the a computer system or part of it, through violation of security General Prosecutor on the state of criminality for the year 2016, one measures, is punishable by a fine or imprisonment of up to three case has been recorded by the Prosecution body. years. According to the Final Report of the General Prosecutor or identity fraud (e.g. in connection with access on the state of criminality for the year 2016, four cases have been devices) recorded by the Prosecution body, but no further details are given. Even though the “Criminal Code of Albania” does not explicitly Denial-of-service attacks mention or provide an article dedicated to identity theft, article 186/a Article 293/c/1 of the “Criminal Code of the Republic of Albania” states that modifying, deleting, or omitting computer data, without provides that the creation of serious and unauthorised obstacles the right to do so, in order to create false data, with the intention of to harm the function of a computer system, through insertion, presenting and using them as authentic, even though the created data is damage, deformation, change or deletion of data, is punishable with directly readable or understandable, are all punishable by imprisonment imprisonment from three to seven years. According to the Final from six months to six years. According to the Final Report of the Report of the General Prosecutor on the state of criminality for the General Prosecutor on the state of criminality for the year 2016, 23 year 2016, three cases have been recorded by the Prosecution body, cases have been recorded by the Prosecution body, one of which has but no details are given on the cases. ended with the sentencing of the accused, but no details are given. Phishing Electronic theft (e.g. breach of confidence by a current or former Article 143/b of the “Criminal Code of the Republic of Albania” states employee, or criminal copyright infringement) that adding, modifying or deleting computer data or interfering in Article 186/a/2 of the “Criminal Code of the Republic of Albania” the functioning of a computer system, with the intention of ensuring provides that when the aforementioned criminal act, as described for oneself or for third parties, through fraud, unfair economic in the provision of identity theft above, is done by the person benefits or causing a third party reduction of wealth, is punishable responsible for safekeeping and administering the computer by imprisonment from six months to six years and punishable by data in cooperation, more than once, or has brought forth grave a fine from 60,000 Leke to 600,000 Leke. According to the Final consequences for the public interest, is punishable by imprisonment Report of the General Prosecutor on the state of criminality for the from three to 10 years. year 2016, 51 cases have been recorded by the Prosecution body, Any other activity that adversely affects or threatens the seven of which have ended with the sentencing of the accused, but security, confidentiality, integrity or availability of any IT no further details are given. system, infrastructure, communications network, device or data Infection of IT systems with malware (including ransomware, Article 293/b/2 of the “Criminal Code of the Republic of Albania” spyware, worms, trojans and viruses) provides that damage, deformation, change or unauthorised deletion Article 293/b of the “Criminal Code of Albania” provides that of computer data, when done on military computer data, national

16 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Albania

security, public order, civil protection, and healthcare or in any of the “Criminal Code of the Republic of Albania” states that offering other computer data with public importance is punishable by or distributing to the public through computer systems materials with imprisonment from three to 10 years. racist or xenophobic content constitutes an administrative violation Failure by an organisation to implement cybersecurity measures and is punishable by a fine or imprisonment of up to two years. Article 119/b of the “Criminal Code of the Republic of Albania” provides that In virtue of Law No.2/2017, “On cybersecurity”, failure by an a public insult involving ethnic belonging, nationality, race or religion organisation to implement cybersecurity measures does not constitute through a computer system constitutes an administrative violation and a criminal offence. Article 21 of the Law “On cybersecurity” provides is punishable by a fine or imprisonment of up to two years. that failure to implement cybersecurity measures is considered an administrative violation and is punishable by a fine.

2 Applicable Laws Albania 1.2 Do any of the above-mentioned offences have extraterritorial application? 2.1 Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable The Convention “On cyber crime”, ratified in Albania on 25.04.2002 to the monitoring, detection, prevention, mitigation through Law No.8888, provides, in article 22, that Member States of the and management of Incidents. This may include, Convention, must determine the jurisdiction in cases when a cyber crime for example, laws of data protection, intellectual is committed in their territory or by a citizen of that state. Article 6/2 of property, breach of confidence, privacy of electronic the “Criminal Code of the Republic of Albania” provides that Albanian communications, information security, and import / export controls, among others. law is also applicable to Albanian citizens who commit a crime in the territory of another state, when the crime is at the same time punishable 1. The Convention “On cyber crime” ratified in Albania on and as long as there is not any final decision by any foreign court for 25.04.2002 with Law No.8888. that crime. Also, article 7/a of the “Criminal Code of the Republic of Albania” states that the criminal law of the Republic of Albania is 2. Law No.7895, dated 27.01.1995, “Criminal Code of the Republic of Albania”, as amended. also applicable to foreign citizens who have committed a criminal act outside the territory of the Republic of Albania for which special laws or 3. Law No.2/2017 “On cybersecurity”. international agreements, of which the Republic of Albania is a part of, 4. Law No.9918, dated 19.05.2008, “On electronic determine the application of the Albanian criminal legislation. communications in the Republic of Albania”, as amended. 5. Law No.9887, dated 10.03.2008, “On protection of personal data”, as amended. 1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an 6. Law No.8457, dated 11.02.1999, “On classified information exception to any of the above-mentioned offences? ‘Secret of State’”. 7. Law No.9880, dated 25.02.2008, “On electronic signature”, Article 48 of the “Criminal Code of the Republic of Albania” provides as amended. mitigating circumstances for any penalty. These circumstances include, 8. The Decision of Council of Ministers No.141, dated but are not limited to: a) when the criminal act is driven by motives 22.02.2017, “On organising and functioning of national of positive moral and social value; b) when the criminal act is done authority for electronic certification and cybersecurity”. under the influence of psychic shock caused by provocation or unfair actions of the victim or any other person; c) when the criminal act is 2.2 Are there any cybersecurity requirements under done under the influence or unfair instruction of a superior; ç) when the Applicable Laws applicable to critical infrastructure person responsible for the criminal act shows deep repentance; d) when in your jurisdiction? For EU countries only, how the person has replaced the damage caused by the criminal act or has (and according to what timetable) is your jurisdiction actively helped to erase or minimise the consequences of the criminal expected to implement the Network and Information Systems Directive? Please include details of any act; dh) when the person presents him/herself at the competent bodies instances where the implementing legislation in your after committing the criminal act; and e) when the relations between jurisdiction is anticipated to exceed the requirements the person who has committed the criminal act and the person who has of the Directive. suffered the consequences of the criminal act have returned to normal. Article 8 of the Law “On cybersecurity” specifies that operators 1.4 Are there any other criminal offences (not specific of critical infrastructure of information are obliged to implement to cybersecurity) in your jurisdiction that may arise the requirements of safety measures, and to also document their in relation to cybersecurity or the occurrence of an implementation. Article 9/3 of the Law “On cybersecurity” Incident (e.g. terrorism offences)? Please cite any provides that the Responsible Authority for Electronic Certification specific examples of prosecutions of these offences and Cybersecurity (herein the “Authority”) determines, through in a cybersecurity context. a regulation, the content and method of documenting the safety measures. To the best of our knowledge, no such regulation exists. Article 74/a of the “Criminal Code of the Republic of Albania” states that distributing or offering to the public through computer systems materials that deny, minimise, or significantly approve or justify acts 2.3 Are organisations required under Applicable Laws, which constitute genocide or against humanity is punishable or otherwise expected by a regulatory or other authority, to take measures to monitor, detect, prevent by imprisonment from three to six years. Also, article 84/a of the or mitigate Incidents? If so, please describe what “Criminal Code of the Republic of Albania” provides that serious measures are required to be taken. intimidation to kill or seriously injure a person through computer systems because of ethnic belonging, nationality, race or religion is Article 9 of the Law “On cybersecurity” provides a list of safety punishable by a fine or imprisonment of up to three years. Article 119/a measures and divides them into two groups: organisational measures;

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 17 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Albania

and technical measures. As specified above, the Authority determines, through a regulation, the content and method of documenting the 2.8 Do the responses to questions 2.5 to 2.7 change if the safety measures. To date, no such regulation exists. information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email address from which a phishing email originates); (d) 2.4 In relation to any requirements identified in question personally identifiable information of cyber threat 2.3 above, might any conflict of laws issues actors; and (e) personally identifiable information of arise? For example, conflicts with laws relating individuals who have been inadvertently involved in to the unauthorised interception of electronic an Incident? communications or import / export controls of encryption software and hardware. The responses to questions 2.5 to 2.7 do not change regardless of the Albania information included. To the best of our knowledge, no such conflict of laws issues arise.

2.9 Please provide details of the regulator(s) responsible 2.5 Are organisations required under Applicable Laws, or for enforcing the requirements identified under otherwise expected by a regulatory or other authority, questions 2.3 to 2.7. to report information related to Incidents or potential Incidents to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the Article 8 of the Law “On cybersecurity” provides that Operators of circumstance in which this reporting obligation is Critical Infrastructure of Information and Operators of Important triggered; (b) the regulatory or other authority to Infrastructure of Information are obliged to implement the safety which the information is required to be reported; (c) the nature and scope of information that is required measures and also document their implementation. Furthermore, to be reported (e.g. malware signatures, network the aforementioned Operators are obliged to implement the vulnerabilities and other technical characteristics requirements of the safety measures during the establishment of identifying an Incident or cyber attack methodology); infrastructure. and (d) whether any defences or exemptions exist by which the organisation might prevent publication of that information. 2.10 What are the penalties for not complying with the requirements identified under questions 2.3 to 2.8? Article 11 of the Law “On cybersecurity” provides that operators of critical infrastructure of information and operators of important Article 22 of the Law “On cybersecurity” states that in case of non- infrastructure of information are obliged to report immediately compliance with the requirements specified in the law, the Authority to the Authority after they discover any Incidents. The Authority issues fines from 20,000 Leke to 800,000 Leke. determines, through a specific regulation, the types and categories of Incidents regarding cybersecurity. In the case of Incidents towards constitutional institutions (for example, those of security and 2.11 Please cite any specific examples of enforcement defence), the Authority reports immediately to the directors of these action taken in cases of non-compliance with the above-mentioned requirements. institutions. In addition, article 12 provides the type of information which is kept and administered in the electronic register of the Authority: data regarding the incident report; data on identification The Law “On cybersecurity” is relatively new, and to the best of our of the system in which the Incident happened; data on the source of knowledge there are not any examples of enforcement action taken the Incident; and the procedure for solving the Incident and its result. in cases of non-compliance with the abovementioned requirements. Article 14 states that the Authority shall maintain full confidentiality of the data collected during the process of solving the Incident. 3 Specific Sectors

2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information 3.1 Does market practice with respect to information related to Incidents or potential Incidents with: (a) security (e.g. measures to prevent, detect, mitigate a regulatory or other authority in your jurisdiction; and respond to Incidents) vary across different (b) a regulatory or other authority outside your business sectors in your jurisdiction? Please include jurisdiction; or (c) other private sector organisations details of any common deviations from the strict legal or trade associations in or outside your jurisdiction? requirements under Applicable Laws.

Organisations are required to share information related to Incidents There is not any difference as regards the variety of measures or potential Incidents, with contact points determined by the taken across different business sectors, because the Law “On Operators of Critical Infrastructure of Information or the Operators cybersecurity” is applied the same regardless of the business sector. of Important Infrastructure of Information. The Authority has also provided a standard form to be completed in case of Incidents. 3.2 Are there any specific legal requirements in relation to cybersecurity applicable to organisations 2.7 Are organisations required under Applicable Laws, or in: (a) the financial services sector; and (b) the otherwise expected by a regulatory or other authority, telecommunications sector? to report information related to Incidents or potential Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this The Law “On cybersecurity” is the only one governing as regards to reporting obligation is triggered; and (b) the nature and cybersecurity for all organisations, private or public, in the Republic scope of information that is required to be reported. of Albania.

To the best of our knowledge and after carefully reviewing the legislation, there are not any provisions as regards this situation.

18 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Albania

4 Corporate Governance 5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident?

4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, The Law “On cybersecurity” does not provide any specifications mitigate, manage or respond to an Incident amount to in this regard, but there is potential liability in tort in relation to an a breach of directors’ duties in your jurisdiction? Incident, in virtue of the “Civil Code of the Republic of Albania”, as specified above in question 5.1. The Law “On cybersecurity” does not elaborate on this point, but nevertheless this is a matter of regulation inside the company.

6 Insurance Albania

4.2 Are companies (whether listed or private) required under Applicable Laws to: (a) designate a CISO; 6.1 Are organisations permitted to take out insurance (b) establish a written Incident response plan or against Incidents in your jurisdiction? policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform To the best of our knowledge, organisations are not prohibited to penetration tests or vulnerability assessments? take out insurance against Incidents.

To the best of our knowledge, there is not any obligation to fulfil these requirements. The Authority shall draft, approve and publish 6.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as the necessary regulations to complete the legislation frame on business interruption, system failures, cyber extortion cybersecurity in 12 months from the date of the law’s approval. or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover? 4.3 Are companies (whether listed or private) subject to any specific disclosure requirements in relation There are not any regulatory limitations to insurance coverage to cybersecurity risks or Incidents (e.g. to listing against specific types of loss, such as business interruption, etc. authorities, the market or otherwise in their annual reports)? 7 Employees The Law “On cybersecurity”, even though it does not clearly mention companies, provides the obligation to report to the 7.1 Are there any specific requirements under Applicable competent authorities. But, the “Code of Criminal Procedure of the Law regarding: (a) the monitoring of employees for Republic of Albania” demands disclosure when legally asked by the the purposes of preventing, detection, mitigating and Prosecution; be it through an order or a court decision. responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents by employees to their employer? 4.4 Are companies (whether public or listed) subject to any other specific requirements under Applicable Laws in relation to cybersecurity? Article 9 of the Law “On cybersecurity” states that responsible bodies should take the necessary measures to manage and monitor the safety of human resources and peoples’ access. To the best of our knowledge, companies are not subject to any other specific requirements under Applicable Laws in relation to cybersecurity. 7.2 Are there any Applicable Laws (e.g. whistle-blowing laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents 5 Litigation by an employee?

To the best of our knowledge and after carefully reviewing the 5.1 Please provide details of any civil actions that may be current Albanian legislation on the matter, there are not any brought in relation to any Incident and the elements of prohibitions in this regard. that action that would need to be met.

For a civil action to be brought in relation to any Incident, it is 8 Investigatory and Police Powers necessary to provide the element of damage caused by a person committing an illegal action and evidence the causality of this action. It is also necessary to identify the source or the person 8.1 Please provide details of any investigatory powers of responsible for the Incident. law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident. 5.2 Please cite any specific examples of cases that have been brought in your jurisdiction in relation to Structures for cyber crime at the County Directory Police and Incidents. General County Directory Police are responsible for investigating any crimes related to cybersecurity. In addition, the State Police To the best of our knowledge, there are not any specific examples of has made available to the public: www.asp.gov.al/denonco_kk, an cases brought in relation to Incidents. internet site, where every person can report in real-time any criminal act related to cyber crimes. The Authority is also responsible for investigating any reported crimes related to cybersecurity.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 19 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Albania

8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide law enforcement authorities with encryption keys?

To the best of our knowledge, there are not any requirements under Applicable Laws that organisations are to implement backdoors in their IT systems. Albania Renata Leka Eno Muja Boga & Associates Boga & Associates Ibrahim Rugova Str. Ibrahim Rugova Str. Green Park, Tower I Green Park, Tower I Tirana Tirana Albania Albania

Tel: +355 4 225 1050 Tel: +355 4 225 1050 Email: [email protected] Email: [email protected] URL: www.bogalaw.com URL: www.bogalaw.com

Renata is a Partner at Boga & Associates, which she joined in Eno is an Associate at Boga & Associates. 1998. She is an authorised trademark agent and has ample His main areas of practice include IP Law, Data Protection, Labour experience in trademark filing strategy, portfolio management and Law, as well as assistance to clients on different business law aspects. trademark prosecution, and handles a range of international matters He has previously worked as a private practice lawyer. involving IPR issues. She manages anti-piracy and anti-counterfeit programmes regarding violation of copyright in Albania and assists Eno graduated in Law at the University of Tirana and obtained a Master international clients in all aspects of the IPR. She is also head of the of Science degree focused on Private Law in 2014. He has been a IPR Committee of the American Chamber of Commerce in Albania and member of the Albanian National Chamber of Advocates since 2016. is active in all its activities vis-à-vis public authorities in matters of IPR Eno is fluent in English, Italian, and French and speaks moderate in Albania. German. For years, Renata has been recognised as a “Leading Individual” in “Intellectual Property” in Chambers and Partners and Chambers Europe – “Europe’s Leading Lawyers for Business” (2010, 2011, 2012, 2013, 2016, 2017). According to Chambers Europe, Renata continues to be highly active, and assists a number of international corporations with trademark protection. She is also contributing to World Trademark Review magazine for Albania. Renata graduated in Law at the University of Tirana in 1996 and also holds a Practice Diploma in International Intellectual Property Law (2006) and a Practice Diploma in Anti-Trust Law (2009) from the College of Law of England and Wales, UK. Renata is fluent in English and Italian.

Boga & Associates, established in 1994, has emerged as one of the premier law firms in Albania, earning a reputation for providing the highest quality of legal, tax and accounting services to its clients. The firm also operates in Kosovo (Pristina) offering a full range of services. Until May 2007, the firm was a member firm of KPMG International and the Senior Partner/Managing Partner, Mr. Genc Boga, was also the Senior Partner/Managing Partner of KPMG Albania. The firm’s particularity is linked to the multidisciplinary services it provides to its clients, through an uncompromising commitment to excellence. Apart from the widely consolidated legal practice, the firm also offers the highest standards of expertise in tax and accounting services, with keen sensitivity to the rapid changes in the Albanian and Kosovo business environment. The firm delivers services to leading clients in major industries, banks and financial institutions, as well as to companies engaged in insurance, construction, energy and utilities, entertainment and media, mining, oil and gas, professional services, real estate, technology, telecommunications, tourism, transport, infrastructure and consumer goods. The firm is continuously ranked as a “top tier firm” by The Legal 500, by Chambers and Partners for Corporate/Commercial, Dispute Resolution, Projects, Intellectual Property, Real Estate, as well as by IFLR in Financial and Corporate Law. The firm is praised by clients and peers as a “law firm with high-calibre expertise”, “the market-leading practice”, “a unique legal know-how”, distinguished “among the elite in Albania” and described as “accessible, responsive and wise”.

20 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 5

Australia Paul Kallenbach

MinterEllison Leah Mooney

■ s477.1 (unauthorised access, modification or impairment with 1 Criminal Activity the intent to commit a serious offence), which applies when the primary offence (for example, fraud or terrorism) carries a penalty of five years or more or life imprisonment. The 1.1 Would any of the following activities constitute a penalty cannot exceed the penalty applicable to the primary criminal offence in your jurisdiction? If so, please offence. provide details of the offence, the maximum penalties available, and any examples of prosecutions in your Denial-of-service attacks jurisdiction: Denial-of-service attacks may fall under s477.3 of the Criminal Code (unauthorised impairment of electronic communications), In Australia, the term ‘cybercrime’ is used by the Commonwealth carrying a maximum penalty of 10 years’ imprisonment. Attorney-General’s Department to describe both: Alternatively, a person may be charged with an offence under s477.2 ■ crimes directed at computers or other information and of the Criminal Code (unauthorised modification of data to cause communications technologies (ICTs) (such as hacking and impairment), carrying a maximum penalty of 10 years’ imprisonment. denial-of-service attacks); and Phishing ■ crimes where computers or ICTs are an integral part of an offence (such as online fraud, identity theft and the Phishing emails are regulated by the Spam Act 2003 (Cth) (the Spam distribution of child exploitation material). Act) which is enforced by the Australian Communications and The Commonwealth and the States and Territories are involved in Media Authority (ACMA). The Spam Act prohibits the sending of responding to different aspects of cybercrime in Australia. While unsolicited commercial electronic messages with an Australian link the States and Territories have primary responsibility for cybercrime (i.e. where the message originated or was commissioned in Australia that targets individuals, businesses and Government systems in their or was sent to an address in Australia). The maximum civil penalty jurisdictions, the Commonwealth has primary responsibility for under the Spam Act is 10,000 penalty units equating to AU$2.1m. cybercrime directed at critical infrastructure, systems of national Phishing may also be caught by the unauthorised criminal access interest and Commonwealth Government systems. offences in the Criminal Code, discussed above in the context of In 2013, the Commonwealth Government released its National Plan hacking. to Combat Cybercrime (the National Plan) which recognised the Infection of IT systems with malware (including ransomware, need for a coordinated national response to the rise of cybercrime. spyware, worms, trojans and viruses) The National Plan outlined six priority areas, including partnering Malware infections may fall under s477.2 of the Criminal Code with industry and improving international engagement on cybercrime, (unauthorised modification of data to cause impairment), carrying a where the Australian Government intends to focus its efforts in the maximum penalty of 10 years’ imprisonment. short to medium term. Key initiatives introduced as a direct result of Where the malware infection is undertaken with an intent to commit the National Plan included the establishment of the Australian Cyber a serious offence, s477.1 of the Criminal Code may also apply (with Security Centre (bringing together the Australian Government’s most the penalty not to exceed the penalty applicable to the primary sophisticated cybersecurity capabilities into a single facility) and offence). the establishment of the Australian Cybercrime Online Reporting Network (intended to simplify the process of reporting cybercrime). Possession or use of hardware, software or other tools used to commit cybercrime (e.g. hacking tools) The Commonwealth created offences in Parts 10.6 and 10.7 of the Criminal Code Act 1995 (Cth) (the Criminal Code) to address The possession of such a tool may fall under s478.3 of the Criminal cybercrime (consistent with those set out in the Council of Europe Code (possession or control of data with the intent to commit a Convention on Cybercrime). The Commonwealth offences are computer offence), giving rise to a maximum penalty of three years’ supplemented by State and Territory laws that criminalise the imprisonment. misuse of data and computer systems. Identity theft or identity fraud (e.g. in connection with access Hacking (i.e. unauthorised access) devices) Hacking may fall under the following offences in the Criminal Code: Online fraud generally falls within the jurisdiction of Australian ■ s478.1 (unauthorised access to, or modification of, restricted States and Territories unless the victim is a Commonwealth data), with a maximum penalty of two years’ imprisonment; Government department or a Commonwealth Authority. The scope and of the offence and the applicable penalty depends on the jurisdiction.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 21 © Published and reproduced with kind permission by Global Legal Group Ltd, London MinterEllison Australia

Electronic theft (e.g. breach of confidence by a current or former ■ all private sector and not-for-profit organisations with an employee, or criminal copyright infringement) annual turnover of more than AU$3m; Electronic theft may be caught by the unauthorised access offences ■ all private health service providers; in the Criminal Code, discussed above in the context of hacking. ■ credit providers and reporting bodies; Any other activity that adversely affects or threatens the ■ organisations holding tax file numbers; and security, confidentiality, integrity or availability of any IT ■ some small businesses (collectively, APP Entities). system, infrastructure, communications network, device or data Most Australian States and Territories also have laws that regulate There are also additional offences in the Criminal Code relating to the handling of personal information. In some cases, the operation of unauthorised impairment of electronic communications and data these laws is limited to State and Territory Government departments

Australia giving rise to a maximum penalty of 10 years’ imprisonment. and agencies. In other cases, the laws extend to the private sector Failure by an organisation to implement cybersecurity measures (for example, the Victorian Health Records Act 2001). This is not applicable in our jurisdiction. 2.2 Are there any cybersecurity requirements under Applicable Laws applicable to critical infrastructure 1.2 Do any of the above-mentioned offences have in your jurisdiction? For EU countries only, how extraterritorial application? (and according to what timetable) is your jurisdiction expected to implement the Network and Information Australian law enforcement authorities generally only have Systems Directive? Please include details of any jurisdiction to act where the perpetrator is an Australian citizen or instances where the implementing legislation in your resides in Australia, or where the affected computer server is located jurisdiction is anticipated to exceed the requirements within Australia. of the Directive.

This is not applicable in our jurisdiction. 1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an exception to any of the above-mentioned offences? 2.3 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other No, general sentencing principles apply. authority, to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what measures are required to be taken. 1.4 Are there any other criminal offences (not specific to cybersecurity) in your jurisdiction that may arise The Office of the Australian Information Commissioner (OAIC) in relation to cybersecurity or the occurrence of an regulates compliance with the . The OAIC encourages Incident (e.g. terrorism offences)? Please cite any specific examples of prosecutions of these offences APP Entities to conduct privacy impact assessments, information in a cybersecurity context. security risk assessments and regular reviews of the company’s personal information security controls in its non-binding Guide to The Criminal Code contains a range of offences relating to terrorist securing personal information, dated January 2015. acts, terrorist organisations and financing terrorism that could Following the passage of the Privacy Amendment (Notification potentially extend to the activities of cybercriminals. of Serious Data Breaches) Bill 2015 (Cth) earlier this year, APP Entities that have reasonable grounds to suspect an eligible data breach will, from 22 February 2018, have a positive duty to carry 2 Applicable Laws out an assessment to determine whether an eligible data breach has occurred. 2.1 Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable 2.4 In relation to any requirements identified in question to the monitoring, detection, prevention, mitigation 2.3 above, might any conflict of laws issues and management of Incidents. This may include, arise? For example, conflicts with laws relating for example, laws of data protection, intellectual to the unauthorised interception of electronic property, breach of confidence, privacy of electronic communications or import / export controls of communications, information security, and import / encryption software and hardware. export controls, among others.

While the position is currently untested in Australia, it seems The Privacy Act 1988 (Cth) (the Privacy Act) regulates how unlikely that the measures APP Entities are obliged or encouraged personal information is handled in Australia and is the primary to take under the Privacy Act will overlap or conflict with, for legislation addressing these issues. Personal information is defined example, laws restricting activities. For example, the as “information or an opinion, whether true or not, and whether Privacy Act has specific exceptions in relation to compliance with recorded in material form or not, about an identified individual, or Australian and overseas laws. an individual who is reasonably identifiable”. The Australian Privacy Principles (APPs), in schedule 1 of the Privacy Act, outline how the following organisations must handle, use and manage personal information: ■ most Commonwealth Government agencies (and parties to Government contracts);

22 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London MinterEllison Australia

The OAIC, in its non-binding Data breach notification guide, 2.5 Are organisations required under Applicable Laws, or encourages APP Entities to voluntarily notify affected individuals otherwise expected by a regulatory or other authority, if a data breach creates a real risk of serious harm to the individual. to report information related to Incidents or potential Incidents to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the 2.8 Do the responses to questions 2.5 to 2.7 change if the circumstance in which this reporting obligation is information includes: (a) price sensitive information; triggered; (b) the regulatory or other authority to (b) IP addresses; (c) email addresses (e.g. an email which the information is required to be reported; (c) address from which a phishing email originates); (d) the nature and scope of information that is required personally identifiable information of cyber threat to be reported (e.g. malware signatures, network actors; and (e) personally identifiable information of vulnerabilities and other technical characteristics

individuals who have been inadvertently involved in Australia identifying an Incident or cyber attack methodology); an Incident? and (d) whether any defences or exemptions exist by which the organisation might prevent publication of that information. Price sensitive information may be subject to contractual confidentiality obligations. IP addresses are also caught bythe Telecommunications (Interception and Access) Act 1979 (Cth) (the From 22 February 2018, APP Entities will be obliged to notify Telecoms Act) which requires telecommunications entities to retain eligible data breaches to the OAIC. An eligible data breach is a particular set of telecommunications data (primarily, metadata) for an unauthorised access to, or disclosure of, or loss of, personal at least two years. The remaining examples are all forms of personal information that a reasonable person would conclude is likely information which fall within the ambit of the Privacy Act discussed to result in serious harm to any of the individuals to whom the above. information relates. The notification to the OAIC must include: 2.9 Please provide details of the regulator(s) responsible ■ the identity and contact details of the APP Entity; for enforcing the requirements identified under ■ a description of the eligible data breach that the APP Entity questions 2.3 to 2.7. has reasonable grounds to believe occurred; ■ the kind/s of information concerned; and The Office of the Australian Information Commissioner OAIC( ). ■ recommendations about the steps individuals should take in response to the eligible data breach. 2.10 What are the penalties for not complying with the There are a number of exemptions from notification, including requirements identified under questions 2.3 to 2.8? where an APP Entity takes remedial action, where another entity has already made the notification, or where notification is likely to The OAIC has wide-ranging powers to: prejudice law enforcement activities. ■ conduct an investigation; ■ make a determination on a privacy complaint, including in 2.6 If not a requirement, are organisations permitted by relation to compensation; Applicable Laws to voluntarily share information ■ seek an enforceable undertaking; and related to Incidents or potential Incidents with: (a) a regulatory or other authority in your jurisdiction; ■ in the case of a serious or repeated interference with the (b) a regulatory or other authority outside your privacy of an individual, seek a civil penalty order from the jurisdiction; or (c) other private sector organisations court of up to AU$420,000 for an individual and AU$2.1m or trade associations in or outside your jurisdiction? for a company.

The OAIC in its non-binding Data breach notification guide: A 2.11 Please cite any specific examples of enforcement guide to handling personal information security breaches (Data action taken in cases of non-compliance with the breach notification guide) strongly encourages APP Entities to above-mentioned requirements. voluntarily notify the OAIC of serious data breaches. In the same guide, the OAIC also encourages notification to the To date, the OAIC has displayed a preference for seeking enforceable police, insurers, credit card companies, financial institutions, credit undertakings and making determinations (including awarding low reporting agencies, professional or other regulatory bodies and other levels of compensation) in its approach to enforcement. internal and external parties in certain specified circumstances. 3 Specific Sectors 2.7 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential 3.1 Does market practice with respect to information Incidents to any affected individuals? If so, please security (e.g. measures to prevent, detect, mitigate provide details of: (a) the circumstance in which this and respond to Incidents) vary across different reporting obligation is triggered; and (b) the nature and business sectors in your jurisdiction? Please include scope of information that is required to be reported. details of any common deviations from the strict legal requirements under Applicable Laws. From 22 February 2018, once an APP Entity is aware that there are reasonable grounds to believe there has been an eligible data breach, Health information and credit reporting information are regarded as the APP Entity must notify affected individuals. However, if it is among the most sensitive forms of personal information, and the not practical to notify those individuals, APP Entities are permitted Privacy Act imposes additional obligations on private organisations to publish the notification on the entity’s website or take other that handle such information. Some Australian States and Territories reasonable steps to publicise the contents of the statement. have also enacted specific legislation relating to the protection

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 23 © Published and reproduced with kind permission by Global Legal Group Ltd, London MinterEllison Australia

of health information. These various legislative regimes are not consistent in approach. 4.3 Are companies (whether listed or private) subject to any specific disclosure requirements in relation to cybersecurity risks or Incidents (e.g. to listing 3.2 Are there any specific legal requirements in relation authorities, the market or otherwise in their annual to cybersecurity applicable to organisations reports)? in: (a) the financial services sector; and (b) the telecommunications sector? Australian companies (depending on the size and type of company) may have reporting obligations with respect to data breaches and (a) In addition to the requirements discussed below in section 4, the other cybersecurity risks. Such obligations may arise, for example: Australian Prudential Regulation Authority (APRA) imposes ■ in relation to its annual report, in which details may be Australia regulatory obligations on the financial services sector participants that it regulates in relation to risk management and business required of (among other things) liabilities of the company continuity management that are relevant to cybersecurity. in its financial statements, the operations of the company and any significant changes in the company’s state of affairs (see (b) The Telecoms Act imposes additional privacy-related Part 2M.3 of the Corps Act); obligations, and requires telecommunications entities to retain a particular set of telecommunications data (primarily ■ during fundraising, where obligations arise to disclose all metadata) for at least two years. information required to enable investors to make an informed assessment of the company making the public offer. Cyber risks must be adequately disclosed during this process (for 4 Corporate Governance example, see s710 (content of prospectus) and s715 (content of offer information statement) of the Corps Act); ■ for an entity which has periodic and continuous disclosure 4.1 In what circumstances, if any, might a failure by obligations (which may be pursuant to the Corps Act and a company (whether listed or private) to prevent, the rules of a securities exchange on which the entity is mitigate, manage or respond to an Incident amount to listed, such as the Australian Securities Exchange (ASX)), a breach of directors’ duties in your jurisdiction? where the occurrence or details of the Incident is market- sensitive information. In the event of an Incident, a prompt Australia’s corporate, markets and financial services regulator, the determination must be made by a company regarding Australian Securities & Investments Commission (ASIC), released whether to disclose information in relation to the Incident, Report 429 – Cyber resilience: Health check, highlighting the what to disclose, when to disclose the information, in what form to disclose it and whether any exceptions apply (for importance of cyber resilience. Through the release of the report example, see s674 (continuous disclosure) of the Corps Act, and related communications, ASIC has sent a clear message that it Chapters 3 and 4 of the ASX Listing Rules and ASX Guidance expects a high standard of cyber risk management from the entities Note 8). Incidents may also be relevant in relation to ASX it regulates and that directors must consider how cyber risks affect listed entities’ obligations to disclose the extent to which they companies and their directors’ duties. comply with the recommendations of the ASX Corporate A failure on the part of a director to consider cyber risks in the Governance Council, which relates to (among other things) context of corporate governance and risk management practices may internal controls for risk management and oversight (see ASX Listing Rule 4.10.3); or breach the director’s duty to act with reasonable care and diligence under s180(1) (care and diligence) of the Corporations Act 2001 ■ for Australian financial services licensees (AFS licensees), where they are required to report a significant breach (or (Cth) (the Corps Act). A director may be found personally liable likely significant breach) of specified obligations to ASIC. for a breach of s180, and civil penalties may apply. AFS licensees must identify whether an Incident impinges on its ability to provide financial services in accordance with its 4.2 Are companies (whether listed or private) required licence, thereby constituting a breach (or likely breach) of its under Applicable Laws to: (a) designate a CISO; obligations under s912A of the Corps Act (see s912D (breach (b) establish a written Incident response plan or reporting) of the Corps Act). policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform penetration tests or vulnerability assessments? 4.4 Are companies (whether public or listed) subject to any other specific requirements under Applicable Laws in relation to cybersecurity? Australian companies are encouraged by regulators to take steps to improve cyber resilience, which include some of the steps identified In addition to the Corps Act, the Privacy Act and exchange above. rules such as the ASX Listing Rules addressed above, Australian The OAIC encourages companies that are subject to the Privacy Act companies may also be subject to other Applicable Laws imposing to: requirements or guidance in relation to cybersecurity, including: ■ develop a data breach response plan; ■ The ASX Corporate Governance Council’s Corporate ■ conduct privacy impact assessments, information security risk governance principles and recommendations, 3rd edition, assessments and regular reviews of the company’s personal ASX, 2014, requiring ASX-listed entities to make timely and information security controls (which may include penetration balanced disclosures and recognise and manage risks. or vulnerability testing to discover security weaknesses); and ■ The ASIC Derivative Trade Repository Rules 2013, requiring ■ conduct appropriate due diligence on third-party vendors. ADTR licensees to have comprehensive governance and management arrangements in place. ASIC also encourages companies to assess and improve their cyber resilience by reference to the standards of the NIST Cybersecurity ■ The National Consumer Credit Protection Act 2009 (Cth), Framework or similar cyber risk management frameworks, in order imposing general licensing obligations on credit licensees including risk management requirements. to identify critical assets and develop and implement procedures to protect those assets.

24 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London MinterEllison Australia

■ ePayments Codes, obliging subscribers to: 6 Insurance ■ compensate consumers for losses in certain circumstances; and ■ report information about unauthorised transactions to 6.1 Are organisations permitted to take out insurance ASIC. against Incidents in your jurisdiction? ■ The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Financial Transaction Yes. In fact, there is an upward trend in the appetite for Reports Act 1988 (Cth), requiring Australian Transaction cybersecurity and privacy insurance among Australian organisations. Reports and Analysis Centre (AUSTRAC) reporting entities MinterEllison’s cybersecurity survey Perspectives on Cyber Risk to make suspicious matter reports to AUSTRAC in certain Report 2017 found that 39% of respondents had purchased some form circumstances. of cyber insurance, an increase from 24% in the previous year. Australia ■ Australian organisations that handle cardholder data (such as Australian policies are generally hybrid products providing cover credit card or bank account numbers) may be contractually required to comply with the PCI DSS. This is a set of for first-party losses such as data breach response costs and business comprehensive requirements in relation to data security that interruption losses, regulatory cover for fines and penalties and are intended to reflect industry best practice for the storage, liability covers including data breach and privacy liability, media processing and transmission of cardholder data. liability and network security liability. Cover is also available for Australian companies may also be subject to additional regulatory cyber extortion and value-adds such as credit monitoring and call guidance, specific Commonwealth, State or Territory laws or centre costs. relevant international standards, particularly in relation to specific industry sectors. 6.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as business interruption, system failures, cyber extortion 5 Litigation or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover?

5.1 Please provide details of any civil actions that may be We are not aware of any regulatory limitations to insurance brought in relation to any Incident and the elements of coverage against business interruption, system failures or digital that action that would need to be met. asset restoration cover. While insurance cover for cyber extortion is widely available, the position with respect to the payment of While the position in Australia with respect to civil actions that ransoms in this context is complicated. may be brought in relation to any Incident is largely untested, it is anticipated that such actions will be brought in contract (for The payment of a ransom to a terrorist organisation may contravene example, for breach of a services agreement or confidentiality Australia’s counter-terrorism laws. Further, the payment of a ransom agreement) or under the Australian Consumer Law in schedule 2 to an entity or individual named in the consolidated sanctions list of the Competition and Consumer Act 2010 (Cth) (for example, for maintained by the Commonwealth Department of Foreign Affairs misleading and deceptive conduct). and Trade may contravene the United Nations Security Council sanction regime or Australia’s autonomous sanction regime. While there is no existing precedent for derivative actions arising from Incidents, this is becoming a realistic prospect in Australia In the context of cyber extortion insurance cover in Australia, this with the growth of litigation funding opportunities. issue has been reconciled by providing cover for cyber extortion losses, but limiting the scope of the cover through the imposition of conditions (such as the requirements that the threat be credible 5.2 Please cite any specific examples of cases that and for the prior written consent of the insurer) and exclusions have been brought in your jurisdiction in relation to (for conduct that is criminal or in violation of economic or trade Incidents. sanctions).

Specific examples are not available. In practical terms, insureds should take steps to reasonably satisfy themselves that the individual or organisation extorting payment of the ransom is not listed in the consolidated sanctions list or the 5.3 Is there any potential liability in tort or equivalent terrorist organisations list. A cautious approach to the payment legal theory in relation to an Incident? of ransoms is recommended, as a criminal offence may still be committed in Australia if the payment is made recklessly. It is anticipated that, as the common law in Australia presently stands, claimants would experience difficulty in attempting to formulate a claim in negligence arising from an Incident. For 7 Employees example, Australian tort law does not currently provide a remedy for intentional infliction of emotional distress which does not amount to 7.1 Are there any specific requirements under Applicable recognisable psychiatric illness. In addition, while the Australian Law regarding: (a) the monitoring of employees for courts do recognise claims for pure economic loss, this is only done the purposes of preventing, detection, mitigating and in limited circumstances where additional requirements must be met responding to Incidents; and (b) the reporting of cyber for a duty of care to arise. risks, security flaws, Incidents or potential Incidents In an attempt to address these issues, the Australian Law Reform by employees to their employer? Commission has in recent years recommended the introduction of a statutory cause of action for breach of privacy. (a) Employers will generally develop policies relating to employees’ use of email, the internet, telephone and other resources, setting out the circumstances in which employee activities will be monitored. Provided that employees have

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 25 © Published and reproduced with kind permission by Global Legal Group Ltd, London MinterEllison Australia

been advised of the employer’s intention to monitor activity ■ disclosure of “official secrets”, which include “a prescribed for the purposes of preventing, detecting, mitigating or sketch, plan, photograph, model, cipher, note, document or responding to Incidents, it will generally be allowed in the article, or prescribed information”, attracting a penalty of up absence of legislation to the contrary. to seven years’ imprisonment (s79 of the Crimes Act). The Privacy Act does not specifically cover the issue of workplace surveillance, and the handling of employee records in the Australian private sector is exempted from the Privacy 8 Investigatory and Police Powers Act. However, where the monitoring of employees leads to the retention of personal information (such as a CCTV video recording of an identifiable individual or a record of emails 8.1 Please provide details of any investigatory powers of that does not relate to the employee’s employment), then an law enforcement or other authorities under Applicable Australia employer organisation that is subject to the Privacy Act may Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident. be obliged to comply with the APPs. Further, the Telecoms Act prohibits an employer from Potentially relevant investigatory powers include: listening to or recording communications passing over a telecommunications system without the consent or ■ the Australian Security Intelligence Organisation Act 1979 knowledge of the parties to the communication. (Cth), which empowers the Australian Security Intelligence Organisation (ASIO) to obtain warrants for the purpose Some Australian States and Territories have also introduced of undertaking surveillance, and to detain and question a laws addressing workplace surveillance, the monitoring and person who may have information important to gathering recording of conversations and the installation and use of intelligence in relation to terrorist activities; CCTV. ■ the Crimes Act, which deals with the powers of authorities to (b) No, unless a particular employer has contractually imposed investigate crimes including sabotage and the disclosure of an obligation upon the employee to do so (for example, by information; developing a policy to that effect and requiring compliance with that policy). ■ the Surveillance Devices Act 2004 (Cth), which establishes procedures for officers to obtain warrants, emergency authorisations and authorisations for the installation and use 7.2 Are there any Applicable Laws (e.g. whistle-blowing of surveillance devices; and laws) that may prohibit or limit the reporting of cyber ■ the Telecoms Act, which permits ASIO to intercept risks, security flaws, Incidents or potential Incidents telecommunications under warrant for intelligence-gathering by an employee? purposes, including in relation to threats of terrorism and other serious offences. Employees may be subject to confidentiality agreements or other contractual obligations prohibiting or limiting the circumstances in which they report cyber risks, security flaws, Incidents or potential 8.2 Are there any requirements under Applicable Laws Incidents. for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide Commonwealth officers are also subject to whistleblowing law enforcement authorities with encryption keys? legislation, creating the following offences which may also prohibit or limit reporting by employees: At present, there is no mandatory obligation in Australia to provide ■ disclosure of “any fact or document” in their knowledge backdoor access or release decryption keys. The Australian or possession “by virtue of having been a Commonwealth Government has proposed the introduction of legislation that officer”, attracting a penalty of up to two years’ imprisonment would allow authorities to compel decryption, based on the UK’s (s70 of the Crimes Act 1914 (Cth) (Crimes Act)); and Investigatory Powers Act.

26 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London MinterEllison Australia

Paul Kallenbach Leah Mooney MinterEllison MinterEllison Level 23 Rialto Towers Level 22 Waterfront Place 525 Collins Street 1 Eagle Street Melbourne Brisbane Victoria 3000 Queensland, 4000 Australia Australia

Tel: +61 3 8608 2622 Tel: +61 7 3119 6230 Email: [email protected] Email: [email protected] URL: www.minterellison.com URL: www.minterellison.com

Paul is MinterEllison’s Head of Cyber Law and Data Protection Leah has over 15 years’ experience in general risk advisory Australia and one of Australia’s foremost technology law specialists. Paul and litigation. She is a recognised expert in the emerging area advises leading Australian and international clients on a wide range of cybersecurity and privacy, and assists clients to identify and of technology-related issues, including technology contracting and understand cyber risk and how to embed cyber resilience planning licensing, outsourcing and procurement, tendering and sourcing, within their organisations. privacy and data protection, internet, social media and e-commerce Leah has coached clients affected by data breaches through the law, copyright, trade marks and other intellectual property rights, and strategic management of the legal, technical and regulatory issues telecommunications law. arising from data breaches. She was named one of the National In 2015, Paul launched MinterEllison’s cybersecurity survey, Law Journal’s cybersecurity and data privacy trailblazers of 2015, Perspectives on Cyber Risk. The survey assesses trends in Australian and is the only Australian lawyer honoured by the journal. Leah also organisations’ cyber resilience, from the perspective of both users and regularly presents to industry groups on cybersecurity and privacy buyers of technology. As one of the most critical business issues developments, and contributes to news and industry publications on facing organisations, Paul is frequently invited to present on cyber these issues. risk at industry and government forums. Paul was a co-founder of More broadly, Leah’s practice encompasses corporate risk advisory Exari, a leading global provider of document automation technology, and complex dispute management. is on the advisory board of MinterEllison’s technology consulting arm, ITNewcom, and is a director of MinterEllison’s software companies, Safetrac and Boardtrac.

MinterEllison is one of Asia Pacific’s leading full-service law firms. Established in Sydney in 1827, today the firm operates in Australia, Hong Kong, mainland China, Mongolia, New Zealand and the United Kingdom through a network of integrated offices and associated offices. With about 200 partners and 700 legal staff worldwide, we understand the challenges faced by businesses operating in a globalised marketplace and offer clients services that are multi-disciplinary and industry facing. Most recently, we have expanded our market-leading legal technology practice with the acquisition of ITNewcom, a top-tier technology consultancy. MinterEllison’s large and diverse client base includes blue-chip public and private companies, leading multinationals, global financial institutions, government and state-owned entities. Our lawyers have been independently recognised amongst the world’s best for their strong technical skills and ability to deliver commercially practical solutions that assist clients to achieve their business objectives.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 27 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 6

Belgium Johan Vandendriessche

Erkelens Law Isaure de Villenfagne

Disseminating or using data obtained as a result of hacking is 1 Criminal Activity punishable by a term of imprisonment between six months and three years and/or a fine between 26 EUR and 100,000 EUR. 1.1 Would any of the following activities constitute a The penalties are increased in the presence of aggravating criminal offence in your jurisdiction? If so, please circumstances or repeated offences related to cybercrime. Examples provide details of the offence, the maximum penalties of aggravating circumstances are stealing data, damaging an IT available, and any examples of prosecutions in your system or taking over an IT system to hack another IT system. jurisdiction: Denial-of-service attacks Belgian cybercrime provisions criminalise hacking, computer Denial-of-service attacks are criminalised as computer sabotage, sabotage, computer fraud and computer forgery. In addition to these i.e. “knowingly and without authorization, directly or indirectly criminal offences, specific provisions criminalise other activities, introducing, altering or deleting data in an IT system, or changing such as the violation of the secrecy of communications. Most of by any other technological means the normal use of any data in an the activities mentioned below would normally constitute a criminal IT system” (article 550ter, §1 of the Belgian Criminal Code). offence under Belgian law. By committing a denial-of-service attack, the normal use of data in It should be noted that criminal fines are subject to frequent an IT system is changed: the denial-of-service attack disrupts the revaluation by applying a multiplier. As of 1 January 2017, all functioning of an IT system. criminal fines are multiplied by eight. All amounts mentioned The penalties for this criminal offence (or any attempt thereto) are a below are amounts prior to revaluation. Consequently, a fine of term of imprisonment between six months and three years and/or a 100,000 EUR should be read as a fine of 800,000 EUR. fine between 26 EUR and 25,000 EUR. Hacking (i.e. unauthorised access) If, as a result of the denial-of-service attack, data in an IT system “The unauthorized intrusion in or maintenance of access to an IT is damaged, the penalties are increased to a term of imprisonment system” (“hacking”) is a criminal offence under article 550bis of the between six months and five years and/or a fine between 26 EUR Belgian Criminal Code. and 75,000 EUR. It is important to note that there is no requirement of breach or The penalties are doubled in case of repeated offences in relation to circumvention of security measures. Unauthorised access to an cybercrime. unprotected IT system is still hacking. Phishing A distinction is made between external hacking and internal hacking: The criminal offence applicable to phishing depends on the modus ■ External hacking: operandi and the purpose of the perpetrators. As explained in more External hacking happens when a person who does not detail below, identity theft is not directly criminalised under Belgian possess any access rights knowingly intrudes in or maintains law. access to an IT system. Phishing is usually committed as a precursor to another criminal The penalties consist of a term of imprisonment between offence, e.g. theft, fraud, computer fraud, hacking, computer three months and one year and/or a fine between 26 EUR and sabotage, committed by using the stolen identity. These are criminal 25,000 EUR. offences. ■ Internal hacking: Phishing may be punishable as a criminal offence under the criminal Internal hacking happens when a person who has access provisions of the Act of 13 June 2005 on electronic communications rights, exceeds those rights, with a fraudulent purpose or with (“Electronic Communications Act”). Article 145, §3, 1° of the the purpose to cause damage. Electronic Communications Act prohibits the fraudulent initiation The penalties consist of a term of imprisonment between six of electronic communications by means of an electronic months and two years and/or a fine between 26 EUR and communications network with the intent to obtain an illegitimate 25,000 EUR. economic advantage (for oneself or for another). This criminal A hacking attempt is punishable by the same penalties as hacking. offence is punishable by a term of imprisonment between one year Instructing or commissioning a third party to commit hacking is and four years and/or a fine between 500 EUR and 50,000 EUR. punishable by a term of imprisonment between six months and five years and/or a fine between 100 EUR and 200,000 EUR.

28 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Erkelens Law Belgium

Infection of IT systems with malware (including ransomware, confidentiality, integrity or availability of any IT system, spyware, worms, trojans and viruses) infrastructure, communications network, device or data are likely to The infection of IT systems with malware is an act of computer qualify as hacking, computer sabotage, computer fraud or computer sabotage, i.e. “knowingly and without authorization, directly or forgery. They will then be punishable in accordance with the indirectly introducing, altering or deleting data in an IT system, or provisions of these criminal offences. changing by any other technological means the normal use of any In addition, article 124 of the Electronic Communications Act data in an IT system” (article 550ter, §1 of the Belgian Criminal prohibits the access to any information communicated by electronic Code). communications. The penalty is a fine between 50 EUR and 50,000 The same criminal penalties apply as those applicable to denial-of- EUR (article 145, §1 of the Electronic Communications Act).

service attacks. Article 259bis, §1 (civil servants and police officers) and article Belgium Possession or use of hardware, software or other tools used to 314bis (all other persons) of the Belgian Criminal Code prohibit the commit cybercrime (e.g. hacking tools) interception of electronic communications and the dissemination of intercepted communication. Violation of article 259bis, §1 of the It is a criminal offence on its own to illegitimately possess, produce, Belgian Criminal Code is punishable by a term of imprisonment sell, procure for use, import, distribute, disseminate or otherwise between six months and two years and/or a fine between 500 EUR make available any instrument, including computer data, designed and 20,000 EUR. In case of violation of article 314bis of the or adapted to enable hacking (article 550bis, §5 of the Belgian Belgian Criminal Code, lower penalties apply because the criminal Criminal Code) or computer sabotage (article 550ter, §4 of the offence is not committed by a person representing a public authority. Belgian Criminal Code). Possessing, producing, selling, procuring for use, importing, The penalties are a term of imprisonment between six months and distributing, disseminating or otherwise making available, without three years and/or a fine between 26 EUR and 100,000 EUR. the right to, any instrument that is chiefly designed to enable the Identity theft or identity fraud (e.g. in connection with access interception of electronic communications is also a criminal offence devices) (article 259bis, §2bis and article 314bis, §2bis of the Belgian Belgian criminal law normally does not directly criminalise identity Criminal Code). theft. This might be different if the identity theft corresponds with Failure by an organisation to implement cybersecurity measures another criminal offence, e.g. identity theft because of the theft of an Failure by an organisation to implement cybersecurity measures is electronic identity card. In this case, the criminal offence is the theft normally not a criminal offence. of the physical identity card. Specific provisions may criminalise the failure to implement Identity theft is often a precursor to another criminal offence, cybersecurity measures: e.g. theft, fraud, computer fraud, hacking, computer sabotage, committed by using the stolen identity. ■ The data controller and the data processor have an obligation to implement adequate security measures in relation to Identity fraud may be a criminal offence under Belgian criminal law the processing of personal data (article 16 of the Act of 8 if the fraud relates to the appropriation of the capacity of a civil December 1992 on privacy protection in relation to the servant or military functions, nobility titles, the title of attorney-at- processing of personal data) (“Data Protection Act”). This law or the public use of a false family name (articles 227–231 of the obligation normally includes an obligation to implement Belgian Criminal Code). Penalties are usually limited to fines (up cybersecurity measures. Failure by the data controller to to 1,000 EUR). implement adequate security is a criminal offence punishable with a fine between 2.50 EUR and 500 EUR. In case of Electronic theft (e.g. breach of confidence by a current or former repeated offence, a term of imprisonment between three employee, or criminal copyright infringement) months and two years and/or a fine between 2.50 EUR and Depending on the nature of the electronic theft, several criminal 2,500 EUR will apply. offences may apply. The security obligation is confirmed on behalf of the The most straightforward criminal offence is computer fraud, data controller and the data processor in article 32 of the Regulation (EU) 2016/679 of the European Parliament and i.e. “the procurement without right, with intent to defraud, of an of the Council of 27 April 2016 on the protection of natural economic advantage (for oneself or for another) by inputting, persons with regard to the processing of personal data and altering or deleting any data that is stored, processed or transmitted on the free movement of such data, and repealing Directive by a computer system, or by changing by any other technological 95/46/EC (General Data Protection Regulation) (“GDPR”). means the normal use of data in a computer system” (article The GDPR will supersede the Data Protection Act as of 504quater of the Belgian Criminal Code). 25 May 2018. It would be safe to assume that the Belgian Computer fraud is punished by a term of imprisonment between six legislator will maintain the criminal offence, as the security months and five years and/or a fine between 26 EUR and 100,000 obligation is one of the main obligations of the data controller. EUR. In case of attempted computer fraud, the maximum term of ■ In relation to critical infrastructures, article 26, §1 of the imprisonment is reduced to three years and the maximum fine is Act of 1 July 2011 concerning the security and protection of critical infrastructures (“Critical Infrastructures Act”) reduced to 50,000 EUR. In case of a repeated offence in relation to imposes a term of imprisonment between eight days and one cybercrime, penalties are doubled. year and/or a fine between 26 EUR and 10,000 EUR in case Electronic theft often relates to materials protected by intellectual of breach of any obligation under this act. These obligations property rights. Most infringements of intellectual property rights include the establishment and execution of a security plan are criminal offences, even though enforcement usually takes place (which may include cybersecurity measures). by means of civil actions. Any other activity that adversely affects or threatens the 1.2 Do any of the above-mentioned offences have security, confidentiality, integrity or availability of any IT extraterritorial application? system, infrastructure, communications network, device or data Other activities that adversely affect or threaten the security, Usually, there is no extraterritorial application of Belgian laws.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 29 © Published and reproduced with kind permission by Global Legal Group Ltd, London Erkelens Law Belgium

Article 3 of the Belgian Code of Criminal Law provides that the Cybercrime: criminal courts shall be competent for all crimes on Belgian ■ Belgian Criminal Code, as amended by the Act of 28 territory. To localise a criminal offence, Belgium applies the November 2000 on cybercrime and the Act of 15 May 2006 ubiquity doctrine, which provides that a criminal offence is situated on cybercrime. in all places where there is a constitutive element of the offence. ■ Belgian Code of Criminal Proceedings. This theory is supplemented with the principle of indivisibility, Data protection: which allows courts to take into consideration all elements that are ■ Article 22 of the Belgian Constitution. indivisibly connected with a criminal offence located in Belgium. The principle of indivisibility thus allows a Belgian court to declare ■ Act of 8 December 1992 on privacy protection in relation to itself competent with regards to a co-perpetrator located in a foreign the processing of personal data. Belgium country. ■ Royal Decree of 13 February 2001, which lays down further rules to the Act of 8 December 1992. In the context of specific criminal offences, the Belgian criminal law provisions apply extraterritorially, e.g. in case of terrorism. ■ As of 25 May 2018, Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the The Data Protection Act applies to data controllers located outside processing of personal data and on the free movement of the European Economic Area if they use means located on Belgian such data, and repealing Directive 95/46/EC (General Data territory to process personal data (article 3bis). The criminal offences Protection Regulation). of this act may thus apply extraterritorially. In order to facilitate Electronic communications, security of electronic communications the enforcement, a data controller established outside the European and secrecy of electronic communications: Economic Area must designate a representative established in ■ Article 22 of the Belgian Constitution. Belgium (article 3bis, 2° of the Data Protection Act). The GDPR ■ Act of 13 June 2005 concerning electronic communications. also applies extraterritorially, but the criteria are different (article 3.2 of the GDPR). ■ Articles 259bis and 314bis of the Belgian Criminal Code. Trust services and electronic signatures: 1.3 Are there any actions (e.g. notification) that might ■ Regulation (EU) 910/2014 of the European Parliament and mitigate any penalty or otherwise constitute an of the Council of 23 July 2014 on electronic identification exception to any of the above-mentioned offences? and trust services for electronic transactions in the internal market, and repealing Directive 1999/93/EC (“eIDAS Regulation”). No, although a court may consider the behaviour of the perpetrator in determining the criminal sanctions. A pro-active notification or ■ Title 2 of Book XII of the Belgian Code of Economic Law. a declaration or plea of guilt may induce a court to impose lower Intellectual property rights: penalties. ■ Book XI of the Belgian Code of Economic Law. Employee surveillance and BYOD: 1.4 Are there any other criminal offences (not specific ■ Article 22 of the Belgian Constitution. to cybersecurity) in your jurisdiction that may arise ■ Act of 13 June 2005 concerning electronic communication. in relation to cybersecurity or the occurrence of an Incident (e.g. terrorism offences)? Please cite any ■ Articles 259bis and 314bis of the Criminal Code. specific examples of prosecutions of these offences ■ Collective Bargaining Agreement No. 68 on employee in a cybersecurity context. camera surveillance. ■ Collective Bargaining Agreement No. 81 on the protection of See the answers above. employees in relation to the surveillance of electronic online communication data. 2 Applicable Laws Professional secrecy: ■ Article 458 of the Belgian Criminal Code. Due diligence and due care: 2.1 Please cite any Applicable Laws in your jurisdiction ■ Articles 1382 and 1383 of the Belgian Civil Code. applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, 2.2 Are there any cybersecurity requirements under for example, laws of data protection, intellectual Applicable Laws applicable to critical infrastructure property, breach of confidence, privacy of electronic in your jurisdiction? For EU countries only, how communications, information security, and import / (and according to what timetable) is your jurisdiction export controls, among others. expected to implement the Network and Information Systems Directive? Please include details of any Belgian law does not provide a consolidated approach to instances where the implementing legislation in your cybersecurity. The following acts relate directly or indirectly to jurisdiction is anticipated to exceed the requirements cybersecurity: of the Directive. Critical infrastructures: Critical infrastructures are governed by the Critical Infrastructures ■ Act of 1 July 2011 on the security and protection of critical Act. The personal scope of this act is larger than that of Directive infrastructures. 2008/114/EC, which it implements in Belgian law. The Critical ■ To be implemented by 9 May 2018, Directive (EU) 2016/1148 Infrastructures Act not only covers the energy sector and the of the European Parliament and of the Council of 6 July 2016 transportation sector (both interpreted in a broad manner), but also concerning measures for a high common level of security of the financial sector and the electronic communications sector. network and information systems across the Union.

30 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Erkelens Law Belgium

There are no specific cybersecurity provisions in the Critical Infrastructures Act. It applies to all risks that may disrupt or destroy 2.5 Are organisations required under Applicable Laws, or critical infrastructures, including cyber risks. Critical infrastructures otherwise expected by a regulatory or other authority, must establish and execute a security plan, which may include, to report information related to Incidents or potential Incidents to a regulatory or other authority in your depending on the threats, cybersecurity measures. jurisdiction? If so, please provide details of: (a) the On 20 July 2017, the Belgian government has approved a pre-draft circumstance in which this reporting obligation is of the act that is set to implement the Network and Information triggered; (b) the regulatory or other authority to Systems Directive. It is not anticipated that Belgium will exceed which the information is required to be reported; (c) the requirements of the NIS Directive. the nature and scope of information that is required to be reported (e.g. malware signatures, network

vulnerabilities and other technical characteristics Belgium 2.3 Are organisations required under Applicable Laws, identifying an Incident or cyber attack methodology); or otherwise expected by a regulatory or other and (d) whether any defences or exemptions exist by authority, to take measures to monitor, detect, prevent which the organisation might prevent publication of or mitigate Incidents? If so, please describe what that information. measures are required to be taken. There are no generally applicable legal or regulatory obligations There are no generally applicable obligations to take measures to to report information related to (potential) Incidents. There are, monitor, detect, prevent or mitigate Incidents. However, there are however, some reporting obligations that apply depending on some sector-based obligations and/or expectations: the nature of the Incident or the sector of the organisation that is ■ Critical infrastructures: experiencing the Incident: Critical infrastructures must establish and implement a ■ Voluntary personal data breach notification under the Data security plan (article 13 of the Critical Infrastructures Act). Protection Act in relation to the processing of personal data. This obligation implicitly includes Incident prevention and The Belgian Data Protection Commission encourages the handling. voluntary notification of personal data breaches through an ■ Electronic communications: electronic form it has made available. Providers of electronic communications services or ■ As of 25 May 2018, a mandatory personal data breach electronic communications networks must implement notification. adequate measures to manage the security risks in relation to Under the GDPR, a mandatory notification exists in relation their services or networks, including measures to mitigate the to personal data breaches. The notification will have to be impact of security Incidents in relation to the end-users and submitted with the Belgian Data Protection Commission. other connected networks (article 114, §1 of the Electronic Communications Act). The notification must include the following information: ■ Processing of personal data: ■ the nature of the personal data breach, including, where possible, the categories and approximate number of data Data controllers and data processors have to implement subjects concerned and the categories and approximate adequate security in relation to the data processing activity number of personal data records concerned; (article 16 of the Data Protection Act). The Belgian Data Protection Commission has issued guidance in relation to ■ the name and contact details of the DPO or other contact the measures that are recommended in relation to Incident point; prevention and handling. ■ the likely consequences of the personal data breach; and ■ General principle of due diligence and due care: ■ the measures taken or proposed to be taken to address The general principle of due diligence and due care will in the personal data breach, including, where appropriate, all likelihood induce organisations to implement measures to measures to mitigate its possible adverse effects. prevent and handle Incidents in order to avoid or limit claims ■ Personal data breach notification and security breach for damages. It does, however, not explicitly impose Incident notification in the electronic communications sector. prevention and handling. Providers of electronic communications services or electronic communications networks are subject to a binding personal data breach notification with the Belgian Data Protection 2.4 In relation to any requirements identified in question 2.3 above, might any conflict of laws issues Commission and, if impacted, the end-user, unless the arise? For example, conflicts with laws relating provider has implemented mitigation measures (article 114/1, to the unauthorised interception of electronic §3 of the Electronic Communications Act). communications or import / export controls of In addition to this notification, they also have to notify the encryption software and hardware. Belgian Institute for Post and Telecommunications and the end-users about special security risks (article 114/1, §1 of the Yes, conflict of laws issues almost invariably arise. The measures Electronic Communications Act). This notification should to monitor, detect, prevent or mitigate Incidents must always be include measures to mitigate the risk. Security Incidents implemented in a manner that complies with the Applicable Laws: also have to be notified to the Belgian Institute for Post and Telecommunications, who may in turn inform the general ■ The Data Protection Act in relation to the processing of public (article 114/1, §2 of the Electronic Communications personal data (as of 25 May 2018, the Data Protection Act Act). will be superseded by the GDPR) if personal data is being processed. ■ Security breach notification applicable to trust service providers. ■ Article 124 of the Electronic Communications Act and article 314bis of the Belgian Criminal Code in case electronic Trust service providers must notify the Belgian Ministry of communications are involved. Economic Affairs about any breach of security or loss of integrity that has a significant impact on the trust service ■ Collective Bargaining Agreement No. 68 (camera surveillance) (article 19 of the eIDAS Regulation). and No. 81 (surveillance of online communications) in case of surveillance of employees.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 31 © Published and reproduced with kind permission by Global Legal Group Ltd, London Erkelens Law Belgium

■ Incident notification obligation applicable to critical infrastructures. 2.9 Please provide details of the regulator(s) responsible Critical infrastructures must notify any Incident that for enforcing the requirements identified under questions 2.3 to 2.7. imperils the security of the critical infrastructure to the Communication and Information Centre (article 14, §1 of the Critical Infrastructures Act). The following regulators are responsible for enforcement (excluding criminal actions): ■ Data protection: the Belgian Data Protection Commission. 2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information ■ Electronic communications: the Belgian Institute for Post and related to Incidents or potential Incidents with: (a) Telecommunications. Belgium a regulatory or other authority in your jurisdiction; ■ Trust services: the Ministry of Economic Affairs. (b) a regulatory or other authority outside your ■ Critical infrastructures: the Ministry of Interior Affairs. jurisdiction; or (c) other private sector organisations or trade associations in or outside your jurisdiction? 2.10 What are the penalties for not complying with the Yes, organisations are normally permitted to voluntarily share requirements identified under questions 2.3 to 2.8? information related to (potential) Incidents. Limitations may apply as a result of contractual confidentiality obligations or privacy and The following penalties apply: data protection law. ■ Data protection: criminal penalties under the Data Protection Critical infrastructures are subject to a specific obligation of Act, also administrative fines under the GDPR. professional secrecy in relation to their designation, information ■ Electronic communications: criminal penalties. communicated to them by various public authorities and the contents ■ Trust services: administrative penalties. of the security plan that they must establish (article 23 of the Critical ■ Critical infrastructures: criminal penalties. Infrastructures Act). A breach of this obligation is a criminal offence pursuant to article 458 of the Belgian Criminal Code. This secrecy obligation is sufficiently narrow to enable critical infrastructures to 2.11 Please cite any specific examples of enforcement share information about (potential) Incidents. action taken in cases of non-compliance with the above-mentioned requirements.

2.7 Are organisations required under Applicable Laws, or No specific information on enforcement is available. otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents to any affected individuals? If so, please 3 Specific Sectors provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the nature and scope of information that is required to be 3.1 Does market practice with respect to information reported. security (e.g. measures to prevent, detect, mitigate and respond to Incidents) vary across different There are several instances where the affected individuals must be business sectors in your jurisdiction? Please include informed, typically when the affected individuals are harmed in a details of any common deviations from the strict legal substantial manner: requirements under Applicable Laws. ■ Voluntary personal data breach notification under the Data Protection Act in relation to the processing of personal data. Yes, the market practice in relation to Incident handling varies ■ As of 25 May 2018, a mandatory personal data breach greatly depending on the sector and the nature of the activities. notification. Typically, the financial sector has implemented strict information security measures. ■ Security breach notification to the Belgian supervisory authority for the electronic communications sector. ■ Security breach notification applicable to trust service 3.2 Are there any specific legal requirements in relation providers. to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the The nature and scope of information is different for each notification telecommunications sector? duty. Yes, the telecommunications sector is subject to specific obligations 2.8 Do the responses to questions 2.5 to 2.7 change if the under the Electronic Communications Act (article 114/1 of the information includes: (a) price sensitive information; Electronic Communications Act). (b) IP addresses; (c) email addresses (e.g. an email address from which a phishing email originates); (d) Although these are technically not legal requirements, the financial personally identifiable information of cyber threat services sector is subject to specific cybersecurity obligations in actors; and (e) personally identifiable information of the context of the prudential supervision by the National Bank of individuals who have been inadvertently involved in Belgium. an Incident? In addition to this, the financial service sector and the telecommunications sector are governed by the Critical No, it being understood, however, that where personal data is Infrastructures Act, which imposes security obligations (and thus involved, the sharing of information will have to be organised in also cybersecurity obligations, even though they are not explicitly such a manner as to comply with the Data Protection Act (or, as of mentioned). 25 May 2018, the GDPR).

32 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Erkelens Law Belgium

4 Corporate Governance 5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident?

4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, Yes, see question 5.1. mitigate, manage or respond to an Incident amount to a breach of directors’ duties in your jurisdiction? 6 Insurance There are no specific rules in relation to Incidents. A director may be held liable for a breach of his duties as a director if he failed to 6.1 Are organisations permitted to take out insurance act with due care and due diligence. against Incidents in your jurisdiction? Belgium

4.2 Are companies (whether listed or private) required Yes, cyber insurance is permitted and even encouraged in Belgium. under Applicable Laws to: (a) designate a CISO; The number of Incidents has even lead to a greater general awareness (b) establish a written Incident response plan or and demand for insurance against Incidents. policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform penetration tests or vulnerability assessments? 6.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as business interruption, system failures, cyber extortion There are no such obligations, but the Code Buysse or digital asset restoration? If so, are there any legal (recommendations in relation to corporate governance) requires risk limits placed on what the insurance policy can cover? management measures, which may include the measures described under (c) and (d). There are generally no legal or regulatory limitations in relation to insurance coverage, except the possibility for insurance against 4.3 Are companies (whether listed or private) subject criminal penalties. Administrative fines may, however, be covered to any specific disclosure requirements in relation by insurance. to cybersecurity risks or Incidents (e.g. to listing authorities, the market or otherwise in their annual reports)? 7 Employees

There are no specific disclosure requirements in relation to cybersecurity risks or Incidents. If cybersecurity risks or Incidents 7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for have a major financial impact, there is a disclosure requirement in the purposes of preventing, detection, mitigating and relation to the financial impact (e.g. in the annual report). responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents by employees to their employer? 4.4 Are companies (whether public or listed) subject to any other specific requirements under Applicable Laws in relation to cybersecurity? The monitoring of employees must be done in a manner that is compliant with the principle of privacy in the work space, which No, companies are not subject to any other specific requirements. includes compliance with: ■ The Data Protection Act (and, as of 25 May 2018, the GDPR), if personal data is being processed. 5 Litigation ■ The secrecy of electronic communication (article 124 of the Electronic Communications Act and the Collective Bargaining Agreement No. 81). 5.1 Please provide details of any civil actions that may be brought in relation to any Incident and the elements of ■ In case of employee surveillance by cameras, Collective that action that would need to be met. Bargain Agreement No. 68. There are no explicit legal provisions in relation to the reporting of If the Incident is the result of negligence, any persons suffering risks, flaws or (potential) Incidents by employees to their employer. damage may file an action to obtain compensation. Such a claim Article 17 of the Act of 3 July 1978 on employment contracts would require that party to adduce evidence of the existence of imposes an obligation on the employee to work carefully, honestly negligence (which may be adduced by evidencing a breach of and accurately. This may be construed as a good faith obligation Applicable Laws), the damages suffered and the causal link between to disclose risks, flaws and Incidents to the employer, although this the negligence and the damage. conduct is usually described in a more explicit security policy. If the Incident is the result of an unfair market practice or a breach of data protection law, cease-and-desist proceedings are possible. 7.2 Are there any Applicable Laws (e.g. whistle-blowing laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents 5.2 Please cite any specific examples of cases that by an employee? have been brought in your jurisdiction in relation to Incidents. Not generally, but whistle-blowing and reporting must be organised in a manner compliant with data protection laws. Although there have been several Incidents, there have recently been no noteworthy cases in relation to Incidents. Employees are bound by a confidentiality obligation in relation to know-how, trade secrets and personal and confidential matters

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 33 © Published and reproduced with kind permission by Global Legal Group Ltd, London Erkelens Law Belgium

(article 17, 3° of the Act of 3 July 1978 concerning employment ■ intercepting, localising and accessing electronic contracts), which may limit the possibility for an employee to report communications; to third parties the existence of risks, flaws or (potential) Incidents. ■ imposing technical cooperation from persons with knowledge about the relevant IT systems; and ■ under very specific circumstances, hacking and computer 8 Investigatory and Police Powers sabotage, as well as decryption.

8.1 Please provide details of any investigatory powers of 8.2 Are there any requirements under Applicable Laws law enforcement or other authorities under Applicable for organisations to implement backdoors in their IT Laws in your jurisdiction (e.g. antiterrorism laws) that systems for law enforcement authorities or to provide Belgium may be relied upon to investigate an Incident. law enforcement authorities with encryption keys?

Law enforcement authorities have a variety of investigatory powers Organisations are not required to implement backdoors. However, at their disposal, including: law enforcement authorities may require any person with the ■ conducting (international) network searches; relevant knowledge to provide them with encryption keys. ■ the right to copy, block or seize electronic data;

Johan Vandendriessche Isaure de Villenfagne Erkelens Law Erkelens Law Rue des Chevaliers 24 Rue des Chevaliers 24 1050 Brussels 1050 Brussels Belgium Belgium

Tel: +32 2 274 50 53 Tel: +32 2 274 50 52 Email: [email protected] Email: [email protected] URL: www.erkelenslaw.com URL: www.erkelenslaw.com

Johan Vandendriessche is a partner at Erkelens Law. His practice Isaure de Villenfagne is an associate at Erkelens Law. She specialises covers ICT law, data protection and privacy law, as well as intellectual in ICT law, data protection and privacy law, as well as intellectual property law. He combines a broad technology sector approach with property law. Her main activity consists in advisory work, as well as an in-depth experience in ICT projects and procurement, outsourcing, drafting and negotiating technology-related contracts. data protection and compliance. The focus of his practice is advisory After obtaining a Master’s Degree in Law at the Universités Catholique work, as well as drafting and negotiating technology-related contracts. de Louvain-la-Neuve (2012), Isaure completed an LL.M. in Intellectual Johan combines his law practice with several academic activities. He Property Law at King’s College University London (2013). Isaure then is, amongst others, Visiting Professor in ICT law at the University of gained practical experience whilst working at international law firms in Ghent and Visiting Professor in ICT and Data Protection Law at the Paris and London, prior to joining the Brussels Bar in 2016. Howest University of Applied Science. He regularly publishes articles on ICT law and data protection law related topics. He is a frequent speaker at national and international conferences and seminars.

Erkelens Law is a niche law firm focusing on aviation law on the one hand and technology, data protection and privacy law on the other hand. Erkelens Law is based in Brussels and offers national, European and international services to its clients. The technology, data protection and privacy law practice is managed by Catherine Erkelens and Johan Vandendriessche. The team consists of six specialised lawyers that have international experience and have been ranked in several directories.

34 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 7

Canada Dean Dolan

Baker McKenzie Theo Ling

CASL makes it unlawful for anyone in the course of a commercial 1 Criminal Activity activity, regardless of an expectation of profit, to install or cause to be installed a computer program on any other person’s computer 1.1 Would any of the following activities constitute a system without that person’s express consent. It is also an offence, criminal offence in your jurisdiction? If so, please having done so, to cause an electronic message to be sent from that provide details of the offence, the maximum penalties computer system. available, and any examples of prosecutions in your Possession or use of hardware, software or other tools used to jurisdiction: commit cybercrime (e.g. hacking tools)

Hacking (i.e. unauthorised access) Yes, the Criminal Code prohibits the possession, selling, offering for sale, importing, obtaining for use, distributing or making available Yes. Under the Criminal Code, it is an offence to fraudulently a device that is designed or adapted primarily to commit an offence obtain, access or intercept computer systems or functions thereof. through unauthorised access or the infection of IT systems. Anyone This includes listening to or recording functions of a computer who does any of these things under circumstances that give rise to system, even if the person does not use their unauthorised access to a reasonable inference that the device has been used or is or was do any further damage. It is also an offence to use, possess, traffic in intended to be used to commit such an offence will be liable to or permit another person to have access to a computer password that imprisonment for up to two years. would enable them to commit an offence under this provision. This offence carries a maximum penalty of 10 years of imprisonment. Identity theft or identity fraud (e.g. in connection with access devices) In R. v. Charania (2012 ONCJ 637), the defendant, a former employee of a nursing home, was prosecuted after he used the password of his Yes, the Criminal Code creates an offence punishable by human resources coordinator to access her e-mail account remotely. imprisonment for up to five years for anyone who knowingly obtains The defendant was found guilty for use of a computer system with or possesses another person’s identity information in circumstances the intent to commit the offence of mischief in relation to data, and giving rise to a reasonable inference that the information is intended for committing mischief by wilfully obstructing, interrupting and to be used to commit an indictable offence that includes fraud, deceit interfering with the lawful use of data. or falsehood as an element of the offence. The code does not limit the offence to any medium (e.g., online or through access devices). Denial-of-service attacks Electronic theft (e.g. breach of confidence by a current or former Yes, the Criminal Code also makes it an offence to obstruct, interrupt employee, or criminal copyright infringement) or interfere with a person in the lawful use of computer data or to deny access to computer data to a person who is entitled to access it, Electronic theft is not directly covered under the Criminal Code. and an offender is liable to imprisonment for up to 10 years. However, unlawful infringement of copyrighted material can attract criminal charges. The Copyright Act establishes criminal offences Phishing for copyright infringement and the distribution or trafficking Although not a criminal offence, Canada’s anti-spam legislation of infringing works. These penalties also apply to anyone who (“CASL”) prohibits the sending of unsolicited commercial electronic circumvents a technological protection measure designed to control messages. Any person who contravenes CASL is subject to an access to copyrighted works or offers such services to the public. administrative monetary penalty of up to $1,000,000 in the case of Electronic theft of non-tangible property, other than identity theft, an individual and $10,000,000 in the case of any other person. does not fall within the definition of “property” for the purposes Infection of IT systems with malware (including ransomware, of Canadian criminal law. The Supreme Court of Canada, in R. spyware, worms, trojans and viruses) v. Stewart ([1988] 1 SCR 963), held that confidential information Yes, pursuant to the Criminal Code, it is an offence to: wilfully that was not in a tangible form could not be considered property, destroy or alter computer data; render computer data meaningless, and therefore could not be stolen. This rule has been interpreted to useless, or ineffective; obstruct, interrupt or interfere with the lawful apply to data and images, which also cannot be the subject of theft use of computer data; or obstruct, interrupt or interfere with a person (although they can be the subject of other criminal offences) (see, in the lawful use of computer data or deny access to computer data to for example, R. v. Maurer (2014 SKPC 118); ORBCOMM Inc. v. a person who is entitled to access it. If a human life is endangered, Randy Taylor Professional Corp. (2017 ONSC 2308)). offenders are liable to imprisonment for life. Otherwise, offenders With respect to cases of breach of confidence by employees, are liable to imprisonment for up to 10 years. although no criminal offences exist, there exists a common law tort

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 35 © Published and reproduced with kind permission by Global Legal Group Ltd, London Baker McKenzie Canada

of breach of confidence. The Ontario Superior Court recently held an related to “terrorist activities” including participating in, facilitating, employee liable for wrongfully siphoning and then deleting customer instructing, harbouring and financing terrorism. It also establishes data before leaving the company to start a competing business a list of terrorist entities, and provides authorities with the power to (Accreditation Canada International v. Guerra (2016 ONSC 3595)). freeze, seize, restrain and obtain orders for forfeiture of property or Any other activity that adversely affects or threatens the assets owned or controlled by a terrorist group, or that has been or security, confidentiality, integrity or availability of any IT will be used to facilitate or carry out terrorist activity. system, infrastructure, communications network, device or data The Criminal Code addresses the cyber element of modern The Criminal Code also provides protection against the interception terrorism by giving judges specific powers with regard to computers of private communications. Any person that wilfully intercepts and computer data. If a judge is satisfied that there are reasonable grounds to believe that there is terrorist propaganda or computer Canada the private communications of an individual through any capable device or apparatus is liable to imprisonment for up to five years. data that makes terrorist propaganda available, and that this material Although the general understanding of ‘intercept’ requires the is stored on and made available through a computer system, the listening or recording of contemporaneous communication, the judge may order the computer system’s custodian to provide a copy crime of unlawful interception was found to also apply to the seizing of the material to the court, ensure that the material is no longer of text messages that are stored on a telecommunication provider’s stored on the computer, and provide information that is necessary to computer (R. v. TELUS Communications Co. ([2013] 2 SCR 3)). identify and locate the person who posted the material. Failure by an organisation to implement cybersecurity measures This is not applicable in our jurisdiction. 2 Applicable Laws

1.2 Do any of the above-mentioned offences have extraterritorial application? 2.1 Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation Although criminal offences not committed in Canada are generally and management of Incidents. This may include, not subject to prosecution under Canadian criminal law, Canadian for example, laws of data protection, intellectual courts will exercise jurisdiction over an offence where there is a real property, breach of confidence, privacy of electronic and substantial link between that offence and the country. A real and communications, information security, and import / substantial link exists where a significant portion of the activities export controls, among others. constituting the offence occurred in Canada. Because cyber crime takes place online, more often than not the actual location of the server Criminal Code of Canada, RSC 1985, c. C-46. or computer is not indicative of the location of the crime, and all of the Copyright Act, RSC 1985, c. C-42. above offences therefore potentially have extraterritorial application. An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage 1.3 Are there any actions (e.g. notification) that might Reliance on Electronic Means of Carrying out Commercial mitigate any penalty or otherwise constitute an Activities, and to Amend the Canadian Radio-television and exception to any of the above-mentioned offences? Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act For criminal offences, there are no specific mitigating factors, such and the Telecommunications Act (known as “Canada’s anti-spam as providing notification, that would mitigate a penalty. However, legislation” or “CASL”), SC 2010, c. 23, SC 2010 c. 23. the Criminal Code provides that a sentence should be increased or reduced to account for any relevant aggravating or mitigating Personal Information Protection and Electronic Documents Act circumstances relating to the offence or the offender. (Federal), SC 2000, c. 5. The Copyright Act establishes an exception for a person who Act, SC 2015, c. 32 (enacted, but not yet in force). is acting on behalf of certain organisations such as libraries or Personal Information Protection Act (Alberta), SA 2003, c. P-6.5. educational institutions, where their acts would otherwise constitute Personal Information Protection Act (British Columbia), SBC infringement. The penalties will also not apply to the circumvention 2003, c. 63. of technological protection measures under certain circumstances An Act Respecting the Protection of Personal Information in the (e.g., the protection of national security). Private Sector (Québec), CQLR, c. P-39.1. CASL establishes an exception to the prohibition on unsolicited commercial electronic messages for messages that are sent by or Health Information Act (Alberta), RSA 2000, c. H-5. on behalf of an individual to another individual with whom they Personal Health Information Act (Manitoba), CCSM, c. P-33.5. have a personal or family relationship, or if the recipient of the Personal Health and Access Act (New communication has given express consent. Other CASL exceptions Brunswick), SNB 2009, c. P-7.05. are available for commercial messages that are, in general, follow- Personal Health Information Act (Newfoundland and Labrador), up emails to a transaction, service or product that the recipient has SNL 2008, c. P-7.01. previously agreed to, and/or has used or purchased. Personal Health Information Act (Nova Scotia), SNS 2010, c. 41. Health Information Act (Northwest Territories), SNWT 2014, c. 2. 1.4 Are there any other criminal offences (not specific to cybersecurity) in your jurisdiction that may arise Personal Health Information Protection Act (Ontario), SO 2004, c. in relation to cybersecurity or the occurrence of an 3, Sched. A. Incident (e.g. terrorism offences)? Please cite any specific examples of prosecutions of these offences The Health Information Protection Act (Saskatchewan), SS 1999, in a cybersecurity context. c. H-0.021. An Act Respecting the Sharing of Certain Health Information Part II.1 of the Criminal Code establishes a number of offences (Québec), CQLR, c. P-9.0001.

36 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Baker McKenzie Canada

Telecommunications Act, SC 1993, c. 38. substantially similar to PIPEDA in relation to health information. Privacy Act, RSC, 1985, c. P-21. All other provinces and territories which have not yet been declared substantially similar with PIPEDA must comply both with their Communications Security Establishment Act (Bill C-59 proposed, respective provincial statute and with PIPEDA. but not yet enacted). Additionally, some regulators have also provided guidance to address cybersecurity risks for organisations subject to their rules 2.2 Are there any cybersecurity requirements under (see question 3.2). Applicable Laws applicable to critical infrastructure in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction 2.4 In relation to any requirements identified in question

expected to implement the Network and Information 2.3 above, might any conflict of laws issues Canada Systems Directive? Please include details of any arise? For example, conflicts with laws relating instances where the implementing legislation in your to the unauthorised interception of electronic jurisdiction is anticipated to exceed the requirements communications or import / export controls of of the Directive. encryption software and hardware.

Canada does not yet have statutory cybersecurity requirements As noted above, PIPEDA does not apply in a province that enacts applicable to critical infrastructure. However, the Communications privacy legislation found to be “substantially similar” to PIPEDA to Security Establishment (“CSE”), a Canadian intelligence agency, the collection, use, or disclosure of personal information that occurs has been created as the technical authority on cybersecurity and within the province by provincially regulated organisations. Extra- information assurance. Under the newly proposed Communications provincial or international dimensions of data collection or use are Security Establishment Act, the CSE’s mandate will include: (1) still subject to PIPEDA. If a provision under a provincial statute is providing advice, guidance and services to help protect electronic inconsistent or in conflict with a provision of PIPEDA, the provision of the provincial statute will prevail, unless PIPEDA expressly information and information infrastructures of federal institutions as provides that its provision applies, despite the provincial legislation. well as non-federal institutions that are of importance to the federal government; (2) performing defensive cyber operations to help protect such institutions; and (3) performing active cyber operations 2.5 Are organisations required under Applicable Laws, or such as disrupting, degrading, and interfering with the activities of a otherwise expected by a regulatory or other authority, foreign individual, state, organisation or terrorist group as it relates to report information related to Incidents or potential Incidents to a regulatory or other authority in your to the security, defence and international affairs of Canada. jurisdiction? If so, please provide details of: (a) the Furthermore, through Public Safety Canada, a department of the circumstance in which this reporting obligation is federal government, the government has been active in promoting triggered; (b) the regulatory or other authority to cybersecurity by the introduction of a national strategy for safeguarding which the information is required to be reported; (c) the nature and scope of information that is required critical infrastructure through collaboration between federal, to be reported (e.g. malware signatures, network provincial and territorial governments, and critical infrastructure vulnerabilities and other technical characteristics sectors to strengthen the resiliency of critical infrastructure. identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by which the organisation might prevent publication of 2.3 Are organisations required under Applicable Laws, that information. or otherwise expected by a regulatory or other authority, to take measures to monitor, detect, prevent ABPIPA requires organisations to notify Alberta’s Privacy or mitigate Incidents? If so, please describe what measures are required to be taken. Commissioner if personal information under an organisation’s control is lost, accessed or disclosed without authorisation, or if it has in any way suffered a privacy breach, where a real risk of Canada’s Personal Information Protection and Electronic Documents significant harm to an individual exists as a result of the breach. Act (“PIPEDA”), Alberta’s Personal Information Protection Act This notification requirement is triggered if the harm threshold is (“ABPIPA”), British Columbia’s Personal Information Protection met, which is defined as “where a reasonable person would consider Act (“BCPIPA”), and Québec’s An Act Respecting the Protection that there exists a real risk of significant harm to an individual”. The of Personal Information in the Private Sector (“QBPIPA”) all notice to the Commissioner must be in writing and must include: require organisations to protect personal information with security ■ a description of the circumstances of the breach; safeguards proportionate to the sensitivity of the information. By way of summary, these statutes require organisations to implement ■ the date or time period during which the breach occurred; appropriate technical, physical and administrative protective ■ a description of the personal information involved in the measures to protect against unauthorised access, collection, breach; disclosure, use, modification or destruction, and loss or theft of ■ an assessment of the risk of harm to individuals as a result of personal information. The provincial statutes have been declared the breach; substantially similar to PIPEDA, and therefore PIPEDA does not ■ an estimate of the number of individuals to whom there is a apply in those provinces for the collection, use and disclosure of real risk of substantial harm as a result of the breach; personal information by provincially regulated organisations. ■ a description of any steps the organisation has taken to reduce All Canadian provinces and territories have enacted personal health the risk of harm; information statutes, (see question 2.1), that require organisations to ■ a description of any steps the organisation has taken to notify establish mechanisms to ensure the accountability of persons having individuals of the breach; and custody or control of personal health information, and to safeguard ■ the name and contact information for a person at the the security and integrity of the personal health information in organisation who can be contacted about the breach. their custody or control. Ontario, New Brunswick, Nova Scotia, If a breach meets the “real risk of significant harm” threshold, the and Newfoundland and Labrador’s statutes have been deemed Alberta Privacy Commissioner will review the information provided

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 37 © Published and reproduced with kind permission by Global Legal Group Ltd, London Baker McKenzie Canada

by the organisation to determine whether affected individuals need The Digital Privacy Act will require notification to individuals. See to be notified of the data breach. question 2.5. Digital Privacy Act (Canada) The Digital Privacy Act (enacted, but not yet in force) will add new 2.8 Do the responses to questions 2.5 to 2.7 change if the provisions to PIPEDA, which will introduce mandatory breach information includes: (a) price sensitive information; notification. Once in force, organisations that suffer a “breach of (b) IP addresses; (c) email addresses (e.g. an email security safeguards” (defined as “the loss of, unauthorised access to address from which a phishing email originates); (d) or unauthorised disclosure of personal information resulting from a personally identifiable information of cyber threat actors; and (e) personally identifiable information of breach of an organization’s security safeguards”), where there is a individuals who have been inadvertently involved in

Canada “real risk of significant harm” will face four obligations: an Incident? i. report the incident to the federal Privacy Commissioner; ii. notify all individuals affected by the breach, and inform them No, the responses do not change. of steps they can take to mitigate harm; iii. where the organisation has notified affected individuals, 2.9 Please provide details of the regulator(s) responsible it must also notify any other organisations or government for enforcing the requirements identified under entities of the breach if it believes that this action may reduce questions 2.3 to 2.7. the risk of harm; and iv. keep records of every security data breach and make sure such Each jurisdiction appoints a privacy commissioner to oversee records are available to the federal Privacy Commissioner on the application of its privacy statutes. The federal OPC oversees request. compliance with PIPEDA and the Privacy Act, a statute that The Digital Privacy Act defines “significant harm” broadly to include regulates the personal information handling practices of federal “bodily harm, humiliation, damage to reputation or relationships, government departments and agencies. loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record The provincial Privacy Commissioners of Alberta, British Columbia and damages to or loss of property”. The existence of a “real risk of and Québec oversee compliance with ABPIPA, BCPIPA, and significant harm” is determined by considering the sensitivity of the QBPIPA, respectively. personal information involved in the breach, the probability that the personal information will be misused and any other factors that may 2.10 What are the penalties for not complying with the be prescribed by regulation. requirements identified under questions 2.3 to 2.8? Personal Health Information Protection Act (Ontario) Ontario’s health information statute requires health information Under PIPEDA, an organisation that fails to retain information that custodians to notify affected individuals if personal health is the subject of an access request, commits a reprisal against an information about an individual in its custody or control is used employee for exercising her rights under PIPEDA, or obstructs the or disclosed without authority. The health information custodian OPC’s efforts to perform an audit or investigate a complaint may be must also notify the provincial Privacy Commissioner. Health fined up to $10,000 for a summary offence, or up to $100,000 for an information custodians are further required to give notice to a indictable offence. college of a regulated health profession when an employee, agent Pursuant to BCPIPA and ABPIPA, an organisation that commits an or member of the college, is terminated, suspended, or subject to offence may be subject to a fine of up to $100,000. Offences include disciplinary action resulting from the unauthorised collection, use, the deceptive collection of personal information, obstruction of an disclosure, retention or disposal of personal health information. investigation, and destroying personal information after an access request has been made. 2.6 If not a requirement, are organisations permitted by Under QBPIPA, an organisation that unlawfully collects, holds, Applicable Laws to voluntarily share information communicates to third persons or uses personal information is liable related to Incidents or potential Incidents with: (a) for fines ranging between $1,000 to $10,000, and, for subsequent a regulatory or other authority in your jurisdiction; offences, fines from $10,000 to $20,000. Additionally, organisations (b) a regulatory or other authority outside your jurisdiction; or (c) other private sector organisations may be fined between $5,000 to $50,000 and, for subsequent or trade associations in or outside your jurisdiction? offences, $10,000 to $100,000 for the unlawful transfer of personal information outside of Québec. Yes, the federal Office of the Privacy Commissioner (“OPC”) The Digital Privacy Act will create offences for non-compliance encourages organisations to report breaches to the OPC by visiting its with data breach notification and record-keeping obligations, and privacy breach reporting web page and to notify affected individuals organisations may be fined up to $10,000 for a summary offence, or where appropriate pursuant to its breach notification guidelines. up to $100,000 for an indictable offence.

2.7 Are organisations required under Applicable Laws, or 2.11 Please cite any specific examples of enforcement otherwise expected by a regulatory or other authority, action taken in cases of non-compliance with the to report information related to Incidents or potential above-mentioned requirements. Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this There are no specific examples. reporting obligation is triggered; and (b) the nature and scope of information that is required to be reported.

In Alberta, the Commissioner determines whether individuals are to be notified.

38 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Baker McKenzie Canada

to act in its best interests, and to exercise the care, diligence and 3 Specific Sectors skill that a reasonably prudent person would exercise in comparable circumstances, and would include an obligation to act prudently in 3.1 Does market practice with respect to information the company’s interests as it relates to cybersecurity. security (e.g. measures to prevent, detect, mitigate and respond to Incidents) vary across different business sectors in your jurisdiction? Please include 4.2 Are companies (whether listed or private) required details of any common deviations from the strict legal under Applicable Laws to: (a) designate a CISO; requirements under Applicable Laws. (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, Generally, market practices with respect to information security do including for third party vendors; and (d) perform not substantially vary across business sectors, but there are certain penetration tests or vulnerability assessments? Canada sectors that have supplementary information security requirements and/or recommendations (see question 3.2). Under PIPEDA, ABPIPA and BCPIPA, organisations are required Moreover, the public sector has specific information security to appoint an individual, or individuals, responsible for compliance requirements for all levels of government. For example, the Privacy with obligations under those respective statutes. Such individuals Act governs the personal information handling practices of federal can be referred to as the Chief Information Security Officer, government institutions and applies to all of the personal information although Canadian privacy statutes do not prescribe any particular the federal government collects, uses and discloses. Canadian title. However, no additional requirements are mandated. provinces, territories and municipalities have enacted similar legislation regulating the personal information handling practices of government institutions under their jurisdiction. Guidelines and 4.3 Are companies (whether listed or private) subject policies have also been created pursuant to these statutes. For instance, to any specific disclosure requirements in relation to cybersecurity risks or Incidents (e.g. to listing the Ontario Privacy Commissioner has published guidance on the use authorities, the market or otherwise in their annual of automated licence plate recognition systems by police forces which reports)? establishes security measures that should be adopted to safeguard personal information collected from such a recognition system. When enacted, the Digital Privacy Act will require all organisations to maintain records of every breach of security safeguards involving 3.2 Are there any specific legal requirements in relation personal information under their control. These records must be to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the provided to the OPC upon request. telecommunications sector? 4.4 Are companies (whether public or listed) subject to (a) The Bank Act, through the enactment of regulations, may any other specific requirements under Applicable make regulations mandating Canadian banks to establish Laws in relation to cybersecurity? procedures for restricting the collection, retention, use and disclosure of personal financial information. No, companies are not subject to any other specific requirements. Although not legal requirements, financial services regulators have published various recommendations in relation to cybersecurity. The Canadian Securities Administrators, an 5 Litigation umbrella organisation that regulates provincial securities, recently published non-mandatory recommendations for public corporations relating to cybersecurity; the Investment 5.1 Please provide details of any civil actions that may be Industry Regulatory Organization of Canada, a self-regulated brought in relation to any Incident and the elements of body for organisations listed on the Toronto Stock Exchange, that action that would need to be met. published a set of cybersecurity best practices for its members; and the Office of the Superintendent of Financial An individual can enforce their rights by making a complaint to Institutions, Canada’s financial institutions regulator, has also any of the privacy regulatory authorities mentioned in question published a non-mandatory “Cyber Security Self-Assessment Tool” designed to assist financial institutions. 2.9. A complaint may be made relating to an organisation’s failure to comply with any of its statutory obligations to collect, use and (b) With respect to the telecommunications sector, CASL is disclose personal information in accordance with the principles of governed by Canada’s telecommunications regulatory body, the Canadian Radio-television and Telecommunications fair information practices set out in Canada’s privacy legislation: Commission (“CRTC”). As noted, CASL establishes specific ■ accountability; requirements in relation to the sending of commercial ■ identifying purpose; electronic messages. Furthermore, the Telecommunications ■ consent; Act mandates telecommunications service providers to protect the privacy of their users through the provision of ■ limiting collection; various consumer safeguards. ■ limiting use, disclosure and retention; ■ accuracy; 4 Corporate Governance ■ safeguards; ■ openness; ■ individual access; and 4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, ■ challenging compliance. mitigate, manage or respond to an Incident amount to These authorities are generally required to investigate any such a breach of directors’ duties in your jurisdiction? complaint. Under Canadian law, directors owe a fiduciary duty to their company

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 39 © Published and reproduced with kind permission by Global Legal Group Ltd, London Baker McKenzie Canada

Under PIPEDA, a formal complaint must be investigated and the OPC will issue a report outlining the findings of the investigation and any 6.2 Are there any regulatory limitations to insurance recommendations for compliance. The report may be made public at coverage against specific types of loss, such as the discretion of the OPC. The complainant, but not the organisation, business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal subject to the complaint, may appeal to the Federal Court. The Court limits placed on what the insurance policy can cover? has broad authority, including the authority to order a correction of the organisation’s practices, and award monetary damages. No, there are not any regulatory limitations. Under ABPIPA, and BCPIPA, an investigation may be elevated to a formal inquiry by the Commissioner and result in an order. Organisations are required to comply with the order, or apply for 7 Employees Canada judicial review, within a prescribed time period. Similarly, under QBPIPA, an order must be obeyed within a prescribed time period. An individual may appeal to a judge of the 7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for Court of Québec on questions of law or jurisdiction with respect to the purposes of preventing, detection, mitigating and a final decision. responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents by employees to their employer? 5.2 Please cite any specific examples of cases that have been brought in your jurisdiction in relation to Incidents. Employee monitoring is generally permissible under Canada’s privacy legislation, but it must be carried out in compliance In Chitrakar v. Bell TV (2013 FC 1103), the Federal Court awarded with the principles set out in those statutes, and for a reasonable the plaintiff over $20,000 in damages following a privacy violation purpose, such as preventing, detecting, mitigating and responding by Bell TV, a telecommunications company. The Court held that to Incidents. Regulators have established a test to determine the Bell had failed to comply with its obligations pursuant to PIPEDA reasonableness of a monitoring programme: by conducting a credit check without the plaintiff’s prior consent. ■ Can it be demonstrated that monitoring is necessary to meet a Prior to this decision, the federal Privacy Commissioner had found specific need? that the plaintiff’s privacy rights were violated under PIPEDA. ■ Is the monitoring likely to be effective in meeting that need? ■ Is any loss of privacy proportional to the benefit gained? 5.3 Is there any potential liability in tort or equivalent ■ Could the employer have met the need in a less privacy- legal theory in relation to an Incident? invasive way? Notification must be given for such a monitoring programme. Canadian courts have recognised the common law right of action in There are no specific requirements for the reporting of cyber risks, tort of intrusion upon seclusion and invasion of privacy. security flaws, Incidents or potential Incidents by employees to their This cause of action was recently and significantly recognised in the employers. Ontario Court of Appeal case Jones v. Tsige (2012 ONCA 32). The court held that a person who intentionally intrudes, physically or otherwise, upon the seclusion of another or their private affairs or 7.2 Are there any Applicable Laws (e.g. whistle-blowing concerns, is subject to liability to the other for invasion of their privacy, laws) that may prohibit or limit the reporting of cyber if the invasion would be highly offensive to the other person. In Jones risks, security flaws, Incidents or potential Incidents v. Tsige, the plaintiff was awarded $10,000 after the court found that the by an employee? defendant, whose ex-husband was in a relationship with the plaintiff, surreptitiously looked through her banking records on numerous There are no statutory or legislative restrictions on “whistle- occasions. Given that this tort is relatively new, its development is blowing” that would prohibit or limit the reporting of cyber risks, being closely watched. Recently, an Ontario court accepted the security flaws Incidents or potential Incidents by an employee. possibility, raised by a labour union, that the common-law invasion of In addition, PIPEDA and the provincial privacy statutes all prohibit privacy could apply to a corporation’s drug-testing policy (ATU, Local employers from reprisals against employees who disclose to a 113 v. Toronto Transit Commission (2017 ONSC 2078)). regulator that the organisation or any other person has violated or is In addition to the tort of intrusion upon seclusion, Ontario has about to violate a provision of the statute. recently recognised the tort of public disclosure of private facts. Finally, the Digital Privacy Act, when in force, will permit whistle- In Jane Doe 464533 v. N.D. (2016 ONSC 541), the court awarded blowers who notify the Privacy Commissioner of violations to request the plaintiff $100,000 in damages after finding an ex-boyfriend that their identity be kept confidential with respect to the notification. liable for posting a sexually explicit video of the plaintiff on the internet without her consent. The court held that a person that publicly discloses facts concerning the private life of another, which 8 Investigatory and Police Powers would be highly offensive to a reasonable person, and that is not a legitimate concern to the public, is subject to liability. 8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable 6 Insurance Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident.

6.1 Are organisations permitted to take out insurance Canada’s Privacy Commissioners have broad powers under against Incidents in your jurisdiction? privacy statutes to investigate complaints, issue reports, compel the production of evidence, issue monetary penalties and make Yes, organisations are permitted to take out insurance against Incidents. recommendations or initiate audits.

40 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Baker McKenzie Canada

Similarly, the CRTC has a broad range of investigative powers Under QBPIPA, an organisation may refuse to communicate personal available under CASL. In addition to issuing monetary penalties, information to the person it concerns, where such disclosure would it may execute search warrants and seize items, as well as obtain be likely to hinder an investigation in connection to a crime or a injunctions (with judicial authorisation) against suspected offenders. statutory offence, or affect judicial proceedings in which the person Other entities that have investigatory powers of law enforcement has an interest. in relation to cybersecurity include local police, provincial police, Pursuant to the newly proposed CSEA, the CSE may be authorised the Royal Canadian Mounted Police, the Communications Security to access any non-federal infrastructure that is of importance to the Establishment and the Canadian Security Intelligence Service. government of Canada, and acquire any information originating from, directed to, stored on or being transmitted on or through that infrastructure for the purpose of helping to protect it from criminal 8.2 Are there any requirements under Applicable Laws Canada for organisations to implement backdoors in their IT offences such as mischief, unauthorised use or disruption. systems for law enforcement authorities or to provide law enforcement authorities with encryption keys? Acknowledgment No. However, all of Canada’s privacy statutes permit an organisation The authors would like to recognise and acknowledge the invaluable to disclose personal information without consent, where the assistance of Sarah Mavula ([email protected]) disclosure is to a law enforcement agency in Canada, and concerns and Frances Chen ([email protected]) in the an offence under Canadian laws. preparation of this chapter.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 41 © Published and reproduced with kind permission by Global Legal Group Ltd, London Baker McKenzie Canada

Dean Dolan Theo Ling Baker McKenzie Baker McKenzie 181 Bay Street 181 Bay Street Suite 2100 Suite 2100 Toronto, ON, M5J 2T3 Toronto, ON, M5J 2T3 Canada Canada

Tel: +1 416 865 3856 Tel: +1 416 865 6954 Email: [email protected] Email: [email protected] URL: www.bakermckenzie.com URL: www.bakermckenzie.com Canada Dean Dolan is Of Counsel to Baker McKenzie’s Toronto office. A Theo Ling is an information technology, privacy and data security highly regarded privacy and data security lawyer, Dean has served lawyer with over 25 years’ experience assisting global organisations on the Executive Committee of the Ontario Bar Association’s Privacy with the development and implementation of enterprise-wide Law Section, the Advisory Board of the Conference Board of Canada’s strategies relating to the commercial and corporate deployment Chief Privacy Officer’s Council, the Retail Council of Canada’s Privacy of technology products, services and solutions, as well as data Committee, and the Board of Directors of the Canadian Association of compliance and information governance programmes. Recognised Counsel to Employers, and is an IAPP Certified Information Privacy as a pragmatic legal advisor and “problem-solver”, Theo was recently Professional. He is an author and frequent speaker on privacy, named one of North America’s Top 10 most innovative lawyers by the employment and litigation matters. Prior to joining the Firm, he served Financial Times. He is the creative mind and driving force behind as Vice-President, Associate General Counsel and Privacy Officer iG360, the Firm’s award-winning global information governance and for a large multi-national retailer in Canada. Focusing on privacy compliance platform, and DatComplianceIQ, winner of the Financial and information governance, Dean provides strategic advice on the Times Innovation Award for the Business of Law; Integrated Solutions. management and retention of information globally. Theo Chairs the Firm’s Global Privacy and Information Management Working Group that leads the Firm’s Global Data Privacy and Information Management practice, which has been ranked Band 1 by Chambers Global for eight consecutive years. Theo is also a member of the Firm’s Global Innovation Committee and Machine Learning Task Force and serves on the Global Steering Committee of the Firm’s Information Technology and Communications practice and industry group. Theo is a recognised IT/Data Privacy practitioner in Chambers and The Legal 500, and is an IAPP Certified Information Privacy Professional.

Baker McKenzie is one of the world’s largest international law firms, with over 4,700 lawyers in 77 offices across 47 countries. It is the largest international law firm in Asia Pacific, Continental Europe and Latin America. Baker McKenzie has more IAPP Certified Privacy Professionals (CIPP) than any other law firm, and in 2016 was ranked Band 1 byChambers Global for Data Protection, Outsourcing and Technology, Media and Telecommunications for the 9th year. Baker McKenzie’s DataComplianceIQ solution helps clients visualise data practices and complex data flows mapped against a comprehensive Privacy Compliance Grid informed by the laws and standards of over 150 jurisdictions, and was recognised in 2016 as by the Financial Times Innovative Lawyer Awards as the Best Integrated Solution in the Business of Law category. iG360, the firm’s online collaborative technology platform for information governance, is recognised by the Financial Times Innovative Lawyers Awards as a stand-out solution in the category of Technology and Compliance. In 2016, Baker McKenzie was named the world’s strongest law firm brand in the Acritas Global Law Firm Brand Index.

42 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 8

China Susan Ning

King & Wood Mallesons Han Wu

Phishing 1 Criminal Activity Phishing is usually performed to steal or otherwise acquire personal information of citizens, which is considered as the “crime of infringing 1.1 Would any of the following activities constitute a citizen’s personal information” provided in Article 253(1) and up to criminal offence in your jurisdiction? If so, please seven years’ imprisonment may be convicted in serious cases. provide details of the offence, the maximum penalties For example, in the criminal case of “Zhang Dawei’s infringement available, and any examples of prosecutions in your jurisdiction: upon citizen’s personal information”, the defendant established a phishing website to counterfeit the official website of Apple iCloud. In this way, the defendant obtained a victim’s Apple ID Under the Criminal Law of the People’s Republic of China and password and then sold them for profit. The court decided that (“Criminal Law”), are mainly provided in the section: the defendant committed the “crime of infringing citizen’s personal “Crimes of Disturbing Pubic Order”. Articles 285, 286, and 287 are information” and imposed imprisonment of seven months. the three major articles that directly relate to cybercrimes. Moreover, Article 253(1) indirectly relates to cybersecurity and applies to cases Infection of IT systems with malware (including ransomware, involving Internet-related personal information infringement acts. spyware, worms, trojans and viruses) The punishments for violating Articles 285, 286, and 287 include For intentional making or dissemination of a or other imprisonment, detention, and fines. For example, the offender destructive programs, including, but not limited to, ransomware, may be sentenced to up to seven years’ imprisonment for illegally spyware, worms, trojans and viruses, which affects the normal operation obtaining data from a computer information system in serious cases. of a computer information system, if serious consequences are caused, Entities may be convicted for violating Articles 285, 286, and 287, such activities constitute the “crime of sabotaging computer information as unit crime has been provided for in all three articles. system” under Article 286 of the Criminal Law. The offender may be sentenced to imprisonment of more than five years in serious cases. It is worth noting that Articles 286 and 287 set up the principle that if someone uses computers (for example, through hacking, phishing Possession or use of hardware, software or other tools used to or other Internet-related illegal action) to commit other crimes, i.e. commit cybercrime (e.g. hacking tools) crimes that traditionally had no relationship with the Internet, such If someone possesses or uses hardware, software or other tools to as financial fraud, theft, embezzlement, misappropriation of public commit cybercrime prescribed in the Criminal Law, depending on funds and theft of state secrets, the offender shall be convicted of the the crime committed, the offender may be convicted in accordance crime – the penalty of which is heavier. with the corresponding article in the Criminal Law, such as the Hacking (i.e. unauthorised access) “crime of invading computer information system”. Pursuant to Article 285 of the Criminal Law, activities which involve There is also an offence, i.e. “illegal use of information networks”, invading a computer information system in the areas of State affairs, which involves activities that take advantage of an information national defence or advanced science and technology constitute the network to establish websites and communication groups for “crime of invading computer information system”. The offender shall criminal activities, such as defrauding, teaching criminal methods, be sentenced to a fixed-term imprisonment of not more than three producing or selling prohibited items and controlled substances. If the criminal activity also constitutes another offence, the offender years or detention. For activities of invading a computer information shall be convicted of the crime which is of a heavier penalty. system other than those in the above areas, it may constitute “crime of obtaining data from computer information system and controlling Identity theft or identity fraud (e.g. in connection with access computer information system” and the offender shall be sentenced to devices) a fixed-term imprisonment of not more than three years or detention, Under the Criminal Law, for identity theft, if the offender obtains or imprisonment of three to seven years in serious cases. If an entity identities by stealing or otherwise illegally acquires the personal commits those crimes, such entities shall be fined, and the persons information of citizens, such activity may be convicted as the “crime of who are directly in charge and the other persons who are directly infringing citizen’s personal information” pursuant to Article 253(1). If liable for the offences shall be punished accordingly. someone uses the stolen identity of others as its own proof of identity, Denial-of-service attacks such behaviour may constitute the “crime of identity theft” under Article 281 of the Criminal Law; in case such person uses the stolen Pursuant to Article 286 of the Criminal Law, denial-of-service attacks identity to commit fraud or other criminal activities, he/she should be could constitute the “crime of sabotaging computer information system” convicted of the crime the penalty of which is higher. and more than five years’ imprisonment may be given in serious cases.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 43 © Published and reproduced with kind permission by Global Legal Group Ltd, London King & Wood Mallesons China

Electronic theft (e.g. breach of confidence by a current or former conditions prescribed in these articles. However, the mitigation employee, or criminal copyright infringement) conditions prescribed in the Criminal Law for all crimes are If a current or former employee breaches confidentiality obligations applicable. For example, if an offender voluntarily gives oneself up and causes infringement of personal information, trade secret, state to the police and confesses his crimes or exposes others’ crimes that secret, etc., the offender will be convicted pursuant to Article 287 can be verified, the offender would be given a mitigated punishment. and punished in accordance with the relevant provisions of the Criminal Law, such as the “crime of infringing trade secrets”. 1.4 Are there any other criminal offences (not specific Any other activity that adversely affects or threatens the to cybersecurity) in your jurisdiction that may arise security, confidentiality, integrity or availability of any IT in relation to cybersecurity or the occurrence of an

China Incident (e.g. terrorism offences)? Please cite any system, infrastructure, communications network, device or data specific examples of prosecutions of these offences If someone, in violation of laws and regulations, deletes, amends, adds in a cybersecurity context. or disturbs functions of a computer information system and causes the computer information system’s inability to work normally or conducts Article 287(2) of the Criminal Law provides for the “crime of operations of deletion, amendment or addition towards the data or assisting information network criminal activity”, which regulates application programs which are stored, disposed of or transmitted activities of providing Internet access, server hosting, network in a computer information system, and serious consequences are storage, communication transmission and other technical support caused, such activities constitute the “crime of sabotaging computer while being aware that others use such information networks to information system” under Article 286 of the Criminal Law. The commit criminal offences (e.g. activities that lead to cybersecurity offender shall be sentenced to a fixed-term imprisonment of more incidents or terrorism activities). than five years if serious consequences are incurred. Failure by an organisation to implement cybersecurity measures 2 Applicable Laws Pursuant to Article 286(1) of the Criminal Law, if an organisation is a network service provider, and does not perform its duties of safety management, provided by laws and administrative regulations, on 2.1 Please cite any Applicable Laws in your jurisdiction its information network, and refuses to correct their conduct after applicable to cybersecurity, including laws applicable the regulatory authorities order them to rectify the non-performance, to the monitoring, detection, prevention, mitigation the organisation shall be fined, and the persons who are directly in and management of Incidents. This may include, for example, laws of data protection, intellectual charge and the other persons who are directly liable for the offences property, breach of confidence, privacy of electronic may be sentenced to a fixed-term imprisonment of no more than communications, information security, and import / three years, under any of the following circumstances: export controls, among others. (1) resulting in the dissemination of a large number of illegal information; The Cybersecurity Law of the People’s Republic of China (2) causing the disclosure of user information, resulting in (“Cybersecurity Law”), which came into force on June 1st 2017, is serious consequences; a law covering various aspects of network security and has laid the (3) causing the damage or loss of criminal evidence which results foundation for a comprehensive cybersecurity regulatory regime of in serious consequences; or China. So far, a series of specific measures aimed at facilitating the (4) other serious circumstances. implementation of the Cybersecurity Law have already been enacted, such as the Measures on the Security Review of Network Products and Services (for Trial Implementation) and the National Emergency 1.2 Do any of the above-mentioned offences have Response Plan for Cybersecurity Incidents. Meanwhile, the draft extraterritorial application? regulations and guidelines on the protection of critical information infrastructure (“CII”) and security assessment of outbound data All of the above-mentioned offences have extraterritorial transfers have been finished and the relevant authorities are now application. First, if the criminal act or its consequence takes place seeking opinions, including the draft Regulations on the Security within the territory of China, the crime shall be deemed to have been Protection of Critical Information Infrastructure, the draft Measures committed within the territory of China. Second, the Criminal Law for the Security Assessment of Personal Information and Important is applicable to the citizens of China who commit crimes prescribed Data to be Transmitted Abroad, and the draft Guidelines for the in the Criminal Law outside the territory of China; however, if the Security Assessment of Cross-Border Data Transfer. maximum penalty of such crime prescribed in the Criminal Law is a fixed-term imprisonment of not more than three years, the offender could be exempted from punishment. Third, if a foreigner 2.2 Are there any cybersecurity requirements under commits a crime outside the territory of China against the State or Applicable Laws applicable to critical infrastructure against Chinese citizens, the offender may be convicted pursuant in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction to the Criminal Law if the Criminal Law prescribes a minimum expected to implement the Network and Information punishment of fixed-term imprisonment of not less than three Systems Directive? Please include details of any years; but, the Criminal Law shall not apply if it is not punishable instances where the implementing legislation in your according to the law of the place where it was committed. jurisdiction is anticipated to exceed the requirements of the Directive.

1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an The Cybersecurity Law includes provisions on the security protection exception to any of the above-mentioned offences? of CII. The draft Regulations on the Security Protection of Critical Information Infrastructure further specify the requirements on the For the above-mentioned offences, there are no specific mitigation security protection of critical information infrastructure, including

44 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London King & Wood Mallesons China

CII operators’ obligations relating to the setting up, suspension of operation and occurrence of security incidents of CII, daily security 2.5 Are organisations required under Applicable Laws, or maintenance, security monitoring and assessment, data local storage otherwise expected by a regulatory or other authority, to report information related to Incidents or potential and security assessment of outbound data transfers, security of Incidents to a regulatory or other authority in your network products and services procured, etc. jurisdiction? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to 2.3 Are organisations required under Applicable Laws, which the information is required to be reported; (c) or otherwise expected by a regulatory or other the nature and scope of information that is required authority, to take measures to monitor, detect, prevent to be reported (e.g. malware signatures, network

or mitigate Incidents? If so, please describe what China vulnerabilities and other technical characteristics measures are required to be taken. identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by Yes. The Cybersecurity Law, the Regulations on the Security which the organisation might prevent publication of Protection of Computer Information System, the Emergency that information. Response Plan for Cybersecurity Incidents, and other relevant laws and regulations have provided for network operators’ legal duties Yes. when facing cybersecurity incidents, which in general could be (a) The reporting obligation will be triggered by the occurrence categorised into the following: of an incident threatening network security. (1) regular preventive work: network operators must adopt (b) Pursuant to the Cybersecurity Law and relevant regulations, regular measures to prevent cybersecurity incidents, including network operators shall at least timely notify the local adopting technical measures to prevent cybersecurity government, industry regulator and local violations such as computer viruses, cyberattacks and administrations. Pursuant to the Regulations of the People’s network intrusions, adopting technical measures to monitor Republic of China on the Security Protection of Computer and record the network operation status and cybersecurity Information System, any case arising from computer events, maintaining cyber-related logs for no less than six information systems shall be reported to the public security months, etc.; authority within 24 hours. Moreover, if there is a possibility (2) emergency measures for security incidents: network of information leakage related to national security, the operators must develop an emergency plan for cybersecurity national security authorities shall also be informed. incidents in order to promptly respond to security risks, to (c) At least the following contents are required to be reported: take remedial actions immediately, to notify affected data information of the notification party; description of the subjects, and to report the case to the competent authorities network security incident; detailed information about the as required; and incident; nature of the incident; affected properties (if any); (3) after-action review: to keep communication with and assist personal information being affected/breached (if any); the authorities to finish their investigation and review after an preliminary containment measures that have been taken; and incident, such as providing a summary of the cause, nature, preliminary assessment on the severity of the incident. and influence of the security incident and improvement (d) If the publication of incident-related information will measures. jeopardise national security or public interest, then such publication shall be prohibited. 2.4 In relation to any requirements identified in question 2.3 above, might any conflict of laws issues 2.6 If not a requirement, are organisations permitted by arise? For example, conflicts with laws relating Applicable Laws to voluntarily share information to the unauthorised interception of electronic related to Incidents or potential Incidents with: (a) communications or import / export controls of a regulatory or other authority in your jurisdiction; encryption software and hardware. (b) a regulatory or other authority outside your jurisdiction; or (c) other private sector organisations Conflict of law issues may arise, as although China’s cybersecurity or trade associations in or outside your jurisdiction? laws and regulations in general apply to network operators within the territory of China, any activities outside China that may threaten Pursuant to the Cybersecurity Law, the authorities support the the cybersecurity of China could also be governed by Chinese laws. cooperation among network operators in the collection, analysis For example, in terms of import/export controls of encryption and notification of cybersecurity information and the emergency software and hardware, pursuant to the Regulation on the response, in order to improve their capability for cybersecurity Administration of Commercial Cipher Codes of China, import of protection. But the releasing of cybersecurity information, such as encryption products and equipment with encryption technology or system bugs, computer viruses, network attacks and intrusions, to export of commercial encryption products shall be approved by the the public shall be carried out in compliance with the applicable national encryption administrations. Any sale of foreign encryption regulations. products by an entity or individual is prohibited. In China, users, suppliers and research institutions are encouraged to report any potential system vulnerabilities identified to the China National Vulnerability Database, an official database operated by the National Network Emergency Response Coordination Center of China, so as to gather, verify and warn against any security vulnerabilities and to establish an effective and coordinated emergency response mechanism among all operators.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 45 © Published and reproduced with kind permission by Global Legal Group Ltd, London King & Wood Mallesons China

of Public Security, and the National Standardization Committee 2.7 Are organisations required under Applicable Laws, or jointly initiated an inspection on the “privacy policy” of network otherwise expected by a regulatory or other authority, operators to identify any non-compliance with the rules of personal to report information related to Incidents or potential information protection. Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this Also, early in May 2017, before the implementation of the reporting obligation is triggered; and (b) the nature and Cybersecurity Law, 15 data companies were questioned by the scope of information that is required to be reported. CAC, challenging the legality of data collection.

Under the Cybersecurity Law, in case of disclosure, damage or loss of,

China or possible disclosure, damage or loss of user information, the network 3 Specific Sectors operator is obligated to take immediate remedies and notify the affected users promptly. Currently, relevant laws and regulations do not provide 3.1 Does market practice with respect to information specific requirements about the nature and scope of information to security (e.g. measures to prevent, detect, mitigate be reported; according to the draft Information Security Techniques – and respond to Incidents) vary across different Personal Information Security Specification, recommended standards business sectors in your jurisdiction? Please include formulated by the National Standardization Committee, operators shall details of any common deviations from the strict legal at least inform data subjects of the general description of the incident requirements under Applicable Laws. and its impact, any remedial measures taken or to be taken, suggestions for individual data subjects to mitigate risks, contact information of the Although industries or sectors such as telecoms, credit reporting, person responsible for dealing with the incident, etc. banking and finance, and insurance have some specific requirements with respect to the collection and protection of information, the prevention of information leakage, and the emergency response 2.8 Do the responses to questions 2.5 to 2.7 change if the to incidents, these requirements are, in general, in line with those information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email address under the Cybersecurity Law without deviations. from which a phishing email originates); (d) personally identifiable information of cyber threat actors; and (e) 3.2 Are there any specific legal requirements in relation personally identifiable information of individuals who to cybersecurity applicable to organisations have been inadvertently involved in an Incident? in: (a) the financial services sector; and (b) the telecommunications sector? When reporting an incident to the regulatory authorities, network operators are required to provide any information relating to the Yes. For example, pursuant to the Provisions on Protecting the incident as required by the authorities, even if such information Personal Information of Telecommunications and Internet Users, involves sensitive business information or personal identifiable telecommunication business operators or Internet information service information, so as to effectively cooperate with the authorities in providers shall record information such as the staff members who investigating and dealing with the incident. perform operations on the personal information of users, the time and place of such operations, and the matters involved, to prevent user 2.9 Please provide details of the regulator(s) responsible information from being divulged, damaged, tampered with or lost. for enforcing the requirements identified under questions 2.3 to 2.7. 4 Corporate Governance Any regulators identified under question 2.5 above to which network operators are required to report an incident shall have the authority 4.1 In what circumstances, if any, might a failure by to enforce the requirements identified under questions 2.3 to 2.7. a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to a breach of directors’ duties in your jurisdiction? 2.10 What are the penalties for not complying with the requirements identified under questions 2.3 to 2.8? Under the Cybersecurity Law, if a company, as a network operator, Pursuant to the Cybersecurity Law, in the case of non-compliance, fails to fulfil the obligation of security protection to ensure that network operators may be given a warning, ordered to take the network is free from interference, disruption or unauthorised rectification measures, or imposed fines by the relevant authorities. access, and to prevent network data from being disclosed, stolen or tampered, fails to satisfy the mandatory requirements set forth in the applicable national standards, or fails to develop an emergency 2.11 Please cite any specific examples of enforcement plan for cybersecurity incidents, a fine ranging from 10,000 yuan to action taken in cases of non-compliance with the 100,000 yuan shall be imposed on the responsible person directly above-mentioned requirements. in charge. Moreover, as mentioned in question 1.1 above, pursuant to Article One of the first enforcement actions taken since the implementation 286(1), if a network service provider fails to perform its duties of of the Cybersecurity Law relates to the failure to maintain web logs. security protection on the information network as required by laws The cybersecurity team of the public security bureau of Chongqing and administrative regulations, and refuses to correct their conduct Municipality gave warnings to a company providing a data centre after the regulatory authorities order them to rectify the non- service for failure to keep a web log, as required by the Cybersecurity performance, the network operator shall be fined, and the persons Law, and ordered it to rectify the non-compliance. who are directly in charge and the other persons who are directly In late July, the Cyberspace Administration of China (“CAC”), liable for the offences may be sentenced. the Ministry of Industry and Information Technology, the Ministry

46 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London King & Wood Mallesons China

unauthorised access to or disclosure of personal information 4.2 Are companies (whether listed or private) required collected and kept by the network operator, the individuals being under Applicable Laws to: (a) designate a CISO; affected could bring a lawsuit against such network operator for (b) establish a written Incident response plan or breach of security protection obligations or for disclosing personal policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform information by negligence on the basis of tort pursuant to the penetration tests or vulnerability assessments? General Provisions of the Civil Law of the People’s Republic of China and the Tort Law of the People’s Republic of China. Under the Cybersecurity Law, all network operators are required Further, as confirmed by the decision on the Sina/Maimai case by to designate a person in charge of cybersecurity, such as a CISO, the Beijing Intellectual Property Court, user data/information is an to establish an emergency plan for cybersecurity incidents, and to important operating resource of and confers competitive advantages China take technical measures to monitor and record network operation to network operators. If a network operator “steals” data from and cybersecurity events. its competitor by accessing the data of such competitor without In addition, pursuant to Article 38 of the Cybersecurity Law, CII authorisation, the aggrieved party could sue the infringing party for operators are required to conduct, by itself or entrusting a service unfair competition on the basis of the Anti-unfair Competition Law provider, an examination and assessment of its cybersecurity and of the People’s Republic of China. the potential risks at least once a year, and submit the examination and assessment results, as well as improvement measures, to the 5.2 Please cite any specific examples of cases that competent authorities in charge of the security of the CII. That is to have been brought in your jurisdiction in relation to say, periodic cyber risk assessments and vulnerability assessments Incidents. are mandatory for CII operators. There is no clear requirement to include third-party vendors in the Qunar, a major online ticket-booking platform in China, and China scope of the risk assessment. However, critical network equipment Eastern Airlines were sued by its user for tort before the First and special-purpose cybersecurity products provided by third-party Intermediate People’s Court of Beijing in March 2017, as the user’s vendors should satisfy the compulsory requirements set forth in personal information, including name and telephone number, was the national standards and shall not be sold or supplied until such disclosed by Qunar and China Eastern Airlines to a third party who equipment or product successfully passes security certification or sent phishing messages to such user claiming that the flight booked security tests by a qualified organisation. was cancelled. The court ordered Qunar and China Eastern Airlines to apologise to the plaintiff. As mentioned in question 5.1 above, in the Sina/Maimai case, 4.3 Are companies (whether listed or private) subject to any specific disclosure requirements in relation Maimai illegally accessed and collected user information from Sina to cybersecurity risks or Incidents (e.g. to listing without authorisation, Sina brought a lawsuit against Maimai for authorities, the market or otherwise in their annual unfair competition, and the court upheld the claims made by Sina reports)? and ordered Maimai to stop its illegal activities, apologise in public, and compensate Sina. Please refer to the answers to questions 2.5, 2.6 and 2.7 above. In addition, listed companies may have the duty to disclose 5.3 Is there any potential liability in tort or equivalent cybersecurity risks or incidents to the China Securities Regulatory legal theory in relation to an Incident? Commission or disclose such information in their annual reports, depending on whether such information is deemed as major events Please refer to the answer to question 5.1. and required to be disclosed.

6 Insurance 4.4 Are companies (whether public or listed) subject to any other specific requirements under Applicable Laws in relation to cybersecurity? 6.1 Are organisations permitted to take out insurance against Incidents in your jurisdiction? In general, network operators’ obligations in relation to cybersecurity under relevant laws and regulations include maintaining the security Yes, organisations may take out insurance against incidents, of the network operation, and protecting the security of network provided that such insurance categories are within the permitted information. The Cybersecurity Law has established the relevant scope of insurance regulations and have been approved by or mechanism for the above purpose, such as regulations in relation to filed with the China Insurance Regulatory Commission (CIRC). personal information protection, CII protection, cross-border data Currently, in China, there are already several insurance agents transmission, emergency response for incidents, and security review providing insurances related to incidents such as data leakage, of network products and services. Under each of these mechanisms, hacking, etc. network operators are subject to specific obligations.

6.2 Are there any regulatory limitations to insurance 5 Litigation coverage against specific types of loss, such as business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal 5.1 Please provide details of any civil actions that may be limits placed on what the insurance policy can cover? brought in relation to any Incident and the elements of that action that would need to be met. So far we are not aware of any regulation that sets out limitations specifically on insurance against incidents. Normally, the coverage From the perspective of individuals, if an incident results in of loss will be decided through private negotiation between the

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 47 © Published and reproduced with kind permission by Global Legal Group Ltd, London King & Wood Mallesons China

insurer and the applicant, as long as such coverage does not violate are entitled to have investigatory power regarding an incident, such mandatory regulations in China. as: (1) CAC, which is responsible for the overall planning and coordination of cybersecurity work and the relevant 7 Employees supervision and administration; and (2) the authority in charge of telecommunication, the public 7.1 Are there any specific requirements under Applicable security authority and other relevant authorities of the State Law regarding: (a) the monitoring of employees for Council, which will take charge of protecting, supervising the purposes of preventing, detection, mitigating and and administrating cybersecurity pursuant to the present regulations in China.

China responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents The specific investigatory power of the above enforcement agencies by employees to their employer? could be found in a number of laws and regulations. For example, as stated in Article 54 of the Cybersecurity Law, the relevant Article 21 of the Cybersecurity Law has set out several general departments of the government at provincial level and above are obligations for network operators in terms of the issue of employees, entitled to take the following measures in case of an increasing risk including formulating internal security management systems of an incident: and operation instructions, and determining a person in charge of (1) require authorities, organs and personnel concerned to cybersecurity so that his responsibility will be clearly defined. promptly collect and report necessary information; Apart from that, pursuant to Article 34 of the Cybersecurity Law, (2) organise authorities, organs and professionals concerned to CII operators shall establish a dedicated security management body, analyse and evaluate cybersecurity risks; and designate a person in charge, and review the security backgrounds (3) give warnings to the public about the cybersecurity risks and of the said person and those in key positions. Furthermore, CII release prevention and mitigation measures. operators are also obliged to provide the relevant employees Pursuant to Article 19 of the Anti-Terrorism Law of the People’s with regular cybersecurity education, technical training and skill Republic of China (“Anti-Terrorism Law”), where a risk assessment. of terrorism may arise in an incident, the CAC, competent It is understood that specific requirements on the monitoring of telecommunications department, public security department, as employees or the reporting by employees may be stipulated in the well as the national security department shall engage the following internal rules or policies of network operators for the purpose of actions in accordance with their respective duties: security protection. (1) order the relevant entities to stop transmission and delete the information involving terrorism and extremism; and 7.2 Are there any Applicable Laws (e.g. whistle-blowing (2) shut down the relevant sites, and cease the related services. laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents by an employee? 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide From the perspective of commercial practice, as companies will law enforcement authorities with encryption keys? impose confidentiality obligations on their employees (say, in the employment contract or separate confidentiality agreement or First, the Cybersecurity Law has made it clear that network internal company rules and policies), an employee’s reporting of operators shall provide technical support for the public security the vulnerability of his company’s network system to a third party department and the national security department specifically on would probably lead to a failure to fulfil such obligations. two matters: 1) safeguard of national security; and 2) investigation of crimes. Second, the Anti-Terrorism Law explicitly states that 8 Investigatory and Police Powers telecommunications operators and Internet service providers shall facilitate the relevant departments in terrorism cases, such as providing technical interfaces and decryption services. Moreover, 8.1 Please provide details of any investigatory powers of for entities and individuals which engage in international network law enforcement or other authorities under Applicable connections, public security departments may also ask them to Laws in your jurisdiction (e.g. antiterrorism laws) that provide information, materials and digital files on security protection may be relied upon to investigate an Incident. matters when investigating crimes committed through computer networks connected with international networks. In accordance with the Cybersecurity Law and other relevant regulations, generally there are several enforcement agencies that

48 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London King & Wood Mallesons China

Susan Ning Han Wu King & Wood Mallesons King & Wood Mallesons 40th Floor, Office Tower A 40th Floor, Office Tower A Beijing Fortune Plaza Beijing Fortune Plaza 7 Dongsanhuan Zhonglu, Chaoyang District 7 Dongsanhuan Zhonglu, Chaoyang District Beijing 100020 Beijing 100020 China China

Tel: +86 10 5878 5010 Tel: +86 10 5878 5749 Email: [email protected] Email: [email protected] URL: www.kwm.com URL: www.kwm.com China

Susan Ning is a senior partner and the head of the Commercial and Han Wu is a senior associate of the Commercial and Regulatory Group. Regulatory Group. She is one of the first legal practitioners in China He currently provides legal services with regard to cybersecurity, data to practise antitrust and competition law, and also one of the pioneers compliance, and antitrust. engaged in the cybersecurity and data compliance practice in China. In the area of cybersecurity and data compliance, Han provides In the area of cybersecurity and data compliance, Susan’s practice various services including assisting clients in establishing internal covers self-assessment of network security, responding to network cybersecurity compliance system, conducting internal training of security checks initiated by authorities, data compliance training, cybersecurity and data compliance, conducting due diligence of data due diligence of data transactions, compliance of cross-border data transactions, assisting clients to design plans for cross-border data transmission, etc. Susan has assisted companies in sectors such transfers, and providing advice on responding to investigations on as IT (including emerging block chain technology), transportation, cybersecurity and emergency cybersecurity incidents. online payment, consumer goods, finance (including digital currency), Han has provided legal services on cybersecurity and data Internet of Vehicles, and in dealing with network security and data compliance for many leading enterprises in multiple industries. The compliance issues. projects he participated in cover the industry of financial payment, Susan and her team have been highly acclaimed for years and financial clearing, issuance of a new type of financial project (ICO), recognised and awarded by different reputed legal ranking institutions online platform for vehicle booking, consumer electronics, Internet and well-known legal magazines on many occasions. advertising, personal care, etc. Susan holds a Bachelor of Laws from Peking University and a Master Han used to work for SJ Berwin, London Office, in 2015. He obtained of Laws from McGill University. Susan was admitted as a Chinese his Bachelor’s degree in Geographic Information System from Wuhan lawyer in 1988. University. Han holds both Juris Doctor and Master of Laws degrees from Peking University in Beijing.

Recognised as one of the world’s most innovative law firms, King & Wood Mallesons offers a different perspective to commercial thinking and the client experience. With access to a global platform, a team of over 2000 lawyers in 26 locations around the world works with clients to help them understand local challenges, navigate through regional complexity, and to find commercial solutions that deliver a competitive advantage for our clients. As a leading international law firm headquartered in Asia, we help clients to open doors and unlock opportunities as they look to Asian markets to unleash their full potential. Combining an unrivalled depth of expertise and breadth of relationships in our core markets, we are connecting Asia to the world, and the world to Asia. We take a partnership approach in working with clients, focusing not just on what they want, but how they want it. Always pushing the boundaries of what can be achieved, we are reshaping the legal market and challenging our clients to think differently about what a law firm can be.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 49 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 9

England & Wales Nigel Parker

Allen & Overy LLP Alex Shandro

to commit, or which may be likely to be used to commit, an offence 1 Criminal Activity under section 1 (see the answer in respect of hacking) or section 3 (see the answer in respect of denial-of-service attacks) of the Act. 1.1 Would any of the following activities constitute a On indictment, the maximum penalty is two years’ imprisonment or criminal offence in your jurisdiction? If so, please an unlimited fine, or both. provide details of the offence, the maximum penalties Identity theft or identity fraud (e.g. in connection with access available, and any examples of prosecutions in your devices) jurisdiction: Yes. Under the Fraud Act 2006, it is an offence to dishonestly make Hacking (i.e. unauthorised access) a false representation, knowing that the representation was or may be untrue or misleading, with the intent of making a gain for yourself Yes. Under the Computer Misuse Act 1990, it is an offence to or another or causing a loss or risk of loss to another (i.e. fraud cause a computer to perform any function with the intent to secure by false representation). On indictment, the maximum penalty is unauthorised access to any program or data held in a computer (or 10 years’ imprisonment. In 2014, an individual was convicted of enable such access to be secured). On indictment, the maximum offences under the Fraud Act 2006 and Computer Misuse Act 1990 penalty is two years’ imprisonment or an unlimited fine, or both. In (in relation to stolen bank and credit card details) and was sentenced 2012, two separate cases were prosecuted involving unauthorised to a total of three years’ imprisonment. access to accounts and Facebook’s computers (respectively). In the first instance, the individual was sentenced Electronic theft (e.g. breach of confidence by a current or former to four and eight months concurrent in a young offender institution. employee, or criminal copyright infringement) In the latter, the individual was sentenced to four months’ Yes. This may constitute an offence under the Computer Misuse imprisonment. Act 1990 (such as hacking) as well as a financial crime, such as theft Denial-of-service attacks (under the Theft Act 1990). A breach of confidence or misuse of private information is actionable as a common law tort, but not as a Yes. Under the Computer Misuse Act 1990, it is an offence to do criminal offence in itself. any unauthorised act in relation to a computer that a person knows to be unauthorised, with the intent of impairing the operation of any Any other activity that adversely affects or threatens the computer, preventing or hindering access to any program or the data security, confidentiality, integrity or availability of any IT held in any computer, impairing the operation of any program or the system, infrastructure, communications network, device or data reliability of any data, or enabling any of the above. On indictment, Please see above. the maximum penalty is 10 years’ imprisonment or an unlimited Failure by an organisation to implement cybersecurity measures fine, or both. In 2013, an individual was sentenced to two years’ Under the Data Protection Act 1998 (and, from 25 May 2018, the imprisonment in relation to denial-of-service attacks against various GDPR), organisations are required to implement technical and websites and targeting two private individuals. organisational measures to safeguard personal data, which may Phishing involve implementing cybersecurity measures. A failure to implement Yes. See the answer in respect of hacking. these measures is not, in itself, a criminal offence. However, the ICO Under the Fraud Act 2006, phishing could also constitute fraud may investigate such a failure (if, for example, an Incident occurred by false representation if (for example) an email was sent falsely and this triggered an investigation) and issue an enforcement notice representing that it was sent by a legitimate firm. On indictment, the requiring the organisation to comply with its obligation to implement maximum penalty is 10 years’ imprisonment. appropriate security measures. Failure to comply with such an enforcement notice is a criminal offence. It remains to be seen whether Infection of IT systems with malware (including ransomware, the UK will adopt a similar approach in respect of enforcement of spyware, worms, trojans and viruses) obligations to implement security measures under the NIS Directive. Yes. See the answer in respect of denial-of-service attacks. Possession or use of hardware, software or other tools used to 1.2 Do any of the above-mentioned offences have commit cybercrime (e.g. hacking tools) extraterritorial application? Yes. Under the Computer Misuse Act 1990, it is an offence to make, adapt, supply or offer to supply any article intending it to be used Yes. For certain offences under the Computer Misuse Act 1990

50 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP England & Wales

(such as hacking, phishing or denial-of-service attacks), the offence ■ The Network and Information Systems Directive (NIS will be committed where there is a “significant link to the domestic Directive) will be implemented in the UK in 2017 (see the jurisdiction”. This includes the person committing the offence being answer to question 2.2). in the UK, the target computer being in the UK or a UK national ■ Public companies are subject to additional governance committing the offence while outside the UK (provided in the latter obligations under the Companies Act 2006, Disclosure instance that the act was still an offence in the country where it took and Transparency Rules (DTR) in the Financial Conduct place). Authority (FCA) Handbook, Listing Rules in the FCA Handbook and the risk management and control provisions in the UK Corporate Governance Code, which can directly or 1.3 Are there any actions (e.g. notification) that might indirectly relate to cybersecurity. mitigate any penalty or otherwise constitute an ■ The Regulation of Investigatory Powers Act 2000 (RIPA) exception to any of the above-mentioned offences? governs the investigative powers of law enforcement, such as surveillance and interception of communications data. There is an exemption for certain offences under the Computer RIPA will ultimately be replaced by the Investigatory Powers England & Wales Misuse Act 1990 (such as hacking, phishing or denial-of-service Act 2016, the operative provisions of which are not yet all in attacks) in respect of an enforcement officer acting in accordance force. with legislation to facilitate inspection, search or seizure without a ■ The Computer Misuse Act 1990 sets out various cybercrime person’s consent. There are no general defences under the Computer offences (see the answers to question 1.1), which may be Misuse Act 1990. prosecuted in conjunction with offences under the Theft Act 1968 or the Fraud Act 2006. ■ The Official Secrets Act 1989 may also apply in respect of 1.4 Are there any other criminal offences (not specific servants of the Crown or UK government contractors, and to cybersecurity) in your jurisdiction that may arise creates offences in relation to disclosure (or failure to secure) in relation to cybersecurity or the occurrence of an certain information which may be damaging to the UK’s Incident (e.g. terrorism offences)? Please cite any interests. specific examples of prosecutions of these offences in a cybersecurity context. ■ Various common law doctrines may also apply in respect of civil actions (see the answer to question 5.1). Certain terrorism offences may arise in relation to cybersecurity. For example, under the Terrorism Act 2000 it is an offence to take 2.2 Are there any cybersecurity requirements under any action designed to seriously interfere with or seriously disrupt Applicable Laws applicable to critical infrastructure an electronic system if this is designed to influence the government in your jurisdiction? For EU countries only, how or intimidate the public or a section of the public, or for the purpose (and according to what timetable) is your jurisdiction of advancing a political, religious, racial or ideological cause. In expected to implement the Network and Information Systems Directive? Please include details of any this context, offences under UK terrorism legislation also include instances where the implementing legislation in your planning, assisting or collecting information on how to commit jurisdiction is anticipated to exceed the requirements an act of terrorism. There have been a number of prosecutions of of the Directive. terrorism offences that involved seizure of the suspect’s computer to secure evidence of the offence. Cybersecurity requirements in the telecommunications sector are set out in the Communications Act 2003 (for example, in respect 2 Applicable Laws of maintaining the security and integrity of public electronic communications networks and public electronic communications services). These requirements apply to providers of public electronic 2.1 Please cite any Applicable Laws in your jurisdiction communications networks and public electronic communications applicable to cybersecurity, including laws applicable services, and include taking measures to prevent or minimise the to the monitoring, detection, prevention, mitigation impact of Incidents on end users and on interconnection of networks. and management of Incidents. This may include, Financial services infrastructure providers may be regulated by the for example, laws of data protection, intellectual property, breach of confidence, privacy of electronic FCA and subject to the requirements in the Senior Management communications, information security, and import / Arrangements Systems and Controls part of the FCA Handbook (see export controls, among others. the answer to question 3.2). These organisations will be operators of essential services for the purposes of the Directive. The UK legal framework for cybersecurity is dispersed, with a The UK government published a public consultation on its number of different laws that may apply depending on the context proposed implementation of the Directive in August 2017. The of the Incident and the nature of the organisation involved. UK proposes to nominate sector-based competent authorities, ■ To the extent that Incidents involve personal data, the Data with the National Cyber Security Centre as the UK’s single point Protection Act 1998 will apply. From 25 May 2018, this will of contact for Incident reporting. The consultation indicates that be replaced by the EU General Data Protection Regulation Incident-reporting requirements by essential services operators will (GDPR). be aligned to the GDPR (i.e. without undue delay and not later than ■ In respect of telecommunications, public electronic 72 hours after becoming aware of the Incident). Penalties are also communications network providers and public electronic proposed to be aligned to the GPDR, with two bands of fines up to communications service providers are subject to cybersecurity a maximum of EUR10 million or 2% of annual worldwide turnover obligations under the Communications Act 2003. for offences including failure to report an Incident, and up to EUR20 ■ Public electronic communications service providers are million or 4% of annual worldwide turnover for failure to implement also subject to cybersecurity obligations under the Privacy appropriate and proportionate security measures. and Electronic Communications (EC Directive) Regulations 2003 (PECR) in respect of personal data.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 51 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP England & Wales

involving personal data, although the ICO expects that “serious 2.3 Are organisations required under Applicable Laws, breaches” will be voluntarily reported. or otherwise expected by a regulatory or other authority, to take measures to monitor, detect, prevent However, under the GDPR, which will apply from 25 May 2018, or mitigate Incidents? If so, please describe what a data controller will be required to notify an Incident involving measures are required to be taken. personal data to the ICO without undue delay and, where feasible, within 72 hours after becoming aware of it unless it is unlikely to Under the Data Protection Act 1998 (and, from 25 May 2018, the result in risks to individuals. This notification must include: (a) a GDPR) if the organisation is a data controller in respect of personal description of the nature of the Incident (including, where possible, data (i.e. it determines how and why personal data is processed) it the categories and approximate number of affected individuals and will be required to implement appropriate technical organisational the categories and approximate number of personal data records measures to ensure a level of security of that personal data concerned); (b) the name and contact details of a contact point appropriate to the risk, including the risk of accidental or unlawful where the affected individual can obtain further information (which England & Wales disclosure of or access to that data. will be the organisation’s data protection officer if there is one); (c) the likely consequences of the Incident; and (d) the measures taken, The NIS Directive, which will be implemented in the UK before 9 or proposed to be taken, by the organisation to address the Incident May 2018, also requires operators of essential services and digital and mitigate possible adverse effects. In certain circumstances, the service providers to take appropriate and proportionate technical Incident will also need to be notified to affected data subjects (see and organisational risk management measures, including to prevent the answer to question 2.7). and minimise the impact of Incidents. Under the Data Protection Act 1998, the ICO is not permitted to Under PECR, a public electronic communications service provider publicise any information that has been disclosed to it (for example, must take appropriate technical and organisational measures to through notification of an Incident) if that information relates to an safeguard the security of their service and maintain a record of all identified or identifiable individual or business and is not already Incidents involving a personal data breach in an inventory or log. in the public domain. However, this restriction on publication This must contain the facts surrounding the breach, the effects of the will not apply in certain cases, such as if the ICO determines that breach and the remedial action taken by the service provider. publication is in the public interest. The ICO’s practice is not to publicise data breach notification information unless it has taken 2.4 In relation to any requirements identified in question public enforcement action in relation to the breach, or publication is 2.3 above, might any conflict of laws issues necessary in the public interest (e.g. to allay public concern). arise? For example, conflicts with laws relating to the unauthorised interception of electronic The NIS Directive also requires operators of essential services communications or import / export controls of and digital service providers to report Incidents to the competent encryption software and hardware. authority without undue delay. The competent authority may inform the public where public awareness is needed either to prevent or Yes. Obligations to implement effective security measures, systems resolve the Incident, or where this would otherwise be in the public and controls may conflict with Applicable Laws relating to unlawful interest, but the organisation will be consulted before disclosure interception of communications. Under RIPA, it is an offence to to the public is made to preserve confidentiality and commercial intentionally and without lawful authority intercept a communication interests. in the course of its transmission. Interception will be lawful if: Under the Communications Act 2003, a public electronic (a) both sender and recipient have consented; (b) the interception communications network provider must notify Ofcom of a breach is carried out by a communications service provider for purposes of security that has a significant impact on the network’s operation. connected with the operation of that service or to prevent fraudulent Further, a public electronic communications service provider must or improper use of that service; (c) the government has issued a notify Ofcom of a breach of security that has a significant impact on warrant; or (d) the interception is authorised by other regulations. the operation of the service. In respect of the latter, an organisation may lawfully monitor Similarly, under PECR, a public electronic communications service communications of employees in certain circumstances under the provider must notify the Information Commissioner’s Office Telecommunications (Lawful Business Practice) (Interception of (ICO) of a data breach within 24 hours of becoming aware of the Communications) Regulations 2000 (see the answer to question 7.1). ‘essential facts’ of the breach. The notification must include: (a) the service provider’s name and contact details; (b) the date and time 2.5 Are organisations required under Applicable Laws, or of the breach (or an estimate); (c) the date and time the breach was otherwise expected by a regulatory or other authority, detected; (d) basic information about the time of the breach; and (e) to report information related to Incidents or potential basic information about the personal data concerned. Incidents to a regulatory or other authority in your Organisations that are regulated by the Financial Conduct Authority jurisdiction? If so, please provide details of: (a) the (FCA) are also required to notify the FCA of any significant failure circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to in the organisation’s systems and controls under Chapter 15.3 of the which the information is required to be reported; (c) Supervision Manual of the FCA and PRA Handbooks, which may the nature and scope of information that is required include Incidents that involve data loss. Similarly, under European to be reported (e.g. malware signatures, network Banking Authority guidelines on major Incident reporting under vulnerabilities and other technical characteristics the revised Payment Services Directive, payment service providers identifying an Incident or cyber attack methodology); are required to report major operational or security Incidents to and (d) whether any defences or exemptions exist by the competent authority within four hours from the moment the which the organisation might prevent publication of that information. Incident was first detected, with intermediate updates and a final report delivered within two weeks after business is deemed back to normal. In respect of data protection law, under the Data Protection Act 1998 there is no mandatory duty to notify the ICO of a data breach

52 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP England & Wales

Listed companies may also be required to notify an Incident to 2.6 If not a requirement, are organisations permitted by the FCA if it would constitute price-sensitive information (see the Applicable Laws to voluntarily share information answer to question 4.3). related to Incidents or potential Incidents with: (a) a regulatory or other authority in your jurisdiction; (b) a regulatory or other authority outside your 2.9 Please provide details of the regulator(s) responsible jurisdiction; or (c) other private sector organisations for enforcing the requirements identified under or trade associations in or outside your jurisdiction? questions 2.3 to 2.7.

Organisations are permitted to voluntarily share information with Under data protection laws (the Data Protection Act 1998, the GDPR other regulatory or other authorities outside the UK, or with other and PECR), the relevant regulator is the ICO (https://ico.org.uk/). private sector organisations or trade associations. However, if the Under the Communications Act 2003, the relevant regulator is Incident involves personal data, any such disclosures must be made Ofcom (https://www.ofcom.org.uk/). in accordance with the requirements of data protection laws. For England & Wales example, disclosures to regulatory or other authorities outside the Under the FCA Handbook, the relevant regulator is the FCA (https:// UK must comply with restrictions on cross-border transfers of www.fca.org.uk/). personal data. 2.10 What are the penalties for not complying with the requirements identified under questions 2.3 to 2.8? 2.7 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Under the GDPR, which will apply from 25 May 2018, failure to Incidents to any affected individuals? If so, please report an Incident involving a personal data breach, or to implement provide details of: (a) the circumstance in which appropriate security measures, can incur a fine of up to the higher of this reporting obligation is triggered; and (b) the 2% of annual worldwide turnover or EUR10 million. nature and scope of information that is required to be reported. Under PECR, failure by a public electronic communications service provider to notify an Incident involving a personal data breach to the Under the GDPR, which will apply from 25 May 2018, a data ICO can incur a £1,000 fixed fine. A failure by a public electronic controller will be required to notify affected individuals of an communications service provider to take appropriate technical and Incident without undue delay if the Incident involves personal data organisational measures to safeguard the security of their service and is likely to result in a high risk to the rights and freedoms of can incur a fine of up to £500,000 from the ICO. those individuals. This notification must include: (a) a description of the nature of the Incident; (b) the name and contact details of 2.11 Please cite any specific examples of enforcement a contact point where the affected individual can obtain further action taken in cases of non-compliance with the information (which will be the organisation’s data protection officer above-mentioned requirements. if there is one); (c) the likely consequences of the Incident; and (d) the measures taken, or proposed to be taken, by the organisation to In October 2016, the ICO issued a record £400,000 fine to telecoms address the Incident and mitigate possible adverse effects. company TalkTalk for security failings that allowed a cyber attacker Under PECR, a public electronic communications service provider to access customer data. The ICO investigation found that the attack must notify affected subscribers or users of an Incident without took advantage of a technical weakness in TalkTalk’s systems which unnecessary delay if that Incident is likely to adversely affect their could have been prevented if TalkTalk had taken ‘basic steps’ to personal data or privacy. The service provider should provide a protect customer data. summary of the Incident, including the estimated date of the breach, In June 2017, the ICO issued a £100,000 fine to Gloucester City the nature and content of personal data affected, the likely effect Council after it suffered a cyber attack that allowed the attacker on the individual, any measures the service provider has taken to to gain access to financial and sensitive personal information address the Incident and information as to how the individual can relating to between 30 and 40 former or current staff. In this case, mitigate any possible adverse impact. No notification is required the ‘heartbleed’ vulnerability was widely publicised in the media if the service provider can demonstrate to the ICO’s satisfaction and the Council failed to apply an available patch for the affected that the data that has been breached was encrypted or was rendered software. unintelligible by similar security measures. 3 Specific Sectors 2.8 Do the responses to questions 2.5 to 2.7 change if the information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email 3.1 Does market practice with respect to information address from which a phishing email originates); (d) security (e.g. measures to prevent, detect, mitigate personally identifiable information of cyber threat and respond to Incidents) vary across different actors; and (e) personally identifiable information of business sectors in your jurisdiction? Please include individuals who have been inadvertently involved in details of any common deviations from the strict legal an Incident? requirements under Applicable Laws.

Reporting obligations under data protection laws will only apply Certain sectors, such as financial services and telecommunications, to the extent that the Incident involved personal data. IP addresses are more incentivised to avoid the cost and reputational impact of and email addresses may constitute or comprise personal data. Incidents. In some organisations, cybersecurity practice is driven Reporting obligations under the Communications Act 2003, PECR not only by compliance with Applicable Laws but also the desire or FCA rules may apply regardless of the information that was to promote good ‘cyber hygiene’ culture. For example, although subject to the Incident. there is no legal requirement to train employees in cyber risks, many

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 53 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP England & Wales

organisations do and may carry out simulations (such as phishing listed companies are required, under the UK Corporate Governance simulations and ‘war games’) as a matter of good practice. Code, to set up certain committees with responsibility for specific Public sector organisations (such as the National Health Service) areas, such as audit. Financial services companies may also be and government authorities are subject to additional reporting required to have a risk committee. These committees may, as part guidelines issued by the central government, in addition to disclosure of their functions, conduct risk assessments that cover cyber risk. obligations under Applicable Laws. 4.3 Are companies (whether listed or private) subject to any specific disclosure requirements in relation 3.2 Are there any specific legal requirements in relation to cybersecurity risks or Incidents (e.g. to listing to cybersecurity applicable to organisations authorities, the market or otherwise in their annual in: (a) the financial services sector; and (b) the reports)? telecommunications sector?

England & Wales Financial services organisations that are regulated by the FCA Under the Disclosure and Transparency Rules (DTR) set out in are subject to the FCA Handbook, which includes Principles for the FCA Handbook, listed companies are required to disclose an Business and the Senior Management Arrangements Systems and Incident if the Incident amounts to inside information that may affect Controls (SYSC). Under SYSC 3.2.6R, regulated financial services the company’s share price. For example, theft of business-critical organisations are required to take reasonable care to establish intellectual property is likely to be price-sensitive information. and maintain effective systems and controls for compliance with regulatory requirements and standards and for countering risk that 4.4 Are companies (whether public or listed) subject to the organisation may be used to further financial crime. Further, any other specific requirements under Applicable under SYSC 3.1.1R the organisation is required to maintain Laws in relation to cybersecurity? adequate policies and procedures to ensure compliance with those obligations and countering those risks. These requirements extend No, there are no other specific requirements. to cybersecurity issues. For example, the FCA has previously fined Norwich Union Life (£1.26 million) and three HSBC firms (£3 million) for failure to have adequate systems and controls in place 5 Litigation to protect customer confidential information and manage financial crime risk. 5.1 Please provide details of any civil actions that may be In respect of telecommunications, public electronic communications brought in relation to any Incident and the elements of network providers and public electronic communications service that action that would need to be met. providers must take appropriate technical and organisation measures to manage risks to the security of the networks and services, There are a number of potential civil actions that may be brought in including to minimise the impact of Incidents. Public electronic relation to any Incident, for example: communications network providers must also take all appropriate Breach of confidence. First, the information itself must have the steps to protect, so far as possible, the availability of that provider’s necessary quality of confidence about it. Secondly, that information network. must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it. 4 Corporate Governance Breach of contract. This could take any form from a breach of a commercial contract to an employee’s terms and conditions of 4.1 In what circumstances, if any, might a failure by employment. a company (whether listed or private) to prevent, One example may be in relation to an International Organisation mitigate, manage or respond to an Incident amount to a breach of directors’ duties in your jurisdiction? for Standardization (ISO) compliance standard in relation to information security and risk management. Although a failure to meet such a standard is not enforced by the ISO, if a party has Directors are required, under the Companies Act 2006, to promote contractually agreed or warranted that it complies with an ISO the success of the company for the benefit of its members as a whole standard, a failure to do so will be a breach of contract. and exercise reasonable skill, care and diligence in performing their role. It is up to the board of directors of each company to ensure that Breach of trust. A person who owes a fiduciary duty to another the board has the relevant competence and integrity to exercise these may not place him or herself in a situation where s/he has a personal duties in view of the risk to the company as a whole, including the interest that may conflict with the interest of the person to whom the risk of Incidents. A failure to prevent, mitigate, manage or respond fiduciary duty is owed. If an Incident is caused by an employee or a to an Incident may be a breach of directors’ duties if, for example, director, a breach of trust/fiduciary duty may be claimed. the failure resulted from a lack of skill, care and diligence on the part Causing loss by unlawful means. A defendant will be liable for of the relevant director. causing loss by unlawful means where s/he intentionally causes loss to the claimant by unlawfully interfering in the freedom of a third 4.2 Are companies (whether listed or private) required party to deal with the claimant. under Applicable Laws to: (a) designate a CISO; Compensation for breach of the Data Protection Act 1998. (b) establish a written Incident response plan or Individuals who suffer “damage” by reason of any contravention, policy; (c) conduct periodic cyber risk assessments, by a data controller, of any requirements of the Data Protection Act including for third party vendors; and (d) perform 1998 are entitled to compensation for that damage (section 13 of the penetration tests or vulnerability assessments? 1998 Act). This does not require the claimant to prove pecuniary loss. In order to claim compensation for distress under section 13 of No, there are no specific requirements in this respect. However,

54 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP England & Wales

the Data Protection Act 1998 the claimant must establish sufficient Trespass causation between the data protection breach and the distress Arqiva Ltd & Ors v Everything Everywhere Ltd & Ors [2011] suffered. EWHC 1411 (TCC): obiter reference to Clerk & Lindsell on Torts Conspiracy. The economic tort of conspiracy requires there to be (20th Edition) at paragraphs 19-02 and 17–131. At paragraph 19-02 two or more perpetrators who are legal persons who conspire to do the authors state the proposition that “one who has the right of entry an unlawful act, or to a lawful act but by unlawful means. upon another’s land and acts in excess of his right or after his right Conversion is a tort that may cover unauthorised interference with has expired, is a trespasser”. At paragraphs 17–131 the authors refer personal information and other property. to “Cyber-trespass” and say that “[w]hile the definition of corporeal personal property may normally be straightforward, questions may Deceit. There are four elements: (i) the defendant makes a false nevertheless arise in a number of borderline cases, in particular in representation to the claimant; (ii) the defendant knows that the respect of electronic technology. For example, it is hard to see why representation is false, alternatively s/he is reckless as to whether it a deliberate attempt through the internet unlawfully to manipulate

is true of false; (iii) the defendant intends that the claimant should England & Wales data on a computer should not amount to trespass to that computer”. act in reliance on it; and (iv) the claimant does act in reliance of the representation and in consequence suffers loss. Directors’ duties. See the answer to question 4.1. 5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident? Dishonest assistance may be claimed where there is a fiduciary relationship and dishonest assistance has been given by a third party Please see the list in response to question 5.1. to the breach of trust. Infringement of copyright and/or database rights. Copyright is infringed when a person, without authority, carries out an infringing 6 Insurance act under the Copyright, Designs and Patents Act, such as copying the work or communicating the work to the public. Database rights 6.1 Are organisations permitted to take out insurance are infringed if a person extracts or re-utilises all or a substantial part against Incidents in your jurisdiction? of a database without the owner’s permission. Misuse of private information. Similar to a breach of confidence, Yes, organisations are permitted to take out insurance against but removing the need for the claimant to establish a relationship of Incidents. confidence. The cause of action may be better described as a right to informational privacy and to control dissemination of information about one’s private life. 6.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as Negligence may be claimed where the defendant owed a duty of business interruption, system failures, cyber extortion care to the claimant, breached that duty of care and that breach or digital asset restoration? If so, are there any legal caused the claimant to suffer a recoverable loss. limits placed on what the insurance policy can cover? Trespass is the intentional or negligent interference with personal goods. A deliberate attempt through the internet unlawfully to manipulate data No, there are no regulatory limitations. on a computer may amount to trespass to that computer. 7 Employees 5.2 Please cite any specific examples of cases that have been brought in your jurisdiction in relation to Incidents. 7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for The following are illustrations of cases that have been brought that the purposes of preventing, detection, mitigating and responding to Incidents; and (b) the reporting of cyber can be said to relate to Incidents. risks, security flaws, Incidents or potential Incidents Breach of confidence and various economic torts by employees to their employer? Ashton Investments Ltd v OJSC Russian Aluminium (Rusal) [2006] EWHC 2545 (Comm): there was a good arguable case justifying Monitoring of employees, for example monitoring use of email service out of the jurisdiction, in respect of claims for breach of and internet access, involves processing of personal data and so the confidence, unlawful interference with business, and conspiracy Data Protection Act 1998 (and, from 25 May 2018, the GDPR) will where a computer server in London had allegedly been improperly apply. The ICO’s Employment Practices Code contains guidance accessed from Russia and confidential information and privileged on monitoring employees at work. The Code states that employees information viewed and downloaded. still have an , and so monitoring should be justified, proportionate, secured and that organisations should Contract undertake an impact assessment and ensure that the employees are Bristol Groundschool Ltd v Intelligent Data Capture Ltd [2014] notified that monitoring will take place. This notification should EWHC 2145 (Ch): a contract relating to the development of computer- include details of the circumstances in which monitoring will take based pilot training materials was a “relational” contract containing an place, the nature of the monitoring, how the information will be implied duty of good faith. One party had behaved in a commercially used and what safeguards are in place for the employees. A failure unacceptable manner in accessing the other party’s computer and to comply with the Code will not automatically result in a breach of downloading information, but its conduct was not repudiatory. the Data Protection Act 1998. However, an organisation should be Frontier Systems Ltd (t/a Voiceflex) v Frip Finishing Ltd [2014] able to justify any departure from the Code, and the ICO can take EWHC 1907 (TCC): an internet telephony provider’s customer this into account in consideration of any enforcement action. whose computer network had been hacked was not liable to pay the bill incurred by unauthorised third parties.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 55 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP England & Wales

Under the Telecommunications (Lawful Business Practice) Other powers of surveillance and interception of communications (Interception of Communications) Regulations 2000, an organisation data are subject to RIPA. Under RIPA, the Secretary of State can may lawfully monitor and record communications without consent issue an interception warrant if this is necessary for the prevention to: (a) ascertain compliance with regulatory practices or procedures or detection of serious crime (among others), provided this is relevant to the business; (b) ascertain or demonstrate standards which proportionate and the information could not reasonably be obtained ought to be achieved by employees using the telecommunications by other means. Under the Investigatory Powers Act 2016, new system; (c) prevent or detect crime; (d) investigate or detect warrants are available for targeted equipment interference and unauthorised use of the telecommunications system (such as detecting targeted examination, as well as bulk warrants to enable law a potential Incident); and (e) ensure the effective operation of the enforcement to obtain the communications data of multiple telecommunications system. individuals using one warrant. The Investigatory Powers Act 2016 amends some of the legislation relating to a business’s ability to record telephone calls with its 8.2 Are there any requirements under Applicable Laws England & Wales employees, but the operative provisions are not yet in force. for organisations to implement backdoors in their IT The Human Rights Act 1998, and in particular the right to respect systems for law enforcement authorities or to provide law enforcement authorities with encryption keys? for private and family life, home and correspondence, must also be considered and balanced against obligations on the organisation to implement appropriate security measures in respect of potential Under RIPA, telecommunications service providers are required to Incidents. give effect to an interception warrant to assist law enforcement. The Secretary of State may issue a notice to a specified service provider detailing the measures that the service provider must implement to 7.2 Are there any Applicable Laws (e.g. whistle-blowing establish an interception capability. laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents The Investigatory Powers Act 2016 includes provision for the by an employee? Secretary of State to require some telecommunications operators to install permanent interception capabilities through ‘technical There are no Applicable Laws which may prevent or limit the capability notices’. These notices will require approval by a Judicial reporting of Incidents by an employee. However, the employee Commissioner, but may include equipment interference, interception would need to satisfy the whistleblowing provisions in the capability (such as removal of electronic protection applied to data) Employment Rights Act 1996, one of which is that the subject and disclosure of data. These provisions of the Investigatory Powers matter of the disclosure falls into one or more of six categories. The Act 2016 are not yet in force, but there is some uncertainty over categories include criminal offences and breach of a legal obligation, whether these notices could prevent a telecommunications operator which may be appropriate for Incidents, although may not be wide from providing end-to-end encryption capabilities to end users. enough to cover security flaws or mere risks.

8 Investigatory and Police Powers

8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident.

Law enforcement authorities have various surveillance powers under UK laws. For example, the Police Act 1997 authorises covert entry into and interference with communications systems by the police, and similar powers are available to the security services under the Security Service Act 1989 and the Intelligence Services Act 1994.

56 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP England & Wales

Nigel Parker Alex Shandro Allen & Overy LLP Allen & Overy LLP One Bishops Square One Bishops Square London E1 6AD London E1 6AD United Kingdom United Kingdom

Tel: +44 203 088 3136 Tel: +44 203 088 4594 Email: [email protected] Email: [email protected] URL: www.allenovery.com URL: www.allenovery.com

Nigel is a partner specialising in intellectual property, data protection Alex is a senior associate specialising in commercial contracts, and privacy, commercial contracts and IT law. He is a member of intellectual property, cybersecurity and data protection law. Alex

the firm’s Cyber Security Group and has advised clients on strategies advises clients in technology and data-rich sectors on their most England & Wales for managing legal risk in relation to cybersecurity, including the complex commercial arrangements, including outsourcings, licensing, deployment of a variety of risk management tools, on the response collaborations and IP / data exploitation. A member of the firm’s Cyber to attacks and dealing with regulatory authorities, and on taking pro- Security Group, Alex has advised regularly on risk management active steps in response to attacks. strategies in relation to cybersecurity, including contractual arrangements with vendors. Chambers 2015 cites Nigel as an expert in the fields of data privacy and outsourcing, describing him as “technically faultless” as well as “very practical and very good at finding solutions”.

Allen & Overy is a full-service global elite law firm headquartered in London. Our commitment to help our clients deliver their global strategies has seen us build a truly global network now spanning 44 offices in 31 countries. We have also developed strong ties with relationship law firms in more than 100 countries where we do not have a presence. We have a strong cybersecurity practice comprising a core team of 15 partners with diverse backgrounds in data protection, bank regulation, antitrust, securities laws, technology, IT, litigation, employment, IP and corporate. This spread is crucial because cybersecurity incidents frequently span a wide range of traditional legal practice areas. There is an important legal component to cybersecurity and our integrated team of diverse practitioners reflects this requirement. As a full-service global elite law firm, we are able to advise clients on all legal issues concerning cybersecurity.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 57 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 10

Germany Dr. Alexander Niethammer

Eversheds Sutherland Steffen Morawietz

interferes with data processing operations which are of substantial 1 Criminal Activity importance to another by deleting, suppressing, rendering unusable or altering data, or by entering or transmitting data with the intention 1.1 Would any of the following activities constitute a of causing damage to another, shall be liable to imprisonment of up criminal offence in your jurisdiction? If so, please to three years or a fine. The same applies to destroying, damaging, provide details of the offence, the maximum penalties rendering unusable, removing or altering a data processing system available, and any examples of prosecutions in your or data carrier. Also, it is important to note that the sole attempt jurisdiction: is punishable and if the data processing operation is of substantial importance to another’s business or enterprise, or a public authority, Yes, all of the following activities constitute a criminal offence in the penalty can be imprisonment of up to five years or a fine. Germany. Possession or use of hardware, software or other tools used to Hacking (i.e. unauthorised access) commit cybercrime (e.g. hacking tools) Hacking constitutes a criminal offence according to Sec. 202a of the The sole possession of hardware, software or other tools which can German Criminal Code (so-called “unauthorised obtaining of data”). be used to commit cybercrime can constitute a criminal offence According to this provision, whosoever unlawfully obtains data for according to Sec. 202c of the German Criminal Code. According to himself, or another, that was not intended for him and was especially this provision, the preparation of the commission of an unauthorised protected against unauthorised access, if he has circumvented the obtaining of data or phishing by producing, acquiring for himself protection, shall be liable to imprisonment not exceeding three years or another, selling, supplying to another, disseminating or making or a fine. otherwise accessible software for the purpose of the commission of Denial-of-service attacks such an offence shall be liable to imprisonment of up to one year or Denial-of-service attacks constitute a criminal offence according to Sec. a fine. In case of a use of such instruments, the same principles as 303b of the German Criminal Code (so-called “computer sabotage”). set forth above with respect to “Hacking” apply. According to this provision, whosoever interferes with data processing Identity theft or identity fraud (e.g. in connection with access operations which are of substantial importance to another by deleting, devices) suppressing, rendering unusable or altering data, or by entering or Identity theft can constitute various criminal offences, depending on how transmitting data with the intention of causing damage to another, shall the offender obtains access to the identity data. This can either be done be liable to imprisonment of up to three years or a fine. The same applies by phishing methods, which would constitute a criminal offence under to destroying, damaging, rendering unusable, removing or altering a Sec. 202b of the German Criminal Code as set forth above with respect data processing system or data carrier. Also, it is important to note that to “Phishing”, or by use of such identity data for fraudulent purposes, the sole attempt is punishable and if the data processing operation is of which could constitute a criminal offence under Sec. 263 of the German substantial importance for another’s business or enterprise, or a public Criminal Code (fraud) or Sec. 263a of the German Criminal Code authority, the penalty can be imprisonment of up to five years or a fine. (computer fraud), both are subject to imprisonment of up to 10 years. Phishing Electronic theft (e.g. breach of confidence by a current or former Phishing can constitute two different criminal offences. The unlawful employee, or criminal copyright infringement) interception of data by technical means from a non-public data Electronic theft only constitutes a criminal offence under the processing facility constitutes a criminal offence according to Sec. 202b preconditions of Sec. 202a of the German Criminal Code. of the German Criminal Code and is punishable with imprisonment of Therefore, the affected data must be especially protected against up to two years or a fine. Theuse of such data with the intent of obtaining unauthorised access. Usually, this is not the case when a current an unlawful material benefit would constitute a criminal offence under or former employee breaches confidence, as the employee has Sec. 263a of the German Criminal Code (so-called “computer fraud”) authorised access to the data. If this is not the case and the employee and is punishable with imprisonment of up to five years or a fine. circumvents the protection, this would constitute a criminal offence Infection of IT systems with malware (including ransomware, of “phishing”. The above-mentioned principles would apply. spyware, worms, trojans and viruses) Any other activity that adversely affects or threatens the Infection of IT systems with malware constitutes a criminal offence security, confidentiality, integrity or availability of any IT according to Sec. 303b of the German Criminal Code (so-called system, infrastructure, communications network, device or data “computer sabotage”). According to this provision, whosoever Under German criminal law, some other activities in connection

58 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Eversheds Sutherland Germany

with the above-mentioned crimes constitute criminal offences. law relating to cybersecurity is the German IT Security Act (IT- These are: (i) preparing of an unauthorised obtaining or interception Sicherheitsgesetz) of 25 July 2015, which amended a number of of data, Sec. 202c of the German Criminal Code; (ii) handling of laws, in particular the German Telemedia Act (Telemediengesetz), stolen data, Sec. 202d of the German Criminal Code; (iii) violation the German Telecommunucations Act (Telekommunikationsgesetz), of postal and telecommunications secrets, Sec. 206 of the German the German Federal Data Protection Act () Criminal Code; (iv) computer sabotage, Sec. 303b of the German and the Act on the Federal Office for Information Security (Gesetz Criminal Code; (v) violation of the German Federal Data Protection über das Bundesamt für Sicherheit in der Informationstechnik). Act with the intention of enrichment or to harm someone, Sec. 44 Besides this, parts of cybersecurity are governed by the of the German Federal Data Protection Act; and (vi) falsification Banking Act (Kreditwesengesetz), Securities Trading Act of digital evidence, Sec. 269 et seq. of the German Criminal Code. (Wertpapierhandelsgesetz) and the upcoming EU General Data

Failure by an organisation to implement cybersecurity measures Protection Regulation (Datenschutzgrundverordnung). Germany The failure of an organisation to implement cybersecurity measures Besides this formal legislation, there are a few important informal does not constitute a criminal but an administrative offence, provisions with respect to IT security in Germany. These are the BSI and the organisation would be subject to civil liability in case of Basic IT Protection catalogues which are developed by the Federal negligence. The financial penalty can be up to 10 mio. EUR or 2% Office for Information Security (Bundesamt für Sicherheit in der of the company’s annual turnover. The civil liability depends on Informationstechnik – BSI), the Common Criteria for Information the damage which occurred due to the organisation’s failure and is Technology Security Evaluation, standardised as ISO/IEC 15408, basically not limited. and the Control Objectives for Information and Related Technology (COBIT).

1.2 Do any of the above-mentioned offences have extraterritorial application? 2.2 Are there any cybersecurity requirements under Applicable Laws applicable to critical infrastructure in your jurisdiction? For EU countries only, how The above-mentioned offences have no specific extraterritorial (and according to what timetable) is your jurisdiction application. However, the application of the German Criminal Code expected to implement the Network and Information depends on the “place of the offence”. According to Sec. 9 of the Systems Directive? Please include details of any German Criminal Code, an offence is deemed to have been committed instances where the implementing legislation in your in every place where the offender acted or in which the result occurs jurisdiction is anticipated to exceed the requirements or should have occurred according to the intention of the offender. of the Directive. Therefore, the above-mentioned offences will be applicable both if the offender acted in the territory of Germany and in case the offence Yes, the Act on the Federal Office for Information Security provides affects IT systems which are situated or used for services provided in for specific obligations for providers of critical infrastructure. The Germany where the offender acted from outside Germany. law defines the following sectors as critical infrastructure: ■ Energy. 1.3 Are there any actions (e.g. notification) that might ■ IT and Telecommunications. mitigate any penalty or otherwise constitute an ■ Transport and Traffic. exception to any of the above-mentioned offences? ■ Health. ■ Water. Yes, as a general principle, under German law, positive behaviour ■ Nutrition. after a violation of a statutory provision as well as compensation for the occurred damage affect the level of penalties. However, this is ■ Finance and Insurance. at the sole discretion of the court. However, not all companies acting in the above-mentioned sectors are subject to the regulations regarding critical infrastructure. These apply only vis-à-vis companies which are of great importance to the 1.4 Are there any other criminal offences (not specific functioning of the community. to cybersecurity) in your jurisdiction that may arise in relation to cybersecurity or the occurrence of an Even though the Act on the Federal Office for Information Security Incident (e.g. terrorism offences)? Please cite any provides for the obligation of providers of critical infrastructure specific examples of prosecutions of these offences to provide reasonable organisational and technical precautions to in a cybersecurity context. prevent disruption of the availability, integrity, authenticity and confidentiality of their information technology systems, the specific No, this is not applicable in our jurisdiction. duties are not specified by the Act but are subject to guidelines on IT security set out by industry associations and approved by the 2 Applicable Laws Federal Office for Information Security. The Network and Information Systems Directive has been implemented with effect from 30 June 2017. 2.1 Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation 2.3 Are organisations required under Applicable Laws, and management of Incidents. This may include, or otherwise expected by a regulatory or other for example, laws of data protection, intellectual authority, to take measures to monitor, detect, prevent property, breach of confidence, privacy of electronic or mitigate Incidents? If so, please describe what communications, information security, and import / measures are required to be taken. export controls, among others. Yes, German law provides for several obligations for organisations Cybersecurity is governed by several Acts in Germany. The main to take measures to monitor, detect, prevent and mitigate Incidents.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 59 © Published and reproduced with kind permission by Global Legal Group Ltd, London Eversheds Sutherland Germany

In detail: The report must be made immediately (and under the ■ According to Sec. 13, subsec. 7 of the Telemedia Act, upcoming General Data Protection Regulation, not later than telemedia providers are obliged to ensure that unauthorised 72 hours after having become aware of the breach) and has access to related data is not possible. A telemedia provider to contain a description of the Incident, an indication of the in the Telemdia Act means, e.g., each operator of a website. category of the affected data, the concerned data subjects and The Telemedia Act does not provide details for measures a detailed description of the measures taken to remedy or that have to be taken by the provider. Specific requirements mitigate negative effects. The notification to the competent are however developed by the competent data protection data protection authority must also describe possible harmful authorities, e.g., with respect to the prevention of unauthorised consequences of the unlawful access and measures taken access to websites, the data protection authorities request a by the body. Under the upcoming General Data Protection SSL encryption of the related data. Regulation, the name and contact details of the data protection

Germany officer have to be provided as well. ■ According to Sec. 109 of the German Telecommunications Act, providers of public telecommunications have to ■ In case of a breach of critical infrastructure as defined in implement necessary technical measures to prevent the Act on the Federal Office for Information Security (see phishing of personal data. Besides this, providers of public above under question 2.2), the provider must notify the telecommunications are obliged to appoint a security officer Federal Office for Information Security of any significant and develop an adequate IT security concept. disruption to the availability, integrity and confidentiality of their information technology systems, components or ■ Providers of several financial products are obliged to develop processes which might lead to a breakdown or malfunction an IT-specific risk management (Sec. 25a of the German of the affected infrastructure. Banking Act (Kreditwesengesetz), Sec. 33 of the German Securities Trading Act (Wertpapierhandelsgesetz)). ■ Providers of public telecommunications networks or services are obliged to report any IT breach to the Federal Network Agency. The report, which must be made immediately, has 2.4 In relation to any requirements identified in question to contain a description of the Incident, an indication of the 2.3 above, might any conflict of laws issues category of the affected data, the concerned data subjects and arise? For example, conflicts with laws relating a detailed description of the measures taken to remedy or to the unauthorised interception of electronic mitigate negative effects. communications or import / export controls of encryption software and hardware. 2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information Such specific conflicts may arise with foreign laws with exterritorial related to Incidents or potential Incidents with: (a) reach. a regulatory or other authority in your jurisdiction; (b) a regulatory or other authority outside your jurisdiction; or (c) other private sector organisations 2.5 Are organisations required under Applicable Laws, or or trade associations in or outside your jurisdiction? otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents to a regulatory or other authority in your Yes, there is no prohibition of such voluntary reports as long as jurisdiction? If so, please provide details of: (a) the possible (confidentiality) rights of third parties are safeguarded. circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) 2.7 Are organisations required under Applicable Laws, or the nature and scope of information that is required otherwise expected by a regulatory or other authority, to be reported (e.g. malware signatures, network to report information related to Incidents or potential vulnerabilities and other technical characteristics Incidents to any affected individuals? If so, please identifying an Incident or cyber attack methodology); provide details of: (a) the circumstance in which and (d) whether any defences or exemptions exist by this reporting obligation is triggered; and (b) the which the organisation might prevent publication of nature and scope of information that is required to be that information. reported.

Yes, there are specific reporting obligations with respect to Incidents Yes, in case of a security breach which creates a notification under German law. obligation (see above under question 2.5), the data subject must be In detail: notified as soon as (i) appropriate measures have been taken to secure the data or have not been carried out without undue delay, and (ii) ■ There is a general obligation to notify security breaches to the competent data protection authority. This obligation a criminal enforcement is not/no longer at risk. The notification to only applies where certain categories of personal data are the data subjects must describe the nature of the unlawful access and affected, i.e., sensitive personal data, personal data subject include recommendations for measures to minimise possible harm. to professional secrecy, personal data related to criminal Where notifying the data subjects would require unreasonable offences or administrative offences and personal data efforts, in particular due to the large number of cases involved, such concerning bank or credit card accounts. An exception notification may be replaced by public advertisements of at least applies where the security breach is unlikely to result in a one-half of a page in at least two national daily newspapers, or by high risk to the rights and freedom of the data subject (Sec. another equally effective measure for notifying the data subjects 42a of the Federal Data Protection Act). (Sec. 42a of the Federal Data Protection Act). This obligation also Under the upcoming General Data Protection Regulation applies under the upcoming General Data Protection Regulation, (Art. 33), this obligation applies to any kind of personal data, provided the Incident is likely to result in a high risk to the rights not only the certain categories described above, unless the and freedoms of the data subject. Further exceptions apply under breach is unlikely to result in a risk to the rights and freedoms Art. 34, para. 3 of the upcoming General Data Protection Regulation of natural persons. and Sec. 29 of the new Federal Data Protection Act.

60 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Eversheds Sutherland Germany

2.8 Do the responses to questions 2.5 to 2.7 change if the 3 Specific Sectors information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email address from which a phishing email originates); (d) 3.1 Does market practice with respect to information personally identifiable information of cyber threat security (e.g. measures to prevent, detect, mitigate actors; and (e) personally identifiable information of and respond to Incidents) vary across different individuals who have been inadvertently involved in business sectors in your jurisdiction? Please include an Incident? details of any common deviations from the strict legal requirements under Applicable Laws. No, none of these scenarios would change the responses to questions The market practice with respect to information security in Germany 2.5 to 2.7. Germany mainly depends on the security relevance of the concrete business; in particular, whether the sector is considered as a sector which is 2.9 Please provide details of the regulator(s) responsible related to critical infrastructures and whether the business processes for enforcing the requirements identified under sensitive personal data or not. However, there are no sector-specific questions 2.3 to 2.7. deviations from the strict legal requirements known.

The requirements identified under questions 2.3 to 2.7 are enforced by the Federal Office for Information Security, competent Data 3.2 Are there any specific legal requirements in relation Protection Authorities and the Federal Network Agency. to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the In detail: telecommunications sector? ■ The Federal Office for Information Security is the main authority with respect to cybersecurity in Germany. This Yes, in detail: authority should be the main contact regarding questions ■ Providers of certain financial products are obliged to develop about preventive security measures and is responsible for an IT-specific risk management (Sec. 25a of the German receiving notifications about security breaches with respect Banking Act (Kreditwesengesetz), Sec. 33 of the German to critical infrastructures. Securities Trading Act (Wertpapierhandelsgesetz)). ■ Data Protection Authorities enforce all relevant data ■ According to Sec. 109 of the German Telecommunications protection laws. In Germany, each federal state has a separate Act, providers of public telecommunications have to Data Protection Authority. implement the necessary technical measures to prevent ■ The Federal Network Agency enforces the phishing of personal data. Besides this, providers of public telecommunications-related laws and is responsible for telecommunications are obliged to appoint a security officer receiving notifications about security breaches with respect and develop an adequate IT security concept. to telecommunications networks and services.

4 Corporate Governance 2.10 What are the penalties for not complying with the requirements identified under questions 2.3 to 2.8? 4.1 In what circumstances, if any, might a failure by ■ Under the German IT Security Act, non-compliance may be a company (whether listed or private) to prevent, subject to administrative fines of up to 100,000 EUR. mitigate, manage or respond to an Incident amount to ■ Non-compliance with the reporting requirements under the a breach of directors’ duties in your jurisdiction? Federal Data Protection Act is subject to fines of up to 300,000 EUR (and under the upcoming General Data Protection Yes, such failure may lead to a breach of directors’ duties. Regulation, with a fine of up to 10 mio. EUR or 2% of the According to Sec. 130 of the German Administrative Offences Act worldwide annual turnover, whichever is higher). Anyone wilfully committing the offence in exchange for payment or (Ordnungswidrigkeitengesetz – OWiG), the owner or management with the intention of enriching himself or another person or of a company commits a misdemeanour if: of harming another person shall be liable to imprisonment for ■ it omits purposefully or negligently to appropriately control up to two years or a fine. the company; and ■ if a crime or misdemeanour was committed that could have 2.11 Please cite any specific examples of enforcement been avoided or significantly impeded by exercising such action taken in cases of non-compliance with the control. above-mentioned requirements. The obligation to control also includes the obligation to diligently select and monitor supervising personnel, active monitoring of the Up to now, no publicly-known enforcement actions have been development of legal and technical standards, random inspections, taken by the competent authorities in cases of non-compliance and enforcement of implementation measures, etc. The owner or with cybersecurity requirements. The reason for this is that most management of a company is obligated to organise the company of the relevant laws are rather new and the competent authorities in a manner that allows the company to comply with the law. are currently trying to develop a joint position with the industry. Consequently, failures to prevent, mitigate, manage or respond However, this might change in the future. to an Incident can constitute a breach of directors’ duties if the directors’ failed to implement the appropriate measures to avoid such occurrences.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 61 © Published and reproduced with kind permission by Global Legal Group Ltd, London Eversheds Sutherland Germany

4.2 Are companies (whether listed or private) required 6 Insurance under Applicable Laws to: (a) designate a CISO; (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, 6.1 Are organisations permitted to take out insurance including for third party vendors; and (d) perform against Incidents in your jurisdiction? penetration tests or vulnerability assessments? Yes, organisations are permitted to take out insurance against There are no general obligations, so far, to either designate a CISO, Incidents and are common in Germany. establish a written Incident response plan or policy, or conduct periodic cyber risk assessments. However, depending on the size 6.2 Are there any regulatory limitations to insurance Germany of the company, such measures can be required in order to ensure coverage against specific types of loss, such as appropriate IT security measures. This has to be therefore assessed business interruption, system failures, cyber extortion on a case-by-case basis. or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover?

4.3 Are companies (whether listed or private) subject to any specific disclosure requirements in relation No, there are no regulatory limitations to insurance coverage against to cybersecurity risks or Incidents (e.g. to listing any types of loss. authorities, the market or otherwise in their annual reports)? 7 Employees Notification requirements generally exist solely with respect to security breaches (see question 2.5 above). However, with respect 7.1 Are there any specific requirements under Applicable to public listed companies, sole cybersecurity risks without an Law regarding: (a) the monitoring of employees for Incident having occurred may trigger the obligation to disclose the the purposes of preventing, detection, mitigating and cybersecurity risk in an ad hoc notification if the risk is likely to responding to Incidents; and (b) the reporting of cyber have an impact on the company’s stock market price. risks, security flaws, Incidents or potential Incidents by employees to their employer?

4.4 Are companies (whether public or listed) subject to (a) Yes, the monitoring of employees is only permissible in specific any other specific requirements under Applicable cases, e.g., in case of definite suspicion. Comprehensive Laws in relation to cybersecurity? monitoring measures would not be admissible. In case of works-council representation, the monitoring of employees Companies are obliged to implement an IT security concept. needs to be generally agreed in a works-council agreement. However, there are no detailed statutory provisions regarding such (b) There is no specific statutory obligation for employees concepts. to report such risks to their employer. However, such obligations should be imposed on the employees by internal policies (e.g., whistle-blowing policies) of the employer. 5 Litigation

7.2 Are there any Applicable Laws (e.g. whistle-blowing 5.1 Please provide details of any civil actions that may be laws) that may prohibit or limit the reporting of cyber brought in relation to any Incident and the elements of risks, security flaws, Incidents or potential Incidents that action that would need to be met. by an employee?

The civil liability of a company depends on whether damage No, there are no Applicable Laws that may prohibit or limit the has occurred due to the organisation’s failure to implement an reporting of the above. appropriate IT security concept. In this case, any individual or other company which suffered material damage can take civil actions against the company which is responsible for the Incident. This 8 Investigatory and Police Powers liability is basically not limited but can be covered by insurance. 8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable 5.2 Please cite any specific examples of cases that Laws in your jurisdiction (e.g. antiterrorism laws) that have been brought in your jurisdiction in relation to may be relied upon to investigate an Incident. Incidents.

The case law on Incidents in Germany is very rare due to the lack of Depending on the type of authority (e.g., Public Prosecutor, Federal the possibility of class actions in Germany. Office for Information Security, Data Protection Authority), the enforcement powers vary. However, all authorities have the power to carry out on-site investigations including accessing IT systems. 5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident?

Yes, civil liability in tort depends on the damage which occurred due to the organisation’s failure and is basically not limited.

62 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Eversheds Sutherland Germany

8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide law enforcement authorities with encryption keys?

No, so far, there is no such obligation. However, the German legislator is currently debating such an obligation with respect to social media and instant messaging accounts. It is likely that such a law will come into force in 2018. Germany

Dr. Alexander Niethammer Steffen Morawietz Eversheds Sutherland Eversheds Sutherland Brienner Str. 12 Brienner Str. 12 80333 Munich 80333 Munich Germany Germany

Tel: +49 89 545 65 318 Tel: +49 89 545 65 262 Email: alexanderniethammer@eversheds- Email: steffenmorawietz@eversheds- sutherland.de sutherland.de URL: www.eversheds-sutherland.de URL: www.eversheds-sutherland.de

Alexander Niethammer is a Partner in the Munich office of Eversheds Steffen Morawietz is an Associate in the IT/IP practice at Eversheds Sutherland and heads the Company Commercial Practice Group in Sutherland in Munich. His activities include providing legal advice to Germany. He specialises in complex IT transactions, cybersecurity international companies in the areas of IT law and data protection. and data protection. Alexander advises, for over 14 years, many Steffen’s advice focuses on companies in the e-commerce sector, in Fortune 100 companies from the IT, DI, Consumer and Financial particular with regard to data protection, cybersecurity and consumer sectors on global projects. protection requirements, contract drafting and distribution law matters. He mainly advises international and national clients from the media, Alexander has a dual legal qualification an as attorney-at-law in New sports and consumer goods industries out of court as well as in court, York (USA) as well as in Germany. in particular with regard to interim legal protection. Moreover, Steffen Alexander was recently named by the International Law Office (ILO) is appointed as lecturer in civil and public law at Ludwig Maximilians as the exclusive recipient of the prestigious “Client Choice Award” University of Munich. 2016 as Germany’s best IT & Internet counsel.

Eversheds Sutherland is a one of the leading legal service providers in the world. Eversheds Sutherland represents the combination of two firms with a shared culture and commitment to client service excellence. We are each known for our commercial awareness and industry knowledge and for providing innovative and tailored solutions for every client. With 66 offices in 32 countries and more than 2,400 lawyers, we partner with many of the most dynamic and successful business organisations across Africa, Asia, Europe, the Middle East and the United States, to address their most critical challenges, supporting their legal needs and unlocking their global ambitions. Our international IT team frequently works for major corporate and public clients across the globe, and also acts for some of the world-leading IT suppliers. Our cybersecurity practice spans the full range of data protection, cyber and information security law topics.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 63 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 11

India Prashant Mara

BTG Legal Devina Deshpande

(i) Identity theft: fraudulent or dishonest use of the electronic 1 Criminal Activity signature, password or other unique identification feature of any other person (Sec. 66C, ITA). 1.1 Would any of the following activities constitute a (ii) Cheating by personation: using a computer/communication criminal offence in your jurisdiction? If so, please device to cheat by pretending/representing to be another provide details of the offence, the maximum penalties person or knowingly substituting one person for another available, and any examples of prosecutions in your (Sec. 66D, ITA). jurisdiction: The above offences are punishable with imprisonment of up to three years and with a fine of up to INR 100,000. Hacking (i.e. unauthorised access) (iii) Deceptive/misleading emails: sending emails/messages that The following acts constitute offences when conducted fraudulently deceive/mislead the recipient as to the origin of such message or dishonestly and without the permission of the owner/person in (Sec 66A(c), ITA). charge of the computer: The above is punishable with imprisonment of up to three years and a fine. (i) accessing/securing unauthorised access to a computer resource (which includes computers, communication devices, Cheating under the IPC may also be invoked (see question 1.4 below). computer networks, data, computer databases or software, Prosecutions: etc.); and ■ Mumbai Cyber Cell registered an offence against a person (ii) providing assistance to any person to facilitate such who circulated misleading emails ostensibly emanating from unauthorised access (Sec. 43(a) and (b) Information ICICI Bank to obtain confidential information (including Technology Act, 2000 (“ITA”)). usernames, passwords, debit card numbers, PIN codes, etc.) The above offences are punishable with imprisonment of up to three from the recipient bank’s customers. years or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA). ■ Persons were arrested for circulating emails indicating that Also see question 1.4 below in respect of and the recipient had won a lottery prize and requiring them criminal trespass and question 2.2 below in respect of ‘protected to deposit courier, VAT and insurance charges prior to the transfer of the ‘lottery winnings’. system’. Infection of IT systems with malware (including ransomware, Prosecutions: spyware, worms, trojans and viruses) ■ Kumar v. Whiteley (2009): the accused was sentenced to one year of rigorous imprisonment and a fine of INR 5,000 for The following acts constitute offences when conducted fraudulently hacking a government website, gaining unauthorised access or dishonestly and without the permission of the owner/person in to broadband internet and making alterations to subscriber charge of the computer: accounts in the computer database. (i) introduction of a computer contaminant/virus; and ■ Call centre employees at Mphasis were prosecuted for (ii) damage to any computer, computer system or computer securing unauthorised access to PIN codes of customers of network or any data, database or computer program residing Citi Group (a client of their call centre) and using these codes therein (Sec. 43(c) and (d), ITA). to transfer funds into their accounts (2005). The above offences are punishable with imprisonment of up to three Denial-of-service attacks years or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA). ■ Causing disruption or denial of access to any person Also, see question 1.4 below in respect of cyberterrorism. authorised to access any computer by any means is an offence when conducted fraudulently or dishonestly and without the Possession or use of hardware, software or other tools used to permission of the owner/person in charge of such computer commit cybercrime (e.g. hacking tools) (Sec. 43(e) and (f), ITA). Possession of any plate (including negative duplicating equipment, ■ Punishable with imprisonment of up to three years or with a block, mould, etc.) for making infringing copies of copyrighted fine of up to INR 500,000 or with both (Sec. 66A, ITA). work is punishable with imprisonment of up to two years and a fine ■ Also see question 1.4 below in respect of cyberterrorism. (Sec. 65, Copyright Act). Phishing Dishonestly receiving stolen computer resources or communication While “phishing” is not expressly defined, the following acts devices is punishable with imprisonment of up to three years or a constitute offences: fine of up to INR 100,000 (Sec. 66B, ITA).

64 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London BTG Legal India

Identity theft or identity fraud (e.g. in connection with access (ii) stealing, concealing, destroying or altering computer source devices) code (including computer commands, design and layout, program analysis, etc.) with an intention to cause damage See “Phishing” above. (Sec. 43(i) and (j), ITA). Publication of electronic signatures: (i) that are fake; or (ii) for The above are punishable with imprisonment of up to three years fraudulent/unlawful purposes is punishable with imprisonment of or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA). up to two years or with a fine of up to INR 100,000 or with both (Sec. 73 and 74, ITA). Knowingly or intentionally tampering (concealing, destroying or altering) with computer source documents required to be kept/ Prosecutions: maintained by law is punishable with imprisonment of up to three ■ State of Odisha v. Jayanta Das (2017): sentenced to six years or with a fine of up to INR 200,000 or with both (Sec. 65, India years’ imprisonment and a fine on charges of forgery, identity ITA). theft and cyber for creating a fake profile on a pornographic website in the name of the complainant’s wife. Prosecutions: Electronic theft (e.g. breach of confidence by a current or former ■ Shankar v. State (2010) (see “Electronic theft” above): a employee, or criminal copyright infringement) case was also made out that by downloading, copying and causing the publication of confidential information, the The following acts constitute offences when conducted fraudulently accused diminished the value and utility of such information or dishonestly and without the permission of the owner/person in and affected it injuriously. charge of the computer: ■ The offence of tampering with computer source documents (i) downloading, copying or extracting data/information from was held in the following: a computer resource (including any removable storage a) Bhim Sen Garg v. State of Rajasthan (2006): fabrication medium) (Sec. 43(b), ITA); and of an electronic record, or committing forgery by way of (ii) charging services availed of by a person to the account of interpolations in a CD; and another person by tampering with/manipulating any computer b) Syed Asifuddin v. State of Andhra Pradesh (2005): Tata (Sec 43(h), ITA). Indicom employees were arrested for the manipulation The above are punishable with imprisonment of up to three years of the electronic 32-bit number (ESN) programmed into or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA). cell phones that were exclusively franchised to Reliance Infocomm. Violation of privacy by intentionally or knowingly publishing/ transmitting a private image of a person without his consent is Failure by an organisation to implement cybersecurity measures punishable with imprisonment of up to three years or with a fine of This is not applicable in our jurisdiction. See questions 2.10 and 5.1 up to INR 200,000 or with both (Sec. 66E, ITA). below for non-penal repercussions. Disclosure of personal information obtained while providing contractual services, with the intent/knowledge that wrongful loss/ 1.2 Do any of the above-mentioned offences have gain will result, is punishable with imprisonment of up to three years extraterritorial application? or with a fine of up to INR 500,000 or with both (Sec. 72A, ITA). Criminal copyright infringement (i.e. with knowledge): knowingly Yes, provided that the offence committed outside India involves a using an infringing copy of a computer program, and infringement computer, computer system or computer network located in India and passing off of trademarks, are punishable with imprisonment (Sec. 75, ITA). of up to three years and a fine of up to INR 200,000. In each case, an enhanced penalty is invoked upon subsequent convictions (Sec. 1.3 Are there any actions (e.g. notification) that might 63 and Sec. 63B, Copyright Act and Sec. 104 of Trade Marks Act). mitigate any penalty or otherwise constitute an Theft, cheating, fraud, dishonest misappropriation and criminal exception to any of the above-mentioned offences? breach of trust provisions under the IPC may also be invoked (see question 1.4 below). Acts under Sec. 43 of the ITA (including hacking, denial-of-service Prosecutions: attacks, introduction of virus, etc.) not conducted fraudulently or dishonestly will invoke the civil (and not criminal) liability of ■ Shankar v. State (2010): an employee caused the publication of confidential information which he obtained through compensation of up to INR 10,000,000 for damage caused. unauthorised access of a computer at the office of the For trademark/copyright infringement, no damages will be Directorate of Vigilance and Anti-Corruption. He was payable where the defendant can prove he was unaware, and had charged with securing unauthorised access to a ‘protected no reasonable ground for believing, that the work was trademark/ system’ and breach of confidentiality and privacy. copyright protected. ■ An employee of HSBC’s BPO arm in India was arrested on charges of data theft and cyber fraud for producing forged certificates used to illegally embezzle funds (2005). 1.4 Are there any other criminal offences (not specific to cybersecurity) in your jurisdiction that may arise Any other activity that adversely affects or threatens the in relation to cybersecurity or the occurrence of an security, confidentiality, integrity or availability of any IT Incident (e.g. terrorism offences)? Please cite any system, infrastructure, communications network, device or data specific examples of prosecutions of these offences The following acts constitute offences when conducted fraudulently in a cybersecurity context. or dishonestly and without the permission of the owner/person in charge of the computer: The following Incidents will constitute “cyberterrorism”, which are punishable with life imprisonment: (i) destroying, deleting, injuring, altering or diminishing the value/utility of information residing in a computer resource; (i) unauthorised access, denial of access or introduction of a and computer contaminant with the intent to threaten national security and causing (or likely to cause) death, injuries,

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 65 © Published and reproduced with kind permission by Global Legal Group Ltd, London BTG Legal India

damage to property or disruption of essential supplies/ Privacy and data protection laws: services; and (i) IT (Reasonable security practices and procedures and (ii) intentionally/knowingly obtaining unauthorised access to sensitive personal data or information) Rules, 2011 (“Privacy restricted information/data which may be used to injure Rules”). national security, public order, relations with foreign states, Note: Data (Privacy and Protection) Bill, 2017 (“Privacy , etc. (Sec. 66F, ITA). Bill”) has been tabled before Parliament. Additionally, the Incidents may also invoke: Supreme Court of India has recently recognised the right to (i) Criminal offences under the IPC, such as cheating, theft, privacy as a fundamental right under the Indian Constitution. criminal breach of trust, criminal trespass, forgery of Reserve Bank of India (“RBI”) directions/notifications:

India electronic records, dishonest misappropriation, etc. (i) RBI Notification – Cyber Security Framework in Banks (ii) Penal provisions under specialised legislations which (June 2016) (“Bank Notification”). punish publishing or transmitting obscene and sexually (ii) RBI Press Release – Establishment of an Inter-Disciplinary explicit materials (such as child pornography or indecent Committee on Cyber Security (February 2017). representation of women). (iii) RBI Master Direction – IT Framework for NBFC Sector Prosecutions: (June 2017) (“NBFC Master Direction”). ■ Sedition charges were pressed against a former scientist Intellectual property (“IP”) laws: for the hacking of an internet service provider and sending (i) Copyright Act, 1957. emails threatening national security to the Department of Atomic Energy (2001). (ii) Patent Act, 1970. ■ A criminal case for cheating, theft and criminal conspiracy (iii) Trade Marks Act, 1999. under the IPC was registered against hackers involved in Telecommunications laws: stealing debit and credit card details using a proxy IP address (i) Unified License Agreement (“ULA”) issued under the Indian (2017). Telegraph Act, 1885. ■ Dr. Prakash v. State of Tamil Nadu (2002): sentenced to imprisonment for posting nude pictures of female patients online in contravention of the ITA, IPC and Indecent 2.2 Are there any cybersecurity requirements under Representation of Women (Prohibition) Act, 1986. Applicable Laws applicable to critical infrastructure in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction 2 Applicable Laws expected to implement the Network and Information Systems Directive? Please include details of any instances where the implementing legislation in your 2.1 Please cite any Applicable Laws in your jurisdiction jurisdiction is anticipated to exceed the requirements applicable to cybersecurity, including laws applicable of the Directive. to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, The government may declare any computer resource which affects for example, laws of data protection, intellectual critical information infrastructure as a ‘protected system’ and property, breach of confidence, privacy of electronic specifically identify persons authorised to access such protected communications, information security, and import / systems. Securing/attempting to secure unauthorised access to a export controls, among others. protected system is punishable with imprisonment of up to 10 years and a fine. Information technology laws: The government has designated the National Critical Information (i) Information Technology Act, 2000 (“ITA”); Infrastructure Protection Centre (“NCIIPC”) as the national nodal (ii) IT (Certifying Authority) Regulations, 2001; agency for critical information infrastructure protection. (iii) IT (Security Procedure) Rules, 2004; (iv) IT (Procedure and safeguards for interception, monitoring 2.3 Are organisations required under Applicable Laws, and decryption of information) Rules, 2009 (“Decryption or otherwise expected by a regulatory or other Rules”); authority, to take measures to monitor, detect, prevent (v) IT (Procedure and safeguards for blocking for access of or mitigate Incidents? If so, please describe what information by public) Rules, 2009; measures are required to be taken. (vi) IT (Procedure and safeguard for monitoring and collecting traffic data or information) Rules, 2009; Intermediaries/persons in charge of computer resources may be (vii) IT (Intermediaries Guidelines) Rules, 2011 (“Intermediary required by the government to provide access/assistance in respect Rules”); of: (i) the interception, monitoring or decryption of information (viii) IT (Guidelines for Cyber Cafe) Rules, 2011; stored/transmitted through a computer resource; (ii) the monitoring (ix) IT (Electronic Services Delivery) Rules, 2011; and collecting of traffic data/information to enhance cybersecurity and to identify/prevent the spread of computer contaminant; (x) IT (the Indian Computer Emergency Response Team and manner of performing functions and duties) Rules, 2013 and (iii) the prevention, detection, investigation, prosecution, (“CERT Rules”); and punishment, etc. of an Incident (Sec. 69 and 69A, ITA and Rule 3(7), Intermediary Rules). (xi) National Cyber Security Policy, 2013. Intermediaries and body corporates which store/handle/deal with In addition, relevant offences under the Indian Penal Code, 1860 personal information must implement reasonable security practices (“IPC”) may also be added to offences under the ITA at the time of and procedures (i.e. control measures commensurate with the prosecution. information assets being protected) (Rule 3(8), Intermediary Rules and Rule 4, Privacy Rules).

66 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London BTG Legal India

Persons authorised to issue electronic signatures under the ITA (b) The regulatory or other authority to which the information (“Certifying Authorities”) must: (i) use secure hardware and is required to be reported: software; and (ii) implement security procedures to ensure secrecy ■ Indian Computer Emergency Response Team (“CERT- and privacy of electronic signatures (Sec. 30, ITA). In”). Banks, Non-Banking Finance Companies (“NBFCs”) and insurance ■ NCIIPC (for sectors falling under “critical infrastructure”). companies must implement a board-approved cybersecurity policy ■ See (a) at question 2.5 above for sector-specific reporting (distinct from their broader IT/IS security policy) with arrangements authorities. for continuous surveillance and vulnerability testing. (c) The nature and scope of information that is required to be Telecom companies must, within 12 months of being licensed, reported (e.g. malware signatures, network vulnerabilities India create facilities to monitor intrusions, attacks and frauds on their and other technical characteristics identifying an Incident or cyber attack methodology): technical facilities and provide related reports to the Department of Telecommunications (“DOT”) (Clause 39.10(i), ULA). ■ Reports to CERT-In must specify: (i) the time of occurrence; (ii) information regarding the affected system/network; (iii) symptoms observed (i.e. suspicious 2.4 In relation to any requirements identified in question probes, denial of service, unaccounted changes in firewall 2.3 above, might any conflict of laws issues rules, etc.); and (iv) the relevant technical information (i.e. arise? For example, conflicts with laws relating security systems deployed, hosts affected, actions taken to to the unauthorised interception of electronic mitigate the damage, etc.). Details regarding formats for communications or import / export controls of reporting Incidents are published on the CERT-In website encryption software and hardware. (www.cert-in.org.in) and are updated from time to time. ■ Reports to the RBI must include: (i) details of the Incident The government’s approach is to maintain access to electronic (i.e. outage of critical IT system, theft/loss of information, communications for itself, while ensuring protection against etc.); (ii) actions taken; (iii) impact assessment; (iv) root unauthorised access by third parties. To that extent, there is a conflict cause analysis; and (v) impact of the attack, etc. in the expectation that networks/data should be protected by a “key”, (d) Whether any defences or exemptions exist by which but that such key should be made available to the government when the organisation might prevent publication of that requested. However, there are no inherent conflicts in legislations information: which are drafted to achieve the above. ■ CERT-In will not disclose any information which may lead to the identification of individuals or organisations affected by, or those reporting, cybersecurity Incidents without their 2.5 Are organisations required under Applicable Laws, or written consent or pursuant to a court order (Rule 13(2), otherwise expected by a regulatory or other authority, CERT Rules). to report information related to Incidents or potential Incidents to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the 2.6 If not a requirement, are organisations permitted by circumstance in which this reporting obligation is Applicable Laws to voluntarily share information triggered; (b) the regulatory or other authority to related to Incidents or potential Incidents with: (a) a which the information is required to be reported; (c) regulatory or other authority in your jurisdiction; (b) a the nature and scope of information that is required regulatory or other authority outside your jurisdiction; to be reported (e.g. malware signatures, network or (c) other private sector organisations or trade vulnerabilities and other technical characteristics associations in or outside your jurisdiction? identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by which the organisation might prevent publication of (a) A regulatory or other authority in your jurisdiction: that information. ■ Please see the response to (a) at question 2.5 above. (b) A regulatory or other authority outside your jurisdiction: (a) The circumstance in which this reporting obligation is ■ No express permission or prohibition (insofar as such triggered: disclosure does not violate privacy and data protection ■ Individuals, organisations and corporate entities must requirements, telecom user data or banking user data). promptly report the occurrence of certain Incidents (c) Other private sector organisations or trade associations in (including unauthorised access, compromise of critical or outside your jurisdiction: systems and infrastructure, malicious code, server attacks, identity theft, denial-of-service, etc.). Service providers, ■ Same as (b) above. intermediaries, data centres and body corporates must report Incidents within a reasonable time of the occurrence 2.7 Are organisations required under Applicable Laws, or or of becoming aware of the Incident (Rule 12(1), CERT otherwise expected by a regulatory or other authority, Rules, and Rule 3(9), Intermediary Rules). to report information related to Incidents or potential ■ In the financial services sector, all Incidents (successful Incidents to any affected individuals? If so, please and attempted) must be reported to the RBI: (i) by Banks provide details of: (a) the circumstance in which within two to six hours; and (ii) by NBFCs within 24 this reporting obligation is triggered; and (b) the hours. nature and scope of information that is required to be reported. ■ Insurance companies must report Incidents which critically affect business operations and a large number of customers to the Insurance Regulatory and Development Certifying Authorities must, upon an event/situation which may Authority (“IRDA”) within 48 hours of knowledge of the materially/adversely affect the integrity of its computer system or Incident. conditions under which an electronic signature was granted, use ■ See question 2.3 above in respect of telecom companies. reasonable efforts to notify persons likely to be affected (Sec. 34, ITA).

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 67 © Published and reproduced with kind permission by Global Legal Group Ltd, London BTG Legal India

While there is no legal requirement to notify data breaches to affected individuals at present, the draft Privacy Bill mandates 3 Specific Sectors such notification (except where notification will impede a criminal investigation or the affected individual cannot be identified). 3.1 Does market practice with respect to information security (e.g. measures to prevent, detect, mitigate and respond to Incidents) vary across different 2.8 Do the responses to questions 2.5 to 2.7 change if the business sectors in your jurisdiction? Please include information includes: (a) price sensitive information; details of any common deviations from the strict legal (b) IP addresses; (c) email addresses (e.g. an email requirements under Applicable Laws. address from which a phishing email originates); (d)

India personally identifiable information of cyber threat actors; and (e) personally identifiable information of Organisations in the defence, power and other national security individuals who have been inadvertently involved in sectors may (on a case-by-case basis) be subject to more stringent an Incident? information security requirements.

The responses do not change. 3.2 Are there any specific legal requirements in relation to cybersecurity applicable to organisations 2.9 Please provide details of the regulator(s) responsible in: (a) the financial services sector; and (b) the for enforcing the requirements identified under telecommunications sector? questions 2.3 to 2.7. (a) The financial services sector: ■ Indian Computer Emergency Response Team. ■ Banks and NBFCs ■ National Information Infrastructure Protection Centre. ■ The RBI requires banks/NBFCs to, inter alia: ■ Department of Information Technology. (i) evolve a ‘Cyber Crisis Management Plan’ (“CCMP”) ■ Department of Telecommunications. to address potential Incidents and face emerging cyber threats such as ‘zero-day’ attacks and remote access ■ National Information Board (NIB). threats; ■ National Crisis Management Committee. (ii) create awareness among stakeholders (failing which, ■ National Security Council Secretariat. stakeholders will not be responsible for Incidents that ■ Ministry of Home Affairs. occur due to their ignorance); ■ Ministry of Defence. (iii) Banks are additionally required to: (a) set up a ‘security ■ National Disaster Management Authority. operations centre’ to conduct continuous surveillance and testing for vulnerabilities; and (b) appoint a Chief Information Security Officer (“CISO”) to identify 2.10 What are the penalties for not complying with the gaps in preparedness and propose measures/controls; requirements identified under questions 2.3 to 2.8? and (iv) NBFCs are additionally required to: (i) consider the ITA/CERT Rules/Intermediary Rules: use of digital signatures for high-value fund transfers; (i) There is no penalty prescribed for non-compliance with (ii) develop a mechanism for safeguarding information the mandatory reporting of Incidents. As such, a residuary assets (including end-to-end encryption) in respect of penalty (of up to INR 25,000) under the ITA will apply (Sec. mobile financial services; and (iii) develop controls 45, ITA). and secure connections when using social media for marketing products. (ii) The licence of the Certifying Authority may be revoked for failure to maintain/follow required security standards (Sec. ■ Internet-based trading/securities using wireless technology 25, ITA). ■ The Securities and Exchange Board of India requires ULA: stock exchanges to: Telecom companies will be liable: (i) ensure brokers implement secure end-to-end encryption for all data transmission, safety features against internal/ (i) for any inadvertent security breach: a penalty of up to INR external Incidents, two-factor authentication for login, 500,000,000; and etc.; and (ii) for any inadequate compliance with the licence, intentional (ii) arrange periodic systems audits of broker systems omission, deliberate vulnerability, etc.: a penalty of INR and include wireless technology trading in investor 500,000,000 per breach. The licence may also be terminated awareness programmes. and the vendor who supplied the hardware/software responsible for the breach could be blacklisted (Clause ■ Insurance 39.10(i) and (ii), Clause 3.11(ii), ULA). ■ IRDA requires insurances companies to, inter alia: (i) evolve a CCMP and create awareness about cyber threats among stakeholders; 2.11 Please cite any specific examples of enforcement action taken in cases of non-compliance with the (ii) designate a CISO to formulate and enforce policies to above-mentioned requirements. protect information assets; (iii) constitute an ‘Information Security Committee’ for Poona Auto Ancillaries v. Punjab National Bank (2011): money information security management; and was fraudulently transferred from the complainant’s account after (iv) undertake measures for data and application security, he responded to a phishing email. The bank was found negligent Incident response planning, vulnerability assessments, due to the lack of proper security checks against fraud accounts and penetration tests, etc. was ordered to pay INR 4,500,000 as compensation.

68 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London BTG Legal India

(b) The telecommunications sector: ■ Vendor contracts with telecom companies must: (i) allow 4.4 Are companies (whether public or listed) subject to inspection of hardware, software, manufacturing facility, etc. any other specific requirements under Applicable Laws in relation to cybersecurity? by the telecom company/DOT; (ii) allow security checks of vendor software any time; and (iii) acknowledge the DOT’s discretion to blacklist vendors for security breaches. Listed companies/companies with over 1,000 shareholders must: ■ The DOT will constitute a five-member committee (including (i) provide e-voting facilities with votes recorded in an electronic two cybersecurity experts) to assess breaches and determine registry with adequate cybersecurity; and applicable penalties. (ii) ensure the security of any electronic records, including:

■ The DOT may mandate (as necessary) that telecom (i) protection against unauthorised access, alteration or India companies: tampering; (ii) security of computer systems, software and hardware; (iii) periodic backups; (iv) ability of computer (i) enter into vendor agreements: (a) certifying services/ systems to discern invalid/altered records; and (v) retrieval software are ‘safe to connect’ and have been checked of readable/printable records, etc. (Rule 20 and Rule 28, for risks/vulnerabilities; (b) covering security measures Companies (Management and Administration) Rules, 2014). (such as access and password control); and (c) addressing service continuity and upgradation, etc.; (ii) create a forum to increase security assurance levels and 5 Litigation share common issues; and (iii) build capability and capacity (through local maintenance personnel) to maintain security of the telecom network. 5.1 Please provide details of any civil actions that may be ■ Encryption standards have been prescribed for telecom and brought in relation to any Incident and the elements of internet service providers, and bulk encryption is expressly that action that would need to be met. prohibited. See question 1.3 above in respect of civil liability under Sec. 43, ITA. 4 Corporate Governance An organisation will be liable for damages of up to INR 50,000,000 if it fails to implement reasonable security practices and procedures 4.1 In what circumstances, if any, might a failure by to protect sensitive personal information (such as passwords, a company (whether listed or private) to prevent, financial information, biometrics, etc.) (“SPI”) and such negligence mitigate, manage or respond to an Incident amount to results in a wrongful gain or loss (Sec. 43A, ITA). a breach of directors’ duties in your jurisdiction? Organisations required to furnish information, records, returns, etc. or to maintain books of account/records under the ITA/rules will be Where a company is legally subject to cybersecurity requirements liable to monetary penalties for any failure to comply (Sec. 44, ITA). (such as data storage or privacy under the ITA), the occurrence of Civil suits may be brought in respect of infringement of IP rights a related Incident due to the failure of the directors to implement including in respect of injunction, damages and account of profits. proper systems to comply with such requirements, or to ensure the adequacy and effectiveness of the systems, may amount to a breach of directors’ duties under company law (Sec. 134, Companies Act, 5.2 Please cite any specific examples of cases that 2013). have been brought in your jurisdiction in relation to Incidents. Persons in charge of the conduct of business of a company will be considered guilty for any contravention by the company of the Prosecution under the ITA: provisions of the ITA or rules (unless he is able to prove lack of knowledge of the contravention or exercise of due diligence) (Sec. (i) See the Poona Auto case under question 2.11 above. 85, ITA). (ii) Compensation has been imposed for breach of privacy in a number of cases, including Amit Patwardhan v. Rud India Chains and Nirmalkumar Bagherwal v. Minal Bagherwal 4.2 Are companies (whether listed or private) required (both 2013), where the complainants’ financial information under Applicable Laws to: (a) designate a CISO; (constituting SPI) was obtained from their respective (b) establish a written Incident response plan or banks without their consent and used against them in legal policy; (c) conduct periodic cyber risk assessments, proceedings. including for third party vendors; and (d) perform penetration tests or vulnerability assessments? IPR infringement: (i) In Adobe Systems Inc. v. Sachin Naik (2010), the plaintiff The above requirements are mandatory for banks, NBFCs (with was held entitled to damages of INR 200,000 and costs for the exception of designation of a CISO), insurance companies and software infringement. telecom companies. (ii) In Infosys Technologies v. Akhil Gupta (2005), the plaintiff was awarded a permanent injunction against the defendant’s use of the trademark/name “Infosys”, along with damages of 4.3 Are companies (whether listed or private) subject INR 300,000 and costs. to any specific disclosure requirements in relation to cybersecurity risks or Incidents (e.g. to listing authorities, the market or otherwise in their annual 5.3 Is there any potential liability in tort or equivalent reports)? legal theory in relation to an Incident?

No specific disclosure requirements are imposed. Tortious liability may arise in respect of trespass (hacking), fraudulent misrepresentation (phishing/identity theft), breach of privacy, breach of confidentiality, nuisance (denial-of-service), etc.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 69 © Published and reproduced with kind permission by Global Legal Group Ltd, London BTG Legal India

(i) confiscating computer systems, hardware, tape drives, etc. 6 Insurance containing information or used to contravene the ITA (Sec 76, ITA); 6.1 Are organisations permitted to take out insurance (ii) entering any public place and searching and arresting without against Incidents in your jurisdiction? a warrant persons guilty/reasonably suspected of committing an offence under the ITA (Sec. 80(1), ITA); and Yes, cyber insurance may be taken as a standalone liability policy (iii) search and seizure procedures, issuing summons, requiring or as an extension under E&O or professional indemnity insurance. the attendance of witnesses and making arrests under the Criminal Procedure Code, 1973.

India Authorised officers empowered to investigate contraventions of the 6.2 Are there any regulatory limitations to insurance ITA and rules can: (a) access and undertake searches of computer coverage against specific types of loss, such as business interruption, system failures, cyber extortion systems to obtain information/data; and (b) by order require persons or digital asset restoration? If so, are there any legal in charge of the computer system to provide reasonable technical limits placed on what the insurance policy can cover? assistance (Sec. 28 and 29, ITA). Intermediaries must, upon lawful order and receipt of a written This is not applicable in our jurisdiction. request, provide information/assistance to authorised government agencies for the investigation, prosecution and punishment of offences under Applicable Law (Rule 3(7), Intermediary Rules). 7 Employees

8.2 Are there any requirements under Applicable Laws 7.1 Are there any specific requirements under Applicable for organisations to implement backdoors in their IT Law regarding: (a) the monitoring of employees for systems for law enforcement authorities or to provide the purposes of preventing, detection, mitigating and law enforcement authorities with encryption keys? responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents Authorised government authorities can require information by employees to their employer? generated, transmitted, received or stored in a computer resource to be intercepted, monitored or decrypted by requiring, inter alia: This is not applicable in our jurisdiction. (i) access to such computer resource; (ii) cooperation and technical assistance by intermediaries (including for installation and use of 7.2 Are there any Applicable Laws (e.g. whistle-blowing interception/monitoring/decryption equipment by the authorities); laws) that may prohibit or limit the reporting of cyber and (iii) disclosure of decryption key or provision of decryption risks, security flaws, Incidents or potential Incidents assistance by the key holder (Sec. 69, ITA and Decryption Rules). by an employee? Consent of the provider of SPI is not required for sharing such SPI with legally mandated government agencies for identity verification This is not applicable in our jurisdiction. or for the prevention, investigation, prosecution, etc. of offences (Rule 6, Privacy Rules). 8 Investigatory and Police Powers Telecom/internet service providers must provide the DOT with all the details of the technology employed, drawings, testing instruments, installation tools, etc. Licence conditions do not expressly require 8.1 Please provide details of any investigatory powers of means of decryption to be provided to the government, but the law enforcement or other authorities under Applicable language is sufficiently broad to include such access (ULA). Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident.

Offences under the ITA must be investigated by police officers not below the rank of Inspector (Sec. 78, ITA). Investigatory powers include:

70 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London BTG Legal India

Prashant Mara Devina Deshpande BTG Legal BTG Legal 804, Lodha Supremus 804, Lodha Supremus Dr. E. Moses Road Dr. E. Moses Road Worli Worli Mumbai – 400018 Mumbai – 400018 India India

Tel: +91 22 2482 0801 / +91 72080 12801 Tel: +91 22 2482 0807 / +91 70454 29808 Email: [email protected] Email: [email protected]

URL: www.btg-legal.com URL: www.btg-legal.com India

Prashant is a commercial lawyer specialising in strategic investments, Devina is a senior associate with BTG Legal, focusing on the digital collaborations, compliance and procurement projects – mostly cross- business, defence and industrials sectors. Her experience includes border. He specialises in the digital business, defence (with a focus cross-border and domestic private equity investments, M&A, debt on technology transfer and licensing) and industrial (with a focus capital markets, Islamic finance, investment management, fund on technology deployment) sectors. His clients include Facebook, formation, corporate governance and corporate advisory. Expedia, TripAdvisor, Fitbit, AirBnB, News Corp, Indigo, MAN group, Devina has previously worked at a magic circle UK law firm, in their Zeppelin, Rolls Royce, Voith and Tech Mahindra. London and Dubai offices. She is dual-qualified, being admitted to Prashant has spent nine years in Europe, working with top-tier law practise law in India and a solicitor of the Senior Courts of England firms in France, Germany and the UK. and Wales. Over the last decade, he has worked closely, as a trusted advisor, with the in-house teams of his clients. This has equipped him to approach a transaction with its strategic rationale in mind, which makes the transaction interesting and the execution effective. Prashant is proficient in providing compliance and crisis response advice, including dispute management, and acting as the interface between his clients and the regulator.

BTG Legal is a transactional law firm with best-of-breed technical expertise, a culture of innovation, and an unrelenting commitment to excellence. Our team has specialist sector knowledge in key areas including: ■■ Defence. ■■ Industrials. ■■ Digital business. ■■ Energy and infrastructure. ■■ Life sciences. ■■ Retail. ■■ Financial services. ■■ Transport. Our practices include corporate transactions, M&A, private equity, commercial contracting and procurement, regulatory advice, banking and finance, project finance, labour, fraud and anti-bribery compliance and other areas of law that are fast developing to keep up with rapid changes in technology and methods of doing business. Our lawyers have worked in-house in large conglomerates as well as in established Indian and international law firms, bringing immense depth to the team. We work closely with Osborne Clarke, a leading international law firm, and are able to extend our global reach significantly. Clients such as Facebook, WhatsApp, Jet Airways, Indigo Airlines, Tech Mahindra, MAN, Zeppelin, News Group, TripAdvisor, Wirecard and Leica Cameras continue to trust us with their work, given our innovative service delivery models, our understanding of their sectors and our appreciation of the challenging business environment in which they operate.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 71 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 12

Ireland Kevin Harnett

Maples and Calder Victor Timon

distributes, or otherwise makes available, for the purpose of the 1 Criminal Activity commission of an offence under the 2017 Act, certain hacking tools. Such tools are described as “(i) any computer programme 1.1 Would any of the following activities constitute a that is primarily designed or adapted for use in connection with criminal offence in your jurisdiction? If so, please the commission of such an offence, or (ii) any device, computer provide details of the offence, the maximum penalties password, unencryption key or code, or access code, or similar data, available, and any examples of prosecutions in your by which an information system is capable of being accessed”. jurisdiction: Identity theft or identity fraud (e.g. in connection with access devices) The Criminal Justice (Offences Relating to Information Systems) Act 2017 (the “2017 Act”) came into force on 12 June 2017, giving Although there is no precise, standalone offence of identity theft effect to Directive 2013/40/EU regarding criminal attacks against or identity fraud in this jurisdiction, it can nonetheless potentially information systems. be captured by the more general offence referred to as ‘making a gain or causing a loss by deception’ (as contained in section 6 Hacking (i.e. unauthorised access) of the Criminal Justice (Theft and Fraud Offences) Act 2001 (the Hacking is an offence in Ireland, which, under section 2 of the “2001 Act”)). This occurs where a person who dishonestly, with 2017 Act, occurs when a person who, without lawful authority or the intention of making a gain for himself or herself or another, or reasonable excuse, intentionally accesses an information system by of causing loss to another, by any deception induces another to do or infringing a security measure. refrain from doing an act. In addition, sections 25, 26 and 27 of the Denial-of-service attacks 2001 Act cover specific forgery offences. Denial-of-service attacks constitute an offence under the 2017 Act, Separately, under section 8 of the 2017 Act, identity theft or fraud captured under section 3, which provides that it is an offence when is an aggravating factor when it comes to sentencing, in relation to a person who, without lawful authority: intentionally hinders or ‘denial-of-service attack’ or ‘infection of IT systems’ offences. This interrupts the functioning of an information system by inputting is described in broad terms as being a misuse of the personal data data on the system; transmits, damages, deletes, alters or suppresses, of another person with the aim of gaining the trust of a third party, or causes the deterioration of, data on the system; or renders data on thereby causing prejudice to that person. the system inaccessible. Electronic theft (e.g. breach of confidence by a current or former Phishing employee, or criminal copyright infringement) Phishing does not, per se, constitute a specific offence in Ireland. Electronic theft is covered by the relatively broad offence of However, it is possible that the activity would be caught by ‘unlawful use of a computer’, as provided for in section 9 of the certain other, more general criminal legislation, depending on the 2001 Act. This occurs where a person who dishonestly, whether circumstances (for instance, relating to identity theft or identity within or outside the State, operates or causes to be operated a fraud). In this regard, see below. computer within the State with the intention of making a gain for Infection of IT systems with malware (including ransomware, himself or herself or another, or of causing loss to another. spyware, worms, trojans and viruses) Any other activity that adversely affects or threatens the Infection of IT systems with malware is also an offence, again security, confidentiality, integrity or availability of any IT covered by the 2017 Act. In this regard, section 4 provides that system, infrastructure, communications network, device or data a person who, without lawful authority, intentionally deletes, Section 5 of the 2017 Act creates the offence of ‘intercepting the damages, alters or suppresses, or renders inaccessible, or causes the transmission of data without lawful authority’, which occurs when deterioration of data on an information system commits an offence. a person who, without lawful authority, intentionally intercepts any Possession or use of hardware, software or other tools used to transmission (other than a public transmission) of data to, from commit cybercrime (e.g. hacking tools) or within an information system (including any electromagnetic emission from such an information system carrying such data). Possession or use of hardware, software or other tools used to This is a broad provision which potentially covers other activity that commit cybercrime also constitutes an offence under the 2017 adversely affects or threatens the security, confidentiality, integrity Act (section 6), which occurs when a person who, without lawful or availability of any IT system, infrastructure, communications authority, intentionally produces, sells, procures for use, imports, network, device or data.

72 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Maples and Calder Ireland

With regard to penalties, in relation to offences under the 2017 Act, the above-mentioned offences under the 2001 Act carry, in and of the penalties range from maximum imprisonment of one year and a themselves, extraterritorial application. maximum fine of €5,000 for charges brought ‘summarily’ (i.e., for less serious offences), to a maximum of five years’ imprisonment (10 1.3 Are there any actions (e.g. notification) that might years in the case of denial-of-service attacks) and an unlimited fine, mitigate any penalty or otherwise constitute an for more serious offences. The above offences under the 2001 Act are exception to any of the above-mentioned offences? only tried in the Circuit Court, with ‘making a gain or causing a loss by deception’ carrying a maximum penalty of five years’ imprisonment Each of the above offences under the 2017 Act contains the ingredient and an unlimited fine, and forgery and ‘unlawful use of a computer’ that it was committed without “lawful authority”, which is defined offences carrying a maximum of 10 years and an unlimited fine.

as either “with the authority of the owner of the system”, “with the Ireland Owing to the very recent implementation of the 2017 Act, there authority of a right holder of the system”, or “as permitted by law”. have been very few (if any) prosecutions of note under this Accordingly, prosecution of these offences will require, necessarily, particular legislation to date. That said, Ireland’s first successful that such authority or lawful permission was absent. prosecution for hacking took place in July 2013 on foot of charges In addition, the offence relating to ‘hacking’ carries a further under the Criminal Damage Act 1991. The prosecution followed a qualification, i.e., where the person or company had a “reasonable collaborative investigation between the Irish Garda Bureau of Fraud excuse”. This term is, however, not defined under the 2017 Act, and and the FBI, and involved the hacking of a major political party’s so its precise application will depend on future judicial interpretation. website during the run-up to a national election. In addition, if a company is charged with any of the above 2017 Act There have also been a number of relatively high-profile denial-of- offences where the offence was committed by an employee for the service attacks on large national websites over the last 12 months benefit of that company, it will be a defence for that company that it (those of certain governmental departments and the national took “all reasonable steps and exercised all due diligence” to avoid lottery, to name a few), which are currently the subject of ongoing the offence taking place. investigations. These investigations may lead to some element of prosecution under the 2017 Act in the near future. Separately, it can be expected that judges will continue to take established factors into account when considering the appropriate Failure by an organisation to implement cybersecurity measures penalty on foot of a conviction of a cybersecurity-related crime There is no particular offence in this jurisdiction directly linked to (e.g., remorse, amends, cooperation with investigators, criminal a failure by an organisation to implement cybersecurity measures. history, and extent of damage). That said, and in specific relation to personal data concerning individuals, section 2 of the Data Protection Acts 1988–2003 (the “DPA”) provides that organisations must ensure that “…appropriate 1.4 Are there any other criminal offences (not specific security measures…be taken against unauthorised access to, or to cybersecurity) in your jurisdiction that may arise in relation to cybersecurity or the occurrence of an unauthorised alteration, disclosure or destruction of, the data, in Incident (e.g. terrorism offences)? Please cite any particular where the processing involves the transmission of data specific examples of prosecutions of these offences over a network, and against all other unlawful forms of processing”. in a cybersecurity context. The Office of the Data Protection Commissioner (the “ODPC”) may, under its statutory powers, notify an organisation that it is deemed to Yes. It is, for instance, an offence under section 8 of the Offences have breached these obligations, and further issue an enforcement Against the State (Amendment) Act 1998 to “collect, record or possess notice in this respect. It is then an offence for any person or company information which is of such a nature that it is likely to be useful in to, without reasonable excuse, fail or refuse to comply with such a the commission by members of any unlawful organisation of serious notice. The maximum fine imposable in this regard is €100,000. offences generally or any particular kind of serious offence”. The (There is no imprisonment penalty attached to this offence.) term “serious offence” would encompass any of the above-mentioned offences (apart from failure to comply with an enforcement notice 1.2 Do any of the above-mentioned offences have issued by the ODPC), so long as the act in question is one which extraterritorial application? involves “serious loss of or damage to property or a serious risk of any such loss…or damage”. The maximum sentence for this offence All of the above offences under the 2017 Act have certain includes an unlimited fine and 10 years’ imprisonment. To date, there extraterritorial application, and so offenders may therefore be does not appear to have been any prosecutions of note which have tried in Ireland, so long as they have not already been convicted or combined this particular offence with acts of cybercrime. acquitted abroad in respect of the same act, and the relevant act was committed: 2 Applicable Laws (a) by the person in Ireland in relation to an information system outside of the country; (b) by the person outside of the country in relation to an 2.1 Please cite any Applicable Laws in your jurisdiction information system in Ireland; or applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation (c) by the person outside of the country in relation to an and management of Incidents. This may include, information system also outside of the country, if: for example, laws of data protection, intellectual (i) that person is an Irish citizen, a person ordinarily resident property, breach of confidence, privacy of electronic in Ireland, or a company established or existing under communications, information security, and import / Irish law; and export controls, among others. (ii) the act is an offence under the law of the place where it was committed. Apart from the above-referenced statutes in respect of criminal Although broader concepts such as, for instance, the ‘European activity, Applicable Laws include the following: arrest warrant’ may be of relevance for Irish prosecutors, none of

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 73 © Published and reproduced with kind permission by Global Legal Group Ltd, London Maples and Calder Ireland

■ Data Protection: The DPA govern the manner in which The Department of Communications, Energy and Natural Resources personal data is collected and processed in Ireland. The (now, the Department of Communications, Climate Action and DPA require that data controllers take ‘appropriate security Environment (“DCCE”)) published the National Cyber Security measures’ against unauthorised access, alteration, disclosure Strategy 2015–2017, which provides a mandate for the National or destruction of data, in particular where the processing Cyber Security Centre to engage in activities to protect critical involves transmission of data over a network. This regime information infrastructure. As matters stand, the DCCE together will be superseded by the introduction of the General Data Protection Regulation (Regulation (EU) 2016/679) (the with the Government Taskforce on Emergency Planning and “GDPR”) in May 2018. the Office of Emergency Planning in the Department of Defence operate as lead government departments for emergency situations ■ e-Privacy: The e-Privacy Regulations 2001 (S.I. 336 of relating to, inter alia, critical infrastructure.

Ireland 2011), which implemented the e-Privacy Directive 2002/58/ EC (as amended by Directives 2006/24/EC and 2009/136/ The NISD will be introduced in Ireland by primary legislation, EC) (the “e-Privacy Regulations”), regulate the manner in expected to be passed in May 2018. According to the Government’s which providers of publicly available telecommunications Legislative Programme Spring/Summer session 2017, drafting is networks or services handle personal data and require underway but no bill has been published to date and, as such, it is providers to take appropriate technical and organisational not yet known whether the implementing legislation will exceed the measures to safeguard the security of its services and requirements of the NISD. report Incidents. It is intended that a revised EU e-Privacy Regulation will be introduced in May 2018 to replace the existing e-Privacy Directive and e-Privacy Regulations, 2.3 Are organisations required under Applicable Laws, which will expand the current regime to cover all businesses or otherwise expected by a regulatory or other which provide online communication services. authority, to take measures to monitor, detect, prevent ■ Payments Services: The existing European Communities or mitigate Incidents? If so, please describe what (Payment Services) Regulations 2009 (S.I. 383/2009) measures are required to be taken. (implementing Directive 2007/64/EC) (the “Payment Services Regulations”) require that payment service Under the DPA, data controllers are required to take appropriate providers take certain steps to ensure personalised security measures, as outlined in questions 1.1 and 2.1 above. The DPA features of payment instruments are not accessible to do not detail specific security measures to be undertaken but in unauthorised persons. The new Payments Services Directive determining appropriate measures, a data controller may have II (Directive 2015/2366/EU), which must be transposed by regard to the state of technological development and the cost of regulation in advance of 13 January 2018, will introduce regulatory technical standards (to be published by the implementing the measures. Data controllers must ensure that the European Banking Authority) to ensure ‘strong customer measures provide a level of security appropriate to the harm that authentication’ and payment service providers will be might result from a breach and the nature of the data concerned. required to inform the national competent authority in the The ODPC has issued guidance which suggests the introduction case of major operational or security Incidents. Providers of measures such as access controls, automatic screen-savers, must also notify customers if any Incident impacts the encryption, anti-virus software, firewalls, software patching, secure financial interests of its payment service users. remote access, back-up systems and Incident response plans. ■ The Security of Network and Information Systems Directive Under the e-Privacy Regulations, providers of publicly available 2016/1148/EU (the “NISD”) is to be transposed by EU telecommunications networks or services are required to take Member States, including Ireland, by May 2018. The NISD appropriate technical and organisational measures and ensure the seeks to harmonise cybersecurity capabilities across the EU and achieve a common level of network and information level of security appropriate to the risk presented, having regard to systems security across the EU by increasing cooperation the state of the art and cost of implementation. Such measures shall amongst EU Member States, improving national capabilities at least ensure that personal data can only be accessed by authorised and introducing security measures and Incident reporting personnel for legally authorised purposes, protect personal obligations for certain operators of essential services. data against accidental or unlawful destruction, loss, alteration, ■ Other: If there is a security breach which results in the processing, etc., and ensure the implementation of a security policy. dissemination of inaccurate information, persons about The NISD, once transposed into Irish law, will require that whom the inaccurate data relates may seek a remedy under operators of essential services take appropriate measures to prevent the Defamation Act 2009. Similarly, if information was and minimise the impact of Incidents affecting the security of the provided in confidence and such information was leaked, network and information systems used for the provision of essential there may be an action under common law for breach of confidence or negligence, in the event that a duty of care is services with a view to ensuring continuity. Similarly, digital found to have been owed. service providers will be required to identify and take appropriate and proportionate technical and organisational measures to manage See also sections 1 and 5. risks posed having regard to the state of the art and take account of, inter alia, the security of the systems and facilities, Incident 2.2 Are there any cybersecurity requirements under handling, business continuity management and compliance with Applicable Laws applicable to critical infrastructure international standards. in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction expected to implement the Network and Information 2.4 In relation to any requirements identified in question Systems Directive? Please include details of any 2.3 above, might any conflict of laws issues instances where the implementing legislation in your arise? For example, conflicts with laws relating jurisdiction is anticipated to exceed the requirements to the unauthorised interception of electronic of the Directive. communications or import / export controls of encryption software and hardware. Publicly available telecommunications networks and services are governed by the e-Privacy Regulations outlined at question 2.1 above. Applicable Laws are largely harmonised at an EU level, and as such

74 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Maples and Calder Ireland

the risk of conflicts of laws is minimised. However, the existence of ■ it does not include sensitive personal data or personal data of differing requirements for organisations with operations both within a financial nature. the EU and externally may present compliance challenges for such Notifications should be made within two working days of becoming companies. aware of the Incident. The ODPC may require a detailed report or With regard to the confidentiality of electronic communications, it subsequent investigation based on the nature of the Incident. is understood that updated interception legislation is in the process Under Article 16 of the NISD, once implemented, Member States of being prepared, namely the Interception of Postal Packets must ensure that digital service providers notify the relevant and Telecommunications Messages (Regulation) (Amendment) competent authority (in Ireland, this is likely to be the National Bill. The purpose of that legislation is to update the Postal and Cyber Security Centre) without delay of any Incident having a

Telecommunications Acts 1983 and 1993, which are limited in scope substantial impact on the provision of a service. The notification Ireland to postal services and traditional telecommunications providers, to must provide sufficient information so that the national authority regulate the lawful interception of all communications delivered can assess the significance of same and any cross-border impact. over the internet. The NISD stipulates that notification shall not make the notifying party subject to increased liability. 2.5 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, 2.6 If not a requirement, are organisations permitted by to report information related to Incidents or potential Applicable Laws to voluntarily share information Incidents to a regulatory or other authority in your related to Incidents or potential Incidents with: (a) jurisdiction? If so, please provide details of: (a) the a regulatory or other authority in your jurisdiction; circumstance in which this reporting obligation is (b) a regulatory or other authority outside your triggered; (b) the regulatory or other authority to jurisdiction; or (c) other private sector organisations which the information is required to be reported; (c) or trade associations in or outside your jurisdiction? the nature and scope of information that is required to be reported (e.g. malware signatures, network vulnerabilities and other technical characteristics See above at question 2.5 regarding the non-binding Code of identifying an Incident or cyber attack methodology); Practice governing notifications to the ODPC and the involvement and (d) whether any defences or exemptions exist by of organisations such as An Garda Siochana or financial institutions. which the organisation might prevent publication of The National Cyber Security Strategy 2015–2017 outlines the that information. intention of the DCCE to deepen its partnerships with third level institutions to aid the sharing of knowledge, experience and best Providers of publicly available telecommunications networks or practice. Moreover, the Strategy outlines the active information- services are required to report information relating to Incidents or sharing role between the DCCE and other public sector bodies and potential Incidents to the ODPC (to the extent that such Incidents industry at the time (including IRISS-CERT). Under the NISD, relate to personal data breaches). In the case of a particular risk of the CSIRTs Network will be tasked with exchanging and making a breach to the security of a network, providers of publicly available available, on a voluntary basis, non-confidential information telecommunications networks or services are required to inform their concerning individual Incidents. subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to be taken by the relevant service provider, any possible remedies including an indication of the likely 2.7 Are organisations required under Applicable Laws, or costs involved. In case of a personal data breach, such providers must otherwise expected by a regulatory or other authority, notify the ODPC without delay and where the said breach is likely to to report information related to Incidents or potential Incidents to any affected individuals? If so, please affect the personal data of a subscriber or individual, notify them also. provide details of: (a) the circumstance in which If the provider can satisfy the ODPC that the data would have been this reporting obligation is triggered; and (b) the unintelligible to unauthorised persons, there may be no requirement nature and scope of information that is required to be to notify the individual or subscriber of the breach. reported. The ODPC has published a non-binding Code of Practice in respect of data security breaches more generally but, save for the procedure See question 2.5 above. outlined above which apply to telecommunications providers, there is currently no general requirement to report data breaches. The 2.8 Do the responses to questions 2.5 to 2.7 change if the GDPR will introduce a more general personal data breach notification information includes: (a) price sensitive information; obligation to the ODPC, which may be relevant to Incidents. The Code (b) IP addresses; (c) email addresses (e.g. an email of Practice notes that where there has been an Incident giving rise to address from which a phishing email originates); (d) a risk of unauthorised disclosure, loss, destruction or alteration of personally identifiable information of cyber threat personal data, the data controller should give immediate consideration actors; and (e) personally identifiable information of individuals who have been inadvertently involved in to notifying the affected data subjects. Data subjects should be an Incident? informed of the nature of the breach, where more information can be obtained and measures which may be taken to mitigate the effects of Parties must ensure that personal data is processed (e.g., shared) in the breach. The Code of Practice also advises that controllers should accordance with the DPA and take appropriate security measures with notify groups which may assist affected data subjects such as the Garda regard to any onward transmission of data including in the context of Siochana or financial institutions. All Incidents in which personal data notifications of Incidents. Personal data includes data relating to a has been put at risk should be reported to the ODPC as soon as the data living individual who is or can be identified from either the data or from controller becomes aware of the Incident, except when: the data in conjunction with other information that is in, or is likely to ■ the full extent and consequences of the Incident has been come into, the possession of the data controller. There are exemptions reported without delay directly to the affected data subject(s); under the DPA such as for the processing of data which is necessary ■ it affects no more than 100 data subjects; and for the administration of justice or to enable the data controller to

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 75 © Published and reproduced with kind permission by Global Legal Group Ltd, London Maples and Calder Ireland

comply with a legal obligation. Therefore, different considerations school’s files inaccessible. These files contained personal details apply in the context of voluntary sharing of personal data relating to and a ransom was demanded to release same. The school was found a breach, and mandatory reporting. For that reason, data controllers to be in breach of the DPA as it had not put in place appropriate should take particular care when a notification includes any personal security measures and had no policies or procedures to maintain data and take steps to anonymise data where appropriate. Additional adequate backups. Recommendations were issued to the school and considerations also apply in the case of ‘sensitive personal data’. the school implemented staff training and awareness and reassessed Parties must also be conscious of their contractual obligations and its contractual arrangements with its ICT suppliers. whether issues may arise regarding the sharing of price-sensitive or confidential information, particularly if there is no mandatory 3 Specific Sectors

Ireland requirement to do so.

2.9 Please provide details of the regulator(s) responsible 3.1 Does market practice with respect to information for enforcing the requirements identified under security (e.g. measures to prevent, detect, mitigate questions 2.3 to 2.7. and respond to Incidents) vary across different business sectors in your jurisdiction? Please include details of any common deviations from the strict legal The ODPC is the primary regulator responsible for enforcing requirements under Applicable Laws. the requirements outlined above. The ODPC is an independent body established under the DPA. The current Data Protection Yes, market practice with respect to information security varies Commissioner is Helen Dixon. considerably in Ireland dependent on the industry sector concerned. Under the NISD, it is intended that the national competent authority Businesses in industries that are recognised as being particularly will be the National Cyber Security Centre which is intended to be vulnerable to Incidents, such as the financial services sector, are placed on a statutory footing. more likely to have adequate processes in place to effectively address cyber risk. With current and long-term trends, such as the continued expansion of cloud computing, mobile data and the internet of things 2.10 What are the penalties for not complying with the requirements identified under questions 2.3 to 2.8? further increasing exposure to cyber risk, financial services firms are expected to update and implement their processes accordingly. The publication of the Cross Industry Guidance in respect of Information There is no automatic penalty for data controllers under the DPA Technology and Cybersecurity Risks by the regulator for financial in the event of a data breach. However, if the ODPC issue an institutions, the Central Bank of Ireland, provides valuable enforcement notice or information notice arising out of the data information on the practices that financial services firms are expected controller’s failure to implement appropriate security measures to apply in order to protect their organisations from cyber threats. (whether there has been a breach or otherwise), a data controller must comply with same. If they do not comply with an enforcement Other industries have previously been less cognisant of the notice, it will constitute an offence. need for adequate cybersecurity protections. For example, the manufacturing industry in Ireland has been largely unaffected by Penalties under the DPA include fines as follows: Incidents. However, advances in robotics, technology and the ■ maximum of €3,000 on summary conviction; and digital marketplace have increased the awareness of manufacturers ■ maximum of €100,000 on indictment. to the need for maintenance and protection of cyber infrastructure. Under the e-Privacy Regulations, a person who commits an offence In response to this, IBEC, the largest business and employer is liable on summary conviction to a fine. Furthermore, if a person association for organisations based in Ireland, has highlighted is convicted of an offence, the court may order any material or data the prioritisation of cybersecurity as a key component in the that appears to it to be connected with the commission of the offence development of the manufacturing industry in Ireland and has set to be forfeited or destroyed and any relevant data to be erased. out a number of recommendations in a recent report setting out their short- to medium-term strategy for Ireland’s manufacturing industry.

2.11 Please cite any specific examples of enforcement action taken in cases of non-compliance with the 3.2 Are there any specific legal requirements in relation above-mentioned requirements. to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the In July 2016, the ODPC was notified of a data breach in respect of an telecommunications sector? organisation providing retail and online services. Over a two-week period, attackers attempted various username/password combinations (a) There is currently no specific legislation focused on and gained access to certain user accounts. The attackers were able to cybersecurity applicable to organisations in the financial services sector. In the absence of any codified law, the Central add new payments methods to those accounts and to access personal Bank of Ireland has published Cross Industry Guidance, which data associated with those accounts. They attempted to withdraw users’ relates to IT governance and risk management by regulated balances. The ODPC assessed the breach and identified deficiencies in financial institutions in Ireland. The publication makes the security measures used, including insufficient measures on password a number of recommendations including (but not limited policy and user authentication and insufficient control measures to to): the preparation of a well-considered and documented validate changes to users’ accounts. This was considered a breach of the strategy to address cyber risk; the implementation of security DPA and recommendations were issued to the organisation to take steps awareness training programmes; the performance of cyber to mitigate the various deficiencies. If the organisation failed to take such risk assessments on a regular basis; and the implementation steps, it would face enforcement action. The company implemented of strong controls by firms over access to their IT systems. multifactor passwords and a comprehensive data retention policy. Once transposed, the NISD will introduce security measures and Incident reporting obligations for credit institutions. See Similarly, the ODPC reported that in October 2016 a primary school also reference to Payment Sources Regulations in question was the victim of a “crypto ransomware attack” which rendered the 2.1 above.

76 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Maples and Calder Ireland

(b) While there are no specific laws on cybersecurity, electronic performed. See question 4.1 above for more detail on directors’ communications companies (such as telecoms companies duties. For industry-specific requirements, see question 3.1 above. and ISPs) are governed by the DPA, and also the e-Privacy Regulations. Under the e-Privacy Regulations, there are more explicit rules governing the security of personal data. 4.3 Are companies (whether listed or private) subject The electronic communications sector will be further affected to any specific disclosure requirements in relation by the introduction of the GDPR in May 2018. Businesses in to cybersecurity risks or Incidents (e.g. to listing the sector are already looking to familiarise themselves with authorities, the market or otherwise in their annual reports)? new requirements that the GDPR will bring about, notably in the areas of transparency, security and accountability by data controllers and processors. Certain operators (IXPs, DNS While there are no such express obligations from a company law service providers and TLD name registries) will also fall perspective, general director fiduciary duties, as well as best corporate Ireland within the ambit of the NISD, upon domestic implementation. governance practices, may dictate that such actions are performed. See question 4.1 above for more detail on directors’ duties. 4 Corporate Governance The e-Privacy Regulations oblige electronic communications service providers to report all data breaches to the ODPC. The GDPR will introduce a more general personal data breach notification obligation 4.1 In what circumstances, if any, might a failure by to the ODPC, which may be of relevance to an Incident. The NISD a company (whether listed or private) to prevent, will introduce Incident reporting obligations for certain operators of mitigate, manage or respond to an Incident amount to essential services. a breach of directors’ duties in your jurisdiction?

4.4 Are companies (whether public or listed) subject to While there are no express directors’ duties specific to cybersecurity, any other specific requirements under Applicable directors owe fiduciary duties to their company under common law Laws in relation to cybersecurity? and under the Companies Act 2014 (the “CA 2014”). There are a number of key fiduciary duties of directors set out This chapter sets out the principal laws and requirements relating to in the CA 2014. This list, however, is not exhaustive. Some cybersecurity in Ireland. However, there may be other requirements examples of directors’ duties which could be considered to extend and/or recommendations established by industry-specific codes of to cybersecurity are: conduct. In addition, there may be other laws that do not directly ■ exercise their powers in good faith in what the director relate to cybersecurity but which establish requirements that bear on considers to be the interests of the company; cybersecurity. See, in addition, section 2 above. ■ act honestly and responsibly in relation to the conduct of the affairs of the company; 5 Litigation ■ act in accordance with the company’s constitution and exercise his or her powers only for the purposes allowed by law; 5.1 Please provide details of any civil actions that may be ■ exercise the care, skill and diligence which would be exercised brought in relation to any Incident and the elements of in the same circumstances by a reasonable person having that action that would need to be met. both the knowledge and experience that may reasonably be expected of a person in the same position as the director with As discussed in response to question 5.3 below, an Incident may give the knowledge and experience which the director has; and rise to various claims under the law of tort. It is also conceivable ■ have regard to the interests of its employees in general. that an Incident would, depending on the circumstances, give rise Directors have a general duty to identify, manage and mitigate risk and to a claim for breach of contract where the particular Incident fiduciary duties, such as those outlined above, which would extend to constituted a breach of contract between the parties. cybersecurity. Such duties could be interpreted to mean that directors In order to be entitled to compensation in damages, whether under a should have appropriate policies and strategies in place with respect to tortious or contractual analysis, a plaintiff will be required to establish: cyber risk and security and that directors should review and monitor that a duty or obligation was owed to him/her by the defendant; that these on a regular basis. Regard may also be had to compliance by an Incident has occurred in consequence of the defendant’s having a company with all relevant legislative obligations imposed on that acted in breach of that duty or obligation; and loss or damage has company in assessing compliance by directors with their duties. been sustained to the plaintiff which, but for the impugned acts or Appropriate insurance coverage should also be considered. omissions of the defendant, would not have been so sustained. Directors should be fully briefed and aware of all of the key issues It should be noted that many classes of Incident will also give rise to relating to cyber risk. Larger organisations may choose to delegate claims for damages for breach of the constitutional . more specific cyber risk issues to a specific risk sub-committee. Moreover, where an Incident is committed by a State actor, for example, during the course of an investigation, it may give rise to an action in judicial review to prevent misuse of any inappropriately 4.2 Are companies (whether listed or private) required obtained data and/or to quash any decision taken in relation to, and/ under Applicable Laws to: (a) designate a CISO; or on foot of, the Incident or any improperly obtained data. (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform 5.2 Please cite any specific examples of cases that have penetration tests or vulnerability assessments? been brought in your jurisdiction in relation to Incidents.

While there are no such express obligations from a company Collins v FBD Insurance [2013] IEHC 137 – This case examined law perspective, general director fiduciary duties, as well as best the issue of whether or not a breach of the DPA would automatically corporate governance practices, may dictate that such actions are entitle a data subject to compensation irrespective of whether or not

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 77 © Published and reproduced with kind permission by Global Legal Group Ltd, London Maples and Calder Ireland

they could prove actual loss or damage. The High Court concluded that a data subject has no entitlement to automatic compensation for a 7 Employees technical breach of his/her rights under the DPA where he/she cannot prove that he/she has suffered loss or damage as a result of the breach. 7.1 Are there any specific requirements under Applicable It must be noted, however, that this would appear to stand somewhat Law regarding: (a) the monitoring of employees for at odds with a recent decision of the Court of Appeal of England and the purposes of preventing, detection, mitigating and Wales (Google Inc v Vidal-Hall [2015] EWCA Civ 311). responding to Incidents; and (b) the reporting of cyber CRH plc and Others v Competition and Consumer Protection risks, security flaws, Incidents or potential Incidents by employees to their employer? Commission [2017] IECS 34 – The Supreme Court upheld the finding of the High Court that, in seizing material unrelated to an Ireland investigation, the Competition and Consumer Protection Commission An employer should avoid covert and excessive monitoring of had acted outside the scope of its statutory powers and would be employees. Under the DPA and the ECHR, employees are entitled acting in breach of the applicants’ rights to privacy were it to examine to privacy which generally means that employers must balance such material. In the exercise by the State of its powers of search, the their need to monitor employees for the purposes of protecting their Supreme Court held that interference with the right to privacy was business against the individual employee’s right to privacy. Each inevitable but that such interference must be proportionate. case would be decided on its particular circumstances. The Irish whistleblowing legislation, the Protected Disclosures Act 2014, protects employees from penalisation arising out of reporting 5.3 Is there any potential liability in tort or equivalent actual or possible wrongdoing. In addition, the employer should legal theory in relation to an Incident? keep in mind its obligations under data protection legislation when processing personal data, including that such data is kept secure and, Yes. Depending on the specific type of Incident concerned, liability where applicable, obligations arising under the e-Privacy Regulations in tort may arise. Examples of such tortious liabilities are as follows: and under the NISD (when implemented). Employees should be The DPA recognise that a data breach may constitute a breach of the made aware, typically by means of a written company policy or duty of care owed to a data subject. This would potentially expose relevant provision in the employment contract, of such obligations the data controller to an action in tort for damages for breach of and their duty to adhere to such obligations on behalf of the company. statutory duty in circumstances where they have committed a breach or breaches of the DPA. 7.2 Are there any Applicable Laws (e.g. whistle-blowing A breach of a person’s privacy rights may give rise to a claim in tort for laws) that may prohibit or limit the reporting of cyber breach of confidence or negligence, depending upon the circumstances. risks, security flaws, Incidents or potential Incidents Incidents involving the theft of information or property may give by an employee? rise to claims in the tort of conversion. Incidents involving the publication of intrusive personal information No. Whistleblowing laws do not limit or prohibit such reporting by may in some circumstances constitute the tort of injurious or an employee; instead, they are intended to protect the employee from malicious falsehood. penalisation following his/her making such a report to the employer. Incidents involving the misuse of private commercial information may give rise to claims for damages for tortious interference with 8 Investigatory and Police Powers economic relations.

8.1 Please provide details of any investigatory powers of 6 Insurance law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident. 6.1 Are organisations permitted to take out insurance against Incidents in your jurisdiction? Under the 2017 Act, the Irish police force (generally operating out of the Garda National Economic Crime Bureau) is given a relatively Yes. While relatively novel in Ireland, ‘cyber insurance’ products are broad authority to investigate cybersecurity Incidents or suspected being take up by businesses with increasing frequency. Such products activity. Specifically, a warrant is obtainable so as to enter and afford cover for various data- and privacy-related issues including the: search a premises, and examine and seize (demanding passwords, if financial consequences of losing or mis-appropriating customer or necessary) anything believed to be evidence relating to an offence, employee data; management of a data breach and attendant consequences, or potential offence, under the 2017 Act, from a District Court Judge including the costs associated with involvement in an investigation by on foot of a suitable Garda statement, on oath. the ODPC and fines levied for breaches; and the costs associated with restoring, recollecting or recreating data after an Incident. 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT 6.2 Are there any regulatory limitations to insurance systems for law enforcement authorities or to provide coverage against specific types of loss, such as law enforcement authorities with encryption keys? business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover? There are no requirements under Irish law for organisations to implement backdoors to their IT systems for law enforcement authorities or to provide law enforcement authorities with encryption No, there are no legal limits placed on what the insurance policy keys. can cover. In the ordinary way, however, the consequences of intentional wrongdoing tend to be contractually excluded, as are the consequences of failure to remedy ascertained weaknesses or shortcomings in systems.

78 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Maples and Calder Ireland

Kevin Harnett Victor Timon Maples and Calder Maples and Calder 75 St. Stephen’s Green 75 St. Stephen’s Green Dublin 2 Dublin 2 Ireland Ireland

Tel: +353 1 619 2036 Tel: +353 1 619 2071 Email: [email protected] Email: [email protected] URL: www.maplesandcalder.com URL: www.maplesandcalder.com Ireland Kevin joined Maples and Calder in 2009 and was elected as a partner Victor is a consultant and head of our Commercial Technology group in 2016. He previously worked for a multinational software company and has over 30 years’ experience in the technology industry. He as corporate counsel and prior to that, he trained and practised with joined Maples and Calder in 2013 and previously worked both as in- a large Irish corporate law firm. Kevin has extensive experience house counsel in the technology industry and as a partner in major advising both domestic and multinational clients on large and complex law firms in the UK and Ireland. His technology practice includes the commercial disputes, including proceedings before the Commercial procurement of systems and software, outsourcing and managed Court, as well as all forms of alternative dispute resolution and related services, e-commerce and online trading, cloud computing, data advisory work. He has a particular focus on the financial services, protection and privacy. Victor also has experience drafting, reviewing technology and construction sectors. and negotiating general commercial contracts, including those for agency and distribution, procurement, BPO outsourcing, logistics and warehousing, franchising, standard terms of sale, advertising, branding and sponsorship.

Maples and Calder is a leading international corporate and finance law firm advising on the laws of the Cayman Islands, Ireland and the British Virgin Islands. The firm’s affiliated organisation, MaplesFS, provides specialised fiduciary, corporate and administration services to finance vehicles and funds. With over 1,500 staff worldwide, the Maples group has offices in Bermuda, Boston, the British Virgin Islands, the Cayman Islands, Delaware, Dubai, Dublin, Hong Kong, London, Luxembourg, Montreal, the Netherlands, New York, San Francisco and Singapore. Established in 1967, Maples and Calder celebrates 50 years of award-winning excellence in 2017.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 79 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 13

Israel

Shibolet & Co. Nir Feinberg

who distributes or offers to the public or transmits to another or 1 Criminal Activity introduces to another person’s computer or installs on another person’s computer a password, access code or similar information 1.1 Would any of the following activities constitute a to perform hacking is liable for five years’ imprisonment. criminal offence in your jurisdiction? If so, please Identity theft or identity fraud (e.g. in connection with access provide details of the offence, the maximum penalties devices) available, and any examples of prosecutions in your jurisdiction: Israeli law has no specific offence that addresses identity theft. However, the Computers Law determines the offence of “false Hacking (i.e. unauthorised access) information or false output”. This offence determines that “anyone who transfers to another or stores on a computer false information Section 4 of the Israeli Computers Law 5755-1995 states that any or acts with respect to information such that the result is false person who gains unauthorised access to computer material in a information or false output” is liable for five years’ imprisonment. computer is liable for three years’ imprisonment; for this purpose, The definition of false information is “information or output which “unauthorized access to computer material” is unauthorised access may be misleading, in accordance with the purposes of the use by means of communication with or connection to a computer, or thereof”. Therefore, a person who steals the identity of another in by operation thereof, with the exception of unauthorised access order to perform acts in his name may be liable for the aforesaid to computer material, which constitutes wiretapping under the offence. Wiretapping Law, 1979. Israel’s Supreme Court (8464/14 State of Israel vs. Nir Ezra) has broadly interpreted the term “unauthorized Electronic theft (e.g. breach of confidence by a current or former access” under this clause to encompass any type of access to a given employee, or criminal copyright infringement) computer, whether direct access through an authorised user or indirect Israel does not have a specific clause for digital theft, but Section access via the interception of files or data. In addition, the Supreme 5 of the Israeli Computers Law states that a person who performs Court in the same ruling interpreted the term “unauthorized” as any an act prohibited under Section 4 (the Hacking Clause), in order to use carried out without the consent of the owner of the computer. commit an offence under any enactment other than the Computers Denial-of-service attacks Law, including offences of digital and IP theft, is liable for five years’ imprisonment. Section 2 of the Computers Law prohibits the unauthorised disruption of the proper operation of a computer system, or any unauthorised Any other activity that adversely affects or threatens the deletion, modification or disruption of materials on a computer security, confidentiality, integrity or availability of any IT system, for which the offender is liable for three years’ imprisonment. system, infrastructure, communications network, device or data Phishing There are no other activities. The Israeli Computers Law makes no specific reference to phishing Failure by an organisation to implement cybersecurity measures offences. However, in such cases the perpetrator may be charged Failure to implement information security measures in an with receipt of benefits through false pretences and forgery, which organisation is not a criminal offence under Israeli legislation. are punishable by up to five years’ imprisonment. However, the PPL determines a penalty of one year’s imprisonment Infection of IT systems with malware (including ransomware, for anyone who was required to appoint a Data Protection Officer, spyware, worms, trojans and viruses) and failed to do so. Section 6 of the Computers Law states that any person who renders software able to disrupt or cause damage to computers or computer 1.2 Do any of the above-mentioned offences have material is liable for three to five years’ imprisonment. extraterritorial application? Section 6 of the Computers Law was enacted in Israeli legislation in order to align with the Budapest Convention (ETS 185-Convention The PPL does not include an applicability clause. Accordingly, the on Cyber Crime), which Israel ratified in 2016. territorial applicability of the offences set forth therein is determined in the choice of law rules. In accordance with the choice of law Possession or use of hardware, software or other tools used to rules determined in the Israeli Penal Law and in accordance with the commit cybercrime (e.g. hacking tools) case law of the courts, it appears that the law may be applicable in Section 6(b) of the Israeli Computers Law states that any person any one of the following situations:

80 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Shibolet & Co. Israel

1. The offence was committed by the owner of a database Privacy Regulations (Conditions for Possessing and Protecting Data located in Israel. and Procedures for Transferring Data Between Public Bodies) 1986 2. The offence is related to acts of data processing performed in (the “Data Possession Regulations”), which set forth mandatory data Israel. protection requirements. The Protection of Privacy Regulations (Data Protection) 2017 (the “Data Protection Regulations”), impose mandatory data breach notification requirements and some additional 1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an security obligations. exception to any of the above-mentioned offences? The Administrative Offences Regulations (Administrative Fine – Protection of Privacy), 2004, determine the administrative fines

The performance of acts which may mitigate the potential damage to which can be imposed in the event of any violation of specific Israel the data subjects upon the occurrence of, for instance, a data breach provisions of the PPL. incident, may assist an entity that failed in protecting its customers’ The Wiretapping Law, 1979, requires investigative authorities to personal information. For example, notifying the data subjects upon obtain a court order before engaging in electronic surveillance, while the occurrence of a data breach or another security failure should be electronic surveillance for purposes of national security requires the considered. direct approval of the Minister of Defense or Prime Minister. The control of defence exports in Israel is regulated by the Defense 1.4 Are there any other criminal offences (not specific Export Controls Law, 2007, and the regulations and orders to cybersecurity) in your jurisdiction that may arise promulgated thereunder. in relation to cybersecurity or the occurrence of an Incident (e.g. terrorism offences)? Please cite any specific examples of prosecutions of these offences 2.2 Are there any cybersecurity requirements under in a cybersecurity context. Applicable Laws applicable to critical infrastructure in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction There are no other criminal offences. expected to implement the Network and Information Systems Directive? Please include details of any instances where the implementing legislation in your 2 Applicable Laws jurisdiction is anticipated to exceed the requirements of the Directive. 2.1 Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable The Security in Public Bodies Law, 1998, regulates the security to the monitoring, detection, prevention, mitigation requirements for physical, digital and information systems that and management of Incidents. This may include, constitute critical infrastructure. for example, laws of data protection, intellectual The law lists bodies which are considered critical infrastructures and property, breach of confidence, privacy of electronic communications, information security, and import / sets forth the powers of the guiding national bodies – defence and export controls, among others. civilian – vis-à-vis such bodies. The law requires these public bodies to appoint a security officer Israel had a broad array of acts of legislation and regulations, along who is supervised directly by the Israeli Security Agency. with some relevant government resolutions on cybersecurity issues. In 2002, Government Resolution 84/B established the National 2.3 Are organisations required under Applicable Laws, Information Security Agency, which was assigned with the task of or otherwise expected by a regulatory or other regulating critical national infrastructure on cybersecurity issues. authority, to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what In 2011, Government Resolution 3611 established Israel’s National measures are required to be taken. Cyber Bureau (“INCB”), which was tasked with providing policy guidance in cybersecurity, along with other national responsibilities, The PPL determines in Section 17 that the owner of a database, the including encouraging collaboration between academia, industry holder of a database or manager of a database are each responsible and the government. for the security of the information in the database. It is important to In addition, in 2015, Government Resolution 2444 established the note that although Israeli law draws the principles of data protection National Cyber Defense Authority (“NCDA”) as the operational and privacy from EU law, the language and terminology are not arm of the INCB, which is responsible for national cybersecurity identical to the standard terminology of data protection and privacy policy in the civilian sector (although its authority has yet to be in EU law. formally enacted). The term corresponding to ‘data controller’ in Israel law is ‘owner The Computers Law, 1995, focuses on computer cybercrimes and of a database’. ‘Holder of a database’ is defined in Israeli law as prohibits the unauthorised disruption of the proper operation of a “anyone who holds permanent possession of a database, and is computer system, or the unauthorised deletion, modification, or authorized to make use thereof”. Additionally, every database must disruption of materials on a computer system along with some penal have a database manager. The database manager is the CEO, unless provision. determined otherwise in the database registration process. The Protection of Privacy Law, 1981, (“PPL”) established the Registrar After many years in which the requirement for data protection of Databases, which currently act under the ILITA and has issued remained vague, the Data Protection Regulations were enacted regulations and guidelines with respect to information security, such in 2017, which specify the data protection requirements expected as the Protection of Privacy Regulations (Transfer of Information to from owners of databases. The regulations are modular, such that Databases outside of Israel) 2001 (the “Data Transfer Regulations”), the requirements under the regulations vary from one company to which regulate international data transfers, and the Protection of another, in accordance with the level of data protection required

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 81 © Published and reproduced with kind permission by Global Legal Group Ltd, London Shibolet & Co. Israel

of a company. A company’s data protection level is determined in accordance with the type and quantity of information it holds, 2.5 Are organisations required under Applicable Laws, or while the level of data protection is classified as basic, intermediate otherwise expected by a regulatory or other authority, to report information related to Incidents or potential or high. There is an additional level of databases administered by Incidents to a regulatory or other authority in your an individual, which are subject to less requirements under the jurisdiction? If so, please provide details of: (a) the regulations. circumstance in which this reporting obligation is In the framework of the regulations, owners of databases are triggered; (b) the regulatory or other authority to required to have a written information security policy and an which the information is required to be reported; (c) the nature and scope of information that is required updated document on the structure of the database and an updated to be reported (e.g. malware signatures, network Israel inventory of the database systems, which includes, inter alia, a list vulnerabilities and other technical characteristics of software systems used for operating, managing and maintaining identifying an Incident or cyber attack methodology); the database, for supporting its operation, and for monitoring and and (d) whether any defences or exemptions exist by protecting it. which the organisation might prevent publication of that information. With respect to monitoring – in database systems which are subject to the intermediate or high level of security, it is mandatory to maintain an automatic documentation mechanism which allows for The Protection of Privacy Regulations (Data Protection), 2017, control and audit of the access to the database systems. Additionally, requires organisations that experience severe information security it is mandatory to document security incidents. incidents to report to the Registrar of Databases. The reporting obligation also takes into account the organisation’s database With respect to identification – the owner of a database is required security level. The Registrar of Databases has the authority to order to take measures to ensure that access to information in the database such breached organisations to also report the information security is performed only by an employee authorised therefor. In databases incident to every data subject whose sensitive information was with a intermediate or high level it is necessary to consider the use breached. of physical measures that are subject to the exclusive control of the authorised person, and, at the very least, to determine a procedure for changing passwords at a frequency of at least every six months. 2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information Prevention – an owner of a database is required to prepare an related to Incidents or potential Incidents with: (a) information security procedure, to specify therein the measures a regulatory or other authority in your jurisdiction; whose purpose is the protection of the computer systems and (b) a regulatory or other authority outside your communications infrastructures of the database and the manner jurisdiction; or (c) other private sector organisations of operation thereof for this purpose, to ensure the physical and or trade associations in or outside your jurisdiction? peripheral protection of the database and the database’s systems, to perform a risk survey and intrusion examinations. Israel does not have any laws or regulations that directly restrict It is noted that there are sectoral regulations (for instance, in the field the sharing of information related to cyber incidents and yet, the of banking and insurance), which determine additional requirements gathering of such information without the consent of network users pertaining to data protection. could potentially violate both the PPL and the Wiretapping Law. In addition, the INCB has established the CERT-IL, which is a civilian centre for collaborating and coordinating cyber events. In 2.4 In relation to any requirements identified in question order to meet its goals, CERT-IL collects information regarding 2.3 above, might any conflict of laws issues arise? For example, conflicts with laws relating cyber incidents from a variety of sources, including private entities to the unauthorised interception of electronic that have volunteered to share information. Prior to sharing the communications or import / export controls of information with CERT-IL, the breached entity is required to encryption software and hardware. disclose such practices to its employees and data subjects, while the CERT-IL confirms that the sharing entity is aware of CERT-IL’s The data protection requirements may indeed create conflicts policies regarding shared information. between different laws. Such a major conflict exists between The Israeli Antitrust Authority has recently published a draft the Wiretapping Law and the Israeli PPL, which determines opinion on the joint effort, exchange and sharing of information that wiretapping – i.e. on a conversation without by institutions, organisations and companies for the purpose of receiving the consent of one of the parties to the conversation – is defending against cyber threats. illegal and carries a penalty of imprisonment. The data protection requirements include, inter alia, monitoring 2.7 Are organisations required under Applicable Laws, or systems and network communications, and therefore a party may otherwise expected by a regulatory or other authority, intercept “conversations” and data transmissions between parties to to report information related to Incidents or potential a conversation, without receiving their consent. Incidents to any affected individuals? If so, please Israeli law does not distinguish between wiretapping a conversation provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the and wiretapping data transmissions – metadata – and therefore nature and scope of information that is required to be wiretapping such communications, underscored by the duty to reported. protect the information, may place the monitor of the transmissions at criminal risk. To date, there has been no obligation to report to data subjects in Currently, the main route for addressing this conflict is by Israel. Currently, with the new Data Protection Regulations taking determining a policy for use of IT components in the organisation, effect, a mandatory reporting requirement became effective for specifying the means of monitoring, and receiving consent to the “severe security incidents”. The definition of a severe security policy, from the employees and others using the systems. incident depends on the data protection level which applies to the

82 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Shibolet & Co. Israel

breached database, as defined in the Data Protection Regulations. criminal or economic sanction, such determination may be used The current requirement is to report severe security incidents to the to establish claims, including class actions, against the breaching Registrar of Databases, who in turn, after consulting with the head entity. of the National Cyber Defense Authority (NCDA), may order a report to the data subjects. 2.11 Please cite any specific examples of enforcement The data protection level of a database is determined in accordance action taken in cases of non-compliance with the with a number of criteria, including: the type of information found above-mentioned requirements. in the database; the number of data subjects in the database; the purposes of use of the database; the type of organisation which holds In recent years, there has been a significant rise in the enforcement the database; and the number of persons holding authorisation for activity of ILITA both in terms of audit in supervised bodies and in Israel the data inside the database and the systems supporting it. determining administrative violations and imposing fines. Some of ILITA’s enforcement activities have even led to police investigations and indictments. 2.8 Do the responses to questions 2.5 to 2.7 change if the information includes: (a) price sensitive information; One of ILITA’s significant cases in recent years dealt with the (b) IP addresses; (c) email addresses (e.g. an email investigation of a leak of the Population Register of the State of Israel address from which a phishing email originates); (d) to the internet. ILITA’s investigation led to the filing of indictments personally identifiable information of cyber threat against a number of defendants for copying and distributing the actors; and (e) personally identifiable information of database. The cases ended with convictions and prison sentences individuals who have been inadvertently involved in an Incident? of up to 18 months. Another example from the past year (2017) is ILITA’s enforcement As stated above, the reporting requirement derives from the amount activity at one of the largest credit companies in Israel. Following of information exposed or affected, depending on the data protection a data breach incident in which an employee of the company level of the database. stole information from the company which included hundreds of Thus, for databases with a high security level, a reporting requirement thousands of records of personal data on customers of the company, will be triggered in the case of an “incident where use was made of including full credit card numbers and bank account details, the information from the database, including an entry into the database level of data protection in the company’s systems and the company’s systems in a manner which allows access to the information in the implementation of the data protection procedures were examined. database, without authorization or in deviation from authorization or At the end of the supervisory activity, ILITA determined that the in a case of tampering with the information”. company had committed an administrative violation, after having With respect to databases with an intermediate data protection found that the company had failed to address data protection matters level, the requirement to report to the Registrar is only in the case pertaining to data management within the company as required by of an “incident in which a substantial part of the database was used the law and had failed to adequately address intra-organisational without authorization or in deviation from authorization or in a case data protection risks, alongside additional failures. of tampering with the information with respect to a substantial part In general, ILITA evidently invests more resources in enforcement of the database”. versus, for example, database registration.

2.9 Please provide details of the regulator(s) responsible 3 Specific Sectors for enforcing the requirements identified under questions 2.3 to 2.7. 3.1 Does market practice with respect to information When the Israeli PPL was enacted in 1981, it provided for the security (e.g. measures to prevent, detect, mitigate appointment of a Registrar of Databases. In 2006, the Israeli Law and respond to Incidents) vary across different business sectors in your jurisdiction? Please include Information and Technology Authority (“ILITA”) was established, details of any common deviations from the strict legal and since then ILITA carries out the functions of the Registrar of requirements under Applicable Laws. Databases. ILITA belongs to the Israeli Ministry of Justice, and the head of The main information security requirements, as aforesaid, are ILITA also serves as the Registrar of Databases. ILITA carries out specified in the PPL and the Data Protection Regulations. The various regulatory functions, including enforcement, handling of general data protection requirement applies to any owner, holder complaints and supervision, as well as maintaining the database and manager of a database. registration system. The regulations, as aforesaid, determine various data protection The Registrar cannot initiate criminal proceedings against a requirements in accordance with the type of the organisation, the company or person breaching the law, but may initiate administrative amount of information it holds and the type of information. proceedings, such as imposing fines, determining administrative Thus, for instance, while the owners of databases who are subject violations and suspending registration of a database. to intermediate and high data protection requirements are required to perform periodic risk surveys and penetration tests, owners of 2.10 What are the penalties for not complying with the databases which are subject to basic or lower data protection requirements identified under questions 2.3 to 2.8? requirements are exempt from this obligation. Additionally, the Data Protection Regulations authorise the Registrar Currently, the authority of the Registrar of Databases on failure of Databases to exempt a certain database from requirements under to comply with reporting requirements is to determine that an the regulations, or to apply requirements under the regulations to a administrative violation has been committed. While it is not a certain database.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 83 © Published and reproduced with kind permission by Global Legal Group Ltd, London Shibolet & Co. Israel

Furthermore, the Registrar may instruct that anyone who meets order to implement a work plan for cyber risk management and shall certain guidelines on data protection or directives of a competent maintain adequate control and supervisory mechanisms in this field. authority with respect to data protection which apply thereto, shall Additional examples are the Bank of Israel Directives 357 and be deemed as complying with the regulations, if he is convinced 361, which require the Boards of Directors of banks to outline a that complying with the provisions of an accepted standard or the corporate cyber protection strategy, to receive reports on significant directives of a competent authority, ensures the level of security cyber incidents, to approve a framework for cyber risk management determined in such regulations with respect to the same database. and a corporate cyber protection policy, etc. In certain scenarios, The purpose of the authority to grant an exemption is to prevent the relevant directors and officers may even bear personal liability conflicts between various regulators (for instance, the Supervisor of for failure to comply with the requirements of the above directives.

Israel Banks, the Commissioner of Capital Market, Insurance, and Savings and the NCDA). 4.2 Are companies (whether listed or private) required under Applicable Laws to: (a) designate a CISO; 3.2 Are there any specific legal requirements in relation (b) establish a written Incident response plan or to cybersecurity applicable to organisations policy; (c) conduct periodic cyber risk assessments, in: (a) the financial services sector; and (b) the including for third party vendors; and (d) perform telecommunications sector? penetration tests or vulnerability assessments?

A number of regulations and directives apply to the Israeli financial In accordance with Section 17B(a) of the PPL, the bodies required services sector. to appoint a Chief Information Security Office (“CISO”) are: an organisation that holds five databases which are required to be The Supervisor of Banks at the Bank of Israel has issued Directive registered according to Section 8 of the PPL; a public body; a bank; 357 – Information Security Management, which sets forth the an insurance company; and a company which engages in the rating required information security controls and policies for banks (in or evaluation of credit. line with the Basel Committee’s Risk Management Principles for Electronic Banking from 2003), and Directive 361 – Proper Conduct In accordance with the Data Protection Regulations, an owner of a of Banking Business, which defines the principles for cyber risk database is required to determine a written information security policy management in banks, along with the responsibility to record cyber (“WISP”) which shall be binding on all of the employees. The written incidents and report them to the Supervisor of Banks. security procedure must include, inter alia, details on the manner of handling of data protection incidents, according to the severity of the In addition, the Capital Market, Insurance and Savings Commissioner incident and the degree of the sensitivity of the information. at the Ministry of Finance has issued a Directive which imposes new requirements aimed at ensuring the availability, confidentiality and With respect to risk management in terms of outsourcing, until now, integrity of sensitive information stored by such financial institutions prior to the Data Protection Regulations taking effect, the customary (for example, insurance companies and pension funds), while also practice was to comply with the directives of the Registrar of protecting the proper functioning of their computer systems. This Databases on outsourcing. The purpose of this directive was to Directive requires these regulated financial institutions to annually ensure that an organisation’s use of outsourcing shall not entail the approve and implement a cybersecurity programme and policy. price of violation of the privacy of citizens. Under the directive, bodies which outsource data processing activities are required to perform a preliminary evaluation of the legitimacy of 4 Corporate Governance outsourcing the activity. Thereafter, any body interested in outsourcing the data is required to clearly define the nature of the service which will be performed by outsourcing and precisely determine the purposes of 4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, the use of the information so that no use is made other than for the mitigate, manage or respond to an Incident amount to purpose for which the data was received. Additionally, the directive a breach of directors’ duties in your jurisdiction? requires: the determination of data protection and confidentiality requirements; ensuring the granting of a right of inspection and Israel’s PPL requires the appointment of a manager for a database, correction to the data subject; and determining a mechanism for control who may be the active manager of a body which owns or holds by the customer of the service provider’s compliance with the privacy the database or anyone who was empowered for such purpose by laws and a clear determination of the duration of time the information such manager. This law also imposes the responsibility for data will be kept by the contractor for the purpose of performance of the protection in the database on each one of the three – the database service and deletion thereof upon expiration of the engagement. manager, the database owner and the database holder. The Data Protection Regulations adopt the principles of the directive There are specific sectoral regulations which impose more specific as part of Section 15 of the Regulations. requirements on officers and directors in connection with the With respect to organisations who possess databases on a high security of databases. security level, as defined in the Data Protection Regulations, it For example, Circular 2016-9-14 of the Capital Market, Insurance was determined that they must perform penetration tests and risk and Savings Commissioner at the Ministry of Finance (Cyber assessments once every 18 months. Risk Management in Institutional Bodies), addresses cyber risk management in insurance companies and pension funds in terms of 4.3 Are companies (whether listed or private) subject the responsibility imposed on the relevant directors and officers in to any specific disclosure requirements in relation this field. This Circular requires directors to discuss a current plan for to cybersecurity risks or Incidents (e.g. to listing cyber risk management and risk evaluation, which includes a plan for authorities, the market or otherwise in their annual risk mitigation and specification of the changes in management of the reports)? cyber risks, at least once a year. The same Circular also states that the CEO of an institutional body shall make proper resources available in Bodies supervised by the Capital Market, Insurance and Savings

84 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Shibolet & Co. Israel

Commissioner (the “Commissioner”), are required to promptly report to the Commissioner any significant cyber incident as a result 6 Insurance of which, directly or indirectly: 1. Harmed or disabled production systems containing sensitive 6.1 Are organisations permitted to take out insurance information for more than three hours. against Incidents in your jurisdiction? 2. Indications arise that sensitive information of the institutional body’s customers or employees was exposed or leaked. In Israel, organisations are permitted to take out insurance policies Bodies supervised by the Supervisor of Banks (the “Supervisor”) against cyber breaches. In light of the growing demand from their are required to report to the Supervisor on any cyber incident or customers and the rising scrutiny from the relevant regulators, many warning of a cyber incident. companies tend to take out cyber insurance policies. Israel

4.4 Are companies (whether public or listed) subject to 6.2 Are there any regulatory limitations to insurance any other specific requirements under Applicable coverage against specific types of loss, such as Laws in relation to cybersecurity? business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover? There are no other specific requirements. Israeli law does not allow the purchase of an insurance policy against 5 Litigation fines. Otherwise, there are no specific regulatory prohibitions with respect to cyber insurance.

5.1 Please provide details of any civil actions that may be brought in relation to any Incident and the elements of 7 Employees that action that would need to be met.

Any organisation that has experienced a cyber attack or another 7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for security incident is exposed to civil claims by various parties – the the purposes of preventing, detection, mitigating and company’s employees, customers, partners, shareholders, etc. responding to Incidents; and (b) the reporting of cyber The claims can be based on contractual grounds, in accordance risks, security flaws, Incidents or potential Incidents with the Contracts Law (General Part), 1973, as well as on grounds by employees to their employer? in accordance with the Torts Ordinance [New Version], including negligence and negligence per se. The Supreme Court in Israel has ruled that employees have a right to privacy also at their workplace. The leading precedent on this issue is the Isakov judgment [National Labor Court Appeal 90/8 Tali 5.2 Please cite any specific examples of cases that Isakov Inbar v. the State of Israel – the Supervisor of the Women’s have been brought in your jurisdiction in relation to Incidents. Employment Law], where the national labour court struck a balance between the employer’s property right and managerial prerogative, and the employee’s right to privacy. Thus, for instance, with Two class actions were filed after data breach incidents, one against respect to the monitoring of an employee’s e-mail correspondence, a website which engages in the sale of computer games (following the Supreme Court ruled that it is necessary to distinguish a leak of personal information of customers of the website) and the between the different types of mailboxes (professional, mixed and second against a credit card company (for the leak of customers’ personal), while the professional box may be monitored – in certain details and credit card numbers). Both ended with the withdrawal circumstances – and the personal box cannot, other than subject to of the claims, such that to date there is no substantial ruling by the a court order. courts in Israel on claims of this type. Additionally, the ILITA released a number of directives pertaining However, it is apparent that the causes of action were diverse, to the protection of personal information in the workplace, use of including violation of the PPL, negligence, a breach of contract, security cameras, generally, and in the workplace, specifically, negligence per se, and failure to comply with an information and other additional directives designed to clarify the regulator’s security requirement. position on the balance between the employer’s interest in protecting his business and the employee’s right to privacy. 5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident? 7.2 Are there any Applicable Laws (e.g. whistle-blowing laws) that may prohibit or limit the reporting of cyber The negligence tort is set forth in the Torts Ordinance [New Version] risks, security flaws, Incidents or potential Incidents and can certainly serve as a cause of action in response to a security by an employee? incident. In order to prove the elements of the negligence tort, the plaintiff must prove the existence of behaviour during which a There are no such applicable laws. person (or company) caused damage without having been aware of the nature of his actions, the circumstances, or the harmful results of his behaviour, while the “reasonable person” could have been aware of such details in similar circumstances.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 85 © Published and reproduced with kind permission by Global Legal Group Ltd, London Shibolet & Co. Israel

8 Investigatory and Police Powers Nir Feinberg Shibolet & Co. Museum Tower 8.1 Please provide details of any investigatory powers of 4 Berkowitz Street law enforcement or other authorities under Applicable Tel-Aviv 6423806 Laws in your jurisdiction (e.g. antiterrorism laws) that Israel may be relied upon to investigate an Incident. Tel: +972 3 777 8333 Email: [email protected] The powers of the enforcement and defence agencies in Israel vary URL: www.shibolet.com

Israel between the various agencies and in accordance with the type of incident. Adv. Nir Feinberg leads the Cyber, Data Protection and Privacy Thus, for instance, the cyber unit of Israel Police, which is practice at Shibolet & Co. responsible, inter alia, for conducting cyber crime investigations Nir provides his clients a broad spectrum of services in the fields of and handling cyber crime which involves economic damage, is Cybersecurity, Data Protection and Privacy. He designs tailor-made authorised to exercise various powers granted by the law, including cybersecurity policies by focusing on three elements: 1) Pre-Breach Stage; 2) Data-Breach Response; and 3) ongoing Cyber Regulatory conducting searches in computers and seizing equipment related to Services (compliance with worldwide regulation to minimise risks and perpetration of an offence. reduce exposure to lawsuits). Other defence agencies have broader powers, mainly with respect to Before joining Shibolet, Adv. Feinberg served for seven years in Israel the receipt of information from Israeli ISPs. Defense Forces’ Military Advocate General’s corps in various legal professional and managerial positions and served in his last position as the Legal Advisor to the J6/C4i Directorate (headed by a Major 8.2 Are there any requirements under Applicable Laws General officer in the IDF), which is responsible for the communication, for organisations to implement backdoors in their IT wireless transmission, computerisation, command and control over systems for law enforcement authorities or to provide and defence of information, IT, information systems and cyber defence law enforcement authorities with encryption keys? in the IDF.

No, Israel has no such requirements under the applicable laws.

Established in 1973, Shibolet is one of Israel’s largest full-service multidisciplinary law firms with a strong corporate and commercial practice, specialising in high-tech and venture capital. Based in the heart of Tel Aviv, Israel’s commercial and financial centre, the firm offers its clients legal services in all fields of commercial/corporate law on a worldwide basis, combining high-quality professional and personal service and a deep understanding of client affairs.

86 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 14

Japan

Mori Hamada & Matsumoto Hiromi Hayashi

above (Articles 4 to 7) is subject to imprisonment of up to one 1 Criminal Activity year or a fine of up to JPY 500,000 (Article 12). However, if the person committing (c) (Article 5) does not know that the recipient intends to use the identification code for an 1.1 Would any of the following activities constitute a Unauthorized Access, that person is subject to fine of only up criminal offence in your jurisdiction? If so, please to JPY 300,000 (Article 13). provide details of the offence, the maximum penalties available, and any examples of prosecutions in your (B) The Penal Code provides for criminal sanctions on the jurisdiction: creation and provision of Improper Command Records which give improper commands, such as a computer virus, As background, there are two main laws criminalising cyber attacks, to a computer (fusei shirei denji-teki kiroku). “Improper Command Records” means (i) electromagnetic records namely (A) the Act on the Prohibition of Unauthorized Computer that give a computer an improper command which causes Access (the “UCAL”), and (B) the Penal Code. the computer to be operated against the operator’s intention (A) The UCAL imposes criminal sanctions on any person who or to fail to be operated in accordance with the operator’s makes an Unauthorized Access to a computer (an “Access intention, and (ii) electromagnetic or other records which Controlled Computer”), the access to and operation of describe such improper commands. which are under the control of an administrator (the “Access Under the Penal Code, any person who creates or provides, Administrator”). without any justifiable reason, Improper Command Records An “Unauthorized Access” means any action which operates or who knowingly infects or attempts to infect a computer an Access Controlled Computer by either (i) inputting an with Improper Command Records is subject to imprisonment identification code (shikibetsu-fugou) (e.g., password and of up to three years or a fine of up to JPY 500,000 (Article ID) allocated to a user who is authorised to access the Access 168-2). Any person who obtains or keeps Improper Command Controlled Computer (an “Authorized User”), without the Records for the purpose of implementing such records is permission of the Access Administrator or the Authorized subject to imprisonment of up to two years or a fine of up to User, or (ii) inputting any information (other than an JPY 300,000 (Article 168-3). identification code) or command which enables that person to In addition, the Penal Code provides for the following evade control (e.g., cyber attack of a security flaw), without additional penalties: the permission of the Access Administrator (UCAL, Article 2, Paragraph 4). (i) any person who obstructs the business of another by causing a computer used in the business to be operated The UCAL prohibits the following actions: against the operator’s intention, or to fail to be operated in (a) an Unauthorized Access (Article 3); accordance with the operator’s intention, by (a) damaging (b) obtaining the identification code of an Authorized User to that computer or any electromagnetic record used by that make an Unauthorized Access (Article 4); computer, or (b) giving false information or an improper command to the computer, is subject to imprisonment of (c) providing the identification code of an Authorized User up to five years or a fine of up to JPY 1,000,000 (Article to a third party other than the Access Administrator or the 234-2); Authorized User (Article 5); (ii) any person who gains or attempts to gain, or causes or (d) keeping the identification code of an Authorized User attempts to cause a third party to gain, illegal financial which was obtained illegally to make an Unauthorized benefits by (a) creating false electromagnetic records by Access (Article 6); and giving false information or an improper command to a (e) committing the following acts by impersonating the computer, or (b) providing false electromagnetic records, Access Administrator or causing a false impression for processing by a third party, in either case in connection of being the Access Administrator: (a) setting up a with a gain, a loss or a change regarding financial benefits, website where the fake Access Administrator requests an is subject to imprisonment of up to 10 years (Article 246- Authorized User to input his/her identification code; or 2); and (b) sending an email where the fake Access Administrator (iii) any person who creates, provides or attempts to provide requests an Authorized User to input his/her identification electromagnetic records for the purpose of causing a code (Article 7). third party to mistakenly administer matters which relate Any person who commits (a) above (Article 3) is subject to rights, obligations or proofs of facts, is subject to to imprisonment of up to three years or a fine of up to JPY imprisonment of up to five years or a fine of up to JPY 1,000,000 (Article 11). Any person who commits (b) to (e) 500,000. However, if the act relates to records to be made

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 87 © Published and reproduced with kind permission by Global Legal Group Ltd, London Mori Hamada & Matsumoto Japan

by public authorities or public servants, the penalty is holds or uploads any device or program which may remove, disable imprisonment of up to 10 years or a fine of up to JPY or change technology intended to protect copyright (e.g., copy 1,000,000 (Article 161-2). protection code), is subject to imprisonment of up to three years or a Hacking (i.e. unauthorised access) fine of up to JPY 3,000,000, or both (Article 120-2). Hacking is an Unauthorized Access under the UCAL, punishable by Any other activity that adversely affects or threatens the imprisonment of up to three years or a fine of up to JPY 1,000,000. security, confidentiality, integrity or availability of any IT If the hacking is made through Improper Command Records, it is system, infrastructure, communications network, device or data also punishable under the Penal Code (please see question 1.1(B) This carries the same penalties as electronic theft. above). In addition, if a business is obstructed by such hacking, the Failure by an organisation to implement cybersecurity measures Japan crime is punishable by imprisonment of up to five years or a fine of The UCAL requires Access Administrators to make efforts to manage up to JPY 1,000,000 (Penal Code, Article 234-2). the identification codes of Authorized Users, examine the validity of Denial-of-service attacks functions to control access to the Access Controlled Computer, and This carries the same penalties as hacking. to implement necessary measures, including enhancing functions Phishing (e.g., encryption of codes, definite deletion of codes which have not been used for a long time, implementing a batch program to Article 7 of the UCAL prohibits phishing, while Article 4 of the address a security hole, program updates, and appointing an officer UCAL prohibits obtaining any identification code through phishing. for network security) (Article 8). However, there is no criminal These actions are punishable by imprisonment of up to one year or sanction on a breach of these obligations. a fine of up to JPY 500,000 (Article 12). In addition, any person who gains illegal benefits by using identification codes obtained by phishing is subject to imprisonment 1.2 Do any of the above-mentioned offences have extraterritorial application? of up to 10 years under Article 246-2 of the Penal Code.

Infection of IT systems with malware (including ransomware, The UCAL provides for the extraterritorial application of Articles spyware, worms, trojans and viruses) 3, 4, 5 (except where the offender did not know the recipient’s This carries the same penalties as hacking. purpose) and 6 of the UCAL (Article 14). Possession or use of hardware, software or other tools used to The Penal Code has extraterritorial application (Article 4-2). commit cybercrime (e.g. hacking tools)

Any person who obtains or keeps Improper Command Records for 1.3 Are there any actions (e.g. notification) that might the purpose of using such records is subject to imprisonment of up mitigate any penalty or otherwise constitute an to two years or a fine of up to JPY 300,000 (Penal Code, Article exception to any of the above-mentioned offences? 168-3). As an example, nine persons were prosecuted for uploading No, there are no such actions. software which contained a computer virus to an online-storage and which infected the computers of people who accessed the storage 1.4 Are there any other criminal offences (not specific and downloaded the software from September to December 2016. to cybersecurity) in your jurisdiction that may arise Identity theft or identity fraud (e.g. in connection with access in relation to cybersecurity or the occurrence of an devices) Incident (e.g. terrorism offences)? Please cite any specific examples of prosecutions of these offences This carries the same penalties as phishing. in a cybersecurity context. Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement) No. The Organized Crime Act, which applies to an act of terrorism, In addition to the criminal penalties applicable to phishing, electronic designates certain material crimes, such as murder, identified theft is penalised under the Unfair Competition Prevention Act. in the Penal Code, and imposes penalties which are heavier than If a current or former employee (a) acquires a trade secret of the those under the Penal Code. However, criminal offences regarding employer through theft, fraud, threat, or other illegal actions (the cybersecurity which are described in question 1.1 above are not “Illegal Actions”), including an Unauthorized Access, or (b) designated crimes under the Organized Crime Act. uses or discloses a trade secret of the employer acquired through Illegal Actions, for the purpose of obtaining wrongful benefits or 2 Applicable Laws damaging the owner of the trade secret, that employee is subject to imprisonment of up to 10 years or a fine of up to JPY 20,000,000, or both (Article 21, Paragraph 1). In addition, if that employee commits 2.1 Please cite any Applicable Laws in your jurisdiction any of the foregoing acts outside Japan, the fine is increased up to applicable to cybersecurity, including laws applicable JPY 30,000,000 (Article 21, Paragraph 3). to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, Under the Copyright Act, any person who uploads electronic data of for example, laws of data protection, intellectual movies or music, without the permission of the copyright owner, to property, breach of confidence, privacy of electronic enable another person to download them is subject to imprisonment communications, information security, and import / of up to 10 years or a fine of up to JPY 10,000,000, or both (Article export controls, among others. 119, Paragraph 1). Further, any person who downloads electronic data which is protected by another person’s copyright and who In addition to the UCAL, the Penal Code and the Unfair Competition knows of such protection, is subject to imprisonment of up to two Prevention Act described above, the following laws are also years or a fine of up to JPY 2,000,000, or both (Article 119, Paragraph applicable to cybersecurity. 3). In addition, any person who sells, lends, manufactures, imports,

88 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Mori Hamada & Matsumoto Japan

■ Basic Act on Cybersecurity ACTIVE gathers information from business operators such This provides the basic framework for the responsibilities as vendors of IT systems and makes a list of computer viruses and policies of the national and local governments to and malware and infected websites. enhance cybersecurity. Further, it obligates operators of ■ Act on the Protection of Personal Information (the “APPI”) material infrastructure (e.g., financial institutions, operators The APPI is the principal data protection legislation in Japan. of railroads, airplanes and other means of transportation, and It is the APPI’s basic principle that the cautious handling providers of electricity, gas and water) and networks (e.g., of Personal Information under the principle of respect for telecommunications networks) to make efforts to voluntarily individuals will promote the proper handling of Personal and proactively enhance cybersecurity and to cooperate with Information. “Personal Information” means information the national and local governments to promote measures to about specific living individuals which can identify them Japan enhance cybersecurity. Based on this Basic Act, the National by name, date of birth or other descriptions contained in Center of Incident Readiness and Strategy for Cybersecurity the information (including information that will allow easy was established in 2015. reference to other information which may enable individual ■ Telecommunication Business Act (the “TBA”) identification) (Article 2, Paragraph 1). A business operator Article 4 of the TBA provides that (1) the secrecy of handling Personal Information may not disclose or provide communications being handled by a telecommunications Personal Information without obtaining the subject’s consent, carrier shall not be violated, and (2) any person who is engaged unless certain conditions are met. in a telecommunications business shall not disclose secrets To prevent cyber attacks, it would be useful for business operators to obtained, while in office, with respect to communications collect and use information regarding the cyber attacks, e.g., access being handled by the telecommunications carrier, even after logs of infected devices, and share information with other business he/she has left office. operators or public authorities. However, if the information includes The secrecy of communications protects not only the Personal Information, it would be subject to the restrictions on the contents of communications but also any information that use and disclosure of Personal Information under the APPI. would enable someone to infer the meaning or the contents of communications. In this regard, data on access logs and IP addresses are protected under the secrecy of communications. 2.2 Are there any cybersecurity requirements under If a telecommunications carrier intentionally obtains any Applicable Laws applicable to critical infrastructure information protected under the secrecy of communications, in your jurisdiction? For EU countries only, how discloses protected information to third parties, and uses (and according to what timetable) is your jurisdiction protected information without the consent of the parties who expected to implement the Network and Information communicated with each other, that telecommunications Systems Directive? Please include details of any carrier is in breach of Article 4(1). instances where the implementing legislation in your jurisdiction is anticipated to exceed the requirements To prevent cyber attacks, it would be useful for of the Directive. telecommunications carriers to collect and use information regarding cyber attacks, e.g., access logs of infected devices, and share information with other telecommunications carriers The UCAL requires Access Administrators to make efforts to or public authorities. However, the TBA does not explicitly manage the identification codes of Authorized Users, examine the provide how a telecoms carrier may deal with cyber attacks validity of functions to control access to the Access Controlled without breaching Article 4(1). The Ministry of Internal Computer, and implement necessary measures, including enhancing Affairs and Communications (“MIC”), the governmental functions (e.g., encryption of codes, definite deletion of codes which agency primarily responsible for implementing the TBA, have not been used for a long time, implementing a batch program issued reports in 2014 and 2015 which address whether a to address a security flaw, program updates, and appointing an telecoms carrier may deal with cyber attacks and the issues that officer for network security) (Article 8). may arise in connection with the secrecy of communications. The findings in both reports are included in the guidelines on cyber attacks and the secrecy of communications (the 2.3 Are organisations required under Applicable Laws, “Guidelines”) issued by the Council regarding the Stable or otherwise expected by a regulatory or other Use of the Internet (the “Council”), a council composed of authority, to take measures to monitor, detect, prevent five associations which include the Japan Internet Providers or mitigate Incidents? If so, please describe what Association, a voluntary association of telecommunications measures are required to be taken. carriers, cable TV service providers and other companies conducting businesses related to the Internet. The Guidelines The Ministry of Economy, Trade and Industry (“METI”) and include the contents of MIC’s 2014 and 2015 reports. The the Independent Administrative Agency Information-technology Guidelines, however, are not legally binding, although they Promotion Agency (“IPA”) jointly issued the Cybersecurity carry a lot of weight because MIC confirmed them before they were issued by the Council. Management Guidelines (the latest version of which is as of May 2017). The guidelines describe three principles that the management Further, in 2013, MIC started a project called ACTIVE of companies, which have a dedicated division for information system (Advanced Cyber Threats response InitiatiVE) that aims to protect Internet users from cyber attacks by collaborating and are utilising IT, should recognise to protect their company from with ISPs and vendors of IT systems. To prevent computer cyber attacks and 10 material items on which management should virus infections, warning users or blocking communications give instructions to executives or directors in charge of IT security in accordance with the Guidelines may be done by ISPs including the chief information security officer (“CISO”). who are members of ACTIVE. For example, according The 10 material items and some examples of recommended actions to ACTIVE’s release dated February 26, 2016, MIC has for each item described in the guidelines are as follows: started a program through ACTIVE to prevent malware infection. The program aims to mitigate damage by blocking (i) Recognise a cybersecurity risk and develop company-wide telecommunications between the malware and the C&C measures (Command and Control) server and by warning users who Example: Develop security policy which incorporates have infected devices. According to the website of ACTIVE, cybersecurity risk management while aligning it with the

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 89 © Published and reproduced with kind permission by Global Legal Group Ltd, London Mori Hamada & Matsumoto Japan

company’s management policy so that management can publish company-wide measures. 2.4 In relation to any requirements identified in question (ii) Build a structure or process for cybersecurity risk management 2.3 above, might any conflict of laws issues arise? For example, conflicts with laws relating Example: Establish a committee on management risk and to the unauthorised interception of electronic allow responsible personnel of a cybersecurity risk to become communications or import / export controls of a member of the committee. encryption software and hardware. Example: Designate a CISO according to the policy on company-wide measures (or security policy), and establish The secrecy of communications is strongly protected under the TBA. a structure or process for cybersecurity risk management To prevent cyber attacks, it would be useful for telecommunications

Japan within the organisation. carriers to collect and use information regarding the cyber attacks, (iii) Determine goals and develop plans based on the perception e.g., access logs of infected devices, and share information with of cybersecurity risks and the security levels that should be other telecommunications carriers or public authorities. However, attained the TBA does not explicitly provide how a telecoms carrier may Example: Identify risks from cyber attacks (e.g., damage deal with cyber attacks without breaching Article 4(1). Thus, it is from leakage of trade secret on a strategic basis) that should difficult for telecommunications carriers to balance prevention of be regarded as business risks in the course of a business cyber attacks with protection of secrecy of communications. MIC strategy exercise. tried to deal with this issue by helping to establish the Guidelines (iv) Publish cybersecurity measures framework (“PDCA”) and and by collaborating with ISPs through ACTIVE (please see its action plan question 2.1 above). Example: Develop a structure or process where one can constantly respond to cybersecurity risks (assurance of implementation of PDCA). If the organisation has a PDCA 2.5 Are organisations required under Applicable Laws, or on internal governance, it can be combined with security otherwise expected by a regulatory or other authority, measures for efficient execution. to report information related to Incidents or potential Incidents to a regulatory or other authority in your (v) Ensure that group companies and business partners of the jurisdiction? If so, please provide details of: (a) the company’s supply chain take security measures circumstance in which this reporting obligation is Example: Conclude agreements or other documents on how triggered; (b) the regulatory or other authority to group companies and business partners of the company’s which the information is required to be reported; (c) supply chain take security measures. the nature and scope of information that is required Example: Receive and understand reports on how group to be reported (e.g. malware signatures, network companies and business partners of the company’s supply vulnerabilities and other technical characteristics chain take security measures. identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by (vi) Secure resources (e.g., budget and manpower) to execute which the organisation might prevent publication of cybersecurity measures that information. Example: Give directions to specify the costs needed to prepare identified proactive measures for cybersecurity. There is no mandatory requirement to report Incidents. (vii) Identify the scope of outsourcing for system control and However, under the guidelines for banks issued by the Financial ensure cybersecurity in the applicable outsourcing companies Services Agency (“FSA”), banks are required to report an Incident Example: Review if the company can fulfil each security immediately after becoming aware of it. The guidelines are not measure on its own, taking note of its technical capability. legally binding; however, because FSA is a powerful regulator (viii) Collect information on cyber attacks through participation in of the financial sector, banks would typically comply with FSA’s information-sharing activities, and develop the environment guidelines (please see question 3.1). The report must include: to utilise such information (i) the date and time when the Incident occurred and the location Example: Help society guard against cyber attacks by actively where the Incident occurred; giving, sharing and utilising relevant information. (ii) a summary of the Incident and which services were affected Example: Report information on malware and illegal access by the Incident; to the IPA in accordance with public notification procedures (iii) causes why the Incident occurred; (standards for countermeasures for computer virus and for illegal access to a computer). (iv) a summary of the facilities affected by the Incident; (ix) Develop an emergency response system (emergency contacts, (v) a summary of damages caused by the Incident, and how and initial action manual, and Computer Security Incident when the situation was remedied or will be remedied; Response Team (“CSIRT”)), and execute regular and hands- (vi) any effect to other business providers; on drills (vii) how banks responded to inquiries from users and how they Example: Give directions to promptly cooperate with relevant notified users, public authorities and the public; and organisations and to investigate relevant logs to ensure that (viii) possible measures to prevent similar Incidents from efficient actions or investigations can be taken to identify the happening. cause and damage of a cyber attack. Moreover, execute drills to prepare personnel in charge of cyber attack response. It In addition, if a cyber attack causes a serious Incident specified in is recommended that the drill include planning activities to the TBA and the enforcement rules of the TBA, such as a temporary prevent recurrence after Incidents are under control. suspension of telecommunications services or a violation of the (x) Know who should be notified if cyber attacks cause damage, secrecy of communications, the telecommunications carrier is gather information to be disclosed, and prepare materials required to report the Incident to MIC promptly after its occurrence. regarding the management’s accountability In addition, the carrier is required to report the details of the said Example: Promptly publish Incidents, taking into account Incident to MIC within 30 days from its occurrence. The detailed their impact on stakeholders. report must include:

90 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Mori Hamada & Matsumoto Japan

(i) the date and time when the Incident occurred; (ii) the date and time when the situation was remedied; 2.7 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, (iii) the location where the Incident occurred (the location of the to report information related to Incidents or potential facilities); Incidents to any affected individuals? If so, please (iv) a summary of the Incident and which services were affected provide details of: (a) the circumstance in which by the Incident; this reporting obligation is triggered; and (b) the nature and scope of information that is required to be (v) a summary of the facilities affected by the Incident; reported. (vi) details of the events or indications of the Incident, the number of users affected, and the affected service area;

The Cybersecurity Management Guidelines recommend knowing Japan (vii) measures taken to deal with the Incident, including the who should be notified if a cyber attack has caused any damage, persons who dealt with it, in chronological order; gathering information to be disclosed, and promptly publishing the (viii) causes which made the Incident serious, including how the Incident, taking into account its impact on stakeholders (please see facilities have been managed and maintained; question 2.3). (ix) possible measures to prevent similar Incidents from Further, if the Incidents involve any disclosure, loss or damage of happening; Personal Information handled by a business operator, then, according (x) how the telecoms carrier responded to inquiries from users to the guidelines issued by the PPC regarding the APPI, the operator and how it notified users of the Incident; is expected, depending on the contents or extent of the disclosure, (xi) internal rules in connection with the Incident; loss or damage, to notify the affected individuals of the facts relevant (xii) if the telecoms carrier experienced similar Incidents in the to the disclosure, loss or damage, or to make the notification readily past, a summary of the past Incidents; accessible to the affected individuals (e.g., posting the notification (xiii) the name of the manager of the telecoms facilities; and on the operator’s website), in order to prevent secondary damages (xiv) the name and qualifications of the chief engineer of the or similar Incidents. telecoms facilities. Further, it is recommended that companies report the Incident to the 2.8 Do the responses to questions 2.5 to 2.7 change if the IPA (please see question 2.3 above). The report must include: information includes: (a) price sensitive information; (i) the location where the infection was found; (b) IP addresses; (c) email addresses (e.g. an email address from which a phishing email originates); (d) (ii) the name of the computer virus. If the name is unknown, personally identifiable information of cyber threat features of the virus found in the IT system; actors; and (e) personally identifiable information of (iii) the date when the infection was found; individuals who have been inadvertently involved in (iv) the types of OS used and how the IT system is connected (e.g. an Incident? LAN); (v) how the infection was found; The secrecy of communications protects not only the contents of communications but also any information that would enable (vi) possible cause of the infection (e.g., email or downloading files); someone to infer the meaning or the contents of communications. In this regard, IP addresses and email addresses are protected under (vii) extent of the damage (e.g., the number of infected PCs); and the secrecy of communications. Further, personally identifiable (viii) whether the infection has been completely removed. information is protected under the secrecy of communications if it The IPA also has a contact person whom the companies may consult, is delivered through telecommunications facilities. With respect to whether or not they file a report with the IPA, as to how they can an Incident, a telecommunications carrier may not share information deal with cyber attacks or any Unauthorized Access. According to protected under the secrecy of communications unless it complies the IPA’s website, it had 8,961 consultations in 2016. with the Guidelines or the instructions of ACTIVE (please see If the Incidents involve any disclosure, loss, or damage of Personal questions 2.1 and 2.5). Information handled by a business operator, then, according to the In addition, personally identifiable information of cyber threat- guidelines issued by the Personal Information Protection Committee makers and individuals who have been inadvertently involved in (the “PPC”) regarding the APPI, the operator is expected to an Incident would be Personal Information under the APPI which promptly submit to the PPC a summary of such disclosure, loss or cannot be provided to a third party without obtaining the prior damage, and planned measures to prevent future occurrences. consent of the data subjects, except in limited instances. One such exception is where a public authority needs the cooperation of a private person to implement the authority’s legal duties, and 2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information the performance of those legal duties will likely be impeded if the related to Incidents or potential Incidents with: (a) private person has to first obtain the data subject’s consent. In this a regulatory or other authority in your jurisdiction; regard, the provision of personally identifiable information of cyber (b) a regulatory or other authority outside your threat-makers would not require their consent. jurisdiction; or (c) other private sector organisations or trade associations in or outside your jurisdiction? 2.9 Please provide details of the regulator(s) responsible for enforcing the requirements identified under Please see question 2.5. Further, through ACTIVE, business questions 2.3 to 2.7. operators are permitted to share information regarding cyber attacks (please see question 2.1). MIC is the governmental agency primarily responsible for implementing the TBA.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 91 © Published and reproduced with kind permission by Global Legal Group Ltd, London Mori Hamada & Matsumoto Japan

METI is not a regulator who has a specific mandated regulatory authority under specific laws. Rather, it promulgates desirable 4 Corporate Governance policies for each industry. The PPC is an independent organ which supervises the enforcement 4.1 In what circumstances, if any, might a failure by and application of the APPI. a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to a breach of directors’ duties in your jurisdiction? 2.10 What are the penalties for not complying with the requirements identified under questions 2.3 to 2.8? Under the Companies Act, a director has the duty to act with “due

Japan care as a prudent manager” in performing his/her functions as Other than the report of a serious Incident under the TBA (please see director (zenkan chuui gimu). The applicable standard of care is that question 2.5), reporting is not mandatory. If a telecommunications which a person in the same position and situation would reasonably carrier does not report a serious Incident, it is subject to a fine of up be expected to observe. In general, if a director fails to get relevant to JPY 300,000. information, inquire or consider how to prevent Incidents, to the extent these acts are reasonably expected of him/her based on the 2.11 Please cite any specific examples of enforcement facts when he/she made a decision (e.g., decision to purchase the IT action taken in cases of non-compliance with the system), then he/she would be in breach of this duty. above-mentioned requirements.

4.2 Are companies (whether listed or private) required No examples can be found based on publicly available information. under Applicable Laws to: (a) designate a CISO; (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, 3 Specific Sectors including for third party vendors; and (d) perform penetration tests or vulnerability assessments?

3.1 Does market practice with respect to information The Cybersecurity Management Guidelines jointly issued by METI security (e.g. measures to prevent, detect, mitigate and respond to Incidents) vary across different and IPA recommend companies to build a structure or process for business sectors in your jurisdiction? Please include cybersecurity risk management and, as an example, to designate a details of any common deviations from the strict legal CISO according to the companies’ policies, including the security requirements under Applicable Laws. policy (please see question 2.3). Further, FSA’s guidelines for banks provide the standards regarding In general, the financial business sector and the telecommunications cybersecurity management, such as establishing an organisation service sector closely collaborate with relevant authorities on to handle emergencies (e.g., CSIRT), designating a manager in information security. charge of cybersecurity and implementing a periodic assessment of In July 2015, FSA issued a summary of its policies to strengthen cybersecurity (please see question 3.1). cybersecurity in the financial business sector. According to the summary, FSA’s five policies are: (i) continuous dialogue with 4.3 Are companies (whether listed or private) subject financial institutions to understand their cybersecurity risks; (ii) to any specific disclosure requirements in relation improving information sharing among financial institutions; (iii) to cybersecurity risks or Incidents (e.g. to listing implementing cybersecurity exercises in which financial institutions, authorities, the market or otherwise in their annual FSA and other public authorities participate; (iv) developing reports)? cybersecurity human resources; and (v) establishing a department in FSA to handle cybersecurity matters. Based on these policies, There are no disclosure requirements that are specific to FSA amended its guidelines for banks to include standards on cybersecurity risks or Incidents. cybersecurity management, such as establishing an organisation to handle emergencies (e.g., CSIRT), designating a manager in charge 4.4 Are companies (whether public or listed) subject to of cybersecurity, preparing multi-layered defences against cyber any other specific requirements under Applicable attacks and implementing a periodic assessment of cybersecurity. Laws in relation to cybersecurity? The guidelines are not legally binding; however, because FSA is a powerful regulator of the financial sector, banks would typically No, there are no other specific requirements. comply with FSA’s guidelines. As described above, telecommunications carriers are required to report a serious Incident specified in the TBA (please see question 5 Litigation 2.5). In addition, if a telecommunications carrier does not take appropriate measures to remedy problems with its services, MIC 5.1 Please provide details of any civil actions that may be may order it to improve its business. Failure to comply with the brought in relation to any Incident and the elements of order is subject to a fine of up to JPY2,000,000. that action that would need to be met.

3.2 Are there any specific legal requirements in relation Basically, if a person breaches a contract, the other party may bring to cybersecurity applicable to organisations a civil action based on the breach. The plaintiff has the burden of in: (a) the financial services sector; and (b) the proving the breach, the damages incurred by it, and the causation telecommunications sector? between the breach and the plaintiff’s damages. In addition, the Civil Act of Japan provides for a claim based on tort. Please see question 3.1. If a person causes damages to another, the injured party may bring a

92 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Mori Hamada & Matsumoto Japan

civil action based on tort. The plaintiff has the burden of proving the damages incurred by it, the act attributable to the defendant, and the 7 Employees causation between the defendant’s act and the plaintiff’s damages. 7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for 5.2 Please cite any specific examples of cases that the purposes of preventing, detection, mitigating and have been brought in your jurisdiction in relation to responding to Incidents; and (b) the reporting of cyber Incidents. risks, security flaws, Incidents or potential Incidents by employees to their employer? A vendor of a computer system was sued by a company who used Japan the system provided by the vendor. The case related to cyber attacks No, there are no specific requirements. (SQL injections) to the system which resulted in the disclosure of credit card information of the company’s clients. The company sought the payment of damages caused by the cyber attacks in 7.2 Are there any Applicable Laws (e.g. whistle-blowing the amount of approximately JPY 100,000,000, based on breach laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents of contract. The Tokyo District Court decided that although the by an employee? vendor was required to provide programs which are suitable for blocking SQL injections in accordance with existing standards No, there are no Applicable Laws. when the computer system was provided, the Incident was also partially attributable to the company because it ignored the vendor’s proposal to improve the system. The vendor was ordered to pay 8 Investigatory and Police Powers only approximately JPY 20,000,000 (Tokyo District Court decision dated January 23, 2014). 8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable 5.3 Is there any potential liability in tort or equivalent Laws in your jurisdiction (e.g. antiterrorism laws) that legal theory in relation to an Incident? may be relied upon to investigate an Incident.

Tort theory is available under the Civil Act of Japan (please see Law enforcers have the power to investigate Incidents which are question 5.1). related to crimes under Applicable Laws. In accordance with the “cybercrime project” of the National Police Agency, the police in 6 Insurance each prefecture have established a contact point where consultations and information regarding cybercrimes are handled.

6.1 Are organisations permitted to take out insurance 8.2 Are there any requirements under Applicable Laws against Incidents in your jurisdiction? for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide Yes. In general, there are two categories of insurance against law enforcement authorities with encryption keys? Incidents, namely (i) insurance to cover the losses incurred by the vendor of an IT system, and (ii) insurance to cover the losses No, there are no such requirements. incurred by a business operator using the IT system.

6.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover?

There are no regulatory limitations on insurance coverage under the law. The coverage may differ depending on the insurance products of insurance companies.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 93 © Published and reproduced with kind permission by Global Legal Group Ltd, London Mori Hamada & Matsumoto Japan

Hiromi Hayashi Mori Hamada & Matsumoto Marunouchi Park Building, 2-6-1 Marunouchi Chiyoda-ku Tokyo 100-8222 Japan

Tel: +81 3 5220 1811 Email: [email protected] URL: www.mhmjapan.com Japan

Hiromi Hayashi is a partner at Mori Hamada & Matsumoto, which she joined in 2001. She specialises in communications law and regulation, and authored the Japanese portion of Telecommunication in Asia in 2005. Her other areas of practice are international and domestic transactions, takeover bids and corporate restructuring. She was admitted to the Bar in 2001 in Japan and in 2007 in New York. She worked at Mizuho Corporate Bank from 1989 to 1994 and at Davis Polk & Wardwell in New York from 2006 to 2007.

Mori Hamada & Matsumoto is a full-service international law firm based in Tokyo, with offices in Fukuoka, Nagoya, Osaka, Beijing, Shanghai, Singapore, Yangon and Bangkok, and a Jakarta desk. The firm has over approximately 450 attorneys and a support staff of approximately 450, including legal assistants, translators and secretaries. The firm is one of the largest law firms in Japan and is particularly well-known in the areas of mergers and acquisitions, finance, litigation, insolvency, telecommunications, broadcasting and intellectual property, as well as domestic litigation, bankruptcy, restructuring and multi-jurisdictional litigation and arbitration. The firm regularly advises on some of the largest and most prominent cross-border transactions representing both Japanese and foreign clients. In particular, the firm has extensive practice in, exposure to and expertise on, telecommunications, broadcasting, the Internet, information technology and related areas, and provides legal advice and other legal services regarding the corporate, regulatory, financing and transactional requirements of clients in these areas.

94 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 15

Korea Seung Soo Choi

JIPYONG Seungmin Jasmine Jung

the operation of ICN systems, data or programs, without a justifiable 1 Criminal Activity cause. Any violation shall be subject to imprisonment of not more than seven years or a penalty of not more than KRW 70 million. 1.1 Would any of the following activities constitute a Possession or use of hardware, software or other tools used to criminal offence in your jurisdiction? If so, please commit cybercrime (e.g. hacking tools) provide details of the offence, the maximum penalties available, and any examples of prosecutions in your The use of hardware, software or other tools used to commit jurisdiction: cybercrime (e.g. hacking tools) is prohibited under the Network Act. Any violation shall be subject to imprisonment of not more than Hacking (i.e. unauthorised access) seven years or a penalty of not more than KRW 70 million. Under the Act on Promotion of Information and Communications Identity theft or identity fraud (e.g. in connection with access Network Utilization and Information Protection, etc. (the “Network devices) Act”), it is prohibited for anyone to infiltrate another’s information Under the Personal Information Protection Act (“PIPA”), anyone communication network (“ICN”) without authorised access or who commits, or aids and abets, the illegitimate acquisition beyond the scope of authorised access. Any violation shall be of personal information, being processed by another party for subject to imprisonment of not more than five years or a penalty subsequent provision to a third party for commercial gain or for of not more than KRW 50 million. In a recent court decision, illegitimate purposes, shall be subject to imprisonment of not more the defendant who infiltrated another’s ICN in order to distribute than 10 years or a penalty of not more than KRW 100 million. malware was subject to imprisonment of 18 months. Also, under the Network Act, it is prohibited for anyone to collect Under the Electronic Financial Transactions Act (the “EFTA”), any another person’s information, or induce the provision of another unauthorised access of electronic financial systems shall be subject person’s information, through the ICN by deceptive means. Any to imprisonment of not more than 10 years or a penalty of not more violation shall be subject to imprisonment of not more than three than KRW 100 million. years or a penalty of not more than KRW 30 million. Denial-of-service attacks Electronic theft (e.g. breach of confidence by a current or former Under the Network Act, it is prohibited to cause disruption of an employee, or criminal copyright infringement) ICN by intentionally disturbing network operations with large Any theft of the company’s critical information by a company’s volumes of signal/data or superfluous requests. Any violation shall employee or former employee shall be punished under the Criminal be subject to imprisonment of not more than five years or a penalty Act as a breach of fiduciary duty or under the Act on Prevention of of not more than KRW 50 million. Unfair Competition and Protection of Trade Secrets as divulging Also, under the EFTA, any attacks on electronic financial systems of trade secrets. Any such theft shall be subject to imprisonment using programs such as a computer virus, logic bomb or email bomb of not more than 10 years or a penalty of not less than KRW 30 with the intention of destroying data on, or disrupting the operation of, million under the Criminal Act and imprisonment of not more than electronic financial systems shall be subject to imprisonment of not five years or a penalty of not more than KRW 50 million under the more than 10 years or a penalty of not more than KRW 100 million. Act on Prevention of Unfair Competition and Protection of Trade Secrets. Any infringement of the employer’s copyright shall be Phishing subject to imprisonment of not more than five years or a penalty of For the regulation of phishing crimes, the Special Act On The not more than KRW 50 million. Prevention Of Loss Caused By Telecommunications-Based There have been several cases where a former employer was Financial Fraud And Refund For Loss (the “Special Act on Financial criminally prosecuted for taking, without permission, material assets Fraud”) has been enacted. Under the Special Act on Financial or intellectual property rights of the employer upon termination of Fraud, anyone found guilty of phishing crimes shall be subject to employment. imprisonment of not more than 10 years or a penalty of not more than KRW 100 million. Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT Infection of IT systems with malware (including ransomware, system, infrastructure, communications network, device or data spyware, worms, trojans and viruses) Under the Network Act, it is prohibited for anyone to damage Under the Network Act, it is prohibited for anyone to transmit or another person’s information processed, stored or transmitted distribute malware that can damage, destroy, alter, falsify or disrupt

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 95 © Published and reproduced with kind permission by Global Legal Group Ltd, London JIPYONG Korea

through the ICN or to infringe, exploit or disclose another person’s confidential information. 2 Applicable Laws Under the EFTA, anyone who falsifies or alters access means shall be subject to imprisonment of not more than seven years or a penalty 2.1 Please cite any Applicable Laws in your jurisdiction of not more than KRW 50 million. applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation Failure by an organisation to implement cybersecurity measures and management of Incidents. This may include, Under PIPA and its Enforcement Decree, personal information for example, laws of data protection, intellectual processors have the obligation to implement technical, managerial and property, breach of confidence, privacy of electronic physical measures in order to procure security, such as establishing communications, information security, and import / Korea export controls, among others. internal control plans and storing access records to ensure personal information is not lost, stolen, leaked, falsified, altered or damaged. In the event personal information is lost, stolen, leaked, falsified, The following are Applicable Laws in Korea: Personal Information altered or damaged due to a person’s failure to implement such Protection Act (“PIPA”); Act On The Protection Of Information And measures, such person shall be subject to imprisonment of not more Communications Infrastructure (the “PICIA”); Act on Promotion than two years or a penalty of not more than KRW 20 million. of Information and Communications Network Utilization and Information Protection, etc. (the “Network Act”); Electronic Financial Transactions Act (the “EFTA”); Credit Information Use 1.2 Do any of the above-mentioned offences have and Protection Act (the “Credit Information Act”); Act on the extraterritorial application? Protection, Use, etc. of Location Information; Act On Prevention Of Divulgence And Protection Of Industrial Technology; and Special As of yet, there are no regulations regarding extraterritorial Act On The Prevention Of Loss Caused By Telecommunications- application of the above offences. Based Financial Fraud And Refund For Loss (the “Special Act on There is, however, a prohibition of the overseas transfer of personal Financial Fraud”). information. Under PIPA, personal information processers are prohibited from entering into contracts regarding the overseas 2.2 Are there any cybersecurity requirements under transfer of personal information with terms in violation of PIPA. Applicable Laws applicable to critical infrastructure “Overseas transfer” is a broad concept dealing with the “actual” in your jurisdiction? For EU countries only, how transfer of personal information and does not only include the (and according to what timetable) is your jurisdiction provision of personal information to third parties, but also includes expected to implement the Network and Information (i) the delegation of personal information processing to a third party Systems Directive? Please include details of any located outside of Korea, and (ii) the overseas transfer of personal instances where the implementing legislation in your jurisdiction is anticipated to exceed the requirements information due to business transfers or mergers. of the Directive.

1.3 Are there any actions (e.g. notification) that might Under the PICIA, managerial organisations have the obligation to mitigate any penalty or otherwise constitute an establish and implement managerial measures, including physical exception to any of the above-mentioned offences? and technical measures (such as prevention, backup, recovery, etc.), to safely protect the critical ICN infrastructure facilities and In relation to criminal prosecution of personal information leakage managerial data. accidents, the responsible party may be discharged from liability if Under the Network Act, any ICN service provider must take requisite measures for procuring security have been implemented protective measures to procure the security of ICN used in the or if due care has been exercised and supervision has been properly provision of ICN services security and the reliability of information. conducted.

2.3 Are organisations required under Applicable Laws, 1.4 Are there any other criminal offences (not specific or otherwise expected by a regulatory or other to cybersecurity) in your jurisdiction that may arise authority, to take measures to monitor, detect, prevent in relation to cybersecurity or the occurrence of an or mitigate Incidents? If so, please describe what Incident (e.g. terrorism offences)? Please cite any measures are required to be taken. specific examples of prosecutions of these offences in a cybersecurity context. Organisations that operate and manage collective ICN facilities (“Collective ICN Facility Operator”) for the ICN service of third Under the Act On The Protection Of Information And parties must take the following protection measures (as prescribed Communications Infrastructure (the “PICIA”), it is prohibited under the Enforcement Decree of the Network Act) for the secure to disrupt or paralyse critical ICN infrastructure facilities such as operation of ICN facilities: electronic control or managerial systems related to national security, government administration, military defence, policing, finance, (i) technical and managerial measures for access control and telecommunication, transportation and energy. Any violation shall monitoring of unauthorised access to ICN facilities; be subject to imprisonment of not more than 10 years or a penalty of (ii) physical and technical measures for the protection of ICN not more than KRW 100 million. facilities from natural disasters and threats, such as terrorist attacks, and for procuring the continuous and secure operation of ICN facilities;

96 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London JIPYONG Korea

(iii) hiring and assignment of personnel for the secure management of any leakage of personal information, it must notify the owner of of ICN facilities; the leaked personal information, without delay, of the following: (iv) establishment and implementation of internal control (i) the type of personal information that has been leaked; measures (including emergency plans) for the secure (ii) the timing and circumstances of the leakage; management of ICN facilities; and (iii) the actions that the owner of the personal information can (v) establishment and implementation of technical and managerial take to minimise any damages resulting from the leakage; measures to prevent the dissemination of infiltration incidents. (iv) the protective response measures taken by the personal information processor and relief procedures; and 2.4 In relation to any requirements identified in question (v) the name and contact of the department to which the owner of 2.3 above, might any conflict of laws issues the leaked personal information (who has incurred damages) Korea arise? For example, conflicts with laws relating can file a report. to the unauthorised interception of electronic communications or import / export controls of Under the Credit Information Act, in the event of any credit encryption software and hardware. information leakage, the above items must be notified to the owner of such credit information. No conflict of law issues have arisen yet. 2.8 Do the responses to questions 2.5 to 2.7 change if the 2.5 Are organisations required under Applicable Laws, or information includes: (a) price sensitive information; otherwise expected by a regulatory or other authority, (b) IP addresses; (c) email addresses (e.g. an email to report information related to Incidents or potential address from which a phishing email originates); (d) Incidents to a regulatory or other authority in your personally identifiable information of cyber threat jurisdiction? If so, please provide details of: (a) the actors; and (e) personally identifiable information of circumstance in which this reporting obligation is individuals who have been inadvertently involved in triggered; (b) the regulatory or other authority to an Incident? which the information is required to be reported; (c) the nature and scope of information that is required No, the responses do not differ. to be reported (e.g. malware signatures, network vulnerabilities and other technical characteristics identifying an Incident or cyber attack methodology); 2.9 Please provide details of the regulator(s) responsible and (d) whether any defences or exemptions exist by for enforcing the requirements identified under which the organisation might prevent publication of questions 2.3 to 2.7. that information.

The Ministry of the Interior and Safety, the Ministry of Science and Under the Network Act, the ICN provider or a Collective ICN ICT, the Financial Services Commission, and KISA. Facility Operator must report any “infiltration incidents” (defined as incidents due to attacks on the ICN or the related information system through hacking, a computer virus, logic bomb, email bomb, denial 2.10 What are the penalties for not complying with the of service, high-powered electromagnetic wave, etc.) to the Ministry requirements identified under questions 2.3 to 2.8? of Science and ICT or Korea Internet and Security Agency (“KISA”) immediately upon the occurrence of such infiltration incident. If the requirements under Applicable Laws are not complied with, Under PIPA, in the event of any leakage of personal information the relevant authorities may impose a monetary fine. For example, which concerns 10,000 or more persons, the personal information a business that fails to provide notice of a credit information leakage processor must report such leakage and subsequent measures, Incident shall be subject to a monetary fine of not more than KRW without delay, to the Ministry of Interior and Safety or KISA. 50 million.

2.6 If not a requirement, are organisations permitted by 2.11 Please cite any specific examples of enforcement Applicable Laws to voluntarily share information action taken in cases of non-compliance with the related to Incidents or potential Incidents with: (a) above-mentioned requirements. a regulatory or other authority in your jurisdiction; (b) a regulatory or other authority outside your Order the submission of relevant materials and inspections, a jurisdiction; or (c) other private sector organisations corrective order, criminal charges, etc. or trade associations in or outside your jurisdiction?

Although not obligated, it would be possible for organisations to 3 Specific Sectors voluntary share information related to Incidents with regulatory authorities. 3.1 Does market practice with respect to information security (e.g. measures to prevent, detect, mitigate 2.7 Are organisations required under Applicable Laws, or and respond to Incidents) vary across different otherwise expected by a regulatory or other authority, business sectors in your jurisdiction? Please include to report information related to Incidents or potential details of any common deviations from the strict legal Incidents to any affected individuals? If so, please requirements under Applicable Laws. provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the nature and scope of information that is required to be reported. There are certain variances under Applicable Laws. Under PIPA, the requirements for information security measures to be adopted Under PIPA, once a personal information processer becomes aware by personal information processors differ based on the size of the corporation. Moreover, the requirements for protective measures

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 97 © Published and reproduced with kind permission by Global Legal Group Ltd, London JIPYONG Korea

under the Network Act for ICN service providers and under the Credit Information Act for financial institutions are generally stricter 4.3 Are companies (whether listed or private) subject than the common requirements. to any specific disclosure requirements in relation to cybersecurity risks or Incidents (e.g. to listing authorities, the market or otherwise in their annual 3.2 Are there any specific legal requirements in relation reports)? to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the Under the Network Act, in order to analyse the cause of the telecommunications sector? infiltration incident, the Minister of Science and ICT can order the ICN provider and the Collective ICN Facility Operator to:

Korea With regards to the financial services sector, the Credit Information (i) retain relevant material such as records of access to the ICN; Act and the EFTA prescribe specific legal requirements for financial institutions. (ii) submit the relevant material; and With regards to the telecommunications sector, the following (iii) allow physical access to the business site to investigate the cause of the infiltration incident. companies need to obtain a certification as to whether it satisfies the prescribed technical and physical protective measures for the security and reliability of ICNs: 4.4 Are companies (whether public or listed) subject to (i) companies such as telecommunication providers or companies any other specific requirements under Applicable who provide information through the telecommunication Laws in relation to cybersecurity? provider’s ICN, whose annual revenue or income is not less than KRW 150 billion; or The government may enforce measures against ICN service (ii) companies such as telecommunication providers or companies providers or its users to prevent an offshore leakage of material who provide information through the telecommunication information related to national industry, the economy and science/ provider’s ICN, whose revenue for the preceding fiscal year technology through ICN overseas disclosure. is not less than KRW 10 billion or whose average volume of daily users for a three-month period is not less than 1 million. 5 Litigation 4 Corporate Governance 5.1 Please provide details of any civil actions that may be brought in relation to any Incident and the elements of 4.1 In what circumstances, if any, might a failure by that action that would need to be met. a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to In the event the owner of personal information incurs damages a breach of directors’ duties in your jurisdiction? due to the violation of PIPA by the personal information processor, such owner of personal information can claim damages against the Unless there are special circumstances, the Representative Director personal information processor. The personal information processor or the CPO (or CISO) shall be liable for any breach of the protective will be liable unless it can prove that there was no wilful misconduct measures prescribed under PIPA, the Network Act and the Credit or negligence attributable to it. If the owner of personal information Information Act. incurs damages arising from the loss, theft, leak, falsification, alteration or damage of personal information caused by the wilful 4.2 Are companies (whether listed or private) required misconduct or gross negligence of the personal information under Applicable Laws to: (a) designate a CISO; processor, the court may award up to treble damages. Also, the (b) establish a written Incident response plan or owner of the personal information may seek statutory damages policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform up to KRW 3 million in the event loss, theft, leak, falsification, penetration tests or vulnerability assessments? alteration or damage of personal information is caused by the wilful misconduct or gross negligence of the personal information Under the Network Act, ICN service providers with not less than processor. In such case, the personal information provider will be 1,000 employees must appoint a CISO at the senior management liable unless it can prove that there was no wilful misconduct or level to ensure the security of the ICN system and the secure negligence attributable to it. management of data. The CISO is responsible for the following: (i) the establishment and management/operation of information 5.2 Please cite any specific examples of cases that protection procedures; have been brought in your jurisdiction in relation to (ii) the analysis/evaluation and improvement of any vulnerabilities Incidents. in information protection; (iii) the prevention and response to infiltration incidents; In 2014, there was a large-scale leakage of personal information (iv) the establishment of preventive measures for information from three major credit card companies. The victims of the leakage, protection and the architecture/implementation of security as the plaintiff, brought a case against the credit card companies and measures; the court awarded damages in the amount of KRW 10 thousand to (v) the assessment of preventive security measures for each of the plaintiffs for each Incident of leakage. information protection; (vi) the encryption of critical information and assessments of the 5.3 Is there any potential liability in tort or equivalent adequacy of secure servers; and legal theory in relation to an Incident? (vii) the performance of other information protection measures prescribed under Applicable Laws. In cases regarding tort liability, the plaintiff has the burden of proof

98 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London JIPYONG Korea

with respect to the tort of the defendant. However, in cases claiming damages for leakage of personal information or credit information, 7.2 Are there any Applicable Laws (e.g. whistle-blowing the defendant has the burden of proof to show that the Incident is laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents not attributable to the defendant. In other words, the burden of proof by an employee? is reversed.

There are no specific requirements under Applicable Laws. 6 Insurance 8 Investigatory and Police Powers

6.1 Are organisations permitted to take out insurance Korea against Incidents in your jurisdiction? 8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable Under the Credit Information Act, certain financial institutions Laws in your jurisdiction (e.g. antiterrorism laws) that have the obligation to take measures, such as taking out insurance, may be relied upon to investigate an Incident. joining a cooperative, or setting aside a reserve to procure funds for damages that may arise due to credit information leakage. The following authorities have investigatory powers of law enforcement: National Intelligence Service; National Police Agency 6.2 Are there any regulatory limitations to insurance Cyber Bureau; Forensic Science Investigation Department of the coverage against specific types of loss, such as Supreme Prosecutors’ Office; Financial Supervisory Service; and business interruption, system failures, cyber extortion KISA. or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover? 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT The Financial Supervisory Service has set a minimum insurance systems for law enforcement authorities or to provide coverage limit for the liability of financial institutions against credit law enforcement authorities with encryption keys? information leakage. For example, in the case of banks, such limit is KRW 2 billion. There are no specific requirements under Applicable Laws.

7 Employees

7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for the purposes of preventing, detection, mitigating and responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents by employees to their employer?

Under the Act On The Promotion Of Workers’ Participation And Cooperation, any installation of monitoring facilities require consultation with the Employee and Employer Council. The Employee and Employer Council is a body established within a company for the purpose of promoting the workers’ welfare and the advancement of the company through the participation and cooperation of both the employee and employer.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 99 © Published and reproduced with kind permission by Global Legal Group Ltd, London JIPYONG Korea

Seung Soo Choi Seungmin Jasmine Jung JIPYONG JIPYONG 10F, KT&G Seodaemun Tower 10F, KT&G Seodaemun Tower 60 Chungjeong-ro, Seodaemun-gu 60 Chungjeong-ro, Seodaemun-gu Seoul 03740 Seoul 03740 Korea Korea

Tel: +82 2 6200 1759 Tel: +82 2 6200 1712 Email: [email protected] Email: [email protected] URL: www.jipyong.com/en URL: www.jipyong.com/en Korea

Mr. Seung Soo Choi is a Partner and Head of the IT/IP Practice Ms. Seungmin Jasmine Jung is a Partner and Senior Foreign Attorney Group at JIPYONG. Mr. Choi has advised and represented IT at JIPYONG. Ms. Jung has expertise in financial transactions, fintech companies and start-ups on copyright, patent and IP cases and has and technology law with extensive experience in structured finance, also handled a variety of litigations over the last 20 years, covering acquisition/project finance, public/private fund investments, licensing, civil, criminal and commercial cases. With his significant amount of copyright, trademark, cybersecurity and data privacy matters. working-level experience, he is recognised as the leading expert in the Prior to joining JIPYONG, Ms. Jung was the Head of Legal at areas of intellectual properties and IT, patents, confidential business Web Services Korea where she specialised in cloud computing and information, related to copyrights and trademarks. data privacy. Ms. Jung started her legal career as an associate at Mr. Choi is well-acquainted with laws relating to cultural art and the New York law firm of Hughes, Hubbard & Reed and subsequently entertainment/media businesses and personal information protection. worked at Shin & Kim and Franklin Templeton Investments. Ms. Jung Mr. Choi actively participates in various academic societies and is a frequent guest lecturer at conferences on legal issues surrounding lectures courses on international entertainment law, motion pictures technology of the 4th Industrial Revolution and also teaches this law, art law, data privacy law, communication law, media law at subject at Yonsei University. Combining her law firm and in-house Chung-Ang University Law School. Mr. Choi is also a well-recognised experience, Ms. Jung is highly regarded by clients for her practical mediator in the area of entertainment at the Korean Commercial advice and hands-on approach. Arbitration Board. Ms. Jung is a member of the New York Bar. Ms. Jung has a J.D. Mr. Choi is a member of the Korean bar and received a LL.B. from from Columbia Law School and a B.A. in political science from Yonsei Seoul National University. University.

JIPYONG is one of Korea’s leading full-service law firms. We pride ourselves on our global reach and outlook, the depth and breadth of our practice groups and the extensive experience of our lawyers. With our network of 12 international offices and desks in China, Russia, Vietnam, Indonesia, Myanmar, Cambodia, Laos and Iran, etc., we provide a one-stop destination for legal and consulting services to our clients. JIPYONG has a strong base of domestic and international clients who rely on us for not only our local market knowledge and expertise but for our innovative, business- minded solutions. In addition to our pursuit of professional excellence and proactively serving the needs of clients, JIPYONG shares an unwavering commitment to high ethical standards, pro bono work and community service.

100 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 16

Kosovo Sokol Elmazaj

Boga & Associates Delvina Nallbani

However, each criminal activity that aims to misuse computer 1 Criminal Activity systems or computer data should be considered individually to establish whether it constitutes a criminal offence provided for by 1.1 Would any of the following activities constitute a the Cyber Crime Law or any other applicable law. criminal offence in your jurisdiction? If so, please Infection of IT systems with malware (including ransomware, provide details of the offence, the maximum penalties spyware, worms, trojans and viruses) available, and any examples of prosecutions in your jurisdiction: We have not identified a criminal offence provided by the Cyber Crime Law or other applicable laws that would constitute infection Law No. 03/L –166 “On prevention and fight of the cyber crime” of IT systems with malware. However, each criminal activity (“Cyber Crime Law”) provides for criminal offences related to the that aims to misuse computer systems or computer data should be misuse of computer systems and computer data, although it does not considered individually to establish whether it constitutes some provide a literal denomination of the criminal offences listed below. other criminal offence provided for by the Cyber Crime Law or any other applicable law. Hacking (i.e. unauthorised access) Possession or use of hardware, software or other tools used to Subject to the Cyber Crime Law, unauthorised access to computer commit cybercrime (e.g. hacking tools) systems constitutes a criminal offence punishable by imprisonment for up to three years. Unauthorised actions are classified actions Pursuant to the Cyber Crime Law, the illegal production, sale, performed by a person: (i) who is not authorised by law or contract; import, distribution or making available, in any form, of any (ii) who exceeds the limits of his/her authorisation; and/or (iii) has no equipment or computer program designed and adapted for the permit and is not competent and qualified to use, administer or control a purpose of committing any criminal offence is punishable by computer system or conduct scientific research on a computer system. imprisonment from one to four years. If such an offence is committed for the purpose of obtaining Further, the illegal production, sale, import, distribution or making computer data or violates computer security measures, penalties available, in any form, of passwords, access codes or other computer provided by law are higher and such offences are punishable by information that would allow full or partial access to a computer imprisonment for up to four years and five years, respectively. system for the purpose of committing any criminal offence shall be punishable by imprisonment from one to five years. In addition, the Criminal Code (Law No. 04/L-082) provides for the criminal offence of unauthorised access into computer systems. In this In addition, the illegal possession of equipment, computer programs, regard, whoever, without authorisation and in order to gain unlawful passwords, access codes or computer information for the purpose material benefit for himself or another person or to cause damage to of committing any criminal offence is punishable by imprisonment another person, alters, publishes, suppresses or destroys computer data from one to six years. or programs, or in any other way enters another’s computer system, is An attempt to commit this criminal offence is also punishable by punished by a fine and up to three years of imprisonment. If the offence imprisonment, ranging from three months to one year. results in material gain exceeding the amount of 10,000 Euros or Identity theft or identity fraud (e.g. in connection with access material damage exceeding the amount of 10,000 Euros, the perpetrator devices) shall be punished by a fine and by imprisonment of up to five years. We have not identified any criminal offence provided for by the Denial-of-service attacks Cyber Crime Law or other applicable laws that would constitute The serious hindrance of the functioning of computer systems, identity theft or identity fraud. However, as mentioned above, such performed by entering information, transferring, changing, removing criminal activities should be assessed individually. or destroying computer data or limiting unauthorised limit to access Electronic theft (e.g. breach of confidence by a current or former to such data, is stipulated as a criminal offence pursuant to the Cyber employee, or criminal copyright infringement) Crime Law, and the perpetrator is liable to imprisonment for up to Pursuant to the Criminal Code (Law No. 04/L-082), an act of three years. Such offence shall be punished by imprisonment for up avoiding any of the effective technological measures to safeguard to five years if committed by a member of a criminal organisation. technology or the removal or alteration of electronic rights for data Phishing management, as provided for by the Law “On copyright and related We have not identified a criminal offence provided by the Cyber rights”, shall be punishable by imprisonment for up to three years. Crime Law or other applicable laws that would represent phishing.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 101 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Kosovo

Subject to the Law “On copyright and related rights” (Law No. 04/L- computer systems to which access is restricted or completely 065), violation of the rights protected by this law would be considered forbidden, the owners and administrators of such a computer if a person processes, imports for distribution, sells, lends, advertises for system are obliged to clearly and automatically warn the user of this sale or lease or keeps for commercial technological purposes a computer computer system, and to provide him/her with information, as well program, or carries out services without authorisation, and if such as conditions of use, or forbiddance to use this computer system actions: (i) are advertised or traded especially for the purpose of avoiding and legal consequences for unauthorised access to this computer effective technological measures; (ii) have evident commercial purpose system. Failure to comply with such an obligation is considered a or have been used solely for avoiding effective technological measures; misdemeanour and the perpetrator is punished with a fine ranging and (iii) are designed, produced, adapted or processed primarily with from 500 to 5,000 Euros. the purpose of avoiding effective technological measures. An effective

Kosovo technological measure is considered as any technology, computer program or other means intended to prevent or remove a violation of a 1.4 Are there any other criminal offences (not specific protected right. Pursuant to the Criminal Code (Law No. 04/L-082), an to cybersecurity) in your jurisdiction that may arise in relation to cybersecurity or the occurrence of an act of avoiding any of the effective technological measures to safeguard Incident (e.g. terrorism offences)? Please cite any technology or the removal or alteration of electronic rights for data specific examples of prosecutions of these offences management shall be punishable by imprisonment for up to three years. in a cybersecurity context. Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT The Criminal Code provides that issuing blank or false cheques and system, infrastructure, communications network, device or data the misuse of bank or credit cards constitutes a criminal offence. In addition to the criminal offences listed above, the Cyber Crime Such an offence is defined as an act committed for the purpose of Law also provides for the following criminal offences related to gaining unlawful material benefit for the perpetrator or for another computer systems and computer data: the unauthorised entry of person, by issuing or placing into circulation cheques for which the data; change or deletion of computer data; and the unauthorised perpetrator knows are not covered by material means. The placing limitation of access to such a data resulting in inauthentic data. of false cheques or counterfeit credit cards is punished by a fine and Also, causing a loss in assets to another person by entering imprisonment for up to three years. In relation to prosecution of this information, changing or deleting computer data by means of criminal offence in a cybersecurity context, there is a case pending access limitation to such a data, or any other interference into the before Kosovo courts where the defendant has been prosecuted for functioning of a computer system with the purpose of ensuring violation of the Cyber Crime Law, specifically for the possession economic benefits for himself or for someone else, shall be or use of passwords, hardware, software or other tools to commit punishable with up to 10 years of imprisonment. cybercrime. Failure by an organisation to implement cybersecurity measures We have not identified such a criminal offence provided for by the 2 Applicable Laws applicable legislation.

2.1 Please cite any Applicable Laws in your jurisdiction 1.2 Do any of the above-mentioned offences have applicable to cybersecurity, including laws applicable extraterritorial application? to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, The abovementioned laws that stipulate criminal offences apply to the for example, laws of data protection, intellectual Kosovo territory. In addition, subject to article 115 of the Criminal property, breach of confidence, privacy of electronic Code (Law No. 04/L-082), the criminal legislation of the Republic communications, information security, and import / of Kosovo will also apply to persons who have committed such export controls, among others. criminal offences outside the territory of Kosovo, if, according to an international agreement by which Kosovo is bound, such criminal The Applicable Laws relevant to cybercrime are listed below: offences should be prosecuted even though committed abroad. Law No. 03/L –166 “On prevention and fight of the cyber crime”; Criminal legislation of the Republic of Kosovo shall also apply to Law No. 04/L-082 “Criminal Code of The Republic Of Kosovo”, as any Kosovo citizen or a foreigner who commits a criminal offence amended by Law No. 04/L-129 and Law No. 04/L-273; Law No. 03/L- outside the territory of the Republic of Kosovo if the criminal offence 050 “On the establishment of the Kosovo security council”; Law No. is also punishable in the country where the offence was committed. 04/L-145 “On information society government bodies”; Law No. 04/ In case of foreigners, these provisions shall apply if the foreigner is L-094 “On the information society services”; Law No. 04/L-109 “On found in the territory of Kosovo or has been transferred to Kosovo. electronic communications”; Law No. 05/L-030 “On interception of However, the criminal proceedings against a Kosovo citizen or a electronic communication”; Law No. 03/L –172 “On the protection of foreigner for criminal offences committed outside Kosovo territory personal data”; Law No. 04/L-076 “On police”; Law No. 03/L-142 “On will not be undertaken if the perpetrator has fully served the public peace and order”; Law No. 03/L063 “On Kosovo intelligence punishment imposed in another jurisdiction, has been acquitted by agency”; Law No. 04/L-149 “On the execution of penal sanctions”, a final judgment and/or released from punishment or punishment as amended by Law No. 05/L-129; Law No. 04/L-065 “On copyright has become statute-barred and in cases where criminal proceedings and related rights”; Law No. 03/L-183 “On the implementation of may only be initiated upon the request of the injured party and such international sanctions”; Law No. 04/L-213 “On international legal a request has not been filed. cooperation in criminal matters”; Law No. 04/L-052 “On international agreements”; Law No. 04/L-072 “On controlling and supervising state borders”, as amended by Law No. 04/L-214; Law No. 04/L-093 “On 1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an banks, microfinance institutions and non bank financial institutions”; exception to any of the above-mentioned offences? Law No. 04/L-064 “On Kosovo agency on forensic”; Law No. 04/L- 198 “On the trade of strategic goods”; Law No. 04/L –004 “On private Subject to article 8 of the Cyber Crime Law, for a category of security services”; Law No. 03/L-046 “On the Kosovo security force”;

102 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Kosovo

Code No. 03/L-109 “Customs and excise code of Kosovo”; Law No. measures for surveillance, detection, prevention or mitigation of an 04/L-099 “On amending and supplementing the customs and excise Incident by authorised authorities in the cybercrime area. code in Kosovo”; and Law No. 03/L –178 “On classification of information and security clearances”. 2.5 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, 2.2 Are there any cybersecurity requirements under to report information related to Incidents or potential Applicable Laws applicable to critical infrastructure Incidents to a regulatory or other authority in your in your jurisdiction? For EU countries only, how jurisdiction? If so, please provide details of: (a) the (and according to what timetable) is your jurisdiction circumstance in which this reporting obligation is expected to implement the Network and Information triggered; (b) the regulatory or other authority to Systems Directive? Please include details of any which the information is required to be reported; (c) Kosovo instances where the implementing legislation in your the nature and scope of information that is required jurisdiction is anticipated to exceed the requirements to be reported (e.g. malware signatures, network of the Directive. vulnerabilities and other technical characteristics identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by Kosovo is not an EU member; however, the Ministry of Internal which the organisation might prevent publication of Affairs has adopted the State Strategy for Cyber Security and the that information. Action Plan for 2016 to 2019, drafted based on European Union practices and policies, in addition to the assessments of law There is no obligation to report information related to Incidents enforcement agencies and governmental institutions. to a special authority in Kosovo. However, the Cyber Crime Law The Kosovo Government has also made the Kosovo Police provides that the Ministry of Justice in cooperation with the Ministry available as a permanent contact point for international cooperation of Internal Affairs shall continuously maintain and supplement the in the field of cybercrime. In this regard, the Kosovo Police should database on cybercrime. ensure ongoing international cooperation and assistance in the field In principle, in order to report any criminal offence, a criminal of cybercrime, order data retention and confiscation of equipment complaint may be filed by any person to the police station in the area containing data, as well cooperate with all competent Kosovo where the crime was committed or to the competent state prosecutor in authorities while undertaking execution actions. writing, by technical means of communication or orally. For practical reasons, criminal offences are typically reported to the police station. 2.3 Are organisations required under Applicable Laws, After receiving information of a suspected criminal offence, the police or otherwise expected by a regulatory or other shall investigate whether there is reasonable suspicion that a criminal authority, to take measures to monitor, detect, prevent offence prosecuted ex officio has been committed. The police shall or mitigate Incidents? If so, please describe what investigate a criminal complaint and shall take all the necessary steps measures are required to be taken. (i.e. to locate the perpetrator, to prevent, detect and preserve traces and other evidence, to collect all the information that may be of use The Cyber Crime Law provides that authorities and public in criminal proceedings, etc.). In order to perform these tasks, the institutions with competence in this area, service providers, non- police are authorised, under the provisions of the Criminal Procedure governmental organisations and civil society representatives Code (Law No. 04/L-123), to gather information from individuals, should carry out activities and programmes for the prevention of to take all the necessary steps to establish the identity of the persons, cybercrime and develop policies, practices, measures, procedures and to interview witnesses or possible suspects, etc. and minimum standards for the security of computer systems and should also organise information campaigns on cybercrime and Based on such collected information, the police drafts the criminal risks for computer system users. complaint and submits it to the competent state prosecutor. The public prosecutor is obliged to act according to the criminal The Ministry of Justice, the Ministry of Internal Affairs, the complaint, i.e. to initiate proceedings (file an indictment) or to Ministry of Transport and Communications, the Ministry of Public dismiss the criminal complaint. Services, and the Kosovo Intelligence Services shall develop special training programmes for personnel for the purpose of preventing and fighting cybercrime in accordance with specific competencies. 2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information It is to be noted that the Government of Kosovo has presented a draft related to Incidents or potential Incidents with: (a) Law on Cyber Security which should be enacted within 2018. This a regulatory or other authority in your jurisdiction; law should specify the obligations and safety measures to be taken by (b) a regulatory or other authority outside your the responsible natural or legal persons in the field of cybersecurity. jurisdiction; or (c) other private sector organisations or trade associations in or outside your jurisdiction?

2.4 In relation to any requirements identified in question 2.3 above, might any conflict of laws issues The applicable legislation is silent in this regard. arise? For example, conflicts with laws relating to the unauthorised interception of electronic 2.7 Are organisations required under Applicable Laws, or communications or import / export controls of otherwise expected by a regulatory or other authority, encryption software and hardware. to report information related to Incidents or potential Incidents to any affected individuals? If so, please We have not identified any provisions that could lead to conflicts of provide details of: (a) the circumstance in which laws issues. However, in certain cases, the provisions of Law No. this reporting obligation is triggered; and (b) the 05/L -030 “On interception of electronic communications”, which nature and scope of information that is required to be govern the procedures and conditions for authorised interception reported. of electronic communications, may come into conflict with the Subject to the Cyber Crime Law, the prosecutor is obliged to notify

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 103 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Kosovo

in writing, by the end of the investigations, the persons who are under investigation. 3 Specific Sectors

2.8 Do the responses to questions 2.5 to 2.7 change if the 3.1 Does market practice with respect to information information includes: (a) price sensitive information; security (e.g. measures to prevent, detect, mitigate (b) IP addresses; (c) email addresses (e.g. an email and respond to Incidents) vary across different address from which a phishing email originates); (d) business sectors in your jurisdiction? Please include personally identifiable information of cyber threat details of any common deviations from the strict legal actors; and (e) personally identifiable information of requirements under Applicable Laws. individuals who have been inadvertently involved in

Kosovo an Incident? There is no consolidated practice in the area of cybercrime to make this assessment. The applicable legislation does not address this issue.

3.2 Are there any specific legal requirements in relation 2.9 Please provide details of the regulator(s) responsible to cybersecurity applicable to organisations for enforcing the requirements identified under in: (a) the financial services sector; and (b) the questions 2.3 to 2.7. telecommunications sector?

The State Prosecutor and the Courts are the institutions responsible There are no specific requirements as regards to cybersecurity in for the prosecution and punishment of perpetrators of criminal different organisations. However, as regards to the telecommunication offences and for the confiscation of property acquired through sector, there are specific obligations for the purpose of criminal criminal offences. proceedings for entrepreneurs of public electronic communications Also, listed below are institutions relevant to the cybercrime area: services and networks based on the Law “On electronic communications” (Law No. 04/L-109). As regards to the financial ■ The Ministry of Internal Affairs is responsible for the drafting sector, financial institutions in Kosovo are bound by the provisions and monitoring of policies and legislation in the field of overall security and cybersecurity. of the Law “On the prevention of money laundering and combating financing of terrorism” (Law No. 05/L-096), which provides measures ■ The Kosovo Police, as a law enforcement agency, has the and procedures for detecting and preventing criminal offences of primary responsibility in combating all forms of cybercrime within the Cybercrime Sector and for implementing specific money laundering and combating terrorist financing. supporting structures. The Kosovo Police also serves as a contact point for international cooperation in the field of cybercrime. 4 Corporate Governance ■ The Kosovo Security Council Secretariat, as an integral part of the Kosovo Security Council, prepares periodic reports for 4.1 In what circumstances, if any, might a failure by the Government of the Republic of Kosovo and the Kosovo a company (whether listed or private) to prevent, Security Council dealing with security policy issues. mitigate, manage or respond to an Incident amount to ■ The Kosovo Intelligence Agency identifies threats that a breach of directors’ duties in your jurisdiction? endanger Kosovo’s security, such as the threat to territorial integrity, institutional integrity, constitutional order, stability We have not identified such circumstances based on the applicable and economic development, as well as threats to global legislation. security to the detriment of Kosovo. ■ The National Agency for the Protection of Personal Data 4.2 Are companies (whether listed or private) required ensures that controllers respect their obligations regarding under Applicable Laws to: (a) designate a CISO; the protection of personal data and that data subjects are (b) establish a written Incident response plan or informed about their rights and obligations in accordance policy; (c) conduct periodic cyber risk assessments, with the Law “On protection of personal data”. The Ministry including for third party vendors; and (d) perform of Justice, the Ministry for the Kosovo Security Force, the penetration tests or vulnerability assessments? Ministry of Economic Development, the Ministry of Foreign Affairs, the Ministry of Finance, as well as the Regulatory There is no such responsibility provided under the Applicable Laws Authority of Electronic Data and Postal Communications and the Information Society Agency contribute to cybersecurity for companies. in their relevant fields. 4.3 Are companies (whether listed or private) subject to any specific disclosure requirements in relation 2.10 What are the penalties for not complying with the to cybersecurity risks or Incidents (e.g. to listing requirements identified under questions 2.3 to 2.8? authorities, the market or otherwise in their annual reports)? There are no penalties provided for by the applicable legislation. No, they are not. 2.11 Please cite any specific examples of enforcement action taken in cases of non-compliance with the 4.4 Are companies (whether public or listed) subject to above-mentioned requirements. any other specific requirements under Applicable Laws in relation to cybersecurity? We are not aware of any enforcement actions taken in this area. No, they are not.

104 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Kosovo

5 Litigation 7.2 Are there any Applicable Laws (e.g. whistle-blowing laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents 5.1 Please provide details of any civil actions that may be by an employee? brought in relation to any Incident and the elements of that action that would need to be met. The Law “On witness protection” (Law No. 04/L-015) may limit the reporting of Incidents. Such a law provides for special and Civil actions that may be brought would be those of claiming urgent measures and procedures for witness protection if there is a compensation of damages in virtue of the Law “On obligations serious threat to a person and the person’s close relatives and if that relationship” (Law No. 04/L-077). In that case, the culpability of person accepts to cooperate closely with the Courts or investigatory Kosovo a person that has caused damages in relation to any Incident should authorities. be proven. Defence measures may be applied before, during and after criminal proceedings for the person considered to be endangered, with regard 5.2 Please cite any specific examples of cases that to the investigation of the following criminal offences: have been brought in your jurisdiction in relation to Incidents. i. A criminal offence against Kosovo, its citizens and its inhabitants. From the review of some of the published decisions of the Basic ii. A criminal offence against international law. Courts and the Supreme Court adopted during 2016 and 2017, we iii. A criminal offence against the economy. have not identified any decision adopted in this respect. Based on iv. A criminal offence against official duty. media reports, there have been several cases of prosecution for v. A criminal offence for which a punishment of five or more possession or use of passwords, software or other tools to commit years of imprisonment is prescribed by law. cybercrime, prosecuted in connection with the criminal offence of of banks and credit cards. 8 Investigatory and Police Powers

5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident? 8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable There are no such liabilities provided under Kosovo law. Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident.

6 Insurance Pursuant to the Criminal Procedure Code (Law No. 04/L-123), the state prosecutor may undertake investigative actions or authorise the police to undertake investigative actions regarding the collection of 6.1 Are organisations permitted to take out insurance evidence. In the latter case, the police shall investigate criminal against Incidents in your jurisdiction? offences and shall take all the steps necessary to locate the perpetrator, to prevent the perpetrator or his/her accomplice from Such a type of insurance does not exist in practice. hiding or fleeing, to detect and preserve traces and other evidence of the criminal offence and objects which might serve as evidence, 6.2 Are there any regulatory limitations to insurance and to collect all the information that may be of use in the criminal coverage against specific types of loss, such as proceedings. business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover? 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide There are no such regulatory limitations provided by the Applicable law enforcement authorities with encryption keys? Laws. There are no such requirements. 7 Employees

7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for the purposes of preventing, detection, mitigating and responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents by employees to their employer?

There are no such requirements provided by the applicable legislation.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 105 © Published and reproduced with kind permission by Global Legal Group Ltd, London Boga & Associates Kosovo

Sokol Elmazaj Delvina Nallbani Boga & Associates Boga & Associates Nene Tereza Str. Entry 30 Nene Tereza Str. Entry 30 No. 5 Pristina No. 5 Pristina Kosovo Kosovo

Tel: +381 38 223 152 Tel: +381 38 223 152 Email: [email protected] Email: [email protected] URL: www.bogalaw.com URL: www.bogalaw.com Kosovo Sokol joined Boga and Associates in 1996. Delvina is a Senior Associate at Boga & Associates, which she joined in 2012. He is a Partner of the firm and Country Manager for Kosovo. Her practice is mainly focused on providing legal advice to clients on He has extensive expertise in corporate, mergers and acquisitions, a wide range of corporate, business and banking matters. She also project financing, privatisation, real estate projects, energy, provides assistance in advising investors on a number of transactions, telecommunication, and dispute resolution. He is continuously including mergers and acquisitions, and privatisations. involved in providing legal advice to numerous project-financing transactions, mainly on concessions and privatisations, with a focus Delvina graduated in Law at the University of Zagreb, and is a member on energy and infrastructure, both in Albania and Kosovo. of the Kosovo Bar Association Sokol also conducted a broad range of legal due diligences for She is fluent in Croatian and English. international clients considering to invest in Albania or Kosovo in the fields of industry, telecommunications, banking, real estate, etc. He is an authorised trademark attorney and has an expertise in trademark filing strategy and trademark prosecution, including IP and litigation issues. Sokol is continuously ranked as a Leading Lawyer in the well-known guides Chambers Global, Chambers & Partners and IFLR1000. Sokol graduated in Law at the University of Tirana in 1996 and is admitted to practice in Albania and Kosovo. He is also an arbiter listed in the roster of the American Chamber of Commerce of Kosovo. He is fluent in English and Italian.

Boga & Associates, established in 1994, has emerged as one of the premier law firms in Albania, earning a reputation for providing the highest quality of legal, tax and accounting services to its clients. The firm also operates in Kosovo (Pristina) offering a full range of services. Until May 2007, the firm was a member firm of KPMG International and the Senior Partner/Managing Partner, Mr. Genc Boga, was also the Senior Partner/Managing Partner of KPMG Albania. The firm’s particularity is linked to the multidisciplinary services it provides to its clients, through an uncompromising commitment to excellence. Apart from the widely consolidated legal practice, the firm also offers the highest standards of expertise in tax and accounting services, with keen sensitivity to the rapid changes in the Albanian and Kosovo business environment. The firm delivers services to leading clients in major industries, banks and financial institutions, as well as to companies engaged in insurance, construction, energy and utilities, entertainment and media, mining, oil and gas, professional services, real estate, technology, telecommunications, tourism, transport, infrastructure and consumer goods. The firm is continuously ranked as a “top tier firm” by The Legal 500, by Chambers and Partners for Corporate/Commercial, Dispute Resolution, Projects, Intellectual Property, Real Estate, as well as by IFLR in Financial and Corporate Law. The firm is praised by clients and peers as a “law firm with high-calibre expertise”, “the market-leading practice”, “a unique legal know-how”, distinguished “among the elite in Albania” and described as “accessible, responsive and wise”.

106 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 17

Malaysia

Christopher & Lee Ong Deepak Pillai

an offence, regardless of whether the communication ensued and 1 Criminal Activity whether or not the person initiating such communication disclosed their identity. 1.1 Would any of the following activities constitute a A person found guilty of an offence under section 233(1)(b) is liable criminal offence in your jurisdiction? If so, please to a fine not exceeding RM50,000 or imprisonment not exceeding provide details of the offence, the maximum penalties one year, or both, and shall also be liable to a further fine of RM1,000 available, and any examples of prosecutions in your for every day that the offence is continued after conviction. jurisdiction: To date, there are no reported cases under section 233(1)(b) of the Hacking (i.e. unauthorised access) CMA. Yes. Under section 3 of the Computer Crimes Act 1997 (“CCA”), Phishing it is an offence if a person knowingly and intentionally accesses a There are no specific offences with regard to phishing. However, computer without authorisation and causes a computer to perform other statutory provisions may be applicable in tackling phishing any function with the intent to secure access to any program or data offences. held in any computer. Under section 416 of the Malaysian Penal Code, any person is said A person found guilty of an offence under section 3 is liable to a to “cheat by personation”, if he cheats by pretending to be some fine not exceeding RM50,000 or imprisonment not exceeding five other person, or by knowingly substituting one person for another, or years, or both. representing that he or any other person is a person other than he or In PP v Vishnu Devarajan [2016] 1 LNS 1066, the accused such other person really is. The offence of cheating by personation was charged under section 3 of the CCA for accessing without is punishable with imprisonment for a term which may extend to authorisation the servers of a broadcast centre and the server seven years and/or a fine. database of a Malaysian radio network company. However, all To date, there are no reported cases specifically in relation to charges were dropped due to technical and procedural errors in the phishing. prosecution of the case. Infection of IT systems with malware (including ransomware, Section 4 of the CCA creates a further offence against persons spyware, worms, trojans and viruses) who commit a hacking offence under section 3 with the intent to: Infection of IT systems with malware is an offence punishable under (i) commit an offence involving fraud or dishonesty which causes the CCA. Under section 5 of the CCA, it is an offence for a person injury under the Malaysian Penal Code (the main penal statute in to do any act which he knows will cause unauthorised modification Malaysia) (the “Penal Code”); or (ii) facilitate the commission of the contents of any computer. of such an offence whether by himself or any other person. A A person found guilty of an offence under section 5 is liable to a fine person found guilty under section 4 is liable to a fine not exceeding not exceeding RM100,000 or imprisonment not exceeding 10 years RM150,000 or imprisonment not exceeding 10 years, or both. or both if the act was done with the intention of causing injury. In Basheer Ahmad Maula Sahul Hameed v PP [2016] 6 CLJ 422, In PP v Roslan and Anor [2016] 1 LNS 651, the accused who the two accused persons, who were husband and wife, where the worked as a Systems Analyst in the IT Department of the Malaysian wife worked in a bank, were convicted under section 4(1) of the Hajj Pilgrims Fund Board was convicted under section 5(1) of the CCA for using a debit card belonging to an airplane accident victim CCA for modifying pilgrims records in the organisation’s database to withdraw cash from an ATM and for transferring money from without authorisation. several other victims’ online banking accounts without authorisation. In PP v Vishnu Devarajan [2016] 1 LNS 1066, the accused was Denial-of-service attacks charged under section 5 of the CCA for, amongst others, carrying There is no specific provision which provides for denial-of-service out the following without authorisation: downloading and launching attacks. However, under section 233(1)(b) of the Communications software; running and stopping certain processes on servers; and and Multimedia Act 1998 (“CMA”), a person who continuously, running certain programs on the database server of a broadcast repeatedly or otherwise initiates a communication using any centre. However, all charges were dropped due to technical and applications services with the intent to annoy, abuse, threaten or procedural errors in the prosecution of the case. harass any person at any numbered or electronic address commits

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 107 © Published and reproduced with kind permission by Global Legal Group Ltd, London Christopher & Lee Ong Malaysia

Possession or use of hardware, software or other tools used to an offence to: use any apparatus or device with the intent to obtain commit cybercrime (e.g. hacking tools) information regarding the contents, sender or addressee of any Under section 236 of the CMA, it is an offence for a person to possess communication without an approval by a registered certifying agency or use any counterfeit access devices, unauthorised access devices (section 231 of the CMA); possess or create a system designed to (e.g. lost, stolen, expired or obtained with the intention to defraud), fraudulently use or obtain any network facilities, network service, any device-making equipment intended to make counterfeit access applications service or content applications service (section 232(2) devices, or any other equipment or device modified or altered or of the CMA); intercept, attempt to intercept, or procure any other intended to alter or modify such other equipment or device in order person to intercept or attempt to intercept, any communications to obtain unauthorised access to any network services, etc. (section 234 of the CMA); and extend, tamper with, adjust, alter, remove, destroy or damage any network facilities or any part thereof Possession or use of the above is an offence and the offender would Malaysia (section 235 of the CMA). be liable to a fine not exceeding RM500,000 or to imprisonment not exceeding five years, or both. A person who is found liable for any of the above offences under the CMA may upon conviction be held liable to a maximum fine ranging Under section 240 of the CMA, it is an offence to distribute or from RM50,000 to RM300,000 or imprisonment not exceeding two advertise any communications equipment or device for interception to three years, or both. of communication. An offence under this section would render the offender liable to a fine not exceeding RM100,000 or to In relation to personal data, organisations are required to ensure the security of individuals’ personal data (section 9 of the Personal Data imprisonment not exceeding two years, or both. Protection Act 2010, the “PDPA”), and in this regard are required To date, there are no reported cases either under section 236 or to comply with the minimum security standards prescribed by the section 240 of the CMA. Personal Data Protection Standards 2015 (the “PDP Standards”). Identity theft or identity fraud (e.g. in connection with access Non-compliance with section 9 of the PDPA may expose the devices) offender to a fine not exceeding RM100,000 or imprisonment not The Penal Code contains provisions on cheating by personation. exceeding two years or both, whereas non-compliance with any of Although not cyber-specific, section 416 of the Penal Code (as the security standards under the PDP Standards may result in the discussed above) may apply to identity theft. Under section 416 of offender being held liable to a fine not exceeding RM250,000 or the Penal Code, it is an offence to “cheat by personation”, i.e. where a imprisonment not exceeding two years, or both. person cheats by pretending to be some other person, or by knowingly To date, there are no reported cases prosecuted under any of the substituting one person for another, or representing that he or any abovementioned provisions of the CMA or PDPA. other person is a person other than he or such person really is. Failure by an organisation to implement cybersecurity measures To date, while there has been news of individuals committing There is currently no legislation which imposes a blanket identity theft or fraud, such cases have usually been tried on the requirement in respect of implementing cybersecurity measures. basis of contravening national registration regulations (in relation The closest is the PDPA which only applies to organisations to impersonating or theft of identification cards). There have been involved in commercial transactions and expressly excludes the no reported cases for actions on identity theft or identity fraud Government of Malaysia. specifically in the context of cybersecurity or cybercrimes. Organisations that are involved in processing personal data are Electronic theft (e.g. breach of confidence by a current or former required to implement minimum security standards as prescribed employee, or criminal copyright infringement) by the PDP Standards, or such other standards as prescribed by the Under Malaysian law, the right to bring an action for breach of Personal Data Protection Commissioner (the “PDP Commissioner”) confidence stems from common law, or pursuant to the contracts of from time to time. employment which generally contain confidentiality clauses and as Certain sectors are additionally subject to the guidelines requiring such would not constitute a criminal offence. the implementation of certain cybersecurity measures, for example: Copyright owners have the right to bring an action for copyright (a) in the capital market industry, capital market entities are infringement either as a civil or criminal offence. Section 41 of subject to cybersecurity requirements as set out in the the Copyright Act 1987 sets out a range of offences for copyright Guidelines on Management of Cyber Risk issued by the infringement, which include making for sale or hire, distributing, Securities Commission of Malaysia (“SC”); and and exhibiting in public any infringing copy during the subsistence (b) in the banking and financial sector, banks and financial of copyright in a work or performer’s right. institutions are subject to the requirements as set out in the Guidelines on Management of IT Environment (GPIS 1) In Chuah Gim Seng & More Again v SO [2009] 10 CLJ 65, the issued by the Central Bank of Malaysia or Bank Negara appellants were found guilty and convicted for the sale of copies of Malaysia (“BNM”). pirated films. The penalty imposed was RM2,000 for each copy for each charge and in default a four-month jail term for failure to pay for each charge. 1.2 Do any of the above-mentioned offences have extraterritorial application? In PP v Haw Swee Po [2011] 5 LNS 23, the accused was tried for possession and use (other than for private and domestic use) of Yes. The CCA, CMA, and to a certain extent, the Penal Code 3,300 copies of seven films in DVD format. The court sentenced (in relation to terrorism and offences against the state) have the accused to 14 months’ imprisonment. extraterritorial application. Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data 1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an Activities which adversely affect or threaten the security, exception to any of the above-mentioned offences? confidentiality, integrity or availability of IT systems, infrastructures, etc. are prohibited or regulated under the CMA. For example, it is For organisations that are subject to cybersecurity obligations

108 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Christopher & Lee Ong Malaysia

or requirements (e.g. PDPA, sector-specific cybersecurity network services; prohibits the use and possession of counterfeit requirements), there are no specific actions specified in the statutes access devices; prohibits use of equipment or device in order to or guidelines which might mitigate the penalty which would obtain unauthorised access to any network services; and prohibits otherwise be incurred by reason of any breach or non-compliance by interception of any communications unless with lawful authority. the organisation. However, it is reasonable to infer that cooperation Computer Crimes Act 1997 (CCA) with the relevant regulators or enforcement authorities, or active The CCA criminalises: the act of gaining unauthorised access into steps taken to mitigate the loss or damage caused by any of the computers or networks; spreading of malicious codes (e.g. viruses, offences, may serve to mitigate the severity of penalty to be imposed worms and Trojan horses); and unauthorised modification of any by the regulators or enforcement authorities. program or data on a computer as well as wrongful communication of any means of access to a computer to an unauthorised person. Malaysia 1.4 Are there any other criminal offences (not specific Depending on the type of offence committed, the fine for a convicted to cybersecurity) in your jurisdiction that may arise offence ranges from RM25,000 to RM150,000 or imprisonment of in relation to cybersecurity or the occurrence of an three to ten years or both. The case Basheer Ahmad Maula Sahul Incident (e.g. terrorism offences)? Please cite any Hameed v PP [2016] 6 CLJ 422 (as discussed in ‘Hacking’ in specific examples of prosecutions of these offences in a cybersecurity context. question 1.1 above) is an example of an offence under the CCA. Penal Code It is generally an offence (even though not specific to cybersecurity) In cases where computer-/Internet-related crime activities are to commit or facilitate terrorism activities, e.g. where there is involved, but do not specifically fall within the ambit of any of financing of terrorism, or participation or indication of support to the aforementioned statutes (for example, online fraud, cheating, terrorist groups or activities (section 130J of the Penal Code). criminal defamation, intimidation, gambling, pornography, etc.), In the context of cyberterrorism, sub-section (2)(k) of section 130J such offences may be charged under the Penal Code, which is the specifically provides that “support” to a terrorist group extends to main statute that deals with a wide range of criminal offences and the act of “using social media or any other means to: procedures in Malaysia. (i) advocate for or to promote a terrorist group, support for a Personal Data Protection Act 2010 (PDPA) terrorist group or the commission of a terrorist act; or The PDPA regulates the processing of personal data in commercial (ii) further or facilitate the activities of a terrorist group”. transactions and applies to anyone who processes and has control While Malaysian enforcement authorities have regularly taken over or authorises the processing of any personal data in respect of steps to block or remove known terrorist websites, there have commercial transactions. been no reported cases in respect of cyberterrorism under the The most relevant PDPA principle in the context of cybersecurity abovementioned section 130J(2)(k) of the Penal Code. would be the Security Principle i.e. appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing of personal data and accidental 2 Applicable Laws loss, misuse, modification or unauthorised disclosure of personal data. 2.1 Please cite any Applicable Laws in your jurisdiction The Personal Data Protection Commissioner has also issued applicable to cybersecurity, including laws applicable subsidiary legislation pursuant to the PDPA, among which are the to the monitoring, detection, prevention, mitigation Personal Data Protection Regulations 2013 (the “Regulations”) and and management of Incidents. This may include, the Personal Data Protection Standard 2015 (the PDP Standards), for example, laws of data protection, intellectual which provide specific requirements regarding security standards property, breach of confidence, privacy of electronic communications, information security, and import / expected of data users. export controls, among others. Copyright Act 1987 (“Copyright Act”) The Copyright Act generally protects copyrights, including trade As at the date of publication of this Guide, there is no single secrets, intellectual property in devices or data, etc. Where any legislation in Malaysia in respect of cybersecurity. However, in technological protection measure is applied to any copyright, it is an June 2017, the Malaysian Home Minister announced that a new offence under the Copyright Act to circumvent such technological cybersecurity bill will be drafted and tabled in Parliament, in order protection measures (section 36A of the Copyright Act). No person shall to combat cybercrimes, including recruitment and financial sourcing offer such technology or device which allows for the circumvention by terrorist groups, money laundering and online gambling. of such technological protection measures, and non-compliance with Notwithstanding the above, the current laws which relate to the provision would be an offence and the person guilty of the offence cybersecurity in Malaysia include: may be held liable to a fine not less than RM2,000 and not more than Communications and Multimedia Act 1998 (CMA) RM20,000 or imprisonment not exceeding five years, or both. The CMA provides for and regulates the converging areas of Strategic Trade Act 2010 (“Strategic Trade Act”) communications and multimedia. In particular, the CMA regulates The Strategic Trade Act 2010 is the legislation that controls the various activities carried out by licensees (i.e. network facilities export, trans-shipment, transit and brokering of strategic items providers, network service providers, applications service providers and technology, as well as activities that will or may facilitate the and content applications service providers) as well as those utilising design, development, production and delivery of weapons of mass the services provided by the licensees. One of the objects of the destruction. The Strategic Trade Act, which is consistent with CMA is to ensure information security and network reliability and Malaysia’s international obligations on national security, prohibits integrity in Malaysia. The CMA: requires licensees to use best the import or export of strategic items, including items deemed as endeavour to prevent network facilities or network services from ‘strategic technology’ (i.e. controlled items as determined by the being used for the commission of any offence under Malaysian Minister of International Trade and Industry in Malaysia, such as laws; prohibits fraudulent or improper use of network facilities or encryption technology) (section 9 of the Strategic Trade Act).

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 109 © Published and reproduced with kind permission by Global Legal Group Ltd, London Christopher & Lee Ong Malaysia

applications services or content applications services from being 2.2 Are there any cybersecurity requirements under used in, or in relation to, the commission of any offence under any Applicable Laws applicable to critical infrastructure law of Malaysia. in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction Apart from the above, several sector-specific standards and expected to implement the Network and Information guidelines also require organisations to apply security measures. Systems Directive? Please include details of any Some examples of these are Guidelines on Internet Insurance instances where the implementing legislation in your for the Insurance Sector, BNM Guidelines on the Provision of jurisdiction is anticipated to exceed the requirements Electronic Banking (e-banking) Services, BNM Guidelines on of the Directive. Data Management and Management Information System (MIS) Framework for the Banking Sector, and the Securities Commission Malaysia The Malaysian Government, under the National Cyber Security Malaysia’s Guidelines on Management of Cyber Risk. These Policy (“NCSP”) has identified ten critical sectors in Malaysia standards and guidelines will be further discussed below. known as the Critical National Information Infrastructure (“CNII”) which are required to be protected to a level that is commensurate with the risks faced. These CNII sectors are: 2.4 In relation to any requirements identified in question 2.3 above, might any conflict of laws issues ■ National Defence and Security; arise? For example, conflicts with laws relating ■ Banking and Finance; to the unauthorised interception of electronic ■ Information and Communications; communications or import / export controls of encryption software and hardware. ■ Energy; ■ Transportation; No such issues have arisen thus far in Malaysia. ■ Water; ■ Health Services; 2.5 Are organisations required under Applicable Laws, or ■ Government; otherwise expected by a regulatory or other authority, ■ Emergency Services; and to report information related to Incidents or potential ■ Food and Agriculture. Incidents to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the While there are no minimum protective measures in general and circumstance in which this reporting obligation is across sectors to protect data and information technology systems triggered; (b) the regulatory or other authority to from Incidents (save for security requirements in relation to which the information is required to be reported; (c) personal data under the PDPA), the government of Malaysia has the nature and scope of information that is required stipulated ISO/IEC 27001 Information Security Management to be reported (e.g. malware signatures, network vulnerabilities and other technical characteristics Systems (“ISMS”) as the baseline standard for information security identifying an Incident or cyber attack methodology); and has proposed for all CNII sectors (as listed above) to be ISMS- and (d) whether any defences or exemptions exist by certified. Such standards have been incorporated in certain sector- which the organisation might prevent publication of specific guidelines/handbooks. Penalties for failure to undertake that information. such protective measures would be as prescribed by the respective standards/guidelines. There are generally no applicable laws in Malaysia that require organisations to report information related to Incidents or potential 2.3 Are organisations required under Applicable Laws, Incidents to a regulatory or other authority. or otherwise expected by a regulatory or other However, certain sector-specific guidelines have been issued authority, to take measures to monitor, detect, prevent imposing such requirements. Some examples are as follows: or mitigate Incidents? If so, please describe what measures are required to be taken. ■ Banking Sector: BNM’s Guidelines on Management of IT Environment (“GPIS 1”) outline the minimum responsibilities and requirements for mitigating risks pertaining to the IT The PDPA regulates the processing of personal data in the context environment. Under the Guidelines, banks are required to of commercial transactions, including for the purpose of ensuring report to BNM on any serious security breaches, system the security of such data. Under the Regulations, organisations that down-time and degradation in system performance that process personal data (i.e. data users under the PDPA) are required critically affects the bank/financial institution immediately to develop a security policy to ensure that personal data is protected upon detection by providing ‘initial information/observation’ from any loss, misuse, modification, unauthorised or accidental and the subsequent formal report within two days; and access or disclosure, alteration or destruction. ■ Capital Market: Securities Commission Malaysia’s Guidelines on Management of Cyber Risk sets out the roles Further to the above, the PDP Standards prescribe a list of and responsibilities of capital market entities, policies and minimum security standards to be complied with by the data procedures that should be developed and implemented, users (e.g. prohibition of the use of removable media devices or requirements for managing cyber risk and reporting cloud computing services for transfer or storage of personal data, requirements to the Securities Commission Malaysia. Under unless with written authorisation from the top management of the the said Guidelines, the capital market entities must report organisation, ensuring the organisation’s backup/recovery system to the Securities Commission Malaysia on any detection of and anti-virus software are regularly updated to protect personal a cyber Incident impacting the entity’s information assets or data from data intrusion or security breach; contractually bind third systems on the same day of the Incident. The entities are also party data processors in respect of data processing activities, etc.). required to report any cyber breaches to the board of directors and periodically update the board on emerging cyber threats From the perspective of the CMA in turn, section 263 requires and their potential impact to the entity. all network facilities or network service providers to use their best endeavours to prevent network facilities or network services,

110 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Christopher & Lee Ong Malaysia

Sector/Subject Relevant Statute/ Regulator 2.6 If not a requirement, are organisations permitted by Matter Regulations Applicable Laws to voluntarily share information Malaysian related to Incidents or potential Incidents with: (a) Information Security/ Communications Communications and a regulatory or other authority in your jurisdiction; Network Reliability and Multimedia Multimedia Act 1998 (b) a regulatory or other authority outside your and Integrity Commission jurisdiction; or (c) other private sector organisations (MCMC) or trade associations in or outside your jurisdiction? Personal Data Protection Personal Data Personal Data Department/ While there are no general restrictions with regards to voluntary Protection Act 2010 sharing of information pertaining to an Incident, this is subject Commissioner’s Office to sector-specific regulations and regulatory oversight which Malaysia Penal Code, Royal Malaysian may constrain an organisation from sharing such information. Penal Offences Computer Crimes Act Police Additionally, where the information involves personal data, the 1997 organisation needs to make sure that the disclosure of the said Central Bank of Banking and Malaysia or Bank personal data must fall within the exceptions under the PDPA. Financial Sector Negara Malaysia Guidelines Sector-Specific (BNM) Regulations 2.7 Are organisations required under Applicable Laws, or Securities Securities otherwise expected by a regulatory or other authority, Commission Commission to report information related to Incidents or potential Guidelines Malaysia (SC) Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the 2.10 What are the penalties for not complying with the nature and scope of information that is required to be requirements identified under questions 2.3 to 2.8? reported.

Penalties for failure to comply with any of the abovementioned While there is no general requirement under Applicable Laws for requirements are dependent upon the respective statutes, regulations organisations to report information relating to Incidents or potential or guidelines, for example: Incidents to affected individuals, certain sector-specific guidelines require organisations to implement policies or procedures to inform ■ non-compliance with the PDPA may result in the organisation, the relevant stakeholders of the Incident (e.g. the SC Guidelines on upon conviction, to be liable to a maximum fine ranging from RM100,000 to RM500,000 or imprisonment term ranging Management of Cyber Risk requires the relevant entity to implement from one to three years, or both; communication procedures that will be activated by the entity in ■ non-compliance with the provisions under the CMA may the event of a cyber breach, which include reporting procedures, result in the organisation, upon conviction, to be liable to a information to be reported, communication channels, list of internal maximum fine ranging from RM50,000 to RM500,000 or and external stakeholders and communication timeline). imprisonment term ranging from one to five years, or both; ■ contravention with the provisions under the CCA or Penal 2.8 Do the responses to questions 2.5 to 2.7 change if the Code would subject the organisation to enforcement by the information includes: (a) price sensitive information; Royal Malaysian Police, and may expose the organisation (b) IP addresses; (c) email addresses (e.g. an email to liability involving a fine ranging from RM25,000 to address from which a phishing email originates); (d) RM150,000 or imprisonment of three to ten years, or both; or personally identifiable information of cyber threat ■ non-compliance with the relevant sector-specific guidelines actors; and (e) personally identifiable information of may expose the organisation to enforcement actions by the individuals who have been inadvertently involved in relevant regulators (e.g. BNM or the SC), and may subject an Incident? the organisation to regulatory sanctions such as warning, public or private reprimands, order to mitigate remedy the No, they do not. non-compliance, or even imposition of a monetary penalty. In cases involving severe non-compliance, the regulators may commence prosecution against the organisation. 2.9 Please provide details of the regulator(s) responsible for enforcing the requirements identified under questions 2.3 to 2.7. 2.11 Please cite any specific examples of enforcement action taken in cases of non-compliance with the Regulators responsible for enforcing requirements are generally above-mentioned requirements. either sector-specific or subject-matter specific, including but not limited to: There are no reported cases in Malaysian law journals in relation to any non-compliance of the abovementioned requirements. From the regulatory perspective, regulators may impose regulatory sanctions on their licensees. These regulatory sanctions may be issued either privately (e.g. BNM) or publicly (e.g. MCMC) by regulators, depending on the regulator. A listing of investigations and prosecutions is available on MCMC’s official website.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 111 © Published and reproduced with kind permission by Global Legal Group Ltd, London Christopher & Lee Ong Malaysia

Commission or any other authority, as far as reasonably necessary, 3 Specific Sectors in preventing the committing or attempted committing of an offence under any written law of Malaysia, or otherwise in enforcing the 3.1 Does market practice with respect to information laws of Malaysia, including the protection of the public revenue and security (e.g. measures to prevent, detect, mitigate preservation of national security. and respond to Incidents) vary across different business sectors in your jurisdiction? Please include details of any common deviations from the strict legal 4 Corporate Governance requirements under Applicable Laws.

4.1 In what circumstances, if any, might a failure by

Malaysia As stated in questions 2.3 and 2.5 above, apart from the PDP a company (whether listed or private) to prevent, Standards which prescribe a list of minimum security standards mitigate, manage or respond to an Incident amount to to be complied with by data users, cybersecurity obligations and a breach of directors’ duties in your jurisdiction? requirements vary across different sectors and are imposed in sector-specific legislation, regulations, standards and/or guidelines. Failure by a company to prevent, mitigate, manage or respond to an Incident would potentially give rise to breach of directors’ duties. 3.2 Are there any specific legal requirements in relation In the event of any breach or non-compliance of statutory to cybersecurity applicable to organisations requirements by the organisation, the directors may also be held in: (a) the financial services sector; and (b) the jointly or severally liable for such breach or non-compliance. telecommunications sector? Under section 133 of the PDPA, it is expressly provided that any Financial services sector: commission of offence by the body corporate may also render the officers of the body corporate (e.g. directors, chief executive officer, Guidelines on Internet Insurance: managers, etc., who were responsible for the management of the The Guidelines state that an internet insurance system security affairs of the body corporate) to be charged severally or jointly with arrangement should minimally achieve data privacy and the body corporate, and in such instances may also be found to have confidentiality, data integrity, authentication; and non-repudiation committed the offence. and network and access controls. Insurers are required to put in Directors may also be found liable for such failure under the place critical technologies and to have a thorough and documented relevant sector-specific standards or guidelines. For example, security procedure in relation to the risk exposures and needs of its under the banking and financial sector, the Guidelines on Data internet insurance, such as: Management and MIS Framework issued by BNM provide that (a) latest critical technologies available such as firewalls, senior management and the board of directors must play a key intrusion detection systems, anti-virus or virus-protection, role in the development of a data management and information encryption, virtual private networks (VPN), public key system framework; under capital market sector, the Guidelines infrastructure (PKI) and payment protocols; and on Management of Cyber Risk issued by the SC set out the roles (b) security procedures such as User ID and passwords, time and responsibilities of the board of directors and management in stamping, reconciliation of all transactions, segregation of the oversight and management of cyber risk. These provide that roles and responsibilities, audit trails and testing. directors are subject to certain responsibilities and consequently BNM Guidelines on the Provision of Electronic Banking may be held responsible for any non-compliance thereof. (e-banking) Services: In the Guidelines on E-Banking, security standards to be applied 4.2 Are companies (whether listed or private) required are based on the risk management of different e-banking types. under Applicable Laws to: (a) designate a CISO; The Guidelines set out different minimum security standards for (b) establish a written Incident response plan or different types of banking services. For example, in transactional policy; (c) conduct periodic cyber risk assessments, services which present the greatest risk in e-banking (as it links to including for third party vendors; and (d) perform the financial institution’s internal networks and computer systems penetration tests or vulnerability assessments? that hold critical account information and other information assets), the Guidelines require utilisation of the highest level of protection There is no general requirement under Malaysian laws for including strong authentication and encrypted transmission of companies to: (a) designate a CISO; (b) establish a written Incident highly sensitive data. response plan or policy; (c) conduct periodic cyber risk assessments; Bank Negara Guidelines on Data Management and Management and (d) perform penetration tests or vulnerability assessments. Information System (MIS) Framework: Requirements are generally sector-specific and in accordance with the relevant standards or guidelines (e.g. SC Guidelines These Guidelines set out several principles and elaborate on the on Management of Cyber Risk requires cyber risk policies and specific safeguards to be applied for each principle. Among the procedures to be implemented by the organisation, and sets out safeguards required are that banks/ financial institutions are to obtain the required contents of such policies and procedures as well as an the MS ISO/IEC 27001 Information Security Management Systems Incident response template). (ISMS) certification for critical systems, particularly the payment and settlement systems, to ensure that safeguards and security measures implemented over data and IT systems are effective. 4.3 Are companies (whether listed or private) subject to any specific disclosure requirements in relation Telecommunication Sector: to cybersecurity risks or Incidents (e.g. to listing There are currently no specific cybersecurity obligations imposed authorities, the market or otherwise in their annual on licensees under the CMA. However, under section 263 of the reports)? CMA, the Commission or other authority may make requests in writing to its licensees requesting the licensees to assist the Companies are not subject to general disclosure requirements

112 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Christopher & Lee Ong Malaysia

in relation to cybersecurity risks or Incidents (whether to listing authorities, the market or otherwise in their annual reports). 6 Insurance Disclosure requirements in relation to cybersecurity risks or Incidents are sector-specific. For example, the Guidelines on 6.1 Are organisations permitted to take out insurance Management of Cyber Risk, issued by the Securities Commission against Incidents in your jurisdiction? Malaysia, requires capital market entities to develop and implement cyber risk policies and procedures, which must include the strategy Yes, organisations are permitted to take out cyber risk insurance and measures to manage cyber risk encompassing prevention, against Incidents in Malaysia. Cyber risk insurance may either be detection and recovery from a cyber breach. first-party coverage (i.e. to insure against loss and damage sustained by the insured, i.e. the organisation itself) or third-party coverage (i.e. to insure against liability for loss, damage or personal injury Malaysia 4.4 Are companies (whether public or listed) subject to caused to a third person, namely the customers or clients of the any other specific requirements under Applicable Laws in relation to cybersecurity? organisation).

Apart from the Applicable Laws (as set out at question 2.1 above), 6.2 Are there any regulatory limitations to insurance companies would also be subject to specific requirements in relation coverage against specific types of loss, such as to cybersecurity under the relevant sector-specific standards or business interruption, system failures, cyber extortion guidelines. or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover?

5 Litigation There are no known regulatory limitations in respect of cyber risk insurance coverage. However, risk exposure due to the company’s or organisation’s own negligence or wilful default will likely be 5.1 Please provide details of any civil actions that may be excluded by the insurer from the scope of insurance policy coverage. brought in relation to any Incident and the elements of that action that would need to be met. 7 Employees In the event of an Incident, the company or organisation may be subject to civil actions on grounds of breach of contract or breach of statutory duties under the Applicable Laws (as set out at question 7.1 Are there any specific requirements under Applicable 2.1 above). Law regarding: (a) the monitoring of employees for the purposes of preventing, detection, mitigating and In order to bring a claim on grounds of breach of contract, the responding to Incidents; and (b) the reporting of cyber claiming party must establish that there was a contractual duty risks, security flaws, Incidents or potential Incidents in respect of cybersecurity (e.g. duty to protect confidential by employees to their employer? information or personal data), that there was a breach of such duty, and the loss or damage occasioned by such breach. A breach of There are no specific requirements under the Applicable Laws statutory duty in itself would give rise to a right to commence civil requiring the monitoring of employees and for the employees to be action, although the quantum of damages would be dependent on under obligation to report cyber risks, security flaws, Incidents, etc. the extent of loss or damage suffered by the claiming party. The to the employer. However, sector-specific guidelines may prescribe company or organisation may also be liable under tort, as set out in that employees be made aware of and understand the cyber risk question 5.3 below. policies procedures, the possible impact of cyber threats, as well as their roles in managing such threats (Guidelines on Management of Cyber Risk, issued by the Securities Commission Malaysia). 5.2 Please cite any specific examples of cases that have been brought in your jurisdiction in relation to Incidents. 7.2 Are there any Applicable Laws (e.g. whistle-blowing laws) that may prohibit or limit the reporting of cyber An example would be Dynacraf Industries Sdn Bhd v Lee Kooi risks, security flaws, Incidents or potential Incidents Khoon [2008] 3 ILR 265 where an employer commenced action by an employee? against a dismissed employee for alleged unauthorised interception and disclosure of electronic communication (in this case, another There are no known Applicable Laws which may prohibit or employee’s private emails), in contravention with section 234 of the limit the reporting of cyber risks, security flaws, Incidents by an CMA (interception of communication). Apart from the foregoing, employee. In fact, the Whistleblower Protection Act 2010 (“WPA”) civil actions on grounds of copyright infringement and breach of was passed to encourage and facilitate the disclosures of improper confidence have been brought in Malaysian courts. conduct of companies or organisations by protecting the informants making such disclosures. It is further provided under section 6(5) of the WPA that any provision in any contract of employment which 5.3 Is there any potential liability in tort or equivalent purports to preclude the employee from making a disclosure of legal theory in relation to an Incident? improper conduct shall be to that extent void. In the event of an Incident, the company or organisation may also potentially be exposed to tortious liability on grounds of negligence, as the aggrieved party may allege loss or damage as a result of the company’s or organisation’s breach of duty of care in relation to cybersecurity.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 113 © Published and reproduced with kind permission by Global Legal Group Ltd, London Christopher & Lee Ong Malaysia

■ power to require the attendance of persons acquainted with 8 Investigatory and Police Powers the case; ■ examination of persons acquainted with the case; and 8.1 Please provide details of any investigatory powers of ■ power to institute prosecution, with consent in writing of the law enforcement or other authorities under Applicable Public Prosecutor. Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident. 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT The Royal Malaysian Police, MCMC and other relevant regulatory systems for law enforcement authorities or to provide authorities are granted wide investigatory powers under the relevant law enforcement authorities with encryption keys?

Malaysia statutes (as set out at question 2.9 above). In general, the law enforcement or regulatory authorities are While there are no legal requirements under the Applicable Laws for authorised under the relevant statutes to exercise the following organisations to implement backdoors in IT systems specifically for investigatory powers during an investigation: law enforcement authorities, several cybersecurity-related statutes ■ power to investigate the relevant persons; provide the need for law enforcement authorities to be provided with ■ search and seizure, by warrant or without warrant; the relevant encryption keys, passwords, decryption codes, software ■ request for access to computerised data; or hardware or any other means required in order to have access to computerised data during the course of investigations (section 249 ■ power to intercept communications; of the CMA; section 10 of the CCA). ■ power to require the production of records, accounts, computerised data, documents, etc., and to make such inquiry as may be necessary to ascertain if the relevant statutory provisions have been complied with;

114 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Christopher & Lee Ong Malaysia

Deepak Pillai Christopher & Lee Ong Level 22 Axiata Tower, No. 9 Jalan Stesen Sentral 5 Kuala Lumpur Sentral, 50470 Kuala Lumpur Malaysia

Tel: +60 3 2267 2675 Email: [email protected] URL: www.christopherleeong.com

Deepak has practised exclusively in the areas of Telecommunications Malaysia & Technology law and Personal Data Protection for two decades and is acknowledged as a leading Telecommunications & Technology lawyer in Malaysia. Deepak advises clients on matters relating to IT contracts, electronic commerce, online financial services, outsourcing, telecommunications, IT security, personal data protection and digital media. He advises a wide array of international, private and public sector clientele in addressing the commercial, regulatory and policy issues relating to information and communications technology law, ranging from negotiating complex information technology contracts to advising public sector agencies on proposed technology related legislation and policies. Described in the The Legal 500 over the years as “the most recognised IT specialist in Malaysia”, and “pioneering the practice of IT law as a discrete area of law in Malaysia”. Deepak has been listed by the Asia Pacific Legal 500 as a leading individual in the area of IT and Telecommunications since 2001 to the current date.

Christopher & Lee Ong (“CLO”) is one of Malaysia’s established and respected law firms, providing high-quality advice to clients across the commercial spectrum, with extensive experience in handling complex deals and disputes involving large local and multinational corporations, and governments and their agencies, as well as smaller local enterprises. CLO’s technology, media & telecommunications (TMT) practice group is one of the most established and respected practices in the Asia Pacific region. With clients ranging from state governments and statutory boards to multinational corporations in the telecommunications, computer hardware and software sectors, the firm has been involved in many of the largest and most complex IT and telecommunications projects in recent years. The firm regularly advises clients on matters relating to IT contracts, electronic and mobile commerce, online financial services, outsourcing, telecommunications, cybersecurity, personal data protection, as well as regulatory and policy issues relating to information and communications technology law. The firm’s TMT practice group was recently awarded the Technology, Media and Telecommunications Law Firm of the Year 2017 by Asian Legal Business at the Malaysian Law Awards 2017.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 115 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 18

Mexico Begoña Cancino

Creel, García-Cuéllar, Aiza y Enríquez, S.C. Oscar Arias

Infection of IT systems with malware (including ransomware, 1 Criminal Activity spyware, worms, trojans and viruses) The Federal Criminal Code does not provide any definition for 1.1 Would any of the following activities constitute a this criminal offence; however, this type of behaviour is similar to criminal offence in your jurisdiction? If so, please hacking. The aforementioned penalties are applicable in this case. provide details of the offence, the maximum penalties available, and any examples of prosecutions in your In case the criminal offence is committed against the state, the jurisdiction: relevant authority shall impose a prison sentence of one year to four years, as well as a fine of approximately MN$16,000.00 to There is no definition in Mexican law for the terms “cybercrime” MN$48,024.00. and “cybersecurity”; however, the Federal Criminal Code regulates Possession or use of hardware, software or other tools used to illegal behaviours committed through electronic means that could commit cybercrime (e.g. hacking tools) be identified as cybercrimes by the use of electronic means for their The Federal Criminal Code provides this criminal offence as commission. “hacking”, which is described above. Regarding examples of jurisdiction in Mexico, according to Article Identity theft or identity fraud (e.g. in connection with access 16 of the Political Constitution of the United Mexican States devices) (“Mexican Constitution”), no one shall be molested in his person, The Credit Institutions Law provides that a person who produces, family, home, papers or possessions (including private information), manufactures, reproduces, copies, prints, sells, trades or alters any except by written order of a competent authority, duly grounded in credit card, debit card, cheques or, in general, any other payment law and fact, which sets forth the legal cause of the proceeding. In instrument, including electronic devices, issued by credit institutions, this regard, any non-consented access to private information may without authorisation of the holder, shall be imposed a prison be sanctioned by law; thus, only a federal judicial authority may sentence of three to nine years, by the relevant authority, as well as authorise any investigation regarding criminal offences. a fine of approximately MN$2,401,200.00 to MN$24,012,000.00. Hacking (i.e. unauthorised access) In addition, the Federal Criminal Code provides that a person who, Article 211bis of the Federal Criminal Code provides that whoever, with or without authorisation, modifies, destroys or causes loss of without authorisation, modifies, destroys or causes loss of information contained in credit institutions’ systems or computer information contained in systems or computer equipment protected equipment protected by a security mechanism shall be imposed a by a security mechanism shall be imposed a prison sentence of prison sentence of six months to four years, by the relevant authority, six months to two years, by the relevant authority, as well as a as well as a fine of approximately MN$8,004.00 to MN$24,012.00. fine of approximately MN$8,004.00 to MN$24,012.00. The Moreover, a person who without authorisation knows or copies aforementioned penalty could be duplicated in case the information information in credit institutions’ computer systems or equipment is used for one’s own benefit or to benefit a third party. protected by a security mechanism shall be imposed a prison sentence Denial-of-service attacks of three months to two years, as well as a fine of approximately The Federal Criminal Code does not provide any definition, or MN$4,002.00 to MN$24,012.00. similar definition, for this criminal offence. All the penalties aforementioned could be duplicated if the criminal Phishing offence is committed by any counsellor, official, employee or The Federal Criminal Code does not provide any definition for service provider of any credit institution. phishing; however, such criminal offence could be considered as Electronic theft (e.g. breach of confidence by a current or former fraud. According to Article 386 of the Federal Criminal Code, a employee, or criminal copyright infringement) person commits fraud when he/she, with the intent of obtaining a As mentioned, the Credit Institutions Law provides that any person financial gain, handles information through deceit, takes advantage who produces, manufactures, reproduces, copies, prints, sells, of errors, or misleads a person. trades or alters, any credit card, debit card, cheque or, in general, In such case, the relevant authority shall impose a prison sentence any other payment instrument, including electronic devices, issued of three days to 12 years, as well as a fine of approximately by credit institutions, without authorisation of the holder, shall be MN$2,400.00 to MN$24,012.00, depending on the value in each imposed a prison sentence of three to nine years, as well as a fine case. of approximately MN$2,401,200.00 to MN$24,012,000.00. The

116 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Creel, García-Cuéllar, Aiza y Enríquez, S.C. Mexico

penalties aforementioned could be duplicated if the criminal offence is committed by any counsellor, official, employee or service 1.4 Are there any other criminal offences (not specific provider of any credit institution. to cybersecurity) in your jurisdiction that may arise in relation to cybersecurity or the occurrence of an Any other activity that adversely affects or threatens the Incident (e.g. terrorism offences)? Please cite any security, confidentiality, integrity or availability of any IT specific examples of prosecutions of these offences system, infrastructure, communications network, device or data in a cybersecurity context. Yes: espionage; conspiracy; crimes against means of communication; tapping of communications; acts of corruption; As mentioned, the Federal Criminal Code also regulates as a criminal extortion; and money laundering could be considered as threats offence the act of sabotage or unlawful interference with: roads,

to the security, confidentiality, integrity or availability of any IT public services, or state services; steel, electric or basic industries; Mexico system, infrastructure, communications network, device or data. and centres of production or distribution of weapons, ammunition or military equipment, with the aim of disrupting the economic life of Failure by an organisation to implement cybersecurity measures the country or affect their ability to defend. Considering the absence of a specific law which regulates Also, the relevant Code protects means of communication cybersecurity in Mexico, there are no minimum protective measures such as telegrams, telephone lines, radio communications, that organisations must implement to protect data and information telecommunication networks, as any component of an installation technology systems from cyber threats; however, the Federal Law of production of magnetic or electromagnetic energy or its means on Protection of Personal Data held by Private Parties (“Data of transmission. Protection Law”) provides that data controllers have to implement diverse technical, physical and organisational measures in order to In addition, the Federal Criminal Code provides that persons who protect information against damage, loss, alteration, destruction, manufacture, import, sell or lease any device or system, or commit use, or unauthorised access or processing. any act with the purpose of decoding any encrypted/protected satellite signal without the legitimate authorisation of the licensed distributor, shall be imposed a prison sentence of six months to four 1.2 Do any of the above-mentioned offences have years. extraterritorial application? On the other hand, the Law on Negotiable Instruments and Credit Operations sanctions diverse actions that affect any kind of financial Yes; however, Mexico has not yet adopted international standards payment instrument (e.g., credit or service cards) or the information related to cybersecurity. contained on them.

1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an 2 Applicable Laws exception to any of the above-mentioned offences?

Yes, in the following cases: 2.1 Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable 1) The Federal Law Against Organized Crime provides: (a) to the monitoring, detection, prevention, mitigation that in the investigation of a crime in which it is assumed on and management of Incidents. This may include, good grounds that a member of organised crime is involved, for example, laws of data protection, intellectual it is possible to tap private communications; and (b) the property, breach of confidence, privacy of electronic obligation of concessionaires, authorised entities and any communications, information security, and import / person holding a means or system that could be intercepted, export controls, among others. to cooperate with the authorities, prior to a judicial order. 2) The General Law to Prevent and Sanction Kidnapping Crimes ■ The Mexican Constitution; provides the possibility to intercept private communications. ■ The FTBL; 3) The National Security Law, in case of an immediate threat ■ The Data Protection Law, its Regulations, Recommendations, to national security, provides that the Mexican Government Guidelines and similar regulations on data protection; must request a judicial warrant to intercept private ■ The Federal Law on Transparency and Access to Public communications for national security purposes. Information; 4) The Federal Telecommunications and Broadcasting Law ■ The General Law on Transparency and Access to Public (“FTBL”), according to Articles 189 and 190, provides that: Information; (i) concessionaires; (ii) authorised entities; and (iii) service providers of applications or contents, are required to: a) allow ■ General Standards as the Mexican Official Standard the corresponding competent authorities to control and tap Regarding the Requirements that shall be Observed when private communications; and b) provide the support that such Keeping Data Messages; authorities request, in terms of the applicable law. ■ The Law on Negotiable Instruments and Credit Operations; In addition to the federal legislation provided above, there are state ■ The Mexican Federal Tax Code; laws that allow the interception of individual communications prior ■ The Credit Institutions Law; to any request from the relevant state authorities (Public Prosecutor ■ The Sole Circular for Banks; of the corresponding state) to a federal judge. ■ The Industrial Property Law; Intervention of private communications is not allowed in: electoral ■ The Mexican Copyright Law; tax; commercial; civil; labour; or administrative matters, or in the ■ The Federal Criminal Code; case of communications between the arrested and his/her counsel. ■ The National Security Law;

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 117 © Published and reproduced with kind permission by Global Legal Group Ltd, London Creel, García-Cuéllar, Aiza y Enríquez, S.C. Mexico

■ The Federal Labour Law; and Public Information Access provides, in Article 70 Section ■ The Federal Law for the Federal Police; XLVII, that authorities shall provide access and keep updated, for ■ The National Development Plan 2013–2018; statistical purposes, the list of requests made to telecommunications concessionaires, service providers or Internet applications related to ■ The National Programme of Public Security 2014–2018; and the interception of private communications, access to the registry of ■ The National Programme of Security 2014–2018. communications, and the real-time geo-location of communication equipment that contain the object, temporary scope and the legal 2.2 Are there any cybersecurity requirements under provisions on which the requirement it supports, if that is the case, Applicable Laws applicable to critical infrastructure mentioning if a judicial warrant was granted. in your jurisdiction? For EU countries only, how On the other hand, Data Privacy Laws do not provide a penalty for Mexico (and according to what timetable) is your jurisdiction expected to implement the Network and Information failure to comply with the rules on reporting threats or breaches; Systems Directive? Please include details of any nevertheless, the National Institute for Access to Public Information instances where the implementing legislation in your and Data Protection (“INAI”) is empowered to evaluate if the cause jurisdiction is anticipated to exceed the requirements that originated a data breach was caused by a failure of compliance of the Directive. or negligence. By the interpretation of the Mexican Constitution, organisations The authors are not aware of any. must cooperate with Government Agencies regarding Incidents; however, no law establishes specific requirements to report Incidents 2.3 Are organisations required under Applicable Laws, or potential Incidents. or otherwise expected by a regulatory or other authority, to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what 2.6 If not a requirement, are organisations permitted by measures are required to be taken. Applicable Laws to voluntarily share information related to Incidents or potential Incidents with: (a) a regulatory or other authority in your jurisdiction; As mentioned, there are no minimum protective measures that (b) a regulatory or other authority outside your organisations must implement to protect data and information jurisdiction; or (c) other private sector organisations technology systems from cyber threats; however, the Data Privacy or trade associations in or outside your jurisdiction? Law provides that data controllers have to implement diverse technical, physical and organisational measures in order to protect Please refer to our answer in question 2.5. information against damage, loss, alteration, destruction, use, or unauthorised access or processing. 2.7 Are organisations required under Applicable Laws, or In addition to the foregoing, there are certain specific mandatory otherwise expected by a regulatory or other authority, security measures that certain industries must adopt to protect their to report information related to Incidents or potential customers’ data. Banking laws and regulations provide that banks Incidents to any affected individuals? If so, please must implement certain security measures in electronic banking provide details of: (a) the circumstance in which transactions and require the use of several passwords depending on this reporting obligation is triggered; and (b) the nature and scope of information that is required to be the amount and nature of the transaction. reported.

2.4 In relation to any requirements identified in question There is no obligation to report any Incidents or potential Incidents; 2.3 above, might any conflict of laws issues however, Data Protection Law provides that security breaches that arise? For example, conflicts with laws relating materially affect the property or moral rights of data owners will be to the unauthorised interception of electronic reported immediately by the data controller to the data owner, so communications or import / export controls of encryption software and hardware. that the latter can take appropriate action to defend its rights.

The authors are not aware of any. 2.8 Do the responses to questions 2.5 to 2.7 change if the information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email 2.5 Are organisations required under Applicable Laws, or address from which a phishing email originates); (d) otherwise expected by a regulatory or other authority, personally identifiable information of cyber threat to report information related to Incidents or potential actors; and (e) personally identifiable information of Incidents to a regulatory or other authority in your individuals who have been inadvertently involved in jurisdiction? If so, please provide details of: (a) the an Incident? circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) No, the responses to questions 2.5 to 2.7 do not change. the nature and scope of information that is required to be reported (e.g. malware signatures, network 2.9 Please provide details of the regulator(s) responsible vulnerabilities and other technical characteristics for enforcing the requirements identified under identifying an Incident or cyber attack methodology); questions 2.3 to 2.7. and (d) whether any defences or exemptions exist by which the organisation might prevent publication of that information. The INAI is in charge of: (i) guaranteeing people’s right of access to government public information; (ii) protecting the personal data There is no obligation to report Incidents or potential Incidents in possession of the federal government and individuals; and (iii) to the authorities; however, the General Law on Transparency resolving denials of access to information that the dependencies or entities of the federal government have formulated.

118 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Creel, García-Cuéllar, Aiza y Enríquez, S.C. Mexico

The Federal Telecommunications Institute (“IFT”) is in charge of In relation to information security, data protection officers shall regulating telecommunications and broadcasting services. adopt measures to guarantee due processing of personal data, privileging the interests of the data owners and their reasonable expectation of privacy. 2.10 What are the penalties for not complying with the requirements identified under questions 2.3 to 2.8? The measures that the data protection officer shall adopt, and that may be related to cybersecurity, include the following: (i) issuing policies The Applicable Laws are silent in this regard. and programmes, which shall be mandatory within the organisation; (ii) implementing training programmes; (iii) implementing a monitoring and surveillance system and internal or external audits to 2.11 Please cite any specific examples of enforcement verify compliance with privacy policies; (iv) assigning resources for action taken in cases of non-compliance with the Mexico the implementation of programmes and policies related to privacy; above-mentioned requirements. (v) implementing a risk-detection programme to identify privacy risks when launching new products, services, technologies and This is not applicable in our jurisdiction. business models as well as risk-mitigation strategies; (vi) periodically reviewing security policies and programmes to determine whether 3 Specific Sectors amendments are needed; (vii) performing compliance checks; and (viii) implementing personal data-tracking systems to trace which data are collected and where they are stored. 3.1 Does market practice with respect to information The Data Protection Law does not provide a specific sanction for security (e.g. measures to prevent, detect, mitigate data protection officers, responsible personnel and directors. and respond to Incidents) vary across different business sectors in your jurisdiction? Please include details of any common deviations from the strict legal 4.2 Are companies (whether listed or private) required requirements under Applicable Laws. under Applicable Laws to: (a) designate a CISO; (b) establish a written Incident response plan or Yes. According to the Data Protection Law, the data controllers policy; (c) conduct periodic cyber risk assessments, have to implement diverse technical, physical and organisational including for third party vendors; and (d) perform measures in order to protect information against damage, loss, penetration tests or vulnerability assessments? alteration, destruction, use, or unauthorised access or processing. Regarding personal data, all data controllers must designate a data On the other hand, the Federal Criminal Code and the Law on protection officer or department; however, the Applicable Laws are Negotiable Instruments and Credit Operations provide several silent in cybersecurity matters. sanctions in order to avoid criminal offences regarding cybersecurity.

4.3 Are companies (whether listed or private) subject 3.2 Are there any specific legal requirements in relation to any specific disclosure requirements in relation to cybersecurity applicable to organisations to cybersecurity risks or Incidents (e.g. to listing in: (a) the financial services sector; and (b) the authorities, the market or otherwise in their annual telecommunications sector? reports)?

Yes. Regarding financial services, the Law on Negotiable The applicable laws are silent in this regard. Instruments and Credit Operations and the Credit Institutions Law, including the Federal Criminal Code, are applicable in order to avoid cybercrimes. 4.4 Are companies (whether public or listed) subject to any other specific requirements under Applicable The FTBL and the Federal Criminal Code are applicable in this Laws in relation to cybersecurity? matter. The applicable laws are silent in this regard. 4 Corporate Governance 5 Litigation 4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to 5.1 Please provide details of any civil actions that may be a breach of directors’ duties in your jurisdiction? brought in relation to any Incident and the elements of that action that would need to be met. There are no specific laws in Mexico related to cybersecurity responsibilities or liabilities of personnel and directors. Nevertheless, According to Article 32 of the Federal Criminal Code, organisations and in accordance with the Data Protection Law, every private and companies are civilly liable for the damages caused to third party, individual or organisation that processes personal information parties by crimes committed by their partners, managers and (data controller), has the obligation to appoint a data person or directors. The state is similarly liable for the crimes committed by department (data protection officer) who will be a representative its public officials. for the organisation in privacy and data protection matters and in The Federal Civil Code provides a standard of civil liability charge, within the organisation, of the correct processing of personal established in Article 1910, which provides that a party that illegally data (including verification of security measures), as well as of causes harm to another person shall be obliged to repair the damage, processing requests from data owners for the exercise of their rights unless he/she proves that the damage was produced as a consequence to access, rectification, suppression or rejection. of the victim’s guilt or negligence.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 119 © Published and reproduced with kind permission by Global Legal Group Ltd, London Creel, García-Cuéllar, Aiza y Enríquez, S.C. Mexico

5.2 Please cite any specific examples of cases that 7.2 Are there any Applicable Laws (e.g. whistle-blowing have been brought in your jurisdiction in relation to laws) that may prohibit or limit the reporting of cyber Incidents. risks, security flaws, Incidents or potential Incidents by an employee? The authors are not aware of any. The authors are not aware of any.

5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident? 8 Investigatory and Police Powers Mexico The authors are not aware of any. 8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable 6 Insurance Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident.

6.1 Are organisations permitted to take out insurance The Applicable Laws empower the following authorities to against Incidents in your jurisdiction? investigate an Incident: (i) the General Attorney Office; (ii) Public Prosecutors; (iii) the INAI; and (iv) the IFT. Yes, organisations are permitted to take out insurance against Public Prosecutors in Mexico are in charge of investigating cyber Incidents in our jurisdiction. activities and to resolve them, a cyber police has been created to follow up on crimes or unlawful activities committed through the 6.2 Are there any regulatory limitations to insurance Internet. Complaints directed to the cyber police can be submitted coverage against specific types of loss, such as via its website, by phone, or through a Twitter or email account; in business interruption, system failures, cyber extortion addition, the Federal Police have created a scientific division called or digital asset restoration? If so, are there any legal the National Centre For Cyber-Incidents Response, specialised in limits placed on what the insurance policy can cover? providing assistance to the victims or claimants of cyber threats and cyber attacks. The authors are not aware of any. In the case of data protection, the INAI may conduct investigations to follow up personal data matters. Regarding telecommunications, 7 Employees the IFT is in charge of this sector.

7.1 Are there any specific requirements under Applicable 8.2 Are there any requirements under Applicable Laws Law regarding: (a) the monitoring of employees for for organisations to implement backdoors in their IT the purposes of preventing, detection, mitigating and systems for law enforcement authorities or to provide responding to Incidents; and (b) the reporting of cyber law enforcement authorities with encryption keys? risks, security flaws, Incidents or potential Incidents by employees to their employer? The Applicable Laws are silent in this regard.

There are no specific requirements; however, the Data Protection Law provides that a person who is involved with personal data is obligated to establish and maintain physical and technical administrative security measures and in case of any breach, such employee must notify the data protection officer.

120 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Creel, García-Cuéllar, Aiza y Enríquez, S.C. Mexico

Begoña Cancino Oscar Arias Creel, García-Cuéllar, Aiza y Enríquez, S.C. Creel, García-Cuéllar, Aiza y Enríquez, S.C. Tamarindos 60 Tamarindos 60 Bosques de las Lomas Bosques de las Lomas Mexico Mexico

Tel: +52 55 4748 0679 Tel: +52 55 8525 1953 Email: [email protected] Email: [email protected] URL: www.creel.mx URL: www.creel.mx Mexico Begoña Cancino is a partner in the Mexico City office. Her practice Oscar Arias is an associate at Creel, García-Cuéllar, Aiza y Enríquez focuses on Intellectual Property, Data Privacy, Regulatory and S.C., where he specialises in Intellectual Property and Data Privacy. Administrative Litigation. From the standard IP front, Ms. Cancino Mr. Arias’ experience includes obtaining registrations and protection counsels clients from all kinds of industries with the protection and of all sorts of Intellectual Property rights, as well as the negotiation of enforcement of their IP rights in Mexico, assisting also with the transfer technology transfer, technical assistance, licence, and franchise and of IP portfolios within the context of complex corporate transactions settlement agreements. He has also worked on Intellectual Property involving all sort of IP rights (such as trademarks, copyrights and litigious matters – infringement, nullity and cancellation actions – appellations of origin). Ms. Cancino also provides assistance with her with regard to trademarks, slogans, trade names, industrial designs, legal advice on regulatory and advertising, assessing our clients to copyrights and patents, particularly in the pharmaceutical field. comply with all applicable provisions with COFEPRIS and PROFECO. Additionally, he has participated in the litigation and consultancy of She has represented clients in all sort of administrative litigation health regulations and public acquisitions. proceedings, in general, concerning advertising, health, environmental and, of course, IP matters, before administrative authorities and federal judicial courts. Pursuant to the data privacy aspects, Ms. Cancino has counselled clients from multiple industries in the drafting and implementation of internal policies, privacy notices and specific legal concerns, not only regarding client daily operations, but also within the context of cross-border transactions and internal investigations for compliance.

Creel, García-Cuéllar, Aiza y Enríquez is an award-winning, full-service corporate law firm. It has over 80 years of experience in providing international and domestic clients with technical excellence, knowledge of the market and unparalleled client service. The firm is a strategic service provider to clients with the most complex and demanding transactions and projects, affording them certainty and peace of mind. The firm provides innovative solutions to many of the largest, most intricate, first-ever market-leading deals in Mexico. We are a full-service corporate law firm, specialising in the following practice areas and industries: antitrust and competition; arbitration and dispute resolution; banking and finance; bankruptcy and restructuring; capital markets; corporate and commercial; employment and labour; energy and natural resources; environmental; infrastructure; insurance and reinsurance; intellectual property; mergers and acquisitions; private equity; pro bono; project development and finance; real estate; social security; tax; telecommunications; and transportation.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 121 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 19

Nigeria Olajumoke Lambo

Udo Udoma & Belo-Osagie Godson Ogheneochuko

Identity theft or identity fraud (e.g. in connection with access 1 Criminal Activity devices) Section 22 of the Cybercrimes Act makes this an offence. Depending 1.1 Would any of the following activities constitute a on the circumstances of the offence, the maximum punishment is criminal offence in your jurisdiction? If so, please seven years’ imprisonment or a =N=5,000,000.00 fine or both. provide details of the offence, the maximum penalties available, and any examples of prosecutions in your In June 2017, the Economic and Financial Crimes Commission jurisdiction: (“EFCC”) arraigned a suspect for impersonating the former Chairman of the EFCC. Yes, the activities listed below constitute offences under the Cybercrimes Electronic theft (e.g. breach of confidence by a current or former (Prohibition, Prevention, Etc.) Act 2015 (“Cybercrimes Act”). employee, or criminal copyright infringement) Hacking (i.e. unauthorised access) This is not expressly specified as an offence, but Section 31 of It is an offence, under Sections 6 and 8 of the Cybercrimes Act, the Cybercrimes Act will be breached if an employee does not for any person to intentionally and unlawfully access a computer relinquish access rights and codes to the employer without lawful system. The punishment depends on the fraudulent action that is reason. The punishment is three years’ imprisonment or a fine of committed by the offender after access is gained, but the maximum =N=3,000,000.00 or both. penalty is seven years’ imprisonment or a fine of =N=7,000,000.00 Any other activity that adversely affects or threatens the or both. security, confidentiality, integrity or availability of any IT In July 2017, it was reported that four persons had been charged by system, infrastructure, communications network, device or data a court for the alleged hacking of the website of the West African Yes. Some of which include: Examinations Council. Wilful misdirection of electronic messages: maximum punishment Denial-of-service attacks of three years’ imprisonment or a fine of =N=1,000,000.00 or both This is an offence under Section 8 of the Cybercrimes Act. The (Section 11 of the Cybercrimes Act). maximum punishment is imprisonment for a term of two years and Computer-related forgery: maximum punishment is imprisonment a fine of =N=5,000,000.00. We are not aware of any prosecution for of three years or a fine of not less than =N=7,000,000.00 or both denial-of-service attacks. (Section 13 of the Cybercrimes Act). Phishing Computer-related fraud: the punishment varies depending on the This is punishable under Sections 32(1) and 36(1) of the Cybercrimes specific crime, but the maximum punishment is a prison termof Act. The punishment is three years’ imprisonment or a fine of seven years and a fine of =N=10,000,000.00 (Section 14 of the =N=1,000,000.00 or both. Cybercrimes Act). In 2012, prior to enactment of the Cybercrimes Act, the Federal Fraudulent issuance of e-instructions by persons charged with High Court sentenced a 25-year-old undergraduate to 20 years’ the responsibility of using a computer or other electronic devices imprisonment on four counts, including an attempt to obtain money for financial transactions is an offence under Section 20 of the by false pretence, which is an offence under the Criminal Code Act Cybercrimes Act. The maximum punishment is seven years’ in Nigeria. imprisonment. Infection of IT systems with malware (including ransomware, : depending on the circumstances, the maximum spyware, worms, trojans and viruses) punishment is 10 years’ imprisonment or a minimum fine of =N=25,000,000.00 (Section 24 of the Cybercrimes Act). This is an offence under Section 32(3) of the Cybercrimes Act. The punishment is three years’ imprisonment or a fine of Cybersquatting: the maximum punishment is two years’ =N=1,000,000.00 or both. imprisonment or a maximum fine of =N=5,000,000.00 or both a fine and imprisonment (Section 25 of the Cybercrimes Act). Possession or use of hardware, software or other tools used to commit cybercrime (e.g. hacking tools) Manipulation of ATM/POS terminals by persons with intent to defraud is an offence under Section 30 of the Cybercrimes Act. The This is a breach of Section 28 of the Cybercrimes Act. The punishment is five years’ imprisonment or a =N=5,000,000.00 fine punishment is imprisonment for a maximum term of three years or a or both. In addition, any employee of a financial institution found fine of not more than =N=7,000,000.00 or both.

122 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Udo Udoma & Belo-Osagie Nigeria

to have connived with another person to perpetrate fraud using an ATM/POS device shall be guilty of an offence and upon conviction 2 Applicable Laws sentenced to seven years’ imprisonment without an option of a fine. Electronic cards-related fraud is an offence under Section 33 of the 2.1 Please cite any Applicable Laws in your jurisdiction Cybercrimes Act. The maximum punishment for a wide range of applicable to cybersecurity, including laws applicable offences under this Section is seven years’ imprisonment and/or a to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, fine of not more than =N=10,000,000.00. for example, laws of data protection, intellectual Failure by an organisation to implement cybersecurity measures property, breach of confidence, privacy of electronic A service provider (defined as: “(i) any public or private entity that communications, information security, and import /

export controls, among others. Nigeria provides to users of its services, the ability to communicate by means of a computer system, electronic communication devices, mobile ■ The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015. networks; and (ii) any other entity that processes or stores computer data on behalf of such communication service or users of such ■ The Terrorism Prevention Act 2011 (as amended). service”) is required by Section 40 of the Cybercrimes Act to comply ■ Guidelines for the Provision of Internet Service (“NCC with a Judge’s order to “intercept, collect, record, permit or assist Internet Service Guidelines”) issued by the Nigerian competent authorities with the collection or recording of content Communication Commission (“NCC”). data and/or traffic data associated with specified communications transmitted by means of a computer system” and to generally assist 2.2 Are there any cybersecurity requirements under with the identification, apprehension and prosecution of offenders. Applicable Laws applicable to critical infrastructure Any service provider that contravenes this Section commits an in your jurisdiction? For EU countries only, how offence and shall be liable on conviction to a fine of not more than (and according to what timetable) is your jurisdiction =N= 10,000,000.00. Directors, officers and managers of the service expected to implement the Network and Information Systems Directive? Please include details of any providers may also be held liable and imprisoned for a maximum instances where the implementing legislation in your term of three years or a maximum fine of =N=7,000,000.00 or both. jurisdiction is anticipated to exceed the requirements Section 37 of the Cybercrimes Act will also be breached where a of the Directive. financial institution executes customers’ electronic transactions without conducting KYC checks. Yes. An order by the President, designating certain computer systems, computer networks, computer programs, computer data or traffic data as critical infrastructure, may prescribe minimum 1.2 Do any of the above-mentioned offences have extraterritorial application? standards, guidelines, rules or procedure regarding the protection, preservation, transfer and control of such data (Section 3 of the Cybercrimes Act). The provisions of the Cybercrimes Act apply only in Nigeria, but where an offence is committed outside Nigeria and the victim of the offence is a citizen or resident of Nigeria or the alleged offender is in 2.3 Are organisations required under Applicable Laws, Nigeria and not extradited to any other country for prosecution, the or otherwise expected by a regulatory or other Federal High Court will have jurisdiction over the matter. (Section authority, to take measures to monitor, detect, prevent 50 (1) of the Cybercrimes Act.) or mitigate Incidents? If so, please describe what measures are required to be taken.

1.3 Are there any actions (e.g. notification) that might Service providers and financial institutions are required to keep mitigate any penalty or otherwise constitute an appropriate records, conduct the relevant checks and safeguard the exception to any of the above-mentioned offences? confidentiality of data. As mentioned previously, service providers must also provide lawful assistance to law enforcement authorities. No, there are no actions that might mitigate any penalty or constitute Licensees of the NCC may also be required by the NCC to acquire an exception. interception capabilities for interception of certain information.

1.4 Are there any other criminal offences (not specific 2.4 In relation to any requirements identified in question to cybersecurity) in your jurisdiction that may arise 2.3 above, might any conflict of laws issues in relation to cybersecurity or the occurrence of an arise? For example, conflicts with laws relating Incident (e.g. terrorism offences)? Please cite any to the unauthorised interception of electronic specific examples of prosecutions of these offences communications or import / export controls of in a cybersecurity context. encryption software and hardware.

Under Section 5 of the Terrorism Prevention Act 2011 (as amended) None that we are aware of. (the “TPA”), any person who knowingly, in any manner, directly or indirectly solicits or renders support for the commission of an act of terrorism or to a terrorist group, commits an offence and is liable on conviction to imprisonment for a term of not less than 20 years. Support is defined to include incitement to commit a terrorist act through the internet, or any electronic means.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 123 © Published and reproduced with kind permission by Global Legal Group Ltd, London Udo Udoma & Belo-Osagie Nigeria

the provisions of the Cybercrimes Act, while the NCC is responsible 2.5 Are organisations required under Applicable Laws, or for enforcing the provisions of the NCC Internet Service Guidelines. otherwise expected by a regulatory or other authority, With respect to the Terrorism Prevention Act 2011, the Attorney- to report information related to Incidents or potential General of the Federation supervises the implementation and Incidents to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the administration of the Act, while the law enforcement and security circumstance in which this reporting obligation is agencies are responsible for the enforcement of the Act. triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) the nature and scope of information that is required 2.10 What are the penalties for not complying with the to be reported (e.g. malware signatures, network requirements identified under questions 2.3 to 2.8?

Nigeria vulnerabilities and other technical characteristics identifying an Incident or cyber attack methodology); Please see our responses to questions 2.3 to 2.8 above. and (d) whether any defences or exemptions exist by which the organisation might prevent publication of that information. 2.11 Please cite any specific examples of enforcement action taken in cases of non-compliance with the above-mentioned requirements. Yes. Any person or institution that operates a computer system or a network must immediately (i.e. no later than seven days after the occurrence) report any attacks, intrusions and other disruptions that We are not aware of any enforcement actions that have been taken could hinder the functioning of another computer system or network for non-compliance with the above-mentioned requirements. to the National Computer Emergency Response Team Coordination Center (“CERT”). To the best of our knowledge, the information 3 Specific Sectors provided to the CERT is not published.

3.1 Does market practice with respect to information 2.6 If not a requirement, are organisations permitted by security (e.g. measures to prevent, detect, mitigate Applicable Laws to voluntarily share information and respond to Incidents) vary across different related to Incidents or potential Incidents with: (a) business sectors in your jurisdiction? Please include a regulatory or other authority in your jurisdiction; details of any common deviations from the strict legal (b) a regulatory or other authority outside your requirements under Applicable Laws. jurisdiction; or (c) other private sector organisations or trade associations in or outside your jurisdiction? Market practice with respect to information security does not There are no restrictions in the Cybercrimes Act, but it is advisable for significantly vary across different business sectors in Nigeria. financial institutions to notify the Central Bank of Nigeria (“CBN”) of The Cybercrimes Act prescribes the minimum standards that are the intention to engage in such information sharing before doing so. applicable across all business sectors in Nigeria and incorporates, within its ambit, data protection/information security. It was passed into law in 2015 to provide the much-needed legislation to govern 2.7 Are organisations required under Applicable Laws, or the growing menace of cybercrimes and it also sought to consolidate otherwise expected by a regulatory or other authority, all other sector-specific regulations that have cybercrimes provisions to report information related to Incidents or potential into one cohesive legislation. Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the nature and 3.2 Are there any specific legal requirements in relation scope of information that is required to be reported. to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the There are no requirements for affected individuals to be informed of telecommunications sector? any Incidents, but, in our opinion, the individuals are owed a duty of care and should be informed if the potential impact of an Incident (a) Obligations imposed on financial institutions: can be mitigated by actions that may be taken by the affected person, (i) Sections 19 and 37 of the Cybercrimes Act require e.g. stolen passwords, compromised accounts, etc. financial institutions to: ■ not vest a single employee with both posting and 2.8 Do the responses to questions 2.5 to 2.7 change if the access authorisation rights; information includes: (a) price sensitive information; (b) ■ implement effective counter-fraud measures to IP addresses; (c) email addresses (e.g. an email address safeguard customers’ sensitive information; from which a phishing email originates); (d) personally ■ verify the identity of customers carrying out electronic identifiable information of cyber threat actors; and (e) financial transactions before the issuance of cards and personally identifiable information of individuals who other related electronic devices; have been inadvertently involved in an Incident? ■ apply KYC principles on customers before executing customers’ electronic transfer, payment, debit and No, the responses do not change. issuance orders; and ■ provide clear legal authorisation of any unauthorised 2.9 Please provide details of the regulator(s) responsible debit on a customer’s account or reverse such debit for enforcing the requirements identified under within 72 hours. questions 2.3 to 2.7. (ii) In addition, banks and other financial institutions are required by Section 44 of the Cybercrimes Act to The law enforcement authorities in collaboration with the Office of contribute a levy of 0.005% of all electronic transactions the National Security Adviser (“NSA”) are responsible for enforcing

124 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Udo Udoma & Belo-Osagie Nigeria

carried out by them into the National Cybersecurity Fund (the “Fund”). 4.2 Are companies (whether listed or private) required (iii) Section 14 of the TPA places an obligation on financial under Applicable Laws to: (a) designate a CISO; (b) establish a written Incident response plan or institutions to report suspicious transactions relating to policy; (c) conduct periodic cyber risk assessments, terrorism to the Financial Intelligence Unit within 72 hours including for third party vendors; and (d) perform of such transactions. The TPA defines “acts of terrorism” penetration tests or vulnerability assessments? to include an act which is deliberately done with malice aforethought and which involves or causes destruction to a government or public facility, a transport system, an Financial institutions are required to conduct regular checks to infrastructure facility, including an information system. ensure the integrity of the networks and computer systems, in

This obligation arises when the financial institution has addition to maintaining a dedicated fraud desk to provide support Nigeria sufficient reason to suspect that the funds involved in the to customers on electronic fraud and block or place restrictions on transaction: customers’ accounts upon receipt of fraud complaints, etc. ■ are derived from legal or illegal sources, but are Service providers must report any cyber attacks or similar actions intended to be used for any act of terrorism; to the CERT. There are no requirements in the cybersecurity ■ are proceeds of a crime related to terrorist financing; or regulations for designation of a Chief Information Security Officer. ■ belong to a person, entity or organisation considered as a terrorist or a terrorist organisation. 4.3 Are companies (whether listed or private) subject (iv) All banks and payment service providers are mandated to any specific disclosure requirements in relation by the CBN to maintain a dedicated fraud desk to provide to cybersecurity risks or Incidents (e.g. to listing support to customers on electronic fraud and block or authorities, the market or otherwise in their annual place restrictions on customers’ accounts upon receipt of reports)? fraud complaints, etc. (b) Obligations of telecommunications companies: Please see our response to question 2.5 regarding mandatory reports (i) Based on the definition stated previously, companies in to the CERT. the telecommunications sector fall within the category of entities described as ‘service providers’. They are thus required to: 4.4 Are companies (whether public or listed) subject to any other specific requirements under Applicable ■ preserve, hold or retain any traffic data, subscriber Laws in relation to cybersecurity? information, non-content information, and content data, at the request of the relevant regulatory authority or any law enforcement agency; and No, companies are not subject to any other specific requirements. ■ comply with any request by a law enforcement agency for the release of any information kept by the service 5 Litigation provider. (ii) In addition, telecommunications companies are required by Section 44 of the Cybercrimes Act to contribute a levy 5.1 Please provide details of any civil actions that may be of 0.005% of all electronic transactions carried out by brought in relation to any Incident and the elements of them into the Fund. that action that would need to be met. (iii) Section 40 of the Cybercrimes Act also mandates all service providers (which include telecommunications The laws governing cybersecurity in Nigeria do not contain companies) to disclose information requested by any provisions for civil actions that may be brought for Incidents, but a law enforcement agency or otherwise render assistance court may grant civil remedies to a victim and against a convict in howsoever in any inquiry or proceeding under the Act. a criminal action (such as compensation or an order of restitution). A victim of an Incident, could also, under general common law 4 Corporate Governance principles, file a civil action after the criminal action has been concluded. The type of civil action that may be brought will depend on the type of wrong that has been committed. For instance, a 4.1 In what circumstances, if any, might a failure by victim of an Incident that results from a contractual relationship a company (whether listed or private) to prevent, could bring an action for breach of contract or confidentiality/duty mitigate, manage or respond to an Incident amount to of care and seek damages. The victim must, however, prove that a a breach of directors’ duties in your jurisdiction? valid contract existed between the parties and the contract has been breached. If a company that is a computer-based service provider or vendor does any act with intent to defraud and, by virtue of its position as a service provider, forges or illegally uses security codes of customers 5.2 Please cite any specific examples of cases that have been brought in your jurisdiction in relation to to gain a financial or material advantage, it would be a breach of Incidents. a director’s duty if commission of the offence resulted from his connivance, instigation or neglect. Please see our response to question 1.1 above. The failure by a service provider to comply with the terms of Section 40 of the Cybersecurity Act (discussed in response to question 1.1 above) could also result in criminal liability for a director or other 5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident? officers of the company.

There is potential liability in tort, depending on the nature of the Incident.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 125 © Published and reproduced with kind permission by Global Legal Group Ltd, London Udo Udoma & Belo-Osagie Nigeria

6 Insurance 8 Investigatory and Police Powers

6.1 Are organisations permitted to take out insurance 8.1 Please provide details of any investigatory powers of against Incidents in your jurisdiction? law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. antiterrorism laws) that There are no laws that prohibit or restrict organisations in Nigeria may be relied upon to investigate an Incident. from taking out insurance against Incidents, neither are there any laws that make it mandatory for them to do so. Section 41 of the Cybercrimes Act provides that the office of the NSA shall be the coordinating body for all security and enforcement Nigeria agencies under the Act. 6.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as Section 39 of the Cybercrimes Act empowers a Judge to order a business interruption, system failures, cyber extortion service provider to intercept, collect or record content data or traffic or digital asset restoration? If so, are there any legal data associated with specified communications transmitted by limits placed on what the insurance policy can cover? means of a computer where there are reasonable grounds to suspect that the content of such electronic communication is reasonably No, there are no regulatory limitations to insurance coverage against required for the purposes of a criminal investigation or proceedings. specific types of loss. The Judge may also authorise a law enforcement officer to collect or record such data through application of technical means. In addition, Section 45 of the Cybercrimes Act provides that a law 7 Employees enforcement officer may apply ex parte to a Judge in chambers for the issuance of a warrant for the purpose of obtaining electronic 7.1 Are there any specific requirements under Applicable evidence in a related crime investigation. Law regarding: (a) the monitoring of employees for Under the TPA, Section 24 provides that the NSA or the Inspector the purposes of preventing, detection, mitigating and General of Police may apply to the court for the issuance of a responding to Incidents; and (b) the reporting of cyber warrant for the purposes of a terrorism investigation. Such warrant risks, security flaws, Incidents or potential Incidents by employees to their employer? may authorise the NSA or the Inspector General of Police to enter any premises, search and seize any relevant materials found in the premises. There are no specific requirements under the Cybercrimes Act in relation to the monitoring of employees for the purpose of In order to issue this warrant, the court must be satisfied that the preventing, detecting, mitigating and responding to Incidents. There warrant is sought for the purpose of a terrorist investigation and are also no specific requirements regarding the reporting of cyber there are reasonable grounds for believing that there is material on risks, security flaws, Incidents or potential Incidents by employees the premises which may be relevant to the terrorist investigation. to their employer. Several sections of the Cybercrimes Act, however, set out specific 8.2 Are there any requirements under Applicable Laws actions of employees of government organisations and private for organisations to implement backdoors in their IT organisations that constitute offences under the Act. These include: systems for law enforcement authorities or to provide law enforcement authorities with encryption keys? (i) committing an act which the employee is not authorised to do by virtue of his contract of service or intentionally permitting or tampering with computers; Please see our response to questions 1.1 and 2.3 above regarding (ii) intentionally hiding or detaining any electronic mails, the obligations imposed by Section 40 of the Cybercrimes Act and messages, electronic payment, credit and debit card found by the NCC’s power to require its licensees to acquire interception the employee or delivered to him in error and which to his capabilities. knowledge ought to be delivered to another person; Under the TPA, law enforcement agencies also have the power to (iii) diverting electronic mails with intent to defraud; and apply for a court order to compel communication service providers (iv) conniving with other persons to perpetrate fraud using to intercept specified communications, provided that they obtain the computer systems or a network, automated teller machines or requisite approvals of the Attorney-General and the NSA. A Judge point-of-sales devices. could also, by an order, require a telecommunications provider to In addition, all employees in the public and private sectors are intercept and retain specified communication received or transmitted mandated to surrender all codes and access rights to their employers by that service provider, or authorise the relevant law enforcement immediately upon disengagement from their employment. agency to enter any premises and install and subsequently remove any device with which a communication or communications of a specified description may be intercepted and/or retained, for 7.2 Are there any Applicable Laws (e.g. whistle-blowing purposes of intelligence gathering. laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents by an employee?

No, there are no such Applicable Laws.

126 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Udo Udoma & Belo-Osagie Nigeria

Olajumoke Lambo Godson Ogheneochuko Udo Udoma & Belo-Osagie Udo Udoma & Belo-Osagie St. Nicholas House (10th & 13th floors) St. Nicholas House (10th & 13th floors) Catholic Mission Street Catholic Mission Street Lagos Lagos Nigeria Nigeria

Tel: +234 1 4622 308-10 Tel: +234 1 4622 308-10 Email: [email protected] Email: [email protected] URL: www.uubo.org URL: www.uubo.org Nigeria Mrs. Jumoke Lambo, a Partner, heads the Business Advisory unit Mr. Godson Ogheneochuko is a Senior Associate in the firm of the firm and is the co-head of the firm’s Telecommunications with specialisations in a range of corporate matters including team. She also oversees the firm’s company secretarial practice. telecommunications, acquisitions, aviation and real estate transactions. Commended in Who’s Who Legal 2012 as one of Nigeria’s foremost He is a core member of the team that advises telecommunications Corporate/M&A lawyers, she has over two decades of experience operators in all areas of their operations including acquisition of licences in telecommunications law, employment law, immigration law and and other telecommunications assets, real property acquisitions and general corporate practice with an emphasis on legislative drafting, leasing, data protection and interception of communication. mergers and acquisitions, foreign investment, corporate restructuring, He is a core member of the team that advises multinational regulatory compliance and due diligence. Her specialisations include telecommunications operators in all areas of their operations foreign investment, communications, employment law, capital market including regulatory compliance and real property acquisitions. As transactions and regulatory compliance. part of his telecommunications practice, he advises and represents She has assisted various operators within and outside the various clients in negotiations with regulatory authorities, and assists telecommunications and broadcasting sectors with establishing and with procuring operational and regulatory permits relevant to their doing business in Nigeria. She also advises a variety of investors businesses and transactions in Nigeria. In addition to his work in the with acquisitions of interests in Nigerian companies and regulatory practice areas mentioned above, Godson regularly advises the firm’s compliance. clients in connection with cybersecurity, the collection, processing, storage and transfer of personal information under the applicable laws Her work has also been noted in the International Financial Law in Nigeria. Review’s Expert Guides. She is a fellow of the Centre for International Legal Studies (“CILS”) and sits on the Board of Advisors for the Godson has been a contributor to the World Bank Doing Business Lazarski LL.M. Programme, a partnership between the Lazarski Reports (“Registering Property in Nigeria”) since 2009, the International University of Warsaw, Poland and the CILS. She is a member of the Law Office Newsletters (Telecoms and Media) from 2012–2014, and Nigerian National Committee of the International Lawyers for Africa. the International Comparative Legal Guide to: Telecoms, Media and Internet Laws and Regulations since 2013. She has written and presented papers on a wide range of topics.

Udo Udoma and Belo-Osagie (“UUBO”) has been described in international rankings as one of Nigeria’s “Magic Triangle” law firms – a description underscored by one of the highest ratios of internationally-recognised partners per firm in the Nigerian legal market. As a firm, we seek to provide timely, practical, sophisticated and responsive legal solutions based on a philosophy of consistently striving to structure accessible, commercially- oriented advice tailored to the needs of each client. Although a full-service firm, we are especially well regarded in our niche specialisations which include: private equity; energy, electric power and natural resources; banking, finance and capital markets; corporate restructuring (including mergers and acquisitions); project finance; foreign direct investments; telecommunications; taxation; and labour and employment. Together with our litigation, alternative dispute resolution and company secretarial departments, we are able to provide proactive and cost-effective legal services throughout Nigeria and to clients outside Nigeria. The firm was awarded the title of law firm of the year in 2014 by Who’s Who Legal and has been ranked in Tier 1 by the Chambers and Partners ranking for its Banking and Finance and Corporate Commercial Practice. Over the years, the firm has been consistently ranked in Tier 1 by theIFLR 1000 rankings in at least three practice areas including Capital Markets, Mergers and Acquisitions, and Banking and Project Finance practices. In the latest rankings, UUBO was ranked Tier 1 in the Banking, Capital Markets and Mergers and Acquisitions practices.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 127 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 20

Pakistan

Josh and Mak International Aemen Zulfikar Maluka

■ Hacking of Account/Email Address. 1 Criminal Activity ■ Fraudulent Emails. ■ Fraud Through Mobile Messages Regarding Winning of 1.1 Would any of the following activities constitute a Vehicle. criminal offence in your jurisdiction? If so, please ■ Misuse of Information on the Internet. provide details of the offence, the maximum penalties available, and any examples of prosecutions in your ■ Lottery Award Cases. jurisdiction: ■ Electronic Money Laundering and Tax Evasion. ■ Electronic Vandalism, Terrorism and Extortion. Hacking (i.e. unauthorised access) ■ Sales and Investment Fraud. Yes. ■ Illegal Interception of Telecommunications. Denial-of-service attacks ■ Telecommunications Piracy. Yes. ■ Electronic Funds Transfer Fraud. Phishing ■ Theft of Telecommunications Services. Yes. ■ Communications in Furtherance of Criminal Conspiracies. Infection of IT systems with malware (including ransomware, ■ Dissemination of Offensive Materials. spyware, worms, trojans and viruses) Yes. 1.2 Do any of the above-mentioned offences have extraterritorial application? Possession or use of hardware, software or other tools used to commit cybercrime (e.g. hacking tools) The police or the FIA can contact foreign agencies to ensure co- Yes. operation. Pakistan generally ensures co-operation via Interpol or Identity theft or identity fraud (e.g. in connection with access other inter-police measures. devices)

Yes. 1.3 Are there any actions (e.g. notification) that might Electronic theft (e.g. breach of confidence by a current or former mitigate any penalty or otherwise constitute an employee, or criminal copyright infringement) exception to any of the above-mentioned offences? Yes. The normal defences of duress, lack of knowledge and incapacity Any other activity that adversely affects or threatens the are available. security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data Yes. 1.4 Are there any other criminal offences (not specific to cybersecurity) in your jurisdiction that may arise Failure by an organisation to implement cybersecurity measures in relation to cybersecurity or the occurrence of an This depends upon how sensitive the nature of the material being Incident (e.g. terrorism offences)? Please cite any handled by the organisation is. Such an act would be mostly seen as specific examples of prosecutions of these offences in a cybersecurity context. a contractual breach and not a criminal offence.

Common areas of cybercrimes in Pakistan include: Illegal VoIP and telephone exchanges are now illegal in Pakistan ■ Mobile/Credit Card/Balance Transfer Fraud. under Sections 36 and 37 of the Electronic Transactions Act, 2002 ■ Bank Fraud – Credit Cards/ATM/Loan. and the Pakistan Telecommunications Act, 1996. A while back there ■ Mobile/Phone/Threatening Through SMS/Calls. was a scandal involving illegal telephone exchanges in Pakistan ■ Tracing of IP/Email Address. which were involved in routing calls via a computer network and were allegedly used by terrorists to access sensitive military ■ Threatening/Abusive Messages and Emails. information. Illegal VoIP exchanges became a cause of national ■ Hacking/Illegal Access of Websites. concern because of illegitimate operators involved in the illegal

128 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Josh and Mak International Pakistan

termination and origination of international traffic using VoIP. With WLL (Wireless Local Loop) phones or mobile SIMs. This traffic the advent of technologies such as DSL and VSAT combined with may then be distributed onwards using WLL and mobile numbers. the easy availability of VoIP equipment, these individuals used Grey routes are arrangements that fall outside the regular course of VoIP exchanges to terminate/originate international traffic and then business between the licensed telecom companies in Pakistan. As distribute it to the destined telephone numbers. The result was such, if any criminal activities take place over such routes, there handsome tax-free profits, an increase in cybercrime and masking can be no accountability of the licensed telecom companies. On the of criminal activities. The most recent arrest took place earlier in other hand, as we will review in question 2.4 below, it is possible 2017 after the Pakistan Telecommunication Authority (PTA), which to note that privacy and encryption is a problem in Pakistan due to aims to control grey traffic, unearthed an illegal VoIP exchange the interference of local intelligence agencies and their notorious comprising of 11 gateways in the city of Lahore. Such exchanges collaboration with the U.S. NSA and other international intelligence are raided through FIA co-operation and in this case an illegal VoIP agencies. This has led to many concerns by MNCs operating in Pakistan exchange comprising of 11 gateways along with other equipment Pakistan regarding whether the client data that they hold here will (switches, SIMs, laptops and 3G/4G wireless devices) were be adequately protected. It is for this reason that Pakistan is not recovered. Four persons were arrested and are now the custody of considered a ‘safe’ country for data retention or processing by the FIA for further investigations. Apart from facilitating terrorism, jurisdictions like the EU. such grey traffic causes a loss to the state’s tax revenues.

2.4 In relation to any requirements identified in question 2 Applicable Laws 2.3 above, might any conflict of laws issues arise? For example, conflicts with laws relating to the unauthorised interception of electronic communications or import / export controls of 2.1 Please cite any Applicable Laws in your jurisdiction encryption software and hardware. applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, Interception of cyber communication across Pakistani networks is for example, laws of data protection, intellectual pervasive and many forms are also unlawful now. While there have property, breach of confidence, privacy of electronic been many scandals in the past regarding phone tapping and email communications, information security, and import / hacking resulting in , the difficult part for constitutional export controls, among others. rights is that since 2004 network providers have been required to comply with requests for interception and access to network data ■ Prevention of Electronic Crimes Ordinance, 2007. as a standard condition of the PTA’s award of operating licences ■ Electronic Transactions Ordinance, 2002 and 2008. to phone companies (as per Pakistan’s Mobile Cellular Policy) ■ Pakistan Telecommunication (Re-organization) Act, 1996. (Pakistan Ministry of Information Technology, 2004). Read ■ Wireless Telegraphy Act, 1933. along with the constitutional provision for privacy in Pakistan, ■ Telegraph Act, 1885. it becomes a dilemma; the Constitution of Pakistan Privacy is a fundamental premise of Pakistan’s domestic law. Article 14(1) of ■ Federal Investigation Agency Act, 1974. the Constitution reads that “[t]he dignity of man and, subject to ■ Payments & Electronic Fund Transfers Act, 2007. law, the privacy of home, shall be inviolable”. As a fundamental constitutional right, the right to privacy is meant to take precedence 2.2 Are there any cybersecurity requirements under over any other inconsistent provisions of domestic law. Article Applicable Laws applicable to critical infrastructure 8 of the Constitution provides that “[a]ny law, or any custom or in your jurisdiction? For EU countries only, how usage having the force of law, in so far as it is inconsistent with the (and according to what timetable) is your jurisdiction rights conferred [under the Constitution], shall, to the extent of such expected to implement the Network and Information inconsistency, be void”. This basic constitutional right is routinely Systems Directive? Please include details of any instances where the implementing legislation in your flouted in the name of national security. The Anti-Terrorism Act, jurisdiction is anticipated to exceed the requirements 1997, for instance, especially authorises a wide range of officers of the Directive. to enter and search premises without a warrant upon reasonable suspicion that such premises contains written material, recordings, This is not applicable in our jurisdiction. property or other articles in connection with terrorism. Another concern is how state surveillance is supported by the 2.3 Are organisations required under Applicable Laws, Investigation for Fair Trials Act, 2013. This act allows for access or otherwise expected by a regulatory or other to data, emails, telephone calls and any form of computer or mobile authority, to take measures to monitor, detect, prevent phone-based communication, subject to judicial warrant. However, or mitigate Incidents? If so, please describe what a warrant can be requested wherever an official has ‘reasons to measures are required to be taken. believe’ that a citizen is, or is ‘likely to be associated’ with, or even ‘in the process of beginning to plan’ an offence under Pakistani law. The PTA is required to monitor grey traffic over VoIP exchanges This makes the entire process extremely vague and dubious, and for criminal and terrorist activities. This a key example of the very much likely to cause ‘state authorised’ data breaches which are Telecommunications Act and the Electronic Transactions Act imposed upon companies operating in Pakistan. The Prevention of stepping in to prevent the problem of grey traffic, which is Electronic Crimes Act, 2016 is yet another example of the extremely defined as the use of illegal exchanges for making international dangerous state interference into data records of individuals and calls and bypassing the legal routes and exchanges. These illegal companies which can take place. exchanges include: VoIP (Voice-Over Internet Protocol) which uses a computer; GSM (Global System for Mobile) gateways;

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 129 © Published and reproduced with kind permission by Global Legal Group Ltd, London Josh and Mak International Pakistan

(b) No. 2.5 Are organisations required under Applicable Laws, or (c) No. otherwise expected by a regulatory or other authority, to report information related to Incidents or potential (d) No. Incidents to a regulatory or other authority in your (e) No. jurisdiction? If so, please provide details of: (a) the In all the scenarios above except (a), the agencies would use the circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to laws under question 2.4 in order to extract information as soon as which the information is required to be reported; (c) possible, even without using court orders. the nature and scope of information that is required to be reported (e.g. malware signatures, network vulnerabilities and other technical characteristics 2.9 Please provide details of the regulator(s) responsible Pakistan identifying an Incident or cyber attack methodology); for enforcing the requirements identified under and (d) whether any defences or exemptions exist by questions 2.3 to 2.7. which the organisation might prevent publication of that information. These would be the local courts, the FIA, the National Accountability Bureau, the National Response Centre for Cyber Crimes (NR3C) (a) See question 2.4 above. and the local police. (b) This can be the FIA, Ministry of Interior or the Intelligence Services depending on the nature of the Incident 2.10 What are the penalties for not complying with the (c)/(d) This is extremely rare due to the extremely secretive way in requirements identified under questions 2.3 to 2.8? which the intelligence agencies work. However, there have been scandals in the past where intelligence agencies were The penalties are criminal and civil in nature as per question 2.4 publicly rebuked for tapping and intercepting communications above. by judges. In theory, it would be possible to get a stay order against the agency or government organisation requesting data records which are not justified or really required. 2.11 Please cite any specific examples of enforcement However, getting data records from credit and bank institutions may action taken in cases of non-compliance with the prove to be difficult, and the agency may be required to get a court order. above-mentioned requirements.

The government has the power to arrest/seize company operations 2.6 If not a requirement, are organisations permitted by and/or extract information by force as per the laws under question Applicable Laws to voluntarily share information 2.4 above. related to Incidents or potential Incidents with: (a) a regulatory or other authority in your jurisdiction; (b) a regulatory or other authority outside your jurisdiction; or (c) other private sector organisations 3 Specific Sectors or trade associations in or outside your jurisdiction? 3.1 Does market practice with respect to information (a) See questions 2.4 and 2.5 above. security (e.g. measures to prevent, detect, mitigate (b) See question 2.4 above. and respond to Incidents) vary across different (c) This would ideally involve credit check agencies and debt business sectors in your jurisdiction? Please include collection agencies. details of any common deviations from the strict legal requirements under Applicable Laws.

2.7 Are organisations required under Applicable Laws, or This is the only area of business where agencies have been more otherwise expected by a regulatory or other authority, sparing in exercising their powers. Unless the breach is significant, to report information related to Incidents or potential or it involves national security, they will avoid interfering without Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which warrants or court orders. Again, getting warrants is fairly easy this reporting obligation is triggered; and (b) the based on the lax position of the laws. nature and scope of information that is required to be reported. 3.2 Are there any specific legal requirements in relation to cybersecurity applicable to organisations (a) This is generally in case of issues of national security and in: (a) the financial services sector; and (b) the terrorism. telecommunications sector? (b) This would involve full facilitation of the agency in helping apprehend the possible suspects involved. (a) This is done yearly by the State Bank through circulars and guidance for commercial banks, development financial institutions and microfinance banks to continuously improve 2.8 Do the responses to questions 2.5 to 2.7 change if the their cybersecurity controls to enable them to anticipate, information includes: (a) price sensitive information; withstand, detect and respond to such attacks. (b) IP addresses; (c) email addresses (e.g. an email address from which a phishing email originates); (d) (b) The NR3C (FIA) and the Pakistan Telecommunications personally identifiable information of cyber threat Authority do this. actors; and (e) personally identifiable information of individuals who have been inadvertently involved in an Incident?

(a) Yes.

130 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Josh and Mak International Pakistan

[as amended]. The court recognised that electronically generated 4 Corporate Governance evidence, specifically its admissibility and scope, was important due to the increasing levels of cybercrime in Pakistan; that is the reason 4.1 In what circumstances, if any, might a failure by the legislature, in its wisdom, has provided a different criterion about a company (whether listed or private) to prevent, the admissibility of evidence, as in such cases, without any wire, one mitigate, manage or respond to an Incident amount to can have the facility of connections all over world, as the whole a breach of directors’ duties in your jurisdiction? business of the world is going on through the Internet and email. The court recognised that the legislature had amended provisions of This would result in a civil action and there would be a remedy Article 2(e) of Qanun-e-Shahadat, 1984, in terms of Section 29 of available to those affected only. the Electronic Transactions Ordinance, 2002, and various changes

have been made in the definition clause. All documents prepared, Pakistan produced or generated through modern devices were now admissible 4.2 Are companies (whether listed or private) required under Applicable Laws to: (a) designate a CISO; as evidence, especially as proof of data breaches. (b) establish a written Incident response plan or In another case, 2016 PLD 318, Adnan Hafeez vs the State, the policy; (c) conduct periodic cyber risk assessments, court applied Section 497 of the Electronic Transactions Ordinance including for third party vendors; and (d) perform (LI of 2002), Sections 36 and 37 of the Penal Code (XLV of 1860) penetration tests or vulnerability assessments? and Sections 420 and 109, and examined a combined case of cybercrime, cheating and abetment, bail, grant of hacking, recovery This depends on the sensitivity of their data and their personal of electronic equipment and tampering/destroying of evidence. undertakings to the state. The accused was apprehended red-handed from the office of a travel agency where he was working. From the possession of the 4.3 Are companies (whether listed or private) subject accused, three laptop computers, one mobile phone and one portable to any specific disclosure requirements in relation Internet device were taken into custody by the Federal Investigation to cybersecurity risks or Incidents (e.g. to listing Agency. The laptop computers were sent to the Forensic Science authorities, the market or otherwise in their annual Laboratory from where it was proved that multiple SSL IDs reports)? assigned to different travel agents were found in the recovered laptop computers of the accused. The SSL IDs could only be used The exceptions would be terrorism and national security and now, by authorised travel agents, but were illegally being accessed by more recently, money laundering. laptops found in possession of the accused. The prosecution had collected substantial evidence connecting the accused with the 4.4 Are companies (whether public or listed) subject to commission of the offence. Apprehension existed that if bail were any other specific requirements under Applicable granted to the accused, he would tamper with the evidence and even Laws in relation to cybersecurity? destroy it. The accused was a technical expert and mastermind of a gang who had been hacking IDs of various travel agents. The co- There are no requirements, just guidelines. accused would also be able to destroy evidence if the petitioner was allowed to get in contact with his co-accused, and the hectic efforts of the Federal Investigation Agency in tracing the culprits of such 5 Litigation serious scam would suffer a serious setback. All business dealings and transactions were done internationally through the Internet, therefore cybercrime could not be taken lightly. The High Court 5.1 Please provide details of any civil actions that may be brought in relation to any Incident and the elements of observed that the legislature should consider enhancing sentences that action that would need to be met. for such crime; bail was refused in these circumstances.

Breach of trust, breach of privacy and breach of constitutional 6 Insurance rights. It may also lead to injunctions and stay orders to prevent interception by state agencies. 6.1 Are organisations permitted to take out insurance against Incidents in your jurisdiction? 5.2 Please cite any specific examples of cases that have been brought in your jurisdiction in relation to Incidents. This may be something insurance companies may allow; however, given the high risk of data Incidents, the premium is likely to be We are unable to cite any specific examples. high. The official website of the Islamabad High Court was recently hacked and very little was done about it for many days.

5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident? 6.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as business interruption, system failures, cyber extortion The concern for such Incidents has given an uplift to the rules or digital asset restoration? If so, are there any legal governing evidence. For example, in 2009 PLD 254, Alamgir limits placed on what the insurance policy can cover? Khalid Chugtai vs State, the role of electronically generated evidence and its admissability was an issue as per Sections 3, 5 This is still a developing area of law in our jurisdiction. and 29 of Sched.-II Qanun-e-Shahadat (10 of 1984), Article 2(e)

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 131 © Published and reproduced with kind permission by Global Legal Group Ltd, London Josh and Mak International Pakistan

7 Employees 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide 7.1 Are there any specific requirements under Applicable law enforcement authorities with encryption keys? Law regarding: (a) the monitoring of employees for the purposes of preventing, detection, mitigating and responding to Incidents; and (b) the reporting of cyber Yes, each organisation has its own rules regulated by the risks, security flaws, Incidents or potential Incidents governing body; for example, the State Bank, the FIA and the by employees to their employer? Telecommunications Authority.

Pakistan Yes, for both (a) and (b).

7.2 Are there any Applicable Laws (e.g. whistle-blowing Aemen Zulfikar Maluka laws) that may prohibit or limit the reporting of cyber Josh and Mak International risks, security flaws, Incidents or potential Incidents GF-13, Tower A, The Centaurus by an employee? Plot 1 Jinnah Avenue, F-8 Islamabad, 44000 Pakistan This is not applicable in our jurisdiction, although in state Tel: +92 51 844 2922 departments such Incidents are kept confidential until the matter is Mob: +92 304 873 4889 dealt with to avoid unnecessary hype. Email: [email protected] URL: www.joshandmakinternational.com

8 Investigatory and Police Powers Barrister Aemen Zulfikar Maluka (a member of Lincoln’s Inn) has an LL.M. in Oil and Gas from the University of Aberdeen in Scotland, and another LL.M. in Corporate and Media Law from the University of 8.1 Please provide details of any investigatory powers of London. She is a member of the Islamabad Bar Association and an law enforcement or other authorities under Applicable advocate of the High Court, Punjab Bar Council. She has drafted and Laws in your jurisdiction (e.g. antiterrorism laws) that advised several local and international companies and organisations may be relied upon to investigate an Incident. regarding hydrocarbon, mining and energy projects. Her area of expertise is the vetting, editing and drafting of legal and technical energy and mining documents. See the answers to questions 2.4 to 2.7 above.

The firm, which is listed inThe Legal 500, prides itself in the provision of efficient and innovative solutions to its clients’ commercial, legal, regulatory and structural challenges. The firm’s extremely enterprising team gives quick responses to online queries reinforcing its zeal for excellence. The lawyers at Josh & Mak have the ability to provide effective responses to client queries, and this is what distinguishes them from other local consultancy firms. The firm’s approach is not only novel and innovative but also attuned to the demands of the international corporate sector. The associates and partners at Josh and Mak International want clients to rely on them for realistic and incisive advice about their legal matters. The firm’s specialisations include legal advisory in matters such as energy and petroleum, telecommunications, internet and media, intellectual property, dispute resolution and taxation, to name a few.

132 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 21

Philippines Leland R. Villadolid Jr.

Angara Abello Concepcion Regala & Cruz Law Offices Arianne T. Ferrer

Infection of IT systems with malware (including ransomware, 1 Criminal Activity spyware, worms, trojans and viruses) Yes, the infection of IT systems with malware is a criminal offence. 1.1 Would any of the following activities constitute a It may be punished as hacking under the ECA or as an offence criminal offence in your jurisdiction? If so, please against the confidentiality, integrity and availability of computer provide details of the offence, the maximum penalties data and systems under the CPA. available, and any examples of prosecutions in your jurisdiction: Under the ECA, the infection of IT systems with malware is punishable by a maximum fine of an amount commensurate to the Hacking (i.e. unauthorised access) damage incurred and imprisonment for a period between six months and three years. Under the CPA, the same act is punishable by a Yes, hacking is a criminal offence under Republic Act No. 8792 or maximum fine in an amount commensurate to the damage incurred the Electronic Commerce Act (“ECA”). Hacking is defined as (1) and/or imprisonment of prision mayor. If the act is committed the unauthorised access into or interference with computer systems, against critical infrastructure of the Philippines, the penalty is a servers, or other information and communication systems, (2) the maximum fine in an amount commensurate to the damage incurred unauthorised access to corrupt, alter, steal, or destroy electronic data and/or imprisonment for a period between 12 years and one day and using computers or other information and communication systems 20 years (reclusion temporal). without the computer or system owner’s knowledge and consent, or (3) the introduction of computer viruses resulting in the corruption, Criminal cases are pending prosecution before the courts. alteration, theft, or loss of such data. Possession or use of hardware, software or other tools used to Hacking is punished by a maximum fine in an amount commensurate commit cybercrime (e.g. hacking tools) to the damage incurred. A mandatory penalty of imprisonment Yes, the possession of cybercrime tools is a criminal offence. The between six months and three years shall be meted out in either case. possession of a device (including a computer program) that may be Hacking, when it involves illegal access or interception, data used to perpetrate any offence under the CPA, when coupled with the interference, or system interference that affects the confidentiality, intent to use such device unlawfully, is punishable by a maximum integrity, and availability of electronic data or computer systems, is fine of PHP 500,000.00 and/or imprisonment of prision mayor. also punished as a criminal offence under Republic Act No. 10175 Criminal cases are pending prosecution before the courts. or the Cybercrime Prevention Act of 2012 (“CPA”) by a maximum Identity theft or identity fraud (e.g. in connection with access fine in an amount commensurate to the damage incurred. An devices) additional penalty of imprisonment of six years and one day to 12 Identity theft, when defined as the intentional acquisition, use, years (prision mayor) may also be imposed. transfer, possession, alteration, or deletion of identifying information Criminal cases are pending prosecution before the courts. belonging to another natural or juridical person without right, is a Denial-of-service attacks criminal offence under the CPA. Identity theft is punishable by a Yes, a denial-of-service attack (“DOS attack”) is a criminal offence maximum fine in an amount commensurate to the damage incurred under the CPA because it involves system interference that affects and/or imprisonment of prision mayor. the availability of electronic data or computer systems. The unauthorised or fraudulent use of an access device (any card, Criminal cases are pending prosecution before the courts. plate, code, account number, electronic serial number, personal identification number, telecommunications service, equipment or Phishing instrument, or other means of account access that may be used to Yes, phishing is penalised under the CPA as an offence relating to obtain anything of value or to initiate a fund transfer) belonging computer-related forgery, fraud and/or identity theft. An attempt to another natural person is prohibited under Republic Act No. to obtain sensitive information such as usernames, passwords, and 8484 or the Access Devices Regulation Act of 1998 (“ADRA”). It credit card details (and, indirectly, money), often for malicious is punishable by a maximum fine of PHP 10,000.00 or twice the reasons, by masquerading as a trustworthy entity in an electronic value obtained (whichever is greater) and imprisonment for a period communication, (phishing) is punishable by a maximum fine of PHP between six years and 10 years. If the perpetrator was previously 200,000.00 and/or imprisonment of prision mayor. convicted of another offence under the ADRA, he shall be meted Criminal cases are pending prosecution before the courts. out the maximum fine and/or imprisonment for a period between 12

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 133 © Published and reproduced with kind permission by Global Legal Group Ltd, London Angara Abello Concepcion Regala & Cruz Law Offices Philippines

years and 20 years. Notably, “identity theft” or “identity fraud” is Philippines jurisdiction over cybercrimes committed by Filipino not expressly defined under the ADRA. citizens, regardless of the place of commission. Criminal cases are pending prosecution before the courts. Section 6 of the DPA provides for extraterritorial application Electronic theft (e.g. breach of confidence by a current or former over acts committed by Filipino citizens or entities with a link to employee, or criminal copyright infringement) the Philippines, e.g., entities that do business in the Philippines, Criminal copyright infringement is covered by Sections 177, 193, collect or store personal information in the Philippines, or enter 203, 208 and 211 in relation to Section 217 of the Intellectual into contracts in the Philippines, as well as acts committed against Property Code. The penalty for infringement of electronic data or Filipino citizens or residents. through electronic means is one degree higher than imprisonment For other laws defining and punishing offences involving for a period between one year and three years and a fine between cybersecurity that do not expressly provide for extraterritorial

Philippines PHP 50,000.00 and PHP 150,000.00. application, Article 14 of the Civil Code applies (penal laws only Though a case that deals squarely with criminal copyright cover acts or omissions committed within Philippine territory, infringement of electronic data has yet to reach the Supreme Court, subject to customary or conventional international law). criminal copyright infringement was discussed in the context of a news video in ABS-CBN Corporation v. Gozun. In that case, the 1.3 Are there any actions (e.g. notification) that might Supreme Court held that audio-visual work, like a news video, mitigate any penalty or otherwise constitute an is protected from the moment of its creation, regardless of its exception to any of the above-mentioned offences? “mode or form of expression”. Accordingly, the unauthorised reproduction, distribution, or communication of audio-visual work Applicable Laws do not provide actions that mitigate or absolve through electronic means would be punishable as criminal copyright a perpetrator from criminal liability arising from cybersecurity infringement. offences. However, for offences punishable under the Revised One notes that Section 30 of the ECA limits a service provider’s Penal Code (“RPC”) and committed with a cybercrime element, the liability for criminal copyright infringement to instances when the rules on mitigating, justifying, and exempting circumstances found service provider (1) had actual knowledge of the unlawful act, (2) in Articles 11 through to 13 of the RPC apply. received financial benefit from the unlawful act, and (3) did not Notably, notification is itself an obligation under the DPA, such that directly commit or cause another person to commit the unlawful failure to notify the proper authority of an Incident may amount to act. Unlawful acts include any activity that adversely affects or a violation of the DPA. threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data. Offences against the confidentiality, integrity, and availability of 1.4 Are there any other criminal offences (not specific electronic data and computer systems, e.g., illegal access, illegal to cybersecurity) in your jurisdiction that may arise interception, data interference, system interference, misuse of in relation to cybersecurity or the occurrence of an Incident (e.g. terrorism offences)? Please cite any devices, and cyber-squatting, are punishable under the CPA. specific examples of prosecutions of these offences Except for misuse of devices, these offences are punishable by a in a cybersecurity context. maximum fine of the amount commensurate to the damage incurred or imprisonment of prision mayor. For an offence involving misuse All crimes defined and punished under the RPC and special penal of devices, the penalty is a maximum fine of PHP 500,000.00 and/or laws, when committed through information and communication imprisonment of prision mayor. systems and technology, shall be covered by the CPA. The general Further, when these offences are committed by a natural person on effect is that the penalties shall be increased one degree higher than behalf of a juridical person (provided that the natural person was the imposable penalties under the RPC and special penal laws. authorised and acted within the scope of such authority), the juridical Incidents can be considered terrorism when (1) they are performed to person shall be given a maximum fine of PHP 10,000,000.00. accomplish the following: piracy or mutiny, rebellion or insurrection, Any other activity that adversely affects or threatens the coup d’état, murder, kidnapping and serious illegal detention, and security, confidentiality, integrity or availability of any IT other crimes of destruction enumerated in Section 3 of Republic Act system, infrastructure, communications network, device or data No. 9372 or the Human Security Act of 2007 (“HSA”), and (2) they Any activity that adversely affects or threatens security, cause widespread and extraordinary fear and panic among the public confidentiality, integrity or availability of computer data or systems in order to coerce the government to give in to an unlawful demand. is punished under Section 4(a) of the Cybercrime Prevention Act. Failure by an organisation to implement cybersecurity measures 2 Applicable Laws Yes, a juridical person’s failure to take appropriate measures to protect its computer systems, servers, or information and communication systems may be a criminal offence. 2.1 Please cite any Applicable Laws in your jurisdiction Under Republic Act No. 10173 or the Data Privacy Act of 2012 applicable to cybersecurity, including laws applicable (“DPA”), a juridical person, who allowed a crime involving personal to the monitoring, detection, prevention, mitigation data to occur through fault or negligence, shall have its rights as a and management of Incidents. This may include, for example, laws of data protection, intellectual data subject suspended or revoked. The DPA’s implementing rules property, breach of confidence, privacy of electronic and regulations state that failure to implement security measures for communications, information security, and import / the protection of personal data may lead to civil and criminal liability. export controls, among others.

1.2 Do any of the above-mentioned offences have The ECA, ADR, DPA, CPA, Republic Act No. 10844 or the Creation extraterritorial application? of the Department of Information and Communications Technology Act (“DICTA”), Republic Act No. 10627 or the Anti- Act Section 21 of the CPA gives Regional Trial Courts (“RTC”) in the (“ABA”), Republic Act No. 8293 as amended by Republic Act No.

134 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Angara Abello Concepcion Regala & Cruz Law Offices Philippines

10372 or the Intellectual Property Code (“IPC”), and their respective system and identifying the duties and responsibilities of employees implementing rules and regulations. who have access to personal data; (4) ensuring that employees Other laws, orders, rules, and regulations related to cybersecurity are: keep information confidential even after leaving their positions; Supreme Court Administrative Matter No. 01-7-01-SC or the Rules on (5) developing, implementing, and reviewing the procedure for Electronic Evidence; Republic Act No. 10867 or the National Bureau personal data collection, access management, system monitoring, of Investigation Reorganization and Modernization Act; Executive and protocols to be taken after Incidents occur as well as policies Order No. 189 or the Creation of the National Cyber-Security Inter- for the exercise of rights by data subjects, the retention of personal Agency Committee; and the HSA with respect to Sections 3 and 7. data, and the processing of information only for declared, specified, and legitimate purposes; and (6) ensuring that personal information processors take measures in accordance with the DPA. 2.2 Are there any cybersecurity requirements under Suggested physical security measures are: (1) implementing policies Applicable Laws applicable to critical infrastructure Philippines and procedures to monitor and limit access to facilities where in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction electronic data can be used; (2) designing facilities to ensure privacy expected to implement the Network and Information of personal information processors; (3) clearly defining duties, Systems Directive? Please include details of any responsibilities, and schedules of personal information processors instances where the implementing legislation in your such that only those performing their official duties have access to jurisdiction is anticipated to exceed the requirements electronic data at a given time; and (4) implementing policies and of the Directive. procedures to prevent mechanical destruction of files and equipment and to secure against natural disasters, power disturbances, external There is yet no specific law enacted. However, the DICT launched access, and other reasonably expected threats. a national cybersecurity strategy framework that will ensure the Suggested technical security measures are: (1) ensuring ability to protection of critical infrastructure from cyber attacks through restore availability and access to personal data in a timely manner effective coordination with law enforcement agencies. National in the event of an Incident; (2) testing, assessing, and evaluating Cybersecurity Plan 2022, which seeks to safeguard the ICT the effectiveness of security measures regularly; (3) encrypting environment of the country through the establishment of a robust personal data for storage and while in transit; and (4) implementing cybersecurity infrastructure, is intended to ensure the continuous authentication processes and other technical security measures that operation of the country’s critical infrastructure, public and military control and limit access to information. networks, to implement cyber-resiliency measures to enhance the In determining whether a juridical person has taken reasonable ability to respond to threats before, during and after cyber attacks, and appropriate security measures, the NPC shall consider the and to implement a public awareness campaign on cybersecurity nature of the personal data that requires protection, the risks posed measures. by the processing, the size of the organisation and complexity of its operations, current data privacy best practices, and the cost of 2.3 Are organisations required under Applicable Laws, security implementation. or otherwise expected by a regulatory or other authority, to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what 2.4 In relation to any requirements identified in question measures are required to be taken. 2.3 above, might any conflict of laws issues arise? For example, conflicts with laws relating to the unauthorised interception of electronic Under the DPA, a juridical person must take reasonable and appropriate communications or import / export controls of organisational, physical and technical measures to protect personal encryption software and hardware. information from unlawful destruction, alteration, disclosure, access, and other unlawful processing. These measures must include: (1) The Supreme Court has yet to hear and resolve any conflict-of-laws safeguards to protect the juridical person’s computer network against specifically in relation to cybersecurity. The DPA does not cover use of or interference with the network’s functionality or availability; personal information that was collected in a foreign jurisdiction in (2) security policy for processing of personal information; (3) process a manner that complies with Applicable Laws of that jurisdiction. for identifying and accessing reasonably foreseeable vulnerabilities However, security measures must still be undertaken when there is in the network and for taking preventive and corrective action against processing of personal information, regardless of the place of collection. Incidents; (4) regular monitoring of Incidents; (5) the juridical person’s personal information controller must ensure that third parties processing personal information on the juridical person’s 2.5 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, behalf will similarly take reasonable and appropriate measures; to report information related to Incidents or potential and (6) the juridical person’s personal information controller must Incidents to a regulatory or other authority in your promptly notify the National Privacy Commission (“NPC”) and jurisdiction? If so, please provide details of: (a) the affected data subjects when an Incident resulted in a security breach. circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to The DPA’s implementing rules and regulations provide guidelines which the information is required to be reported; (c) on measures to be taken by a juridical person dealing with personal the nature and scope of information that is required information. They highlight the key principles for the protection of to be reported (e.g. malware signatures, network personal data: availability; integrity; and confidentiality. vulnerabilities and other technical characteristics Suggested organisational security measures are: (1) employing identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by compliance officers or protection officers; (2) creating and which the organisation might prevent publication of implementing policies that take into account the nature, scope, that information. context and purposes of the information processing, as well as the risks posed to the rights and freedoms of data subjects; (3) A personal data breach is defined as a “breach of security leading to maintaining records that sufficiently describe the data processing

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 135 © Published and reproduced with kind permission by Global Legal Group Ltd, London Angara Abello Concepcion Regala & Cruz Law Offices Philippines

the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or 2.9 Please provide details of the regulator(s) responsible otherwise processed”. A personal data breach exists when (1) for enforcing the requirements identified under questions 2.3 to 2.7. sensitive personal information that may be used to commit identity fraud is reasonably believed to have been acquired by an unauthorised person, and (2) the personal information controller believes that such The regulator tasked to ensure compliance with the DPA is the acquisition poses a real risk of harm to the affected data subjects. NPC, which is an independent body mandated to administer and implement the DPA and to monitor and ensure the Philippines’ Under the DPA, the personal information controller must inform compliance with international personal data protection standards. the NPC and affected data subjects within 72 hours of the former’s The NPC is attached to the DICT, though it performs its functions knowledge or reasonable belief that a personal data breach has independently.

Philippines occurred. The NPC is a collegial body composed of one commissioner and On one hand, the notification to the affected data subjects should two deputy commissioners. Its functions are: rule-making; advising; contain the nature of the breach, the personal data possibly involved, educating; compliance and monitoring; adjudicating complaints and and the measures taken by the entity to address the breach. It investigations; and enforcing the DPA. Further, the NPC may issue should also contain measures taken to reduce the harm or negative official directives and administrative issuances, orders, and circulars consequences of the breach, the contact details of representatives of that deal with procedural rules, schedules of administrative fines and the personal information controller so that data subjects can obtain penalties, and procedures for registration of data processing systems additional information about the breach, and the assistance to be and notification. provided. On the other hand, the notification to the NPC should include the nature of the breach and the measures taken to remedy the breach but exclude any description of the personal privileged 2.10 What are the penalties for not complying with the information. requirements identified under questions 2.3 to 2.8?

The DPA does not expressly penalise the failure to adopt the 2.6 If not a requirement, are organisations permitted by suggested reasonable and appropriate measures or to submit the Applicable Laws to voluntarily share information related to Incidents or potential Incidents with: (a) required notification, except with respect to persons found to have a regulatory or other authority in your jurisdiction; intentionally concealed the existence of a personal data breach (b) a regulatory or other authority outside your despite knowing of the breach and the obligation to notify the NPC. jurisdiction; or (c) other private sector organisations In such case, concealment shall be punishable by imprisonment for or trade associations in or outside your jurisdiction? a period between one year and six months and five years as well as a fine of not less than PHP 500,000.00 but not more than PHP A juridical person processing personal information is not absolutely 1,000,000.00. prohibited from sharing non-personal information related to Additionally, persons who allowed unauthorised access to personal Incidents by the DPA. On the other hand, personal information may data shall be punished by imprisonment ranging from one year to be shared but with the consent of the affected data subject. three years and a fine of not less than PHP 500,000.00 but not more than PHP 2,000,000.00. Persons who allowed unauthorised access 2.7 Are organisations required under Applicable Laws, or to sensitive personal information shall be punished by imprisonment otherwise expected by a regulatory or other authority, ranging from three years to six years and a fine of not less than PHP to report information related to Incidents or potential 500,000.00 but not more than PHP 4,000,000.00. Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the 2.11 Please cite any specific examples of enforcement nature and scope of information that is required to be action taken in cases of non-compliance with the reported. above-mentioned requirements.

A juridical person processing personal information is required to In December 2016, the NPC found that the Commission on notify the affected data subjects in case of a personal data breach, in Elections (“COMELEC”) violated the DPA for a data breach of the same manner as discussed in question 2.5. The notification to sensitive personal information in March 2015. The NPC ordered the affected data subjects shall also contain instructions on how they the COMELEC: to appoint a Data Protection Officer (“DPO”) may acquire more information on the breach. within one month of receipt of the NPC’s order; to create a privacy management program and a breach management procedure within three months; and to implement reasonable and appropriate security 2.8 Do the responses to questions 2.5 to 2.7 change if the measures within six months. It also ordered the Department of information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email Justice (“DOJ”) to investigate ’ use of a National Bureau address from which a phishing email originates); (d) of Investigation (“NBI”) IP address and to criminally prosecute the personally identifiable information of cyber threat public officer responsible for the data breach. actors; and (e) personally identifiable information of As in the COMELEC case, the NPC may compel government individuals who have been inadvertently involved in an Incident? entities, agencies, and instrumentalities to take specific actions to comply with the DPA. More generally, pursuant to its investigation of a complaint, adjudication of a dispute, or preparation of a No, once there has been a personal data breach, a juridical person, report, the NPC may also issue cease-and-desist orders and impose through its personal information controller, must notify the affected a temporary or permanent ban on the processing of personal data subjects. The personal privileged information itself shall not be information. disclosed to any party, including the NPC, without the consent of the affected data subjects.

136 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Angara Abello Concepcion Regala & Cruz Law Offices Philippines

possible by the lack of supervision or control by a natural person with 3 Specific Sectors a leading position who acts individually or on behalf of a juridical person and said natural person has a power of representation or is 3.1 Does market practice with respect to information otherwise authorised to make decisions and act on behalf of the security (e.g. measures to prevent, detect, mitigate juridical person, the juridical person shall be fined an amount of and respond to Incidents) vary across different double the imposable fines under Section 7 or PHP 5,000,000.00 business sectors in your jurisdiction? Please include (whichever is higher). details of any common deviations from the strict legal requirements under Applicable Laws. Under the DPA, if a juridical person has committed a punishable offence, the responsible officers who participated in or allowed, Applicable Laws on cybersecurity generally do not differ across through gross negligence, the offence to be committed may be different industries. However, under the DPA, the requirement to prosecuted. Philippines register processing operations and to notify the NPC of any changes to the automation of such processing operations only applies to a 4.2 Are companies (whether listed or private) required juridical person with 250 or more employees or with more than a de under Applicable Laws to: (a) designate a CISO; minimis amount of data subjects with sensitive personal information (b) establish a written Incident response plan or (at least 1,000 data subjects). policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform Meanwhile, under the ADRA, companies engaged in the business penetration tests or vulnerability assessments? of issuing access devices (usually banks, financing companies, and other financial institutions) are required to report any fraudulent Under the DPA, a Data Privacy Officer (“DPO”) must be registered acts involving access devices that were committed in the previous with the NPC if a company has more than 250 employees or the calendar year to the Credit Card Association of the Philippines. processing of personal information is: (1) likely to pose a risk to data subjects’ rights and freedoms; (2) not occasional; or (3) involves 3.2 Are there any specific legal requirements in relation sensitive personal information of at least 1,000 individuals. The to cybersecurity applicable to organisations application for registration shall include the name and address of the in: (a) the financial services sector; and (b) the personal information controller or processor, the general description telecommunications sector? of privacy and security measures for data protection, copies of all policies relating to data governance, data privacy, and information The Bangko Sentral ng Pilipinas (“BSP”) is the primary regulator of the security. financial services sector. The BSP issued BSP Circular No. 808 series Thus, the DPA does not specifically require the designation of a of 2013 which provides guidelines on Information Technology Risk Chief Information Security Officer (“CISO”), only the designation Management for all banks and BSP-supervised financial institutions of a DPO. However, with respect to (b), (c) and (d), while not (“BFSP”). The BSP is currently in the process of drafting a circular specifically stated in the DPA, they may be deemed reasonable that would introduce amendments to Circular 808: incorporating the requirements to implement the objectives of the DPA. latest standards on information security; and presenting a more holistic information technology security management system integrated with the information security programs and risk management systems of 4.3 Are companies (whether listed or private) subject banks. Other pertinent issuances of the BSP are: Circular No. 859 series to any specific disclosure requirements in relation of 2014, which requires banks and BFSPs to migrate from magnetic to cybersecurity risks or Incidents (e.g. to listing stripe technology to chip-enabled technology based on EMV; Circular authorities, the market or otherwise in their annual reports)? No. 863 series of 2016, which are guidelines on the implementation of EMV Card Fraud Liability Shift Framework (banks and BFSPs that have not yet shifted to EMV technology shall be allowed subject to the Under the DPA, the NPC requires the annual submission of a condition that it will be held responsible for losses associated with the summary of documented security Incidents and personal data use of counterfeit cards in a card-present environment); and Circular breaches. No. 958 series of 2017, which are guidelines for banks and BFSPs in implementing multi-factor authentication as a replacement for single- 4.4 Are companies (whether public or listed) subject to factor authentication in their systems. any other specific requirements under Applicable The DICT and the National Telecommunications Commission Laws in relation to cybersecurity? (“NTC”), which regulates the telecommunications sector, have yet to issue specific legal requirements relating to cybersecurity. Yes. When ordered by a court to preserve or examine computer However, the DICT recently launched a national cybersecurity data, service providers (public or private entities that provide a strategy framework that will ensure the protection of critical service that allows users to communicate by means of a computer infrastructure from cyber attacks through effective coordination system, or any other entity that processes or stores computer data on with law enforcement agencies (National Cybersecurity Plan 2022). behalf of users) are required to: (1) preserve the integrity of traffic data and subscriber information for a minimum period of six months from the date of the transaction; (2) preserve the integrity of content 4 Corporate Governance data for six months from the date of receipt of the order from law enforcement or competent authorities requiring its preservation; (3) preserve the integrity of computer data for an extended period of six 4.1 In what circumstances, if any, might a failure by months from the date of receipt of the order from law enforcement a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to or competent authorities requiring extension on its preservation; (4) a breach of directors’ duties in your jurisdiction? preserve the integrity of computer data until the final termination of the case and/or as ordered by the court, as the case may be; (5) ensure Under the CPA, if the commission of a punishable offence was made the confidentiality of the preservation orders and its compliance; (6)

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 137 © Published and reproduced with kind permission by Global Legal Group Ltd, London Angara Abello Concepcion Regala & Cruz Law Offices Philippines

collect or record by technical or electronic means and/or cooperate and assist law enforcement or competent authorities in the collection 6 Insurance or recording of computer data covered by the court warrant; (7) disclose or submit users’ information, traffic or relevant data to law 6.1 Are organisations permitted to take out insurance enforcement or competent authorities within 72 hours from receipt against Incidents in your jurisdiction? of the court warrant; and (8) immediately and completely destroy the computer data that is subject of a preservation order after the Yes, with prior approval, the Insurance Commission (“IC”) allows expiration of the period provided under the CPA. cyber-insurance products in the Philippines. Cyber-insurance may offer protection against losses due to: improper denial or approval of access to data; breach of computer software, system or security; 5 Litigation or theft of computer hardware, among others. Cyber-insurance may Philippines also include protection against extortion and loss as a result of an Incident and payment for an investigation to determine the source 5.1 Please provide details of any civil actions that may be brought in relation to any Incident and the elements of thereof. Thus, cyber-insurance may address loss resulting from that action that would need to be met. cyber attacks, e.g., “Wannacry” ransomware.

Civil actions involving Incidents may be brought before the proper 6.2 Are there any regulatory limitations to insurance court in two cases: (1) an action to demand the civil liability arising coverage against specific types of loss, such as from a criminal offence under Article 30 of the Civil Code; and (2) business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal an action to demand indemnification for damage to human relations limits placed on what the insurance policy can cover? under Articles 19 through to 21, 26 and 32 of the Civil Code. Articles 19 through to 21 of the Civil Code are catch-all provisions to Generally, there are no regulatory limitations to insurance hold a person civilly liable for his injurious act or omission. Article coverage against the types of losses mentioned above. However, 19 requires a person to act with justice, give everyone his due, and exceptionally, the insured cannot recover amounts paid arising from observe honesty and good faith. If a person wilfully or negligently damages, fines or penalties that are exemplary in nature. Likewise, causes damage to another person contrary to Article 19, he must there is no recovery for amounts paid arising from the insured’s indemnify the latter pursuant to Article 20. Similarly, a person who wilful and/or intentional violation of the DPA. causes damage to another person contrary to morals, good customs, or public policy shall compensate the latter under Article 21. Article 26 of the Civil Code requires a person to respect the dignity, 7 Employees personality, privacy and peace of mind of another person. Violating another person’s privacy in relation to his residence under this 7.1 Are there any specific requirements under Applicable provision and to his communication and correspondence under Law regarding: (a) the monitoring of employees for Article 32 of the Civil Code allows the offended party to recover the purposes of preventing, detection, mitigating and damages. responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents by employees to their employer? 5.2 Please cite any specific examples of cases that have been brought in your jurisdiction in relation to Under the DPA, covered juridical persons must have systems Incidents. and processes in place to make their employees aware of their responsibilities (ensuring integrity, availability and confidentiality The Supreme Court has yet to resolve a case involving civil and of data) and the organisational requirements that must be met to criminal actions arising from Incidents. It did, however, rule on the comply with the DPA. CPA’s constitutionality in Disini v. Secretary of Justice. Before the lower courts, most cases with a cybersecurity element are criminal 7.2 Are there any Applicable Laws (e.g. whistle-blowing actions for computer hacking, child pornography, cybersex, ATM laws) that may prohibit or limit the reporting of cyber fraud and libel. risks, security flaws, Incidents or potential Incidents In 2016, the NPC issued a decision in NPC Case No. 16-001, by an employee? which ruled that the COMELEC violated the DPA after the group Anonymous hacked the Philippines’ voter registration database. Yes, Applicable Laws did not amend or repeal the Secrecy of The hack involved at least 75,302,683 voter records and 1,267 Bank Deposits Act (Republic Act No. 1405), the Foreign Currency COMELEC employee records. The NPC found that the COMELEC Deposits Act (Republic Act No. 6426), the Credit Information System Chairman wilfully and intentionally disregarded his duties as a Act (Republic Act No. 9510), and the Anti-Money Laundering Act personal information controller and recommended his prosecution (Republic Act No. 9610). Thus, these acts may prevent the reporting under the CPA. of Incidents to the proper authorities.

5.3 Is there any potential liability in tort or equivalent 8 Investigatory and Police Powers legal theory in relation to an Incident?

8.1 Please provide details of any investigatory powers of Yes. Incidents may lead to liability based on quasi-delict. Under law enforcement or other authorities under Applicable Article 2176 of the Civil Code, a person whose act or omission Laws in your jurisdiction (e.g. antiterrorism laws) that injures another person, whether through fault or negligence, is liable may be relied upon to investigate an Incident. to pay damages to the latter. Under Section 7 of the HSA, law enforcement authorities may listen

138 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Angara Abello Concepcion Regala & Cruz Law Offices Philippines

to, intercept and record, with the use of any mode, form, kind or therein: (1) secure a computer system or a computer data storage type of electronic or other surveillance equipment or intercepting medium; (2) make and retain a copy of computer data secured; and tracking devices, or with the use of any other suitable ways and (3) maintain the integrity of the relevant stored computer data; means for that purpose, any communication, message, conversation, (4) conduct forensic analysis or examination of the computer data discussion, or spoken or written words between members of a storage medium; and (5) render inaccessible or remove computer judicially declared and outlawed terrorist organisation, association, data in the accessed computer or network. Further, they may order or group of persons or of any person charged with or suspected of the any person, who has knowledge of the computer system, server, or crime of terrorism or conspiracy to commit terrorism, upon written information and communication system and the measures to protect order of the Court of Appeals. However, Section 7 is limited by and preserve the electronic data therein, to assist in the search and Section 44 of the DPA, which requires law enforcement authorities seizure. to comply with the principles of transparency, proportionality, and

When computer data is found to prima facie violate the CPA, the Philippines legitimate purpose. DOJ may issue an order to restrict or block access to the data. Under the CPA, the NBI and the Philippine National Police (“PNP”) Cybercrime Unit are responsible for enforcement. They 8.2 Are there any requirements under Applicable Laws are authorised to collect traffic data in real time, with due cause as for organisations to implement backdoors in their IT evidenced by a court warrant. They may also issue an order requiring systems for law enforcement authorities or to provide any person or service provider to disclose relevant information or law enforcement authorities with encryption keys? data in his possession and control within 72 hours from receipt, also after securing a court warrant. No, juridical persons are not required to leave backdoors in their The NBI and the PNP may perform the following, upon securing information and communication systems or to give law enforcement a search and seizure warrant and within the time period provided officers encryption keys.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 139 © Published and reproduced with kind permission by Global Legal Group Ltd, London Angara Abello Concepcion Regala & Cruz Law Offices Philippines

Leland R. Villadolid Jr. Arianne T. Ferrer Angara Abello Concepcion Regala & Cruz Angara Abello Concepcion Regala & Cruz Law Offices Law Offices ACCRALAW Tower ACCRALAW Tower Second Avenue Corner 30th Street Second Avenue Corner 30th Street Crescent Park West, Bonifacio Global City Crescent Park West, Bonifacio Global City 1635 Taguig, NCR 1635 Taguig, NCR Philippines Philippines

Tel: +632 830 8131 Tel: +632 830 8329 Email: [email protected] Email: [email protected] URL: www.accralaw.com URL: www.accralaw.com

Philippines Mr. Villadolid is a Senior Partner of the LDRD. He obtained his Ms. Ferrer is an Associate of the LDRD. She obtained a Juris Doctor Bachelor of Laws from the Ateneo de Manila University. He also holds degree from the University of the Philippines College of Law in 2015 a Bachelor of Arts in Philosophy from the University of the Philippines. and a Bachelor of Science degree in Business Economics from the His postgraduate education includes a Masters of Laws from the University of the Philippines where she graduated cum laude in 2010. George Washington University and training at the Environmental Law While at law school, Ms. Ferrer served as an editor of the Philippine Institute in Washington, D.C. Law Journal and represented the Philippines in the Philip C. Jessup International Law Moot Court Competition. Mr. Villadolid is a consultant of the following: Information Security Officers Group (ISOG); Bankers Association of the Philippines (BAP) Ms. Ferrer was admitted to the Philippine Bar in 2016. Since then, she Cyber Security Task Force; and the Philippine National Police (PNP) has handled litigation, alternative dispute resolution, and arbitration Anti-Cybercrime Group Advisory Council. He is also a member of the cases involving civil and commercial disputes. Ms. Ferrer has acted Philippine Dispute Resolution Center, Inc. (PDRCI) and Forum for as an administrative secretary in arbitration proceedings before the International Irregular Network Access (FIINA). Finally, Mr. Villadolid International Commercial Court and the Philippine Construction serves as a Commissioner in the Commission on Bar Discipline of the Industry Arbitration Commission. Integrated Bar of the Philippines (IBP). Mr. Villadolid handles cases involving litigation and/or arbitration on information communication and technology, cybercrimes, public utilities, antitrust and trade regulation and white-collar crimes.

ANGARA ABELLO CONCEPCION REGALA & CRUZ (“ACCRALAW”) is a multi-disciplinary team of legal professionals with in-depth knowledge in specialised fields of law. Seven practice departments in three regions offer timely, creative, and strategic legal solutions matched with cost-efficient administration and expert handling of client requirements. ACCRALAW is the undisputed leader in Philippine litigation and alternative dispute resolution (“ADR”). With a deep bench of litigators and ADR practitioners and a consistent, outstanding track record covering more than 40 years, ACCRALAW has extensive expertise in handling large- scale and complex disputes. Its trial experience before courts, tribunals, administrative agencies, and ADR fora is unmatched. ACCRALAW has contributed to Philippine jurisprudence by successfully representing clients in landmark legal controversies. ACCRALAW’s pre-eminence in litigation and ADR is due to the structured, hands-on training of its junior lawyers, who are among the top graduates in the Philippines, and the wide areas of expertise and the varied experience of its senior lawyers. Most ACCRALAW lawyers have completed postgraduate studies abroad, while others are faculty members of the best law schools. ACCRALAW lawyers have been commissioned by the Supreme Court to revise the Rules of Court and draft other rules in connection with the practice of law.

140 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 22

Poland Krystyna Szczepanowska-Kozłowska

Allen & Overy A. Pędzich sp.k. Justyna Ostrowska

Possession or use of hardware, software or other tools used to 1 Criminal Activity commit cybercrime (e.g. hacking tools) Creating, obtaining, transferring or allowing access to instruments 1.1 Would any of the following activities constitute a used to commit cybercrimes, which are listed in the CC and include criminal offence in your jurisdiction? If so, please hardware, software, computer passwords, access codes and any data provide details of the offence, the maximum penalties enabling access to information in a computer system, is punishable available, and any examples of prosecutions in your by imprisonment of up to three years. In such cases, the court orders jurisdiction: the forfeiture of the items and is authorised to do so even if they do not belong to the offender. Crimes against the protection of information are regulated by the Polish Criminal Code 1997 (the CC). Most cybercrimes, except Identity theft or identity fraud (e.g. in connection with access for computer sabotage and misuse of devices, which are prosecuted devices) pursuant to public accusation, are prosecuted only on a motion Yes, identity theft is penalised under Polish law. It is prohibited of the aggrieved party. On the motion being filed with the public to pretend to be another person, especially by using her/his image prosecutor’s office, proceedings are conductedex officio. or any other personal information in order to cause property or Hacking (i.e. unauthorised access) personal damage. Such behaviour is punishable by imprisonment of up to three years. Additionally, stealing, using or taking a document Anyone who, without being authorised, acquires information not without authorisation, which confirms the identity or the property intended for him/her by, among others, breaching electronic or rights of another person, is punishable with a fine, the restriction of internet security, may be punished with a fine, restriction of liberty liberty or imprisonment of up to two years. or imprisonment of up to two years. The same penalty may be imposed for unauthorised access to any part of a computer system, Electronic theft (e.g. breach of confidence by a current or former installation or use of any special equipment to acquire information employee, or criminal copyright infringement) or disclose information obtained in such way to another person. The The provisions of the Act of 4 February 1994 on Copyright law does not define the term “unauthorised access”. For this reason, and Related Rights are the legal basis for criminal copyright it is interpreted broadly as taking control over an IT system by any infringement, including offences committed on the internet. method that gives the possibility to view, copy, block, delete or use Unauthorised dissemination of someone else’s work is punishable information stored in that system. Accessing part of an IT system with a fine, restriction of liberty or deprivation of liberty of up to two suffices to constitute the offence. years. In addition, if an offence is committed for material benefits, it If after having obtained access to a system, the offender hinders may carry a sentence of imprisonment of up to three years. or prevents the automatic collection or transmission of data, or A breach of confidence by an employee may result both in civil and changes, deletes or destroys information contained in it, he/she may criminal liability. Any person, who, in violation of the law or an be punished by imprisonment of up to three years. obligation, accepts, discloses or uses information concerning the Denial-of-service attacks work performed, or public, social, economic or scientific activity pursued, is liable to a fine, the restriction of liberty or imprisonment Making a denial-of-service attack which causes significant for up to two years. disruption to a computer system or telecommunications network is considered a crime and punishable by imprisonment of three months If a violation concerns information constituting a business secret, to five years. it may also be deemed an act of unfair competition and as such be punishable with a fine, restriction of liberty or deprivation of liberty Phishing of up to two years. Due to the various forms which phishing may take, it can be In addition, confidentially disclosing or using information classified as fraud, computer fraud or as identity theft. constituting a banking secret may result in a fine of up to PLN 1 Infection of IT systems with malware (including ransomware, million and a penalty of up to three years of deprivation of liberty. spyware, worms, trojans and viruses) If an infringement concerns telecommunications secrecy, an Infecting IT systems with malware may significantly disrupt a administrative fine of up to 3% of the company’s revenue from computer system, which is punishable by imprisonment from three the last calendar year and/or a fine of up to 300% of the monthly months up to five years. remuneration of the person(s) managing the telecommunications

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 141 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy A. Pędzich sp.k. Poland

undertaking can be imposed by the President of the Office of Additionally, in exceptional situations, such as actions taken in Electronic Communication. necessary self-defence or to avoid immediate danger threatening Any other activity that adversely affects or threatens the any legally protected interest, which is of more value than the security, confidentiality, integrity or availability of any IT interest sacrificed, criminal acts may not be punishable or even system, infrastructure, communications network, device or data be considered as an offence, unless there could be other adequate measures taken. Polish criminal law also penalises damage to databases and computer sabotage regarding computer storage media of particular significance to national defence. 1.4 Are there any other criminal offences (not specific to cybersecurity) in your jurisdiction that may arise Any person who without authorisation destroys, damages, deletes,

Poland in relation to cybersecurity or the occurrence of an alters or hinders access to data, or who hinders or prevents the Incident (e.g. terrorism offences)? Please cite any automatic collection and transmission of such data, is liable to specific examples of prosecutions of these offences imprisonment for up to three years. A significant loss of property in a cybersecurity context. caused as a result of such actions triggers imprisonment for between three months and five years. Collecting or transmitting data and hindering, preventing or otherwise A person who destroys, deletes or changes a record on computer affecting automatic processing which causes danger to the life or storage media that is of particular significance for national defence, health of many people or property of significant value may qualify as transport safety, the operation of the government or any other state a crime related to cybersecurity. When the said crime is committed authority or local government, or that interferes with or prevents the intentionally, it is punishable by imprisonment for between six automatic collection and transmission of such information, is liable months and eight years. In the case of unintentional conduct, the to imprisonment for between six months and eight years. offender is liable to imprisonment of up to three years. If the crime Failure by an organisation to implement cybersecurity measures results in the death of a person or grievous bodily harm made to many people, sanctions may reach up to 12 years’ imprisonment. Any organisation processing personal data is obliged to ensure the protection of such data by implementing and employing appropriate In the context of the prevention of terrorist attacks, under Polish technical and organisational measures, in particular proper law it is also prohibited to distribute or publicly present content cybersecurity measures for data processed in IT systems. A person, that could facilitate the commission of a terrorist offence with when administering data, who violates, even if unintentionally, the the intention that such an offence be committed. It is commonly duty to keep the data safe from removal by an unauthorised person, believed that electronic channels are most likely to be used for that damage, or destruction, is liable to a fine, penalty of restriction of purpose. The above crime is punishable by imprisonment from liberty or deprivation of liberty of up to one year. three months to five years.

1.2 Do any of the above-mentioned offences have 2 Applicable Laws extraterritorial application?

2.1 Please cite any Applicable Laws in your jurisdiction Yes, the above-mentioned offences have extraterritorial application, applicable to cybersecurity, including laws applicable because Polish criminal law also applies to Polish citizens who to the monitoring, detection, prevention, mitigation have committed an offence abroad. In addition, Polish criminal and management of Incidents. This may include, law applies to foreigners who commit a prohibited act abroad that for example, laws of data protection, intellectual is against the interests of Poland, a Polish citizen, a Polish legal property, breach of confidence, privacy of electronic entity or a Polish organisational unit without the status of a legal communications, information security, and import / entity. However, it should be noted that an act committed abroad export controls, among others. is considered an offence only if it is qualified as such by the law in force where it was committed. ■ Personal Data Protection Law of 29 August 1997 (consolidated text: Journal of Laws of 2016, item 922). If an offence is against the internal or external security of the ■ Law on Copyright and Related Rights of 4 February 1994 Republic of Poland, Polish criminal law applies to a Polish national (consolidated text: Journal of Laws of 2017, item 880). or a foreigner who commits the offence, regardless of the provisions ■ Act of 18 July 2002 on Provision of Services by Electronic in force in the place where it is committed. Means (consolidated text: Journal of Laws of 2017, item 1219). 1.3 Are there any actions (e.g. notification) that might ■ Telecommunication Law of 16 July 2004 (consolidated text: mitigate any penalty or otherwise constitute an Journal of Laws of 2016, item 1489). exception to any of the above-mentioned offences? ■ Act of 5 August 2010 on Protection of Classified Information (consolidated text: Journal of Laws of 2016, item 1167). Hacking any part of a computer system or the whole computer ■ Law of 29 November 2000 on foreign trade in goods, system and creating, obtaining, transferring or allowing access to technologies and services of strategic significance for state tools intended to be used to commit cybercrime is not penalised security, and the maintenance of international peace and if it is undertaken for the sole purpose of securing the IT system, security (consolidated text: Journal of Laws of 2017, item telecommunications system or IT network, or to develop new 1050). methods of protection. However, this exception cannot be applied ■ The Police Act of 6 April 1990 (consolidated text: Journal of if the said activity infringed public or private interest or caused other Laws of 2016, item 1782). damage. In addition, it is also a requirement to notify the computer system administrator about the detected threats.

142 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy A. Pędzich sp.k. Poland

2.2 Are there any cybersecurity requirements under 2.5 Are organisations required under Applicable Laws, or Applicable Laws applicable to critical infrastructure otherwise expected by a regulatory or other authority, in your jurisdiction? For EU countries only, how to report information related to Incidents or potential (and according to what timetable) is your jurisdiction Incidents to a regulatory or other authority in your expected to implement the Network and Information jurisdiction? If so, please provide details of: (a) the Systems Directive? Please include details of any circumstance in which this reporting obligation is instances where the implementing legislation in your triggered; (b) the regulatory or other authority to jurisdiction is anticipated to exceed the requirements which the information is required to be reported; (c) of the Directive. the nature and scope of information that is required to be reported (e.g. malware signatures, network Critical infrastructure in Poland is understood as both physical and vulnerabilities and other technical characteristics Poland identifying an Incident or cyber attack methodology); cybernetic systems (including objects, facilities or installations) and (d) whether any defences or exemptions exist by necessary for the minimal operation of the economy and the state. which the organisation might prevent publication of According to the Crisis Management Act of 26 April 2007, the that information. owner and independent or dependent holder of sites, installations, equipment and services of the critical infrastructure are obliged In general, except for telecommunication undertakings, public and to protect them, in particular by preparing and implementing governmental bodies and operators of critical infrastructure (see critical infrastructure protection plans, and maintaining their own question 2.2 above and question 3.2 below), Polish law does not backup systems to ensure the security and sustainability of their oblige organisations to report information related to Incidents or infrastructure, until their full recovery. The above operators of potential Incidents to regulators, even if personal data is processed. critical infrastructure are also obliged to designate the person Only data protection officers appointed by the data controller are responsible for maintaining contact with the relevant entities in the currently required to notify the data controller of a data breach field of critical infrastructure protection within 30 days of receipt of immediately after they learn of such an Incident. the information that the sites, installations, equipment and services owned by them or rendered by them are entered into the list of critical infrastructure kept by the Director of the Government Centre 2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information for Security. In May 2017, the Ministry of Digitalisation adopted the related to Incidents or potential Incidents with: (a) Polish National Cybersecurity Policy 2017–2022. One of the main a regulatory or other authority in your jurisdiction; objectives of this strategy is to define and give new competences (b) a regulatory or other authority outside your and capabilities to the operators of critical infrastructure. jurisdiction; or (c) other private sector organisations The implementation of the Network and Information Systems or trade associations in or outside your jurisdiction? Directive into the Polish legislative system will take place through adoption of a new law: the Act on Cyber Security System. The draft Yes, Incidents may be reported to CERT Polska, the organisation law is being prepared by the Ministry of Digitalisation; however, which is part of the Research and Academic Computer Network at the moment both the wording of the future law and the exact (NASK) and the first Polish computer emergency response team, implementation date remain unknown. one of whose main responsibilities is the registration and handling of network security Incidents. If the Incident is related to a crime or offence, it can be reported to the Police or to the Agency of Internal 2.3 Are organisations required under Applicable Laws, Security as well. Incidents related to the security of networks can or otherwise expected by a regulatory or other also be reported to telecommunication operators. authority, to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what measures are required to be taken. 2.7 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, In general, except for telecommunication undertakings and operators to report information related to Incidents or potential of critical infrastructure (see question 2.2 above and question Incidents to any affected individuals? If so, please 3.2 below), Polish law does not oblige organisations to monitor, provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the detect, prevent or mitigate Incidents. Organisations processing nature and scope of information that is required to be personal data are obliged to employ appropriate physical and reported. logical measures, ensuring that data is secured against unauthorised interference. It is necessary to control any access to data (via No, currently there is no such obligation, except for the authentication mechanisms), monitor the occurrence of Incidents telecommunication undertakings. and maintain proper documentation, describing the manner of data processing and introducing safeguards. 2.8 Do the responses to questions 2.5 to 2.7 change if the information includes: (a) price sensitive information; 2.4 In relation to any requirements identified in question (b) IP addresses; (c) email addresses (e.g. an email 2.3 above, might any conflict of laws issues address from which a phishing email originates); (d) arise? For example, conflicts with laws relating personally identifiable information of cyber threat to the unauthorised interception of electronic actors; and (e) personally identifiable information of communications or import / export controls of individuals who have been inadvertently involved in encryption software and hardware. an Incident?

Please refer to question 3.2. Yes, such information may constitute personal data or a trade secret, so it would be necessary to identify legal grounds for such disclosure.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 143 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy A. Pędzich sp.k. Poland

b) The Telecommunication Law imposes a number of obligations 2.9 Please provide details of the regulator(s) responsible on the providers of publicly available telecommunications for enforcing the requirements identified under services to ensure the security and integrity of the networks. questions 2.3 to 2.7. They are required to implement proper measures that guarantee a level of security appropriate to the risk presented. The Inspector General for the Protection of Personal Data. In the event of an Incident, telecommunications entrepreneurs have to stop the transfer of any message and limit provision Office address: Stawki 2, 00-192 Warsaw. of any communications service that endangers network safety Website: www.giodo.gov.pl. and immediately report (not later than within 24 hours) the Incident to the President of the Office of Electronic Communications. Poland 2.10 What are the penalties for not complying with the requirements identified under questions 2.3 to 2.8? The provider is also obliged to notify the Inspector General for the Protection of Personal Data of each Incident concerning personal data within three days of the Incident. The Data Protection Act provides for criminal liability for a If the Incident may have a negative impact on the user’s violation of the duty to keep personal data safe from removal by an rights, the telecom operator is required to inform concerned unauthorised person, damage, or destruction. The offender is liable persons of the leakage within the above time. This obligation to a fine, a penalty of restriction of liberty or deprivation of liberty ceases to exist if the data is technically protected as required of up to one year. by law. The telecom operator has to maintain an inventory Furthermore, the Polish Data Protection Authority can request the of security Incidents comprising the facts surrounding the security breach, its effects and the remedial actions. data controller to remedy the infringement. A failure to comply with this order may result in a fine of up to PLN 200,000. 4 Corporate Governance 2.11 Please cite any specific examples of enforcement action taken in cases of non-compliance with the above-mentioned requirements. 4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to The Decision of the General Inspector for Personal Data Protection a breach of directors’ duties in your jurisdiction? of 25 July 2014, case no. DIS/DEC 707/57900/14 (failure to keep a register of security incidents related to personal data by the telecom An Incident may give rise to director’s liability for breach of their operator). duties if any damage is caused to the company as a consequence of the Incident, and at the same time, such Incident results from negligent, unlawful actions or actions contradictory to the articles 3 Specific Sectors of association of the director. However, a director may discharge himself/herself of liability by proving that that he/she was not at 3.1 Does market practice with respect to information fault or he/she fulfilled his/her duties with a degree of diligence security (e.g. measures to prevent, detect, mitigate proper for the professional nature of his/her actions. and respond to Incidents) vary across different business sectors in your jurisdiction? Please include 4.2 Are companies (whether listed or private) required details of any common deviations from the strict legal under Applicable Laws to: (a) designate a CISO; requirements under Applicable Laws. (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, Market practice in the banking, finance and telecommunications including for third party vendors; and (d) perform sectors provides stricter requirements regarding information penetration tests or vulnerability assessments? security, mainly due to the guidelines and recommendations imposed by the regulators. No, currently there is no general obligation to designate a CISO. However, this is the market standard for companies operating in different sectors and with access to commercially sensitive 3.2 Are there any specific legal requirements in relation information. to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the Companies processing personal data are permitted to designate an telecommunications sector? information security officer, but they are not obliged to do so. The data controllers have the obligation to develop and implement the security a) There are no specific legal requirements imposed on policy and the instruction specifying the method of managing the organisations operating in the financial services sector. computer system used for personal data processing, with particular However, Recommendation D on the management of consideration of the information security requirements. information technology and ICT environment security at It is also good market practice to conduct periodic cyber risk banks, which is a soft law guidance issued by the Polish assessments as well as penetration or vulnerability tests. Financial Supervision Authority, indicates that banks should examine the benefits of international standards (or their Polish equivalents) in the field of information security 4.3 Are companies (whether listed or private) subject (such as ISO/IEC 27000 standards) and make a decision on to any specific disclosure requirements in relation whether to adapt the ICT environment security management to cybersecurity risks or Incidents (e.g. to listing system functioning at the bank to the requirements of these authorities, the market or otherwise in their annual standards. A similar recommendation has been issued to the reports)? insurance and pension sector as well as to the capital markets sector. No, except for companies operating in the telecommunications sector. Please refer to the answer to question 3.2 above.

144 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy A. Pędzich sp.k. Poland

4.4 Are companies (whether public or listed) subject to 7 Employees any other specific requirements under Applicable Laws in relation to cybersecurity? 7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for Companies having access to classified information within the the purposes of preventing, detection, mitigating and meaning of the Act on Protection of Classified Information or responding to Incidents; and (b) the reporting of cyber performing contracts related to access to classified information have risks, security flaws, Incidents or potential Incidents to obtain the industrial security certificate that confirms the ability by employees to their employer? of the given company to protect the information marked at least with “confidential” or “high security level”. The monitoring of employees for the purposes of preventing, Poland detecting, mitigating and responding to Incidents is subject to the general rules on the monitoring of employees’ behaviour 5 Litigation and privacy protection in the workplace. As the employer is authorised to protect its property and control the performance of the 5.1 Please provide details of any civil actions that may be employees’ obligations resulting from an employment contract, the brought in relation to any Incident and the elements of monitoring of employees is considered as justified. However, each that action that would need to be met. employee should be notified in advance of the measures and purpose of the monitoring (e.g. via the internal bylaws). In each case, an The main civil action that may be brought in the event of an Incident employer should ensure that the employees’ dignity and personal is a lawsuit claiming infringement of personal rights. This may rights are fully protected (e.g. by refraining from monitoring private happen when the company fails to observe personal data protection correspondence). Constant monitoring is prohibited. There are rules and as a result there is a leakage of personal information. It no specific requirements regarding the reporting of cyber risks, is worth mentioning that to effectively bring a legal action, it is not Incidents and potential Incidents by employees to their employer. necessary to suffer any damage. A statement of claim should meet However, according to Art. 100 of the Polish Labour Code 1974, the formal requirements provided for by the Polish Code of Civil an employee is obliged to care for the interests of the employing Proceedings. establishment, protect its property and to maintain the confidentiality of information, the disclosure of which could cause damage to the employer. This provision is often used as a basis for introducing 5.2 Please cite any specific examples of cases that into the workplace regulations or internal security policies to the have been brought in your jurisdiction in relation to employee’s obligations in relation to the security of IT systems and Incidents. IT infrastructure, including the obligation to notify the employer about any breach of security or threat to the security of IT systems. There is currently no case law in Poland related to Incidents.

7.2 Are there any Applicable Laws (e.g. whistle-blowing 5.3 Is there any potential liability in tort or equivalent laws) that may prohibit or limit the reporting of cyber legal theory in relation to an Incident? risks, security flaws, Incidents or potential Incidents by an employee? Yes, the general rules regarding liability and compensation for damage caused by culpable behaviour may apply. In such cases, the No, there are no such regulations. There are no whistle-blowing claimant has to also prove the damage and the causal link between laws in Poland. the defendant’s activity and the damage.

8 Investigatory and Police Powers 6 Insurance

8.1 Please provide details of any investigatory powers of 6.1 Are organisations permitted to take out insurance law enforcement or other authorities under Applicable against Incidents in your jurisdiction? Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident. Yes, it is becoming increasingly popular among companies. From 2016, under the Police Act, the use of ‘operation controls’ is permitted to extract and record data from data storage media, 6.2 Are there any regulatory limitations to insurance telecommunications terminal equipment, information and coverage against specific types of loss, such as business interruption, system failures, cyber extortion communication systems. Any such hacking activity has to be pre- or digital asset restoration? If so, are there any legal authorised by a court, but enforcement authorities may undertake limits placed on what the insurance policy can cover? hacking practices without prior authorisation in urgent circumstances, if consent is granted by the court, within five days. All techniques and There are no regulatory limitations on that matter; however, when methods used by law enforcement agencies are, however, classified. there are no specific arrangements between the parties, the sum paid by the insurer may not be higher than the loss suffered.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 145 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy A. Pędzich sp.k. Poland

Evidence of cybercrimes can also be collected by more traditional Under the Act on Antiterrorist Activity, from last year, telecom procedural instruments provided for by the provisions of the Polish operators have the obligation to register pre-paid SIM cards and Criminal Procedure Code, such as: the search and seizure of stored verify the registration with an individual ID card, as well as the computer data (i.e. by securing the data medium on which data is right to block services (including websites) which support terrorist stored, e.g. computers and data carriers like hard drives, memory activities. sticks, CD-ROMs); the preservation of data for possible later access following a further disclosure order or production order (i.e. to 8.2 Are there any requirements under Applicable Laws compel a telecom operator to furnish the information necessary for for organisations to implement backdoors in their IT the criminal proceedings); the interception of content data; and the systems for law enforcement authorities or to provide retention of transmission data. law enforcement authorities with encryption keys? Poland The court, upon the motion of a public prosecutor, can also order the control and wiretapping of telephone calls and other forms of No, currently there are no requirements in respect of the communications, such as SMS and email. Such lawful interception implementation of backdoors. Also, the use of encryption is can be ordered for a maximum period of three months, with the permitted in Poland. The law does not, however, provide any possibility of extending it once for an additional three months. generally addressed obligation to provide private encryption keys to the law enforcement authorities.

146 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy A. Pędzich sp.k. Poland

Krystyna Szczepanowska-Kozłowska Justyna Ostrowska Allen & Overy A. Pędzich sp.k. Allen & Overy A. Pędzich sp.k. Rondo ONZ 1 Rondo ONZ 1 00-124 Warsaw 00-124 Warsaw Poland Poland

Tel: +48 22 820 6100 Tel: +48 22 820 6199 Email: [email protected] Email: [email protected] URL: www.allenovery.com URL: www.allenovery.com Poland Professor Krystyna Szczepanowska-Kozłowska is a partner at Justyna Ostrowska is an advocate at Allen & Overy, A. Pędzich Allen & Overy, A. Pędzich sp. k., heading the firm’s litigation and sp. k. with broad professional experience covering consultancy intellectual property practice. She is a legal advisor with over 20 related to electronic trade, commercial contracts and new years of experience. She specialises in litigation, both in intellectual technologies law, as well as intellectual property rights and data property law and in business and arbitration disputes, and also those protection. Ms. Ostrowska has achieved a strong expertise in concerning unfair competition and consumer protection. Professor advising world-leading operators on e-commerce, e-payment, Szczepanowska-Kozłowska represents clients both before the common unfair commercial practices and misleading advertising matters. courts and administrative courts. Furthermore, she advises clients She assists clients (both service providers as well as end users) in on non-contentious matters, especially civil law, intellectual property, managing the implementation of IT systems, outsourcing solutions competition and new technologies law. Professor Szczepanowska- and cloud projects, by negotiating agreements concerning services, Kozłowska is also a member of the Faculty of Law at the University of maintenance, implementation and licensing for IT solutions. She Warsaw where she heads the Department of Intellectual Property Law also advises clients on the cross-border use of personal data in and Intangible Assets and the Civil Law Institute. Moreover, she is the capital groups, processing personal data in electronic business, and author of numerous academic publications in the areas of civil law, conducts internal audits in this respect. industrial property law and unfair competition law.

Allen & Overy, A. Pędzich sp. k. is affiliated with Allen & Overy LLP, a limited liability partnership registered in England and Wales, with the registered office at One Bishops Square, London E1 6AD. A list of the names of the partners of Allen & Overy, A. Pędzich sp. k. and their professional qualifications is open to inspection at the registered office of Allen & Overy LLP and at the above address. Allen & Overy, A. Pędzich sp. k. is registered under no. KRS 21303 in the Register of Entrepreneurs of the National Court Register kept by The District Court in Warsaw, 12th National Court Register Commercial Division. Allen & Overy LLP (including its affiliates) has offices in: Abu Dhabi; Amsterdam; Antwerp; Bangkok; Barcelona; Beijing; Belfast; Bratislava; Brussels; Bucharest (associated office); Budapest; Casablanca; Doha; Dubai; Düsseldorf; Frankfurt; Hamburg; Hanoi; Ho Chi Minh City; HongKong; Istanbul; Jakarta (associated office); Johannesburg; London; Luxembourg; Madrid; Milan; Moscow; Munich; New York; Paris; Perth; Prague; Riyadh (cooperation office); Rome; São Paulo; Seoul; Shanghai; Singapore; Sydney;Tokyo; Warsaw; Washington, D.C.; and Yangon.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 147 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 23

Singapore Rajesh Sreenivasan

Rajah & Tann Singapore LLP Michael Chen

A person found guilty of this offence shall be liable on conviction 1 Criminal Activity to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding two years or to both. 1.1 Would any of the following activities constitute a There have been no prosecutions relating to phishing activities as criminal offence in your jurisdiction? If so, please yet. Nonetheless, as with denial-of-service attacks, phishing is also provide details of the offence, the maximum penalties recognised as a threat in Singapore’s Cybersecurity Strategy. available, and any examples of prosecutions in your jurisdiction: Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses) According to the applicable legislation specified below, the following Yes. Under section 5 of the CMCA, a person who does any act activities would constitute criminal offences in Singapore. which he knows will cause an unauthorised modification of the Hacking (i.e. unauthorised access) contents of any computer shall be guilty of an offence. Yes. Under section 3 of the CMCA, any person who knowingly A person found guilty of this offence shall be liable on conviction causes a computer to perform any function for the purposes of to a fine not exceeding S$10,000 or to imprisonment for a term not securing access without authority to any program or data held in any exceeding three years or to both. computer shall be guilty of an offence. Possession or use of hardware, software or other tools used to A person found guilty of this offence shall be liable on conviction commit cybercrime (e.g. hacking tools) to a fine not exceeding S$5,000 or to imprisonment for a term not Yes. Under section 8B of the CMCA, it is an offence for a person exceeding two years or to both. to obtain or retain any item (which includes hacking tools, among In Public Prosecutor v Muhammad Nuzaihan bin Kamal Luddin others) with the intent to use it to commit or facilitate commission [1999] 3 SLR(R) 653, the accused relied on an exploit, instead of an offence under the CMCA. of sophisticated software, to perform unauthorised access to an A person found guilty of this offence shall be liable on conviction internet service provider server, among others. In Lim Siong Khee to a fine not exceeding S$10,000 or to imprisonment for a term not v Public Prosecutor [2001] 1 SLR(R) 631, the accused hacked the exceeding three years or to both. victim’s email account by answering correctly the hint question to Identity theft or identity fraud (e.g. in connection with access successfully retrieve passwords and to gain unauthorised access. He devices) was sentenced to 12 months’ imprisonment. Yes. Under section 4 of the CMCA, it is an offence to secure Denial-of-service attacks unauthorised access to any computer program or data, with the intent Yes. Under section 7 of the CMCA, any person who knowingly and to commit an offence involving property, fraud or dishonesty. This without authority or lawful excuse, (a) interferes with, interrupts or offence is punishable on conviction by a fine not exceeding S$50,000 obstructs the lawful use of a computer, or (b) impedes or prevents or imprisonment for a term not exceeding 10 years or to both. access to, or impairs the usefulness or effectiveness of, any program In Public Prosecutor v S Kalai Magal Naidu [2006] SGDC 226, the or data stored in computer, shall be guilty of an offence. accused was convicted under section 4 for conducting searches on A person found guilty of this offence shall be liable on conviction her bank employer’s computer systems to effect cash withdrawals to a fine not exceeding S$10,000 or to imprisonment for a term not from the victim’s bank account. She was sentenced to four months’ exceeding three years or to both. imprisonment for each charge under section 4. There have been no prosecutions for denial-of-service attacks as Also, under section 5 of the CMCA, an accused may be charged for yet. Nevertheless, such attacks are recognised as threats under unauthorised modification of computer material. This may be seen Singapore’s Cybersecurity Strategy. in Public Prosecuctor v Tan Hock Keong Benjamin [2014] SGDC Phishing 16, where the accused used the victim’s debit card that he found to make a purchase on eBay. It was held that he knew that by doing There is no specific provision that deals with phishing. However, so, he would cause unauthorised modification to the contents of a under section 3 of the CMCA, any person who knowingly causes a computer, namely the data stored in the bank’s servers, such that the computer to perform any function for the purposes of securing access online purchase would be approved. without authority to any program or data held in any computer shall be guilty of an offence. In addition, the Penal Code contains provisions on cheating by personation. Although not cyber-specific, section 416 of the Penal

148 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Rajah & Tann Singapore LLP Singapore

Code (cheating by personation) may apply to identity theft. It is an offence for anyone to cheat by pretending to be some other person, 1.2 Do any of the above-mentioned offences have or by knowingly substituting one person for another, or representing extraterritorial application? that he or any other person is a person other than he or such other person really is. The punishment is imprisonment for a term which The CMCA, PDPA and Penal Code have extraterritorial application. may extend to five years or a fine or both. Section 11 of the CMCA specifies that the CMCA provisions have effect against any person, irrespective of nationality or citizenship, Under section 170 of the Penal Code, it is an offence to personate a and even if the person is outside or within Singapore, if: public servant. The punishment is imprisonment for a term which may extend to two years or a fine or both. (a) the accused was in Singapore at the material time of the offence; Electronic theft (e.g. breach of confidence by a current or former

(b) the computer, program or data was in Singapore at the Singapore employee, or criminal copyright infringement) material time of the offence; or Yes. Under section 8A of the CMCA, it is an offence for a person to (c) the offence causes or creates significant risk of serious harm obtain or retain personal information, or to supply, offer to supply, in Singapore. transmit or make available the personal information, if the person The above captures anyone who commits an offence under the knows or has reason to believe that any personal information about CMCA for which the person targets a computer, program or data another person (being an individual) was obtained by an act done located in Singapore, or if the person was located in Singapore in contravention of the CMCA. This offence is punishable on when the offence happened. Also, if the offence causes significant conviction by a fine not exceeding S$10,000 or to imprisonment for risk of serious harm in Singapore, then the extraterritorial provision a term not exceeding three years or to both. may apply. Examples of serious harm include the disruption of or The theft of personal data could constitute an offence under the serious diminution of public confidence in essential services such PDPA. Under section 51 of the PDPA, it is an offence for an as communications and transport infrastructure or public utilities. organisation or individual to dispose of, alter, falsify, conceal or destroy personal data. The punishment for this offence is a fine of 1.3 Are there any actions (e.g. notification) that might up to S$5,000 in the case of an individual, and up to S$50,000 in mitigate any penalty or otherwise constitute an any other case. exception to any of the above-mentioned offences? Under section 136 of the Copyright Act, the following instances of copyright infringement are criminal offences, where the infringing The legislation does not specify mitigating factors to the above party knows or ought reasonably to know that the copies are offences. Nevertheless, cooperation with the relevant regulators or infringing ones: make for sale or hire infringing copies; sell or enforcement authorities, or active steps taken to mitigate the loss or let for hire infringing copies; possess or import infringing copies damage caused by any of the offences, could be viewed by a court for commercial purposes; and distribute infringing copies for as mitigating factors. commercial purposes.

There is also criminal liability if the copyright infringement is wilful 1.4 Are there any other criminal offences (not specific and either or both of certain situations apply: (i) the extent of the to cybersecurity) in your jurisdiction that may arise infringement is significant; and/or (ii) the person does the act to in relation to cybersecurity or the occurrence of an obtain a commercial advantage. Incident (e.g. terrorism offences)? Please cite any specific examples of prosecutions of these offences Any other activity that adversely affects or threatens the in a cybersecurity context. security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data In addition to legislation specifically targeted at cybercrime, the Under the CMCA, it is an offence to perform unauthorised use or existing criminal offences as set out in the Penal Code and Sedition interception of a computer service (section 6), and for unauthorised Act (Cap. 290), among others, may be able to encompass offences disclosure of access code (section 8). Attempts are also caught relating to cybersecurity. It is generally an offence (even though not under section 10 of the CMCA, whereby anyone who attempts specific to cybersecurity) to commit or facilitate terrorism activities, to commit or does any act preparatory to or in furtherance of the e.g. where there is financing of terrorism. commission of any offence under the CMCA shall be guilty of an The Protection from Act (Cap. 256A) (the “POHA”) offence. Therefore, any forms of attempts to gain unauthorised establishes that it is an offence to intentionally cause harassment, access, or to commit any other offences under the CMCA, will alarm or distress, and to commit unlawful . For example, constitute offences as well. unlawful stalking includes keeping the victim or a related person Failure by an organisation to implement cybersecurity measures under surveillance. The PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security 2 Applicable Laws arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. If the organisation does not comply with this requirement, the 2.1 Please cite any Applicable Laws in your jurisdiction Personal Data Protection Commission (the “PDPC”) can give the applicable to cybersecurity, including laws applicable organisation directions to ensure compliance; for example, directing to the monitoring, detection, prevention, mitigation the organisation to pay a financial penalty of up to S$1 million. and management of Incidents. This may include, for example, laws of data protection, intellectual The Cybersecurity Bill proposes to require owners of CII to property, breach of confidence, privacy of electronic establish mechanisms and processes as may be necessary in order to communications, information security, and import / detect any cybersecurity threat in respect of its critical information export controls, among others. infrastructure. Please note that the draft Cybersecurity Bill is still undergoing review at the time of writing and has yet to take effect. The Ministry of Communications and Information (“MCI”) and

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 149 © Published and reproduced with kind permission by Global Legal Group Ltd, London Rajah & Tann Singapore LLP Singapore

the Cyber Security Agency of Singapore (“CSA”) issued a public a maximum fine of up to S$100,000, and/or imprisonment for a term consultation on the proposed Cybersecurity Bill, over the period not exceeding 20 years. from 10 July 2017 to 24 August 2017. At the time of writing, the In the proposed Cybersecurity Bill (“Bill”), there are cybersecurity MCI and CSA were still reviewing the feedback received during requirements that impose duties on owners of CII. Per the Bill, a the public consultation. The draft Cybersecurity Bill is intended CII means: ‘a computer or computer system that is necessary for to establish a framework for the oversight and maintenance of the continuous delivery of essential services which Singapore relies national cybersecurity in Singapore. As described subsequently, on, the loss or compromise of which will lead to a debilitating the Cybersecurity Bill will impose duties and obligations on owners impact on the national security, defence, foreign relations, economy, who own CII. public health, public safety or public order of Singapore’. The Notwithstanding the above, the current laws which relate to Commissioner will have the power to designate a computer or

Singapore cybersecurity in Singapore include: computer system as a CII – such designation of a computer or Computer Misuse and Cybersecurity Act (Cap. 50A) (CMCA) computer system as a CII will be an official secret under the Official Secrets Act, and shall not be divulged to the public. The CMCA sets out penalties for various cybersecurity offences, as described in section 1 above. Depending on the offence, the ‘Essential services’ are specified in the First Schedule of the maximum quantum of the fine ranges from between S$5,000 to Bill. The First Schedule details 44 types of services which may S$50,000, and the maximum imprisonment term ranges from be considered as ‘essential services’, under the broad categories between two years to 10 years. The penalties may be enhanced in of energy, info-communications, water, healthcare, banking and specific circumstances. For example, the maximum fine quantum finance, security and emergency services, aviation, land transport, and imprisonment term are increased in the case of second or maritime, Government, and media. subsequent conviction. Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) 2.3 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other The PDPA imposes data protection obligations on private authority, to take measures to monitor, detect, prevent organisations when they perform activities involving the collection, or mitigate Incidents? If so, please describe what use and disclosure of personal data. The PDPC has powers to bring measures are required to be taken. enforcement actions against organisations which fail to comply with these PDPA obligations. Under the Protection Obligation imposed by the PDPA, an Penal Code (Cap. 224) organisation is required to protect personal data in its possession As described in section 1 above, the Penal Code sets out offences or under its control by making reasonable security arrangements to relating to personation, among others. prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Copyright Act (Cap. 63) Under the draft Cybersecurity Bill, CII owners will be required to: As described in section 1 above, the Copyright Act establishes that comply with such codes of practice or directions in relation to the certain acts of copyright infringement constitute offences. CII as may be issued by the Commissioner; carry out regular risk Strategic Goods (Control) Act (Cap. 300) assessments; and participate in cybersecurity exercises as required by The Strategic Goods (Control) Act controls the transfer and the Commissioner. Please note that the draft Cybersecurity Bill is still brokering of strategic goods and strategic goods technology undergoing review at the time of writing and has yet to take effect. (including specified information security and cryptographic systems), among others. 2.4 In relation to any requirements identified in question 2.3 above, might any conflict of laws issues 2.2 Are there any cybersecurity requirements under arise? For example, conflicts with laws relating Applicable Laws applicable to critical infrastructure to the unauthorised interception of electronic in your jurisdiction? For EU countries only, how communications or import / export controls of (and according to what timetable) is your jurisdiction encryption software and hardware. expected to implement the Network and Information Systems Directive? Please include details of any No such issues have been reported to arise thus far in Singapore. instances where the implementing legislation in your jurisdiction is anticipated to exceed the requirements of the Directive. 2.5 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Section 15A of the CMCA sets out the Minister for Communications Incidents to a regulatory or other authority in your and Information’s powers to issue directions to any person or jurisdiction? If so, please provide details of: (a) the organisation to take such measures or comply with such requirements circumstance in which this reporting obligation is as may be necessary to prevent, detect or counter cyber threats to triggered; (b) the regulatory or other authority to national security, essential services, defence, or foreign relations which the information is required to be reported; (c) of Singapore. Under the CMCA, “essential services” means the nature and scope of information that is required services directly related to communications infrastructure, banking to be reported (e.g. malware signatures, network vulnerabilities and other technical characteristics and finance, public utilities, public transportation, land transport identifying an Incident or cyber attack methodology); infrastructure, aviation, shipping, or public key infrastructure; or and (d) whether any defences or exemptions exist by emergency services such as police, civil defence or health services. which the organisation might prevent publication of Section 9 of the CMCA enhances the punishment for certain that information. offences that are committed on protected computers (including computers used for defence, communications, public utilities, and Section 15A of the CMCA sets out the Minister for Communications banking, among others). The applicable punishment is enhanced to and Information’s powers to issue directions to any person or

150 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Rajah & Tann Singapore LLP Singapore

organisation to take such measures or comply with such requirements as may be necessary to prevent, detect or counter cyber threats to 2.7 Are organisations required under Applicable Laws, or national security, essential services, defence, or foreign relations of otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Singapore. Such measures include providing any information that Incidents to any affected individuals? If so, please is necessary to identify, detect or counter any such threat, and/or a provide details of: (a) the circumstance in which report of a breach or an attempted breach of security. this reporting obligation is triggered; and (b) the The PDPA does not contain a mandatory reporting obligation. nature and scope of information that is required to be However, the PDPC has issued non-binding guidelines reported. recommending organisations to voluntarily notify the PDPC as soon as possible of any data breaches that might cause public concern The PDPA does not contain a mandatory notification obligation. or where there is a risk of harm to a group of affected individuals. However, the PDPC has issued non-binding guidelines Singapore recommending organisations to voluntarily notify affected The PDPC is currently reviewing the PDPA, and has issued a public individuals immediately if a data breach involves sensitive personal consultation (from 27 July 2017 to 21 September 2017) seeking data. Note that “sensitive personal data” is not defined under the feedback on its proposed amendments. One amendment relates to PDPA, only “personal data”. mandatory data breach notification. It is proposed that organisations must notify the affected individuals and PDPC if a data breach has The PDPC is currently reviewing the PDPA, and has issued a public risks of impacting or harming the affected individuals, or to notify consultation (from 27 July 2017 to 21 September 2017) seeking the PDPC if there is a significant scale of breach (involving 500 or feedback on its proposed amendments. One amendment relates to more individuals). As the public consultation is still underway at mandatory data breach notification. It is proposed that organisations the time of writing, there are no guidelines on the nature and scope must notify the affected individuals and PDPC if a data breach has of information needed to be reported. It is proposed that certain risks of impacting or harming the affected individuals, or to notify exemptions should apply to the reporting requirement; for example, the PDPC if there is a significant scale of breach (involving 500 or if the organisation is acting on behalf of a public agency, or where more individuals). As the public consultation is still underway at other written law prohibit notification. the time of writing, there are no guidelines on the nature and scope of information needed to be reported. It is proposed that certain The draft Cybersecurity Bill proposes to impose a duty to report exemptions should apply to the notification requirement to affected cybersecurity Incidents to the Commissioner of Cybersecurity if individuals; for example, if notification is likely to impede law these Incidents involve CII or systems interconnected with CII. enforcement investigations, or where the breached personal data is The information required for reporting will be prescribed by the encrypted to a reasonable standard. Commissioner. The draft Cybersecurity Bill also proposes to grant the Commissioner with powers to investigate all cybersecurity threats 2.8 Do the responses to questions 2.5 to 2.7 change if the and Incidents (not only those involving CIIs); for example, to information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email obtain information (such as technical logs), and, in the event of address from which a phishing email originates); (d) serious cybersecurity threats and Incidents, to enter premises where personally identifiable information of cyber threat relevant computers and computer systems are located, access such actors; and (e) personally identifiable information of computers, and scan computers for cybersecurity vulnerabilities. In individuals who have been inadvertently involved in addition, the Commissioner will be empowered to direct any person an Incident? or organisation to take emergency measures and requirements to prevent, detect, counter any threat to a computer or computer No, the responses do not change, provided that any PDPA service. Please note that the draft Cybersecurity Bill is still requirements are complied with if the information includes personal undergoing review at the time of writing and has yet to take effect. data.

2.6 If not a requirement, are organisations permitted by 2.9 Please provide details of the regulator(s) responsible Applicable Laws to voluntarily share information for enforcing the requirements identified under related to Incidents or potential Incidents with: (a) questions 2.3 to 2.7. a regulatory or other authority in your jurisdiction; (b) a regulatory or other authority outside your Regulators responsible for enforcing requirements are generally jurisdiction; or (c) other private sector organisations either sector-specific or subject-matter specific, including but not or trade associations in or outside your jurisdiction? limited to:

While there are no general restrictions with regards to voluntary Sector/Subject Relevant Statute/ Regulators sharing of information pertaining to an Incident, this is subject Matter Regulations to sector-specific regulations and regulatory oversight which Cybersecurity CMCA MCI, CSA may constrain an organisation from sharing such information. If Personal Data PDPA PDPC Singapore Police the information pertains to personal data, the organisation must Penal Offences Penal Code comply with the PDPA in sharing such information. Additionally, Force (“SPF”) Banking and organisations should not share information protected on the grounds Monetary Authority Financial Sector of Singapore of national secret or which is prejudicial to national security, under Sector-Specific Laws/Notices/ (“MAS”) the Official Secrets Act and Internal Security Act, respectively. Regulations Guidelines Infocomm Media Telecommunications Development Act Authority (“IMDA”)

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 151 © Published and reproduced with kind permission by Global Legal Group Ltd, London Rajah & Tann Singapore LLP Singapore

The MAS has also issued guidelines for financial institutions 2.10 What are the penalties for not complying with the to mitigate cybersecurity risks, such as the Technology Risk requirements identified under questions 2.3 to 2.8? Management Guidelines, Outsourcing Guidelines, Business Continuity Management Guidelines, and Bring-Your-Own-Device Penalties for failure to comply with any of the abovementioned (“BYOD”) Circular. requirements are dependent upon the respective statutes, regulations Telecommunications Sector: or guidelines, for example: The IMDA has formulated the Telecommunication Cybersecurity ■ The PDPC has powers to issue directions and bring enforcement actions to ensure compliance with the PDPA. Code of Practice to enhance the cybersecurity preparedness for For example, the PDPC can impose a financial penalty of up designated licensees. Besides security Incident management to S$1 million. requirements, the Code includes requirements to prevent, protect, Singapore ■ Under section 15A of the CMCA, a person who fails to detect and respond to cybersecurity threats. take any measure or comply with any requirement directed by the Minister shall be guilty of an offence and shall be liable on conviction to a fine not exceeding S$50,000 or to 4 Corporate Governance imprisonment for a term not exceeding 10 years or to both. 4.1 In what circumstances, if any, might a failure by 2.11 Please cite any specific examples of enforcement a company (whether listed or private) to prevent, action taken in cases of non-compliance with the mitigate, manage or respond to an Incident amount to above-mentioned requirements. a breach of directors’ duties in your jurisdiction?

The PDPC has taken an active role in ensuring action be taken against Failure by a company to prevent, mitigate, manage or respond to an organisations which breach the PDPA. By way of example, on 21 Incident could amount to breach of directors’ duties; for example, April 2016, the PDPC imposed financial penalties of S$50,000 and if the failure results from a director’s breach of their duty to act S$10,000 on K Box Entertainment Group (“K Box”) and its data honestly and use reasonable diligence in the discharge of the duties intermediary, Finantech Holdings, for failing to implement proper of their office. and adequate protective measures to secure its IT system, resulting While not mandatory, the Code of Corporate Governance (“Code”) in unauthorised disclosure of the personal data of 317,000 K Box sets out best practices in relation to corporate governance principles. members. K Box was also issued directions and penalised for the The Code of Corporate Governance is issued by the MAS, on absence of a Data Protection Officer. recommendation by the Corporate Governance Council, and was last revised on 2 May 2012. Under Principle 11 “Risk Management and Internal Controls”, the board of directors should determine the 3 Specific Sectors company’s levels of risk tolerance and risk policies, and oversee management in the design, implementation and monitoring of the 3.1 Does market practice with respect to information risk management and internal control systems (including financial, security (e.g. measures to prevent, detect, mitigate operational, compliance and information technology controls). and respond to Incidents) vary across different In relation to financial institutions, the MAS has issued the business sectors in your jurisdiction? Please include Technology Risk Management Guidelines, which set out technology details of any common deviations from the strict legal risk management best practices and recommend that, in view of the requirements under Applicable Laws. importance of the IT function in supporting a financial institution’s business, the board of directors and senior management should have Apart from the PDPA requirement for all organisations to make oversight of technology risks and ensure that the organisation’s reasonable security arrangements to protect personal data, other IT function is capable of supporting its business strategies and cybersecurity obligations and requirements are imposed in sector- objectives. The board of directors and senior management should specific legislation, codes of practice, and guidelines, such that ensure that a sound and robust technology risk management information security measures vary depending on business sector. framework is established and maintained. They should also be fully responsible for ensuring that effective internal controls and 3.2 Are there any specific legal requirements in relation risk management practices are implemented to achieve security, to cybersecurity applicable to organisations reliability, resiliency and recoverability. in: (a) the financial services sector; and (b) the telecommunications sector? 4.2 Are companies (whether listed or private) required Financial Services Sector: under Applicable Laws to: (a) designate a CISO; (b) establish a written Incident response plan or Under the Technology Risk Management Notices, regulated policy; (c) conduct periodic cyber risk assessments, financial institutions are required to notify the MAS as soonas including for third party vendors; and (d) perform possible, but not later than one hour, upon the discovery of a relevant penetration tests or vulnerability assessments? Incident. Regulated financial institutions are required to submit a root cause and impact analysis report to the MAS, within 14 days There is currently no general requirement under Applicable Laws or such longer period as the MAS may allow, from the discovery of for all companies to: (a) designate a CISO; (b) establish a written the relevant Incident. Incident response plan or policy; (c) conduct periodic cyber risk A “relevant incident” refers to a system malfunction or IT security assessments; and (d) perform penetration tests or vulnerability Incident, which has a severe and widespread impact on the assessments. financial institution’s operations or materially impacts the financial Nevertheless, there are sector-specific cybersecurity requirements. institution’s service to its customers. For example, in relation to financial institutions, the MAS Technology

152 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Rajah & Tann Singapore LLP Singapore

Risk Management Guidelines recommend that financial institutions devise an Incident response framework, perform risk assessments, 6 Insurance as well as penetration tests and vulnerability assessments. The MAS Outsourcing Guidelines recommend that financial institutions 6.1 Are organisations permitted to take out insurance conduct periodic risk assessments on outsourced service providers, against Incidents in your jurisdiction? and review and monitor the security practices and control processes of the outsourced service providers on a regular basis. Yes. Organisations are permitted to take out insurance against Incidents. Often known as ‘cyber insurance’, such insurance may 4.3 Are companies (whether listed or private) subject cover business interruption loss due to network security failure or to any specific disclosure requirements in relation attack, human errors, or programming errors, among others. to cybersecurity risks or Incidents (e.g. to listing As this type of insurance is relatively novel in Singapore, it has Singapore authorities, the market or otherwise in their annual been reported that the MAS and CSA have been working with reports)? industry partners and a Singapore university to research on cyber risk, security and insurance, so as to develop insurance schemes to Companies are currently not subject to specific disclosure protect citizens and businesses against cyber attacks. requirements in relation to cybersecurity risks or Incidents (whether to listing authorities, the market or otherwise in their annual reports). 6.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as 4.4 Are companies (whether public or listed) subject to business interruption, system failures, cyber extortion any other specific requirements under Applicable or digital asset restoration? If so, are there any legal Laws in relation to cybersecurity? limits placed on what the insurance policy can cover?

Companies may be subject to specific cybersecurity requirements Currently, there are no regulatory limitations to insurance coverage under sector-specific codes or guidelines, such as those set out in against the specified losses, such as business interruption, system section 3 above. failures, cyber extortion or digital asset restoration. Notwithstanding the above, the general rule of ex turpi causa non 5 Litigation oritur actio applies to insurance contracts as it applies to contractual illegality. A person cannot rely on his own illegal act to make a claim against his insurance policy, nor benefit from his own criminal 5.1 Please provide details of any civil actions that may be conduct. This is also contrary to public policy, since allowing the brought in relation to any Incident and the elements of indemnification of such risks would be to encourage the commission that action that would need to be met. of crimes, which would be wholly against public policy.

An Incident could give rise to claims in contract (for breach of contract) or tort (as set out under question 5.3 below). 7 Employees The PDPA provides for a right of private action, whereby any person who suffers loss or damage directly as a result of a contravention 7.1 Are there any specific requirements under Applicable of certain Data Protection Provisions by an organisation shall Law regarding: (a) the monitoring of employees for have a right of action for relief in civil proceedings in a court. In the purposes of preventing, detection, mitigating and such a private action, the court may grant the plaintiff all or any responding to Incidents; and (b) the reporting of cyber of the following: (a) relief by way of injunction or declaration; (b) risks, security flaws, Incidents or potential Incidents damages; and/or (c) such other relief as the court thinks fit. by employees to their employer? Under the CMCA, the court may order a person convicted of a (a) Generally, the Applicable Law does not impose specific CMCA offence to pay compensation to any victim of the offence. requirements on employers to monitor employees for the This order will not prejudice the victim’s right to a civil remedy for purposes of preventing, detecting, mitigating and responding the recovery of damages beyond the amount of compensation paid to Incidents. under the order. In relation to financial institutions, the MAS Technology Risk Management Guidelines recommend that, for accountability 5.2 Please cite any specific examples of cases that and identification of unauthorised access, financial institutions have been brought in your jurisdiction in relation to should ensure that records of user access are uniquely Incidents. identified and logged for audit and review purposes. The MAS recommends that financial institutions should closely supervise staff with elevated system access entitlements and There have not been reported cases directly relating to civil actions have all their systems activities logged and reviewed as they brought in relation to Incidents. have the knowledge and resources to circumvent systems controls and security procedures. 5.3 Is there any potential liability in tort or equivalent In the non-binding Advisory Guidelines issued by the PDPC, legal theory in relation to an Incident? which provide examples of security arrangements to protect personal data, the PDPC recommends restricting employee access to confidential documents on a need-to-know basis. A party may face potential liability in tort in relation to an Incident; for example: if the Incident results from the party’s negligence; there (b) There are no requirements under Applicable Law regarding is a breach of confidence; or there is a breach of statutory duties. the reporting of Incidents or potential Incidents by employees to their employers. However, it is to be noted that under

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 153 © Published and reproduced with kind permission by Global Legal Group Ltd, London Rajah & Tann Singapore LLP Singapore

the employment contracts or internal company policies, Internal Security Act (“ISA”): in the interest of Singapore’s national there may be such notification requirements imposed upon security, the ISA provides for the Government’s power to order employees. preventive detention, and the power of police to search and seize subversive documents, among other powers. 7.2 Are there any Applicable Laws (e.g. whistle-blowing Cybersecurity Bill: the draft Bill proposes to provide investigative laws) that may prohibit or limit the reporting of cyber powers to the Cybersecurity Commissioner (or any other risks, security flaws, Incidents or potential Incidents cybersecurity officer upon his authorisation), and to exercise by an employee? powers necessary to determine the impact or potential impact of the cybersecurity threat or Incident. There are currently no Applicable Laws which may prohibit or limit

Singapore the reporting of cyber risks, security flaws, Incidents or potential Incidents by an employee. 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide 8 Investigatory and Police Powers law enforcement authorities with encryption keys?

Under section 40(2) of the CPC, for the purposes of investigating 8.1 Please provide details of any investigatory powers of an arrestable offence, the Public Prosecutor may by order authorise law enforcement or other authorities under Applicable a police officer or an authorised person to require any person, Laws in your jurisdiction (e.g. antiterrorism laws) that whom he reasonably suspects to be in possession of any decryption may be relied upon to investigate an Incident. information, to grant him access to such decryption information as may be necessary to decrypt any data required for the purposes of CMCA: computer misuse offences are investigated by the SPF. investigating the arrestable offence. Failure to comply is an offence More specifically, within SPF’s Criminal Investigation Department, punishable by a fine not exceeding S$10,000 or to imprisonment for the Technology Crime Division conducts investigation and forensic a term not exceeding three years or to both. examination into technology-related offences committed under the Under section 15A of the CMCA, the Minister for Communications CMCA. The SPF’s powers of investigation are set out under the and Information has the power to issue directions to any person or Criminal Procedure Code (Cap. 63) (“CPC”). organisation to take such measures, such as the exercise of powers PDPA: the PDPC can initiate investigations upon complaint or its referred to under section 40(2) of the CPC to require decryption own motion. It has the power to require relevant documents or information, as may be necessary to prevent, detect or counter cyber information, and the power to enter premises without warrant as threats to national security, essential services, defence, or foreign well as under warrant. relations of Singapore.

154 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Rajah & Tann Singapore LLP Singapore

Rajesh Sreenivasan Michael Chen Rajah & Tann Singapore LLP Rajah & Tann Singapore LLP 9 Battery Road #25-01 9 Battery Road #25-01 Singapore 049910 Singapore 049910 Singapore Singapore

Tel: +65 6232 0751 Tel: +65 6232 0780 Email: [email protected] Email: [email protected] URL: sg.rajahtannasia.com URL: sg.rajahtannasia.com

Rajesh Sreenivasan heads the Technology Media and Michael Chen is an Associate in the Technology Media and Singapore Telecommunications Practice at Rajah & Tann Singapore LLP. He Telecommunications Practice at Rajah & Tann Singapore LLP. He has been advising clients on matters relating to cybersecurity, data has assisted in an extensive range of intellectual property, technology, protection, telecommunications, electronic commerce, IT contracts, media, and data protection matters. He actively advises on a wide and digital media for over 20 years. range of technology contracts. His clients include financial institutions, state governments, He graduated from the University of Melbourne Law School and is multinational corporations in the telecoms, computer hardware admitted in both Singapore and Australia. Michael has a keen interest and software sectors, government-linked companies and statutory in computers and technology, and also holds a degree in electrical and boards. On the regional front, Rajesh has been engaged by the computer engineering from Cornell University. ASEAN Secretariat to facilitate a pan-ASEAN forum on legislative and regulatory reforms to collectively address convergence of IT, telecoms and broadcasting across all 10 member countries, and by the Commonwealth Secretariat to co-lead an e-government capacity building exercise involving all member Caribbean nations. Rajesh is also the contributing author for the Singapore chapter of Sweet & Maxwell’s Data Protection Laws of the World since 2010. Rajesh has been cited as a leading TMT lawyer by all major legal ranking directories.

Rajah & Tann Singapore LLP has grown to be one of the largest full-service law firms in Singapore, providing full service and high-quality advice to an impressive list of clients. We have more than 300 lawyers, many ranked among the very best in their specialist practice areas. Our Technology, Media and Telecommunications (“TMT”) Practice is at the forefront of the TMT sector as thought leaders and trusted legal advisors for major TMT organisations and regulatory bodies in the Asia Pacific region and beyond. Led by a team of Partners who have been universally commended as the best of breed in TMT and ably supported by a team of specialist Associates, we are ready to help our clients navigate through this dynamic and constantly evolving area of practice. Cybersecurity is a key area of concern for all clients, and safeguarding clients’ trust and ensuring confidentiality of sensitive data is a vital task for many of our clients. In this respect, our broad suite of cybersecurity services, which includes multi-disciplinary data breach services and 24-hour emergency response teams, stand ready to assist our clients as may be required.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 155 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 24

South Africa Suad Jacobs

ENSafrica Theo Buchler

Section 86(4): use any device or computer program mentioned 1 Criminal Activity above in order to unlawfully overcome security measures designed to protect data or access to it. 1.1 Would any of the following activities constitute a The penalty for contravening section 86(5) is a fine or imprisonment criminal offence in your jurisdiction? If so, please for a period not exceeding five years. provide details of the offence, the maximum penalties Phishing available, and any examples of prosecutions in your jurisdiction: In South Africa, phishing is prosecuted in terms of the common law offence of fraud and it can be prosecuted in terms of section 87(2) Offences related to cybercrime in the Republic of South of the ECT Act. Africa (“South Africa”) are currently set out in the Electronic In Burchell’s Principles of Criminal Law (Juta, 4th Edition, pg. Communications and Transaction Act 25 of 2002 (“ECT Act”); 721) fraud is defined as “unlawfully making, with intent to defraud, in particular, sections 85 to 89. South Africa is in the process of a misrepresentation which causes actual prejudice or which is enacting further legislation to regulate the area of cybercrime and potentially prejudicial to another”. cybersecurity. This new legislation, which is currently open for South African jurisprudence, in respect of the offence of fraud, is public debate in the South African Parliament, is known as the well-developed and easily applied in cases involving phishing. Cybercrimes and Cybersecurity Bill (“Cybercrimes Bill”). The Section 87(2) of the ECT Act states that a person who commits any Cybercrimes Bill, inter alia, criminalises the unlawful securing of of the acts described in section 86(1) to (5) (as set out above) for the access to data, unlawful acquiring of data, unlawful interference purpose of obtaining an unlawful advantage by causing fake data with data, a computer program, a computer data storage medium or to be produced with the intent that it would be considered or acted computer system. It also creates a variety of other offences that do upon as if it were authentic, is guilty of an offence. not currently exist in South African law. If a perpetrator is convicted of the offence of fraud, then the penalty Hacking (i.e. unauthorised access) that can be imposed would only be restricted by the maximum In terms of section 86(1) of the ECT Act, it is an offence for a person sentencing jurisdiction of the court that would try the case. Cases of to intentionally access or intercept data without the appropriate fraud can be prosecuted in the Magistrate’s and High Courts of South authority or permission to do. The maximum penalty available Africa. The Magistrate’s Court – in respect of these types of offences for an offence committed in terms of section 86(1) is a fine or – can impose a fine or imprisonment for a period not exceeding 15 imprisonment for a period not exceeding 12 months. years per charge. Further, the High Courts of South Africa have Denial-of-service attacks unlimited jurisdiction in respect of sentencing; they are able to impose any fine or period of imprisonment deemed appropriate in In terms of section 86(5) of the ECT Act, it is an offence for a person the circumstances. The penalty for contravening section 87(2) is a to commit any of the acts set out in sections 86(1) to 86(4) below, fine or imprisonment for a period not exceeding five years. if the person’s intent is to interfere with access to an information system so that it constitutes a denial, including a partial denial, of Infection of IT systems with malware (including ransomware, service to legitimate users: spyware, worms, trojans and viruses) Section 86(1): intentionally access or intercept data without the Infecting an IT system with malware is currently not directly criminalised in South African legislation; however, section 86(3) appropriate authority or permission to do so; and 86(4) (as set out above) do deal with this type of act indirectly. Section 86(2): intentionally and without authority interfere with data Section 87(1) of the ECT Act also criminalises the actions of a person in a way that causes the data to be modified, destroyed or otherwise who performs or threatens to perform an act as described in section rendered ineffective; 86 for the purpose of obtaining an unlawful proprietary advantage Section 86(3): unlawfully produce, sell, offer to sell, procure for use, by undertaking to stop such action, or by undertaking to restore any design, adapt for use, distribute or possess any device, including a damage caused as a result of their actions. Contravening section 86(3) computer program or a component, which is designed primarily to carries a maximum penalty of a fine or imprisonment for a period overcome security measures for the protection of data, or to perform not exceeding 12 months. Contravening sections 86(4) and 87(1) any of these acts with regard to a password, access code or other carries a maximum penalty of a fine or imprisonment for a period similar kind of data with the intent to unlawfully use this item to not exceeding five years. Section 89 of the ECT Act prescribes the contravene this provision; and penalties that relate to contravening sections 86, 87 and 88 of the Act.

156 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London ENSafrica South Africa

Further, although current South African law does not directly Chapter 11, section 57 of the Cybercrimes Bill deals with the criminalise infecting an IT system with malware, it should, however, protection of critical information infrastructure, including the be noted that we criminalise the results that this malware is designed identification of critical information infrastructure, and it further to achieve. For example, as can be seen from section 86(1) above, sets out the process that will be followed in determining appropriate it is an offence to unlawfully obtain access to data and spyware is measures on how this critical information infrastructure should be usually introduced to an IT system in order to achieve this. Further, protected. Also see references to the POPI Act below. in terms of section 86(5), the denial of service is criminalised, and ransomware is designed to completely deny, or partially deny, service to legitimate users of an IT system. 1.2 Do any of the above-mentioned offences have extraterritorial application? Sections 4(1), 5(1) and 6(1) of the proposed Cybercrimes Bill criminalises unlawful acts in respect of software and hardware tools, Section 90 of the ECT Act deals with the jurisdiction of South as well as unlawful interference with data, a computer program, a South Africa African courts in respect of the offences created by this Act. Section computer data storage medium or a computer system. Section 14 of 90 states that, in the following circumstances, a South African court the Cybercrimes Bill states that a person who contravenes sections will have jurisdiction to hear a case relating to a cyber offence, if: 4(1), 5(1) or 6(1) is liable on conviction to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and imprisonment. (a) the offence was committed in South Africa; (b) any preparatory act towards the offence, any part of the Possession or use of hardware, software or other tools used to offence or any results of the offence occurred in South Africa; commit cybercrime (e.g. hacking tools) (c) the offence was committed by a South African citizen, As set out above, section 86(3) and section 86(4) criminalise the permanent resident or a person carrying on business here; or possession and/or use of any device, including a computer program (d) the offence was committed on board any ship or aircraft and component, if the purpose of such possession or use is to registered in South Africa or on a voyage or flight to or from commit an offence in terms of the ECT Act. The penalties in respect here at the time that the offence was committed. of contravening sections 86(3) and 86(4) are set out above. From the provisions of section 90 of the ECT Act, it can be seen Section 4(1) of the proposed Cybercrimes Bill criminalises the that in certain circumstances, the Act does have extraterritorial actions of a person who unlawfully and intentionally possesses, application. manufactures, assembles, obtains, sells, purchases, makes available or advertises any software or hardware tool for the purposes of contravening certain provisions of the Cybercrimes Bill. 1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an Identity theft or identity fraud (e.g. in connection with access exception to any of the above-mentioned offences? devices)

Charges in respect of this offence can be brought in terms of the common The ECT Act does not cover mitigation of sentences or exceptions law offence of fraud and/or theft. The South African common law that would apply in the case of contraventions of the Act. offence of fraud is defined above. In Burchell’sPrinciples of Criminal Law (ibid, pg. 673), theft is defined as “an unlawful appropriation with intent to steal of a thing capable of being stolen”. 1.4 Are there any other criminal offences (not specific to cybersecurity) in your jurisdiction that may arise These offences can also be prosecuted in terms of copyright laws. in relation to cybersecurity or the occurrence of an The sentencing jurisdiction in respect of common law offences Incident (e.g. terrorism offences)? Please cite any would be determined by the sentencing thresholds of the court in specific examples of prosecutions of these offences which the prosecution is brought. This has been set out above. in a cybersecurity context. Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement) All of the criminal offences created by the ECT Act have been dealt with above. South Africa has legislation that criminalises These offences can be charged in terms of section 86(1) relating to acts of terrorism and acts that could involve a cybersecurity breach. unlawful access to data. Further, these offences can be prosecuted However, the legislation criminalising acts of terrorism is drafted in terms of the common law offence of theft. Section 86(1) carries broadly so that it would cover a multitude of possible scenarios. a maximum penalty of a fine or imprisonment for a period not exceeding 12 months. The sentencing jurisdiction in respect of The offence of treason in South Africa is a common law offence common law offences has been dealt with above. and, similarly, has a broad definition that can cater for a number of possible scenarios, including a cybersecurity attack or Incident. Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data 2 Applicable Laws Section 88 of the ECT Act also criminalises offences that were not completed; for example, attempting to commit any of the offences criminalised in the ECT Act or aiding or abetting those offences. 2.1 Please cite any Applicable Laws in your jurisdiction The penalty for attempting to commit, aid or abet any of the offences applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation in the ECT Act carries the same sentence as if the crime were and management of Incidents. This may include, successfully perpetrated. for example, laws of data protection, intellectual Failure by an organisation to implement cybersecurity measures property, breach of confidence, privacy of electronic communications, information security, and import / Currently, South Africa has no legislation that imposes this sort of export controls, among others. duty on organisations.

However, in chapters 10 and 11 of the proposed Cybercrimes Bill, Some of the key pieces of legislation that govern or are relevant to structures have been introduced to deal with cybersecurity and the area of cybersecurity in South Africa are: critical information infrastructure protection, respectively.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 157 © Published and reproduced with kind permission by Global Legal Group Ltd, London ENSafrica South Africa

(a) the Constitution of South Africa, 1996. Chapter 2, section 14 enshrines the right to privacy. Section 14(d) states that 2.3 Are organisations required under Applicable Laws, “[e]veryone has the right to privacy, which includes the right or otherwise expected by a regulatory or other not to have the privacy of their communications infringed”; authority, to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what (b) the ECT Act, which is stated by the legislature “[t]o provide for measures are required to be taken. the facilitation and regulation of electronic communications and transactions; to provide for the development of a national e-strategy for the Republic; to promote universal access to South African law does not currently place a duty on organisations electronic communications and transactions and the use of to take measures to monitor, detect, prevent or mitigate Incidents. electronic transactions by SMMEs; to provide for human However, when the POPI Act comes into operation, “a responsible resource development in electronic transactions; to prevent party” (defined as “a public or private body or any other person abuse of information systems; to encourage the use of which, alone or in conjunction with others, determines the purpose South Africa e-government services; and to provide for matters connected of and means for processing personal information”) who keeps any therewith”; type of record relating to personal information of third parties (a data (c) the Protection of Personal Information Act 4 of 2013 (“POPI subject) would be subject to introducing certain minimum standards Act”). This Act has been passed by the South African for the protection of this personal information. Section 19 of the Act Parliament; however, it is not yet in full operation and is places a duty on a responsible party to take appropriate, reasonable expected to come into operation later this year. The legislature technical and organisational measures to prevent unlawful access to states that this legislation has been enacted in order “[t]o promote the protection of personal information processed or processing of personal information in its possession or under its by public and private bodies; to introduce certain conditions control. Certain types of information are excluded from the ambit of so as to establish minimum requirements for the processing the POPI Act. This information is set out in sections 6 and 7 of the of personal information; to provide for the establishment of Act, which deals with “Exclusions” and “Exclusions for journalistic, an Information Regulator to exercise certain powers and to literary or artistic purposes”, respectively. perform certain duties and functions in terms of this Act and Further, section 52 of the Cybercrimes Bill, in its current form, the Promotion of Access to Information Act, 2000; to provide places obligations on electronic communications service providers for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and financial institutions. In terms of this section, if an electronic and automated decision making; to regulate the flow of communications service provider or financial institution is aware personal information across the borders of the Republic; and or becomes aware that its computer system is involved in the to provide for matters connected therewith”; and commission of any offence provided for in chapter 2 of the Bill, (d) the Cybercrimes Bill, which has not yet been enacted by then it must, without undue delay, report the offence in a prescribed the South African Parliament and is open for public debate. manner to the South African Police Services. Further, it is to The legislature indicates that the purpose of the Bill is “[t]o preserve any information that may be of assistance to the law create offences and impose penalties which have a bearing on enforcement agency in investigating the offence. It should be noted cybercrime; to criminalise the distribution of data messages that the Cybercrimes Bill may change before it is enacted. which is harmful and to provide for interim protection orders; to further regulate jurisdiction in respect of cybercrimes; to further regulate the powers to investigate cybercrimes; 2.4 In relation to any requirements identified in question to further regulate aspects relating to mutual assistance in 2.3 above, might any conflict of laws issues respect of the investigation of cybercrime; to provide for arise? For example, conflicts with laws relating the establishment of a 24/7 Point of Contact … to impose to the unauthorised interception of electronic obligations on electronic communications service providers communications or import / export controls of and financial institutions to assist in the investigation of encryption software and hardware. cybercrimes and to report cybercrimes; to provide for the establishment of structures to promote cybersecurity At this point, no conflicts are foreseen, but it should be noted that the and capacity building; to regulate the identification and majority of the provisions of the POPI Act are not yet in operation. declaration of critical information infrastructures and Further, the Cybercrimes Bill is not in its final form yet. measures to protect critical information structures; provides that the Executive may enter into agreements with foreign States to promote cybersecurity ... and to provide for matters 2.5 Are organisations required under Applicable Laws, or connected therewith”. otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents to a regulatory or other authority in your 2.2 Are there any cybersecurity requirements under jurisdiction? If so, please provide details of: (a) the Applicable Laws applicable to critical infrastructure circumstance in which this reporting obligation is in your jurisdiction? For EU countries only, how triggered; (b) the regulatory or other authority to (and according to what timetable) is your jurisdiction which the information is required to be reported; (c) expected to implement the Network and Information the nature and scope of information that is required Systems Directive? Please include details of any to be reported (e.g. malware signatures, network instances where the implementing legislation in your vulnerabilities and other technical characteristics jurisdiction is anticipated to exceed the requirements identifying an Incident or cyber attack methodology); of the Directive. and (d) whether any defences or exemptions exist by which the organisation might prevent publication of There is currently no legislation that specifically relates to protecting that information. critical infrastructure from cybercrime. However, one of the stated aims of the Cybercrimes Bill is to regulate the identification and South African law does not currently place a duty on organisations declaration of critical information infrastructure and to introduce to report information related to Incidents or potential Incidents to a measures to protect critical information infrastructure. regulatory or other authority. However, when the POPI Act comes

158 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London ENSafrica South Africa

into operation, responsible parties will have 12 months to bring their business practices in line with this law. 2.9 Please provide details of the regulator(s) responsible for enforcing the requirements identified under The POPI Act states that if there has been an Incident/breach questions 2.3 to 2.7. and personal information has been accessed or acquired by any unauthorised people, then the Information Regulator and the subject The following institutions would, inter alia, be relevant in regulating whose information has been breached should be notified. the cybercrimes environment in South Africa: In terms of the Act, the Information Regulator can establish (a) the State Security Agency; exemptions in respect of organisations/persons that are not required (b) the South African Police Services; to comply with the provisions of the Act if the public interest outweighs the subject’s right to privacy or where non-compliance is (c) the National Prosecuting Authority; and beneficial to the data subject. (d) the Information Regulator established in terms of the POPI Act. South Africa

2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information 2.10 What are the penalties for not complying with the related to Incidents or potential Incidents with: (a) requirements identified under questions 2.3 to 2.8? a regulatory or other authority in your jurisdiction; (b) a regulatory or other authority outside your The POPI Act prescribes different sentences for different offences, jurisdiction; or (c) other private sector organisations and penalties are set out in sections 107 and 109 of the Act. The or trade associations in or outside your jurisdiction? Cybercrimes Bill similarly prescribes different sentences for different offences, and penalties are set out in sections 14 and 22 Currently, there is no prohibition on organisations sharing of the Bill. information related to Incidents or potential Incidents with regulatory or other authorities in South Africa, or outside of this jurisdiction, as long as the information is not confidential, classified 2.11 Please cite any specific examples of enforcement or subject to some other restriction. action taken in cases of non-compliance with the above-mentioned requirements. The POPI Act will, however, have an effect on this position when it comes into operation, because it will affect the flow of personal The POPI Act and Cybercrimes Bill have not come into operation information generally but also specifically restrict the flow of yet, and as a result, no non-compliance actions have been brought personal information outside of South Africa. to court.

2.7 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, 3 Specific Sectors to report information related to Incidents or potential Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this 3.1 Does market practice with respect to information reporting obligation is triggered; and (b) the nature and security (e.g. measures to prevent, detect, mitigate scope of information that is required to be reported. and respond to Incidents) vary across different business sectors in your jurisdiction? Please include details of any common deviations from the strict legal When the POPI Act comes into operation, section 22(1) of the POPI requirements under Applicable Laws. Act states that where there are reasonable grounds to believe that the personal information of a data subject (defined as “the person to The ECT Act does not specifically require that different business whom personal information relates”) has been accessed or acquired sectors address information security differently. However, by any unauthorised person, the responsible party must notify the information related to national security is regulated by its own Information Regulator as well as the subject whose data has been legislation and regulations. Similarly, the electronic communications breached, if the subject can be identified. service providers and financial institutions are subject to their own The notification to the subject whose information has been breached legislation and regulations. should be sufficient so that they are able to protect themselves The POPI Act does envisage that the Information Regulator may against the possible consequences of their personal information establish general and/or industry-specific Codes of Conduct that falling into the hands of criminals. The detailed requirements of the will regulate information protection. The Cybercrimes Bill also POPI Act are set out in section 22. distinguishes between critical infrastructure that is of national importance and other infrastructure. As stated above, one of the 2.8 Do the responses to questions 2.5 to 2.7 change if the aims of the legislation would be to regulate the identification and information includes: (a) price sensitive information; declaration of critical information infrastructure and measures to (b) IP addresses; (c) email addresses (e.g. an email protect it. address from which a phishing email originates); (d) personally identifiable information of cyber threat actors; and (e) personally identifiable information of 3.2 Are there any specific legal requirements in relation individuals who have been inadvertently involved in to cybersecurity applicable to organisations an Incident? in: (a) the financial services sector; and (b) the telecommunications sector? The POPI Act allows for the Information Regulator to create exemptions in terms of the application of certain provisions of the In South Africa, there are no specific legal requirements in relation Act. However, the Information Regulator has, to date, not created to cybersecurity applicable to organisations in the financial sector any exemptions or established any Codes of Conduct. and electronic communications service providers. The Cybercrimes

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 159 © Published and reproduced with kind permission by Global Legal Group Ltd, London ENSafrica South Africa

Bill does, as set out above, in section 52, create obligations for these It should further be noted that when the POPI Act comes into organisations. Further, section 11 of the Cybercrimes Bill states that operation, this will place duties on responsible parties to maintain certain offences committed against restricted computer systems are the integrity of personal information that they process. If there aggravated offences: financial institutions are considered restricted is an Incident and the company fails to respond to the Incident computer systems. appropriately or in line with the requirement of the POPI Act or The South African Reserve Bank is working very closely with other legislation, this non-compliance may give rise to a director the financial sector and banks, in particular, to develop codes and being held liable. practices relating to cybersecurity and cybercrime, to ensure that this sector is as secure as possible. 4.2 Are companies (whether listed or private) required under Applicable Laws to: (a) designate a CISO; (b) establish a written Incident response plan or South Africa 4 Corporate Governance policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform penetration tests or vulnerability assessments? 4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, South African law does not require companies to appoint a Chief mitigate, manage or respond to an Incident amount to a breach of directors’ duties in your jurisdiction? Information Security Officer, nor does it require: a written Incident response plan or policy; the conducting of periodic cyber risk assessments or the performance of penetration testing or vulnerability The King IV: Report on Corporate Governance for South Africa assessments. However, ENSafrica recommends that all of our clients – 2016 (“King IV”) is a set of voluntary principles and leading have a comprehensive Incident response plan, which includes having practices in the area of corporate governance. The King Reports on proper policies and procedures in place. Further, we conduct training to Corporate Governance are drafted in order to apply to organisations, assist our clients and their employees to understand the relevant policies regardless of their form of incorporation. The guidelines and and procedures. As part of this cybersecurity governance framework, governance practices in King IV are voluntary, except for listed we recommend vulnerability assessments and/or penetration testing in entities and entities required to comply with King IV by law. King order to detect and address weaknesses in our clients’ IT infrastructure. IV principle 12 states that “[t]he governing body should govern Introducing this type of governance framework also assists our clients technology and information in a way that supports the organisation to comply with the requirements of the POPI Act. setting and achieving its strategic objectives”. King IV states that information technology is a corporate asset and governance structures must be implemented to protect and improve 4.3 Are companies (whether listed or private) subject this asset. IT governance supports an organisation in setting and to any specific disclosure requirements in relation to cybersecurity risks or Incidents (e.g. to listing achieving its objectives. The responsibilities of the governing body authorities, the market or otherwise in their annual (the “Board”) include ensuring that the organisation’s IT is managed reports)? through transparency, effective controls and the management of communication, information and technology. It must be adequately This has been dealt with in questions 2.5 and 2.7 above. resourced and sufficiently defined, in accordance with the business sector and environment in which the organisation operates. Principle 12 of King IV sets out a number of principles that the Board of an 4.4 Are companies (whether public or listed) subject to entity should follow in respect of the governance of technology and any other specific requirements under Applicable Laws in relation to cybersecurity? information. The principles of common law relating to a breach of fiduciary There are no additional requirements placed on companies other duties apply, and a director can be held liable for any loss, damages than those imposed by the legislation dealt with in sections 1, 2 and or costs (applicable Companies Act sections 75, 76(2), 76(3) and 4 above. 77(2)). Section 76 of the Companies Act 71 of 2008 sets out the Standards of Directors Conduct. Section 76(2) states that a director of a company must “(a) not use the position of director, or any 5 Litigation information obtained while acting in the capacity of a director – (i) to gain an advantage for the director, or for any other person other than the company… (ii) to knowingly cause harm to the 5.1 Please provide details of any civil actions that may be company…; (b) communicate to the board at the earliest practicable brought in relation to any Incident and the elements of that action that would need to be met. opportunity any information that comes to the director’s attention, unless the director (i) easily believes that the information is (aa) the material to the company; or (bb) generally available to the public,… South African law recognises a delictual action in general terms (ii) is bound not to disclose that information by a legal or ethical (delict is the equivalent of tort) and this action may be brought obligation of confidentiality”. against the perpetrators of an Incident. Essentially, the delictual action is the common law action lex aquilia and is for compensation Section 76(3) states that “[s]ubject to subsections (4) and (5), a or, as is known in South African law, damages. Damages must be director of a company, when acting in that capacity, must exercise differentiated from actual damage, and damages are essentially the powers and perform the functions of director (a) in good faith what one suffers when one’s patrimony has been diminished. This and for a proper purpose; (b) in the best interests of the company; would include pure economic loss, where there has been no physical and (c) with a degree of care, skill and diligence that may reasonably damage to property. The elements of the action lex aquilia are: be expected of a person (i) carrying out the same functions in 1. a wrongful act or omission; relation to the company as those carried out by that director; and (ii) having the general knowledge, skill and experience of that director”. 2. a duty of care not to cause harm/loss; and 3. actual patrimonial loss on the part of the claimant.

160 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London ENSafrica South Africa

Where an Incident occurs, wrongfulness will essentially be the cause of the Incident, and by its malicious nature, would be a breach of the 7 Employees duty of care not to cause loss by the perpetrators of the Incident. Possibly, the most significant aspect of the aquilian action would 7.1 Are there any specific requirements under Applicable be the proof of damages. It is entirely comprehensible that many Law regarding: (a) the monitoring of employees for millions of rands can be lost due to an Incident in a myriad of ways. the purposes of preventing, detection, mitigating and The one important aspect relating to recovery of damages is that responding to Incidents; and (b) the reporting of cyber the plaintiff/claimant has to mitigate (take every step to lessen) its risks, security flaws, Incidents or potential Incidents by employees to their employer? damages, and they have to be able to prove this. In general terms, South African law does not recognise punitive damages, save in very specific circumstances which are not germane to this topic. In South Africa, there is no legislation that requires that an employer

monitors employees for the purposes of preventing, detecting, South Africa The South African High Court has inherent jurisdiction over every mitigating and/or responding to Incidents. person within its borders, and if the perpetrators of an Incident are inside the country and are identifiable, the High Court within the Further, South African law does not currently place a duty on same jurisdiction as the perpetrators will hear the matter. employees to inform their employer of cyber risks, security flaws, Incidents or potential Incidents involving their employer. However, In addition, section 99 of the POPI Act provides for civil remedies. The when the POPI Act comes into operation this position will change. Act states that a data subject or the Information Regulator may institute Section 21(2) of the POPI Act requires that an operator (defined a civil action for damages in a court having jurisdiction against a as “a person who processes personal information for a responsible responsible party if there has been a breach of the provisions of this Act, party in terms of a contract or mandate, without coming under as referred to in section 73 of the Act. Section 73 relates to interference the direct authority of the party”) or an employee who processes with the protection of personal information of a data subject. The civil personal information on behalf of a responsible party, must notify action may be instituted whether or not there is intent or negligence on the responsible party immediately when there are reasonable the part of the responsible party. This civil action will be available to data grounds to believe that the personal information of a data subject subjects/the Information Regulator when the Act comes into operation. has been accessed or acquired by an unauthorised person.

5.2 Please cite any specific examples of cases that 7.2 Are there any Applicable Laws (e.g. whistle-blowing have been brought in your jurisdiction in relation to laws) that may prohibit or limit the reporting of cyber Incidents. risks, security flaws, Incidents or potential Incidents by an employee? At present we are not aware of any specific examples that have been brought in our jurisdiction. If an employee is disclosing or reporting a cyber risk, security flaw, Incident or potential Incident to their employer and/or the 5.3 Is there any potential liability in tort or equivalent responsible party and they follow the proper protocols, there should legal theory in relation to an Incident? not be any restriction on this type of reporting.

The liability of perpetrators of Incidents has been dealt with above. With regard to potential liability, the position of a third party where 8 Investigatory and Police Powers an Incident occurs may be affected by the introduction of the POPI Act, which will place a duty on holders of personal information to 8.1 Please provide details of any investigatory powers of safeguard the personal information. Further, civil action can be law enforcement or other authorities under Applicable brought against a responsible party in terms of section 99 of the POPI Laws in your jurisdiction (e.g. antiterrorism laws) that Act when there has been a breach of section 73 of the POPI Act. may be relied upon to investigate an Incident.

The SAPS has the general power to question witnesses and take 6 Insurance statements from witnesses in respect of the commission of crimes committed within the borders of South Africa. In addition, the Criminal Procedure Act 51 of 1977 (“CPA”) sets out further powers 6.1 Are organisations permitted to take out insurance against Incidents in your jurisdiction? of investigation that can be used by the SAPS when conducting investigations. The following chapters of the CPA are relevant: Organisations are permitted to take out insurance against cyber (a) chapter 2 sets out the law with regard to obtaining search Incidents. This insurance would, inter alia, depending on the nature warrants, entering premises, seizing items of evidence and the forfeiture and disposal of property connected with offences; of cover taken, cover business interruption, system failures, cyber extortion and digital asset restoration. (b) chapter 3 sets out how to obtain evidence from individuals or suspects (bodily samples, etc.); (c) chapters 4 to 7 set out how to secure the attendance of an 6.2 Are there any regulatory limitations to insurance accused at court including the powers of arrest, issuing a coverage against specific types of loss, such as summons, etc.; business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal (d) chapter 23, section 205 allows the SAPS to request a court limits placed on what the insurance policy can cover? to compel a witness to provide evidence in respect of the commission of an offence; and There are no regulatory limitations that are placed on the type of (e) chapter 24, section 212 allows the SAPS to obtain proof of insurance that can be taken to cover cyber Incidents. The general certain facts by affidavit or certificate. rules applying to insurance would apply in this area of the law.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 161 © Published and reproduced with kind permission by Global Legal Group Ltd, London ENSafrica South Africa

In addition, the POPI Act, which should come into operation in South Africa shortly, gives the Information Regulator the following 8.2 Are there any requirements under Applicable Laws powers: for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide (a) the right to commence an investigation on their own initiative; law enforcement authorities with encryption keys? (b) to refer any complaint to another body if the Information Regulator believes that the complaint falls more properly South African legislation does not place this duty on organisations within the jurisdiction of another body; operating in this jurisdiction. (c) to summon people to appear before it and to give evidence; (d) to enter and search any premises; Acknowledgment (e) to conduct interviews; and

South Africa (f) to carry out other enquiries that the Information Regulator The authors would like to acknowledge the third author of this sees fit. chapter, Gretchen de Smit. The Cybercrimes Bill also provides for the following investigative Gretchen is an off-site consultant at ENSafrica in the corporate powers: commercial department. She has significant experience in the (a) search for, access to and seizure of articles involved in the area of corporate governance and she contributed to the corporate commission of offences; governance section of this chapter. (b) mutual legal assistance in the arena of cybercrimes; Tel: +27 11 269 7600 / Email: [email protected] (c) obtaining evidence of certain facts by affidavit; (d) establishment and functioning of a 24/7 point of contact; and (e) authorising the National Executive to enter into agreements with foreign states aimed at improving law enforcement in the area of cybercrime and cooperation in the combating of cybercrime.

162 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London ENSafrica South Africa

Suad Jacobs Theo Buchler ENSafrica ENSafrica 150 West Street 150 West Street Sandton Sandton South Africa South Africa

Tel: +27 82 554 7336 Tel: +27 11 269 7600 Email: [email protected] Email: [email protected] URL: www.ENSafrica.com URL: www.ENSafrica.com

Suad Jacobs is the head of ENSafrica’s forensics department in Theo Buchler is a director at ENSafrica in the dispute resolution the Johannesburg office, and is a well-known white-collar crime department and specialises in general commercial transactions South Africa prosecutor and forensics lawyer. She specialises in leading forensic and litigation, the latter almost exclusively in the High Court and at investigations in the areas of procurement, fraud, cybercrime and arbitration (local and international). Theo’s experience includes, corruption in the private and public sectors. Suad has acted for a inter alia, matters involving banking and finance litigation (particularly variety of government departments and private entities in South Africa, interest claims), restraints of trade, building and construction as well as and her investigations have led to numerous successful disciplinary general litigation. Theo works closely with the forensics departments and criminal proceedings against offenders, as well as the recovery of at ENSafrica to assist with matters that require the input of a dispute losses in various criminal matters. resolution practitioner. Theo contributed to the litigation section of this chapter. Her experience includes advising clients on anti-fraud, cybercrime and anti-corruption matters, including the compliance requirements of the United States’ Foreign Corrupt Practices Act, 1977, the United Kingdom’s Bribery Act, 2010, as well as the South African Prevention and Combating of Corrupt Activities Act, 2004.

The ENSafrica forensics department has specialist expertise and practical experience in complex, large-scale investigations for multi-national corporations as well as national, provincial and local government. We have also conducted anti-bribery and compliance audits and training across Africa. what we offer The key forensics/anti-bribery compliance support services that the team provides include: ■■ anti-bribery compliance investigations; ■■ fraud investigations; ■■ corruption investigations; ■■ cybercrime investigations; ■■ theft investigations; ■■ money laundering; ■■ preparation and implementation of anti-bribery policies and procedures; ■■ regulatory/statutory anti-bribery compliance advice (FICA/POCA/FCPA/UKBA); ■■ forensic interviews and interrogations; and ■■ expert witness testimony.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 163 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 25

Switzerland Dr. András Gurovits

Niederer Kraft & Frey Ltd. Clara-Ann Gordon

SCC) – penalty: a custodial sentence of up to three years; or 1 Criminal Activity a monetary penalty. Phishing 1.1 Would any of the following activities constitute a Depending on the individual design and purpose of a phishing mail or criminal offence in your jurisdiction? If so, please website, such phishing can constitute the following criminal offences: provide details of the offence, the maximum penalties available, and any examples of prosecutions in your ■ fraudulent use of a trademark or a copyright protected work jurisdiction: (Article 62 of the Swiss Trade Mark Protection Act, Article 67 of the Swiss Copyright Act); Hacking (i.e. unauthorised access) ■ forgery of a document (Article 251 SCC); or Hacking can constitute a criminal offence in Switzerland. Pursuant ■ computer fraud: unauthorised use of data and the transferring of financial assets through phishing (Article 147 SCC), to Article 143bis of the Swiss Criminal Code (SCC), any person who obtains unauthorised access by means of data transmission equipment each of which is punishable by a custodial sentence not exceeding to a data processing system that has been specially secured to prevent five years, or by a monetary penalty if committed for commercial such access is liable on complaint to a custodial sentence not exceeding gain. three years or to a monetary penalty. If the hacker for his own or Furthermore, in phishing cases, the criminal offence of money for another’s unlawful gain obtains specially secured data which is laundering (Article 305bis SCC), with a penalty of a custodial not intended for him, he is liable, according to Article 143 SCC, to a sentence not exceeding three years or a monetary penalty, can be custodial sentence not exceeding five years or to a monetary penalty. part of the accusation (see the decision by the Federal Criminal In its decisions BGer 6B_615/2014 and 6B_456/2007, the Swiss Court, BG.2011.43). Federal Supreme Court held that unauthorised access to another The Office of the Attorney General of Switzerland has reported that, person’s password-protected e-mail account falls under the scope of the from 2012 to 2016, 455 criminal complaints with regard to phishing “hacking offence”. In 2016, several hackers and persons threatening were filed by banks, authorities and private persons. Many cases to hack IT systems of banks, universities and private enterprises could were closed without an outcome due to lack of evidence or offenders have been identified and arrested in Switzerland or abroad with the remaining unidentified. Other cases, especially those involving help of mutual legal assistance from foreign authorities. requests for mutual legal assistance of foreign authorities, are still Denial-of-service attacks pending. Denial-of-service attacks can constitute a criminal offence in Infection of IT systems with malware (including ransomware, Switzerland. Pursuant to Article 144bis SCC, any person who spyware, worms, trojans and viruses) without authorisation alters, deletes or renders unusable data that Such infections can be covered by Article 144bis SCC, prescribing is stored or transmitted electronically is liable on complaint to that whoever alters, deletes or renders unusable data that is stored or a custodial sentence not exceeding three years or to a monetary transmitted electronically is liable on complaint to a custodial sentence penalty. Moreover, data can also be regarded as rendered unusable, not exceeding three years or to a monetary penalty (“virus offence”). if such data still exists but is temporarily inaccessible for authorised Especially in connection with ransomware attacks, the following users, e.g. due to a denial-of-service attack. further criminal provisions can be applicable: Moreover, depending on the modus operandi of the individual case, ■ Fraud for commercial gain (Article 146 SCC) – penalty: a the following further criminal provisions can be applicable in the custodial sentence not exceeding 10 years; or a monetary context of denial-of-service attacks: penalty of not less than 90 daily penalty units. ■ Extortion (Article 156 SCC) – penalty: a custodial sentence ■ Extortion (Article 156 SCC) – penalty: a custodial sentence not exceeding five years; or a monetary penalty. not exceeding five years; or a monetary penalty. ■ Coercion (Article 181 SCC) – penalty: a custodial sentence ■ Money laundering (Article 305bis SCC) – penalty: a custodial of up to three years; or a monetary penalty. sentence not exceeding three years; or a monetary penalty. ■ Misuse of a telecommunications installation (Article 179septies Possession or use of hardware, software or other tools used to SCC) – penalty: a fine upon complaint. commit cybercrime (e.g. hacking tools) ■ Obstructing, disrupting or endangering the operation of a While the mere possession of hacking tools is not illegal, the provision telecommunication service or utility provider (Article 239 or use of hacking tools can constitute a criminal offence. According

164 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Niederer Kraft & Frey Ltd. Switzerland

to Article 144bis paragraph 2 SCC, whoever manufactures, imports, Data Protection (FADP) – penalty: monetary penalty. Article markets, advertises, offers or otherwise makes accessible programs 47 of the Banking Act – penalty: a custodial sentence of up that will be used to alter, delete or render unusable data without to three years; or a monetary penalty. Article 147 of the authorisation is liable to a custodial sentence of up to three years or Financial Market Infrastructure Act (FMIA) – penalty: a to a monetary penalty. In its decision BGE 129 IV 230, the Federal custodial sentence not exceeding three years; or a monetary Supreme Court held that instructions and manuals explaining how penalty. to create programs that infect, destroy or render data unusable fall ■ Breach of postal or telecommunications secrecy (Article under the scope of this virus offence. 321ter SCC) – penalty: a custodial sentence not exceeding three years; or a monetary penalty. Articles 43 and 53 of the Moreover, any person who markets or makes accessible passwords, Swiss Telecommunications Act (TCA) – penalty: fine not programs or other data that are intended to be used to obtain exceeding CHF 5,000. unauthorised access to a data processing system is liable to a

■ Unsolicited distribution of spam massages (Article 3 lit. o Switzerland custodial sentence not exceeding three years or to a monetary in conjunction with Article 23 of the Federal Law on Unfair penalty as prescribed by Article 143bis paragraph 2 SCC. Competition) – penalty: a custodial sentence of up to three Finally, exporting or brokering certain goods for monitoring the internet years; or a monetary penalty. or mobile telecommunications without official permission can be liable Failure by an organisation to implement cybersecurity measures to a custodial sentence of up to three years or to a monetary penalty There is no generally applicable regulation in Switzerland specifically pursuant to Article 9 of the Ordinance on the Export and Brokering of requiring the implementation of certain cybersecurity measures (for Goods for Monitoring Internet and Mobile Communication. sector-specific requirements see question 3.2 below). However, Identity theft or identity fraud (e.g. in connection with access general compliance obligations require the implementation of an devices) internal control system (relevant for companies limited by shares, There is no explicit regulation for identity theft or identity fraud in see Article 20 of the Swiss Code of Best Practice for Corporate Switzerland. Depending on the intention of the offender and his Governance) and technical and organisational measures to ensure modus operandi, it can be covered by different articles of the SCC, the confidentiality, integrity and availability of information and such as Article 143 (unauthorised obtaining of data), Article 146 IT systems, which can include the implementation of an adequate (fraud), Article 147 (computer fraud), Article 143bis (hacking) or information security management system (relevant for all Article 173 et seqq. (offences against personal honour). organisations, see Article 7 FDPA). Electronic theft (e.g. breach of confidence by a current or former The Swiss Federal Council adopted a “National Strategy on employee, or criminal copyright infringement) Switzerland’s Protection against Cyber Risks” (NCS) in 2012. One Electronic theft can be covered by several criminal offences. Article 143 of the measures provided for in the NCS was the evaluation of SCC prescribes the penalty for an unauthorised data acquisition. The existing legislation for immediate adjustment needs. In 2016, the maximum penalty is a custodial sentence of five years. Furthermore, involved authorities declared that they did not detect such need for any person who betrays a manufacturing or trade secret that is not to be adjustment of existing legislation from a cybersecurity perspective. revealed under a statutory or contractual duty or anyone who exploits such a betrayal can face a custodial sentence of up to three years or a 1.2 Do any of the above-mentioned offences have monetary penalty under Article 162 SCC. Finally, according to Article extraterritorial application? 67 et seqq. of the Swiss Copyright Act, a copyright infringement that has been committed wilfully and unlawfully can be punished with a The extraterritorial application of the SCC, with regard to the offences custodial sentence of up to one year or a monetary penalty; in cases of mentioned above, requires that the offender is present in Switzerland committing the offence for commercial gain, the penalty is a custodial and will not be extradited (Articles 6, 7 SCC). In the context of phishing, sentence not exceeding five years or a monetary penalty. it is currently in dispute between the Swiss Office of the Attorney Any other activity that adversely affects or threatens the General and the criminal courts whether on the basis of the Council of security, confidentiality, integrity or availability of any IT Europe’s Cybercrime Convention in conjunction with Article 6 SCC system, infrastructure, communications network, device or data such offences committed abroad are even subject to Swiss criminal jurisdiction where the offender and victim are not Swiss citizens. The following further criminal offences impairing security, confidentiality, integrity and availability have to be considered under Swiss law: 1.3 Are there any actions (e.g. notification) that might ■ Falsification or suppression of information in connection mitigate any penalty or otherwise constitute an with a telecommunications service (Article 49 of the Swiss exception to any of the above-mentioned offences? Telecommunications Act (TCA)) – penalty: a custodial sentence of up to three years; or a monetary penalty. Yes, Swiss criminal law incorporates the mitigating principles of ■ Unauthorised misuse or disclosure of information received withdrawal and active repentance. If a person of his own accord by means of a telecommunications installation that was does not complete the criminal act or if he assists in preventing the not intended for the receiver (Article 50 TCA) – penalty: a completion of the act, the court may reduce the sentence or waive custodial sentence of up to one year; or a monetary penalty. any penalty (Article 23 SCC). ■ Interfering in telecommunications or broadcasting (Article 51 TCA) – penalty: a custodial sentence of up to one year; or 1.4 Are there any other criminal offences (not specific a monetary penalty. to cybersecurity) in your jurisdiction that may arise ■ Obstructing, disrupting or endangering the operation of a in relation to cybersecurity or the occurrence of an telecommunication service or utility provider (Article 239 Incident (e.g. terrorism offences)? Please cite any SCC) – penalty: a custodial sentence of up to three years; or specific examples of prosecutions of these offences a monetary penalty. in a cybersecurity context. ■ Breach of professional confidentiality (Article 321 SCC) – penalty: a custodial sentence of up to two years; or a The following other provisions can be applicable in the context of monetary penalty. Article 35 of the Swiss Federal Act on cybersecurity:

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 165 © Published and reproduced with kind permission by Global Legal Group Ltd, London Niederer Kraft & Frey Ltd. Switzerland

■ Causing fear and alarm among the general public (Article 258 SCC). 2.2 Are there any cybersecurity requirements under Applicable Laws applicable to critical infrastructure ■ Public incitement to commit a felony or act of violence in your jurisdiction? For EU countries only, how (Article 259 SCC). (and according to what timetable) is your jurisdiction ■ Participating or supporting a criminal organisation (Article expected to implement the Network and Information 260ter SCC). Systems Directive? Please include details of any ■ Financing terrorism by collecting or providing funds (Article instances where the implementing legislation in your quinquies jurisdiction is anticipated to exceed the requirements 260 SCC). of the Directive. ■ Foreign operations and activities directed against the security bis of Switzerland (Article 266 SCC). In Switzerland, there are no generally applicable mandatory ■ Diplomatic Treason: endangering the interest of Switzerland Switzerland cybersecurity requirements for critical infrastructures so far (for sector- (i) by making a secret accessible to a foreign country; or (ii) specific requirements see question 3.2 below). In 2012, the Federal by falsifying, destroying, disposing or stealing documents Council adopted the “National Strategy on the Protection of Critical relating to Switzerland’s legal relations with a foreign state Infrastructures” (SIK). The Federal Office for Civil Protection was (Article 267 SCC). mandated to implement the strategy and published a “Guideline for the ■ Political, industrial or military espionage in the interest of a Protection of Critical Infrastructures” in 2015, outlining recommended foreign state or organisation (Articles 272, 273, 274 SCC). risk, crisis and continuity concepts based on international standards. ■ Founding of an unlawful association (Article 275ter SCC). Furthermore, the draft bill of a Federal Information Security Act issued ■ Criminal provisions concerning the representation of acts of by the Federal Council in February 2017 prescribes certain security violence (Article 135 SCC), pornography (Article 197 SCC) measures for federal authorities and offers support to private operators or racial discrimination (Article 261bis SCC). of critical infrastructures to minimise network and system disruptions. Please note the decisions of the Federal Criminal Court, SK.2013.39, and the Federal Supreme Court, BGer 6B_645/2007, both regarding 2.3 Are organisations required under Applicable Laws, cases of “cyber-jihad/cyber-terrorism”, included several of the or otherwise expected by a regulatory or other above-mentioned offences as part of the subject of the accusation. authority, to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what measures are required to be taken. 2 Applicable Laws There is no generally applicable requirement in Switzerland to take measures to monitor, detect, prevent or mitigate Incidents. However, 2.1 Please cite any Applicable Laws in your jurisdiction Article 7 FADP in conjunction with Articles 8 and 9 of the Ordinance applicable to cybersecurity, including laws applicable to the FADP provide that personal data must be protected against to the monitoring, detection, prevention, mitigation unauthorised processing, destruction, loss, technical faults, forgery, and management of Incidents. This may include, theft or unlawful use through the implementation of adequate for example, laws of data protection, intellectual technical and organisational measures including mandatory controls property, breach of confidence, privacy of electronic communications, information security, and import / of the following IT and data-related circumstances: entrance; export controls, among others. personal data carrier; transport; disclosure; storage; usage; access; and input. ■ Federal Act on Data Protection. With regard to specific cybersecurity safeguards to be taken in the ■ Ordinance to the Federal Act on Data Protection. financial and telecommunications sector, see question 3.2 below. ■ Swiss Criminal Code. ■ Telecommunications Act. 2.4 In relation to any requirements identified in question 2.3 above, might any conflict of laws issues ■ Ordinance on Telecommunications Services. arise? For example, conflicts with laws relating ■ Federal Act on Copyright and Related Rights. to the unauthorised interception of electronic ■ Trade Mark Protection Act. communications or import / export controls of encryption software and hardware. ■ Civil Code, Code of Obligations. ■ Banking Act. Such conflict of laws cannot be perceived currently. ■ Ordinance on Banks.

■ Financial Market Infrastructure Act. 2.5 Are organisations required under Applicable Laws, or ■ Financial Market Supervision Act. otherwise expected by a regulatory or other authority, ■ Federal Law on Unfair Competition. to report information related to Incidents or potential Incidents to a regulatory or other authority in your ■ Federal Act on the Implementation of International Sanctions. jurisdiction? If so, please provide details of: (a) the ■ Federal Act on the Control of Dual-Use Goods, Specific circumstance in which this reporting obligation is Military Goods and Strategic Goods. triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) ■ Ordinance on the Export, Import and Transit of Dual Use the nature and scope of information that is required Goods, Specific Military Goods and Strategic Goods. to be reported (e.g. malware signatures, network ■ Ordinance on the Export and Brokering of Goods for vulnerabilities and other technical characteristics Monitoring Internet and Mobile Communication. identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by ■ Federal Act on the Intelligence Service (expected as of which the organisation might prevent publication of September 2017). that information. ■ Federal Information Security Act (expected as of 2018). So far, there is no general reporting obligation for cyberattacks in

166 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Niederer Kraft & Frey Ltd. Switzerland

Switzerland. However, a duty to notify the Federal Data Protection and Information Commissioner in cases of unauthorised data 2.10 What are the penalties for not complying with the processing or loss of data has been included in the preliminary draft requirements identified under questions 2.3 to 2.8? of the revised FDPA. Specific reporting obligations are currently only imposed on certain industries such as the financial and the Due to the absence of a general obligation to implement safeguards telecommunication sector; see question 3.2 below. against cyberattacks or to report Incidents to an authority, there are no penalties for not complying. For penalties triggered by not complying with sector-specific 2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information obligations to report Incidents to the supervisory authorities, see related to Incidents or potential Incidents with: (a) question 3.2 below. a regulatory or other authority in your jurisdiction; (b) a regulatory or other authority outside your Switzerland jurisdiction; or (c) other private sector organisations 2.11 Please cite any specific examples of enforcement or trade associations in or outside your jurisdiction? action taken in cases of non-compliance with the above-mentioned requirements.

Organisations have the possibility (not the obligation) to inform So far, to our knowledge, the competent supervisory authorities have MELANI, the Swiss Reporting and Analysis Centre for Information enforced sector-specific reporting provisions only in cases that had no Assurance. Such a notification can be filed anonymously with a connection with cybersecurity. However, in 2016, FINMA ordered simple message on MELANI’s website. Furthermore, it is also banks of supervisory category 1 (extremely large, important and complex possible to inform the Swiss Coordination Unit for Cybercrime market participants; very high risk) and category 2 (very important, Control (CYCO). complex market participants; high risk) to conduct an additional examination and invited those of category 3 (large and complex market 2.7 Are organisations required under Applicable Laws, or participants; significant risk) to conduct a self-assessment pertaining to otherwise expected by a regulatory or other authority, the status of the implementation of safeguards against cyberattacks. to report information related to Incidents or potential Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which 3 Specific Sectors this reporting obligation is triggered; and (b) the nature and scope of information that is required to be reported. 3.1 Does market practice with respect to information security (e.g. measures to prevent, detect, mitigate There is no such explicit obligation to inform affected individuals and respond to Incidents) vary across different under Swiss law. However, in the legal literature it is partially business sectors in your jurisdiction? Please include held that organisations are obligated to report such Incidents to the details of any common deviations from the strict legal affected individuals in accordance with Article 4 paragraph 2 FADP, requirements under Applicable Laws. incorporating the principle of good faith. The necessity and extent of such information depend on the circumstances, e.g. the gravity of Yes, market practice varies across business sectors as the legal the breach and the necessity to prevent any damages and potential requirements are different (see question 3.2 below). abuse of the disclosed data. The preliminary draft of the revised FADP provides for obligations to notify affected data subjects in 3.2 Are there any specific legal requirements in relation cases of unauthorised data processing or loss of data. to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the telecommunications sector? 2.8 Do the responses to questions 2.5 to 2.7 change if the information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email (a) Yes, Article 14 of the Financial Market Infrastructure Act address from which a phishing email originates); (d) (FMIA) requires financial market infrastructures (i.a. stock personally identifiable information of cyber threat exchanges, trading facilities, payment systems) to operate actors; and (e) personally identifiable information of robust IT systems which are appropriate for its activities, individuals who have been inadvertently involved in provide for effective emergency arrangements, ensure the an Incident? continuity of the business activity, and provide for measures to protect the integrity and confidentiality of information regarding its participants and their transactions. Article 3f of The responses do not change. the Banking Act and Article 12 paragraph 4 of the Ordinance on Banks require banks to implement an appropriate risk 2.9 Please provide details of the regulator(s) responsible management, including an internal control system, in order for enforcing the requirements identified under to detect, limit and monitor, i.a., relevant operational risks. questions 2.3 to 2.7. These requirements are specified in the recently updated FINMA-Circular 2008/21 “Operational Risks – Banks” where the minimum details of a cyber risk management The supervisory authorities monitoring and enforcing the above- concept to be implemented based on international mentioned requirements pertaining to general data protection and standards are outlined (protection of processes/IT systems/ sector-specific cybersecurity are the following: sensitive data, detection and recording of cyberattacks, ■ Federal Data Protection and Information Commissioner. remedial measures, recovery of normal operations, regular ■ Cantonal Data Protection Commissioners. vulnerability analysis and penetration testing). FINMA- Circulars are not legally binding, but they elaborate the ■ Federal Office of Communications (OFCOM). regulator’s intended enforcement practice and are regularly ■ Financial Market Supervisory Authority (FINMA). accepted and complied with by the industry.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 167 © Published and reproduced with kind permission by Global Legal Group Ltd, London Niederer Kraft & Frey Ltd. Switzerland

According to Article 29 paragraph 2 of the Financial Market Supervision Act (FINMASA), FINMA has to be informed 4.2 Are companies (whether listed or private) required about any Incident that is of substantial importance to the under Applicable Laws to: (a) designate a CISO; supervision, which can include Incidents that could have a (b) establish a written Incident response plan or negative impact on the reputation or operation of the financial policy; (c) conduct periodic cyber risk assessments, institution or the financial centre of Switzerland. Pursuant including for third party vendors; and (d) perform to Articles 45 and 46 FINMASA, the wilful provision of penetration tests or vulnerability assessments? false information to FINMA or failing to make a mandatory report to FINMA can be punished with a custodial sentence (a) There is no such general obligation to designate a CISO of up to three years or a monetary penalty, and in cases of under Swiss law. negligence with a fine of up to CHF 250,000. In case of (b) Apart from special sector-related requirements (see question a serious infringement of the supervisory provisions, the 3.2 above), there is no such general obligation to establish a Switzerland licence of a supervised person or entity, can according to written Incident response plan or policy. Article 37 FINMASA, be revoked, its recognition withdrawn (c) Apart from special sector-related requirements (see question or its registration cancelled. 3.2 above), there is no such general obligation to conduct (b) On the basis of Article 96 paragraph 2 of the Ordinance periodic cyber risk assessments, including for third-party on Telecommunications Services (OTS), OFCOM has vendors. published a currently non-binding “Guideline on Security (d) Apart from special sector-related requirements (see question and Availability of Telecommunications Infrastructures 3.2 above), there is no such general obligation to perform and Services” recommending telecommunications service penetration tests or vulnerability assessments. providers to implement, monitor and update (i) an information security management system as described in the international standards relating to information security, such as ISO/IEC 4.3 Are companies (whether listed or private) subject 27001:2005 and ITU-T X.1051, (ii) a business continuity to any specific disclosure requirements in relation plan, and (iii) a disaster recovery plan, and to comply with to cybersecurity risks or Incidents (e.g. to listing international security recommendations in the ICT sector, authorities, the market or otherwise in their annual such as the “ETSI White Paper No. 1 – Security for ICT” reports)? and the “ITU-T ICT Security Standards Roadmap”. OFCOM has the competence to declare the mentioned guideline to be There are no generally applicable disclosure requirements in relation binding. to cybersecurity risks or Incidents for companies in Switzerland (for Article 96 OTS prescribes the obligation of telecommunications sector-specific requirements see question 3.2 above). However, if service providers to immediately inform OFCOM of disruptions an Incident can result in damage claims or penalties, these risks have in the operation of their networks which (potentially) affect at to be assessed and appropriate provisions have to be established and least 30,000 customers (landline, OTT, broadcasting) or 25 transmitter sites (mobile communications). OFCOM requires included in the balance sheet in the annual reports. the operators to include in the report, i.a., a description of the Furthermore, in the event that a large number of data subjects are disruption, the categories of causes (cable rupture, energy/ affected, there may be an exceptional duty to report the Incident hardware/software/human failure, cyberattack, malicious publicly according to the data procession principle of good faith (see interference) and the measures taken to end the disruption. question 2.7 above). This can particularly be the case if the data Pursuant to Article 53 of the Telecommunications Act, anyone subjects concerned cannot be informed individually. who infringes any provision of the telecommunications legislation, such as the reporting obligation under Article 96 OTS, is liable to a fine not exceeding CHF 5,000. 4.4 Are companies (whether public or listed) subject to Finally, there are further sector-specific requirements, particularly in any other specific requirements under Applicable Laws in relation to cybersecurity? connection with aviation, the railway industry and nuclear energy.

There are no other specific requirements. 4 Corporate Governance 5 Litigation 4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to 5.1 Please provide details of any civil actions that may be a breach of directors’ duties in your jurisdiction? brought in relation to any Incident and the elements of that action that would need to be met. If the failure results from not having an adequate compliance management system (including risk management, internal reporting According to Article 15 paragraph 1 FADP in conjunction with Article and control, and sufficient supervision) in a company limited by 28 et seqq. of the Swiss Civil Code, the affected person of a cybercrime- shares or a limited liability company, this can constitute a breach of induced data breach has the possibility to bring actions relating to the the directors’ obligation to perform their duties with all due diligence protection of privacy, provided that there is a violation of personality and to safeguard the interests of the company in good faith (Articles rights, e.g. due to data theft or illegal data processing. This can include 717, 812 Code of Obligations) and to supervise the persons entrusted actions for damages, prohibitive injunctions, information/disclosure with managing the company, in particular with regard to compliance and notification of third parties or the publication of judgments. with the law (Article 716a Code of Obligations). These duties are Furthermore, members of the board of directors, managing directors only explicitly imposed on members of the board of directors, and executive officers of companies limited by shares and managing managing directors and executive officers of companies limited by directors of limited liability companies are liable both to the company shares and managing directors of limited liability companies. and to the individual shareholders and creditors, for any losses or damage arising from any intentional or negligent breach of their duties (Articles 754, 827 Code of Obligations); see question 4.1 above.

168 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Niederer Kraft & Frey Ltd. Switzerland

5.2 Please cite any specific examples of cases that 7.2 Are there any Applicable Laws (e.g. whistle-blowing have been brought in your jurisdiction in relation to laws) that may prohibit or limit the reporting of cyber Incidents. risks, security flaws, Incidents or potential Incidents by an employee? To date, we are not aware of any civil actions that have been filed by affected persons or companies in relation to cybersecurity Incidents Laws with possibly inhibiting effects on reporting cyber risks and in Switzerland. The few judgments pertaining to liability for data similar Incidents could be triggered by the secrecy provisions breaches derive from administrative investigations conducted by the mentioned under the last heading of question 1.1 above. supervisory authorities. Furthermore, in Switzerland, there is no explicit protection for whistleblowers, so far, who report Incidents with regard to their

employers to public authorities or the media. However, a draft bill Switzerland 5.3 Is there any potential liability in tort or equivalent of the Code of Obligations, that is still under the scrutiny of the legal theory in relation to an Incident? legislative institutions, introduces such whistleblower protection from termination and other detriments (Article 336 paragraph 2 If the claimant is able to prove damages and the violation of a legally lit. d, Article 328 paragraph 3 Code of Obligations). protected right or norm, the purpose of which is to protect from such damages, he is entitled to compensation for moral sufferings and the payment of damages by virtue of Articles 49 and 41 of the Code of 8 Investigatory and Police Powers Obligations. Furthermore, according to Article 423 of the Code of Obligations, data subjects can request the handing over of profits arising from violations of their privacy rights. 8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. antiterrorism laws) that 6 Insurance may be relied upon to investigate an Incident.

KOBIK, the Swiss Coordination Unit for Cybercrime, does not 6.1 Are organisations permitted to take out insurance only function as a notification office for cybercrimes, but also looks against Incidents in your jurisdiction? actively for criminally relevant content on the internet. However, after its verification, KOBIK passes the information to the competent Since 2000, organisations have the possibility to take out insurance criminal law enforcement authorities, which are the local, cantonal against cyberattacks. The offered coverage includes, for example, and federal police departments and public prosecutors’ offices. the loss or theft of data, damages due to hacking and malware, and the unauthorised disclosure of data. 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT 6.2 Are there any regulatory limitations to insurance systems for law enforcement authorities or to provide coverage against specific types of loss, such as law enforcement authorities with encryption keys? business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal There are no such requirements under Swiss law. limits placed on what the insurance policy can cover?

There are no regulatory limitations to insurance coverage concerning such Incidents.

7 Employees

7.1 Are there any specific requirements under Applicable Law regarding: (a) the monitoring of employees for the purposes of preventing, detection, mitigating and responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents by employees to their employer?

(a) There are no such specific requirements. (b) A general reporting obligation of cyber risks and other potential Incidents for employees vis-à-vis the employer can, according to Article 321a of the Code of Obligations, be derived from the duty of care and loyalty.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 169 © Published and reproduced with kind permission by Global Legal Group Ltd, London Niederer Kraft & Frey Ltd. Switzerland

Dr. András Gurovits Clara-Ann Gordon Niederer Kraft & Frey Ltd. Niederer Kraft & Frey Ltd. Bahnhofstrasse 13 Bahnhofstrasse 13 CH-8001 Zurich CH-8001 Zurich Switzerland Switzerland

Tel: +41 58 800 80 00 Tel: +41 58 800 80 00 Email: [email protected] Email: [email protected] URL: www.nkf.ch URL: www.nkf.ch

András Gurovits specialises in technology (IT, telecoms, Clara-Ann Gordon is specialised in the areas of TMT/outsourcing, Switzerland manufacturing, regulatory) transactions (including acquisitions, data privacy, internal investigations/e-discovery and compliance. outsourcing, development, procurement, distribution), data protection, She regularly advises clients in the above areas on contractual, corporate, dispute resolution (incl. administrative proceedings) and governance/compliance and other legal matters, represents clients sports. in transactions and before the competent regulatory and investigating authorities as well as before state courts, arbitral tribunals and in He regularly advises clients on contractual, compliance, governance, mediation proceedings, and renders opinions on critical regulatory and disputes and other legal matters in the above areas. contract law topics in the said industry-specific areas. He, thus, not only advises in these areas, but also represents clients She has advised on and negotiated a broad range of national and before the competent regulatory and investigating authorities, state international IT, software and outsourcing transactions (also in courts and arbitral tribunals. regulated markets), has represented clients in technology-related Dr. Gurovits is distinguished as a leading lawyer by various directories court proceedings and international arbitration, and is experienced such as Chambers and The Legal 500. Dr. Gurovits has been a in data protection and secrecy laws, white-collar investigations and lecturer at the University of Zurich for more than a decade. Presently, e-discovery, telecom regulations (including lawful interception), he is a listed arbitrator with the Court of Arbitration for Sport CAS/TAS e-commerce, and IT law. in Lausanne and member of the Legal Committee of the International Ms. Gordon regularly publishes in the field of technology (ICT) and Ice Hockey Federation. frequently speaks at national and international conferences on emerging legal issues in technology law.

Established in 1936, Niederer Kraft & Frey is a preeminent Swiss law firm with a proven track record of legal excellence and innovation. Throughout our history, we have continuously worked on the most important and demanding cases entrusted to Swiss law firms. This is the foundation of our distinct market knowledge, expertise and experience as well as our capacity for innovative thought. We work and think internationally. As a market leader in Switzerland, we have built long-standing relationships with the world’s best international law firms. The majority of our lawyers have undertaken further training at American, British or other foreign universities and many of us have gained professional experience in partner law firms abroad. Thanks to our heritage and market position we offer innovative and sustainable services, and avoid being influenced by short-term trends. We attach great importance to combining a highly professional approach and persistence in pursuing our clients’ goals with being easy to work with, even in the most demanding situations.

170 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 26

Taiwan Sean Yu-Shao Liu

Lee, Tsai & Partners Attorneys-at-Law Sophia Tsai

Further, if the electromagnetic records above involve another 1 Criminal Activity person’s property, meaning that the phisher unlawfully acquires such property through the false creation, deletion and alteration of 1.1 Would any of the following activities constitute a records, it would also constitute computer fraud and the offender criminal offence in your jurisdiction? If so, please shall be sentenced to imprisonment for not more than seven years; in provide details of the offence, the maximum penalties addition thereto, a fine of not more than NT$700,000 (US$23,333) available, and any examples of prosecutions in your may be imposed (see Article 339-3 of the Criminal Code). jurisdiction: Lastly, if the fraud is conducted through electronic communication or other broadcasting media and directed at the public, the offender Offences against computer security are generally regulated by the may be sentenced to imprisonment for at least one year and not Criminal Code of the Republic of China (the “Criminal Code”). more than seven years; in addition thereto, a fine of not more than Hacking (i.e. unauthorised access) NT$1,000,000 (US$33,333) may be imposed (see Article 339-4 of the Criminal Code). According to Article 358 of the Criminal Code, a person who commits an unauthorised access to another’s computer or related Infection of IT systems with malware (including ransomware, equipment by entering their account details and password, hacking spyware, worms, trojans and viruses) computer security measures, or exploiting vulnerabilities in This would fall under denial-of-service attacks that are punishable computer systems, shall be sentenced to imprisonment for not more under Article 360 of the Criminal Code, as stated above. than three years; in lieu thereof, or in addition thereto, a fine of not Possession or use of hardware, software or other tools used to more than NT$300,000 (US$10,000) may be imposed. commit cybercrime (e.g. hacking tools) Denial-of-service attacks Simply possessing such hardware, software or tools for research A person who, without any justification, interferes with another without causing harm to another does not constitute a crime. person’s computer and other equipment through a computer However, the use of such hardware, software or tools to interfere with program or other electromagnetic method, which then causes injury the computer of another and cause injury to the public or another may to the public or another, shall be sentenced to imprisonment for not violate Article 360 of the Criminal Code, as stated above. more than three years; in lieu thereof, or in addition thereto, a fine Identity theft or identity fraud (e.g. in connection with access of not more than NT$300,000 (US$10,000) may be imposed (see devices) Article 360 of the Criminal Code). Identity theft Phishing Depending on the facts, identify theft may fall under a violation of A typical phishing attempt may take the following form: Articles 358 and 359 of the Criminal Code, as stated above, which (1) a person who digitally masquerades as a reliable and famous prohibit the use of another’s account and password and obtaining/ entity or person in order to obtain another person’s account deleting/altering another’s electromagnetic records without justification. and password; and Identity fraud (2) such person using the account and password to obtain, delete Depending on the facts, identify fraud may violate the aforementioned or alter the electromagnetic records of the victim and cause Articles 210, 216 and 220 of the Criminal Code for forgery of injury to the public or others. electromagnetic records, or the aforementioned Article 339-3 of the The conduct above would first constitute forgery and use of Criminal Code for the unlawful acquisition of another’s property false electromagnetic records, under which the offender shall be and interest by manipulating the electromagnetic records of such sentenced to imprisonment for not more than five years (see Articles property and interest. Further, if the fraud is directed to the public 210, 216 and 220 of the Criminal Code). through electronic communication or other broadcasting media, it Secondly, the conduct above may constitute a violation of Article may also involve a violation of Article 339-4 of the Criminal Code. 359 of the Criminal Code, under which a person who, without any Electronic theft (e.g. breach of confidence by a current or former justification, obtains, deletes or alters the electromagnetic records employee, or criminal copyright infringement) of another and thus causes injury to the public or others shall be Depending on the facts, electronic theft may violate the sentenced to imprisonment of no more than five years; in lieu aforementioned Article 359 of the Criminal Code, which prohibits thereof, or in addition thereto, a fine of not more than NT$600,000 the obtaining, deleting or altering of electromagnetic records (US$20,000) may be imposed. without justification.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 171 © Published and reproduced with kind permission by Global Legal Group Ltd, London Lee, Tsai & Partners Attorneys-at-Law Taiwan

Criminal copyright infringement is provided under Article 91 of the Copyright Act, which carries a sentence of imprisonment for not 2 Applicable Laws more than three years, detention, or, in lieu thereof, or in addition thereto, a fine not more than NT$750,000 (US$25,000). 2.1 Please cite any Applicable Laws in your jurisdiction Any other activity that adversely affects or threatens the applicable to cybersecurity, including laws applicable security, confidentiality, integrity or availability of any IT to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, system, infrastructure, communications network, device or data for example, laws of data protection, intellectual Producing malicious code or a program that is directed at committing property, breach of confidence, privacy of electronic any of the above activities, the offences which fall under the scope of communications, information security, and import /

Taiwan Articles 358 and 359 of the Criminal Code, or the provision of such export controls, among others. code or program to another for the same, is punishable under Article 362 of the Criminal Code and may be punished by imprisonment Currently, there is no law or regulation in Taiwan directly on point for not more than five years; in lieu thereof, or in addition thereto, for monitoring, detecting, preventing, mitigating and managing a fine of not more than NT$600,000 (US$20,000) may be imposed. cybersecurity Incidents that is applicable to all industries. Failure by an organisation to implement cybersecurity measures Nevertheless, there are provisions that are relevant to achieving Unless relevant facts correspond to the elements of the the above goals. For example, the Personal Information Protection aforementioned offences, failure by an organisation to implement Act (“PIPA”) in Taiwan strictly requires how personal data may be cybersecurity measures is not a crime. collected, kept and used. The authority may request a company collecting personal data to stipulate a plan to secure personal data. Further, gaining unauthorised access to a system for stealing 1.2 Do any of the above-mentioned offences have personal data may also be found to be a PIPA violation and be extraterritorial application? sentenced to imprisonment for as high as five years. That said, in April 2017, the Executive Yuan submitted a draft bill Except for Articles 339-4 of the Criminal Code, the other called “Information and Communication Security Management aforementioned articles do not have extraterritorial application. Act” (“ICSM”) for the Legislative Yuan to deliberate. The bill is Jurisdiction-wise, however, as long as either the conduct or the result aimed to require both the public and private sectors to set up and of an offence takes place in Taiwan, it is deemed to be an offence maintain a security system for their data. The bill might pass the that occurred in Taiwan and may be punishable under Taiwan law legislative process in the coming months. (see Article 4 of the Criminal Code).

2.2 Are there any cybersecurity requirements under 1.3 Are there any actions (e.g. notification) that might Applicable Laws applicable to critical infrastructure mitigate any penalty or otherwise constitute an in your jurisdiction? For EU countries only, how exception to any of the above-mentioned offences? (and according to what timetable) is your jurisdiction expected to implement the Network and Information If the attackers voluntarily turn themselves in for an offence not yet Systems Directive? Please include details of any discovered, the punishment may be mitigated (see Article 62 of the instances where the implementing legislation in your Criminal Code). jurisdiction is anticipated to exceed the requirements of the Directive.

1.4 Are there any other criminal offences (not specific As stated above, currently there is no law or regulation on to cybersecurity) in your jurisdiction that may arise cybersecurity that is generally applicable, but the competent in relation to cybersecurity or the occurrence of an authorities of certain key industries have promulgated certain Incident (e.g. terrorism offences)? Please cite any specific examples of prosecutions of these offences cybersecurity requirements that must be followed by all entities in a cybersecurity context. under their jurisdiction. For example, financial institutions and securities firms must follow A person who, with the intention to endanger national security or the security requirements imposed by the Financial Supervisory social stability, collects or delivers any classified document, picture, Commission (“FSC”), and telecommunication companies must information or article to a foreign country or Mainland China may be comply with the security requirements imposed by the National sentenced to imprisonment for a term of not more than five years; in Communications Commission (“NCC”). addition thereto, a fine of not more than NT$1,000,000 (US$33,333) may be imposed (see Articles 2-1 and 5-1 of the National Security 2.3 Are organisations required under Applicable Laws, Act). Further, a person who reveals or delivers information that has or otherwise expected by a regulatory or other been classified under the Classified National Security Information authority, to take measures to monitor, detect, prevent Protection Act (“CNSIPA”) may be imprisoned for one to seven or mitigate Incidents? If so, please describe what years (see Article 32 of CNSIPA). measures are required to be taken. While the law has contemplated that the above acts may be carried out through a cybersecurity attack on government facilities, there To expand on the above, financial institutions are required to follow has not been any significant prosecutions in this regard. certain security standards stipulated by the Bank Association and approved by the FSC for their information systems, and they are obliged to inform the FSC and the Central Bank of any cybersecurity Incident that may affect their business operations or infringe on the interests of their customers.

172 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Lee, Tsai & Partners Attorneys-at-Law Taiwan

Further, in February 2017, the FSC required all financial institutions to set up a unit exclusively in charge of information security within 2.7 Are organisations required under Applicable Laws, or six months. otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Additionally, telecommunications companies are also required by Incidents to any affected individuals? If so, please the NCC to stipulate and implement an information security plan, provide details of: (a) the circumstance in which which shall cover information security management standards, the this reporting obligation is triggered; and (b) the assessment of cybersecurity levels, the mechanisms for managing nature and scope of information that is required to be information security, and the response and notification mechanisms, reported. etc. If an Incident involves unauthorised access, disclosure or alteration of personal data, the organisation shall notify the affected Taiwan 2.4 In relation to any requirements identified in question individuals of the infringement and the measures in response taken 2.3 above, might any conflict of laws issues in accordance with PIPA. For financial and securities companies, arise? For example, conflicts with laws relating to the unauthorised interception of electronic the notification shall include contact information for consultation communications or import / export controls of services. encryption software and hardware. 2.8 Do the responses to questions 2.5 to 2.7 change if the We have not found any conflict of law issues in relation to the information includes: (a) price sensitive information; requirements mentioned above. (b) IP addresses; (c) email addresses (e.g. an email address from which a phishing email originates); (d) personally identifiable information of cyber threat 2.5 Are organisations required under Applicable Laws, or actors; and (e) personally identifiable information of otherwise expected by a regulatory or other authority, individuals who have been inadvertently involved in to report information related to Incidents or potential an Incident? Incidents to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the circumstance in which this reporting obligation is No. The answers to questions 2.5 to 2.7 remain the same. triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) 2.9 Please provide details of the regulator(s) responsible the nature and scope of information that is required for enforcing the requirements identified under to be reported (e.g. malware signatures, network questions 2.3 to 2.7. vulnerabilities and other technical characteristics identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by The regulator in charge of financial institutions and securities firms which the organisation might prevent publication of is the FSC; the telecommunications industry is supervised by the that information. NCC. Please also refer to our answer to question 2.2.

As mentioned above, private financial institutions have to report 2.10 What are the penalties for not complying with the to the FSC, the Central Bank and the Central Deposit Insurance requirements identified under questions 2.3 to 2.8? Corporation of any cybersecurity Incident that may affect their business operations or infringe on the interests of their customers. Financial institutions For state-run financial institutions, they have to report to the Ministry of Finance, FSC, etc. A violation of the rules relating to information security is regarded as a form of a breach of internal regulatory and audit mechanisms, The contents of the report include the time of the Incident, the which carries a fine of more than NT$2 million (US$66,666) but relevant data involved, the level of impact, the events of the Incident, less than NT$10 million (US$333,333) under the Bank Act and the the type of Incident, and emergency measures taken. There are no Financial Holding Companies Act. exceptions to this reporting obligation. Securities firms For telecommunications companies, the process is similar to that for financial institutions, save for the fact that the competent authority A violation of the rules relating to information security is regarded is the NCC instead of the FSC. as a form of a breach of internal regulatory and control mechanisms, which carries a fine of more than NT$240,000 (US$8,000) but less than NT$2.4 million (US$80,000). 2.6 If not a requirement, are organisations permitted by Applicable Laws to voluntarily share information Telecommunications companies related to Incidents or potential Incidents with: (a) a For a Type I telecommunications company (i.e., those involved regulatory or other authority in your jurisdiction; (b) a in laying down telecommunications backbone lines and hardware regulatory or other authority outside our jurisdiction; in providing telecommunications services), a violation of the or (c) other private sector organisations or trade administrative regulations carries a fine of more than NT$300,000 associations in or outside your jurisdiction? (US$10,000) but less than NT$3million (US$100,000). For a Type II telecommunications company (i.e., any telecommunications There is no law or regulation prohibiting organisations to voluntarily company that engages in telecommunications work other than share information related to Incidents or potential Incidents with those done by Type I companies), a violation of the administrative any entities. Nevertheless, the disclosure must comply with other regulations carries a fine of more than NT$200,000 (US$6,666) but applicable laws, such as PIPA. less than NT$2million (US$66,666).

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 173 © Published and reproduced with kind permission by Global Legal Group Ltd, London Lee, Tsai & Partners Attorneys-at-Law Taiwan

person of a company (e.g., director or manager) shall be loyal to the 2.11 Please cite any specific examples of enforcement company and shall exercise the due care of a good administrator in action taken in cases of non-compliance with the conducting the business operations of the company. above-mentioned requirements. If the director or manager is also responsible for a company’s information security matters, and he or she intentionally or In 2016, First Bank in Taiwan reported that 41 of its ATMs were negligently failed to follow the relevant cybersecurity requirements hacked and NT$83.27 million (US$2.77 million) in cash was stolen. so as to prevent, mitigate, manage or respond to an Incident, it Afterwards, First Bank was found to have several information security is very likely such responsible director or manager may be held vulnerabilities, such as the failure to isolate the ATM administration personally liable under Article 23 of the Company Act for failing server, or implement appropriate security measures for its voice-mail to exercise due care. Taiwan system at its London branch, which was the point of intrusion. This was found to be in violation of the “Guidelines for Financial Institutions on Information Security Management in Electronic Banking” regarding 4.2 Are companies (whether listed or private) required the use of isolated networks and antivirus software. under Applicable Laws to: (a) designate a CISO; (b) establish a written Incident response plan or First Bank was found to have also failed to allow security experts policy; (c) conduct periodic cyber risk assessments, audit its records for unauthorised access, which is a violation including for third party vendors; and (d) perform of the “Guidelines for Financial Institutions on the Assessment penetration tests or vulnerability assessments? of Information Security for Computer Systems” regarding the obligation to review network and server access records for (a) There is no mandatory requirement for companies to designate irregularities and verify warning systems. a CISO. Nevertheless, the FSC does require domestic banks For the above omissions, the FSC imposed a fine of NT$10 million to set up a dedicated cybersecurity unit, designate a high- (US$333,333) on First Bank for violation of Article 45-1 of the level manager, and allocate sufficient resources to deal with relevant cybersecurity matters. Bank Act. (b) Some key industries are required to draft a written Incident response plan or policy. For example, financial institutions 3 Specific Sectors are required to have contingency plans in place of an Incident. In addition, telecommunications companies shall establish joint defence and response measures. 3.1 Does market practice with respect to information (c) Periodic cyber risk assessments. security (e.g. measures to prevent, detect, mitigate i. Financial institutions are required to conduct periodic and respond to Incidents) vary across different risk assessments depending on the classification of their business sectors in your jurisdiction? Please include details of any common deviations from the strict legal computer systems and their evaluation cycles. requirements under Applicable Laws. ii. Telecommunications companies must carry out periodical internal audits, which include network security. Companies in Taiwan have not yet dedicated significant resources (d) Penetration tests or vulnerability assessments. regarding information security; only the financial sector has established i. Financial institutions are required to conduct penetration a set of reasonably developed rules, with industry associations tests for its own websites and scan and repair vulnerabilities releasing various guidelines and safety practices, and the FSC, as the in its network equipment, servers and terminal equipment. competent authority, has been relatively keen on this matter, with the ii. Telecommunications companies shall conduct penetration aforementioned recent requirement for financial institutions to have tests, vulnerability scanning, and maintenance and repairs dedicated information security teams. However, the aforementioned on a regular basis. First Bank ATM hack in 2016 revealed significant gaps even for financial institutions to actually maintain mandated security concepts 4.3 Are companies (whether listed or private) subject in practice, so Taiwan companies as a whole still have significant room to any specific disclosure requirements in relation for improvement in terms of information and network security. to cybersecurity risks or Incidents (e.g. to listing authorities, the market or otherwise in their annual reports)? 3.2 Are there any specific legal requirements in relation to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the Financial institutions telecommunications sector? Financial holding companies or banking businesses shall assess and review the status of its internal control systems (which covers Please see our previous answers to the questions in section 2 for information and communications security), submit statements details of the legal requirements of the financial services sector and regarding such systems, and publish the information contained in the telecommunications sector. those statements on the company’s website as well as a website designated by the competent authority within three months of the end of each fiscal year. The internal control systems statement shall 4 Corporate Governance be included in the annual report and prospectuses. Telecommunications companies 4.1 In what circumstances, if any, might a failure by The NCC has requested telecommunications companies to submit a company (whether listed or private) to prevent, a self-assessment of their operational security levels to the NCC mitigate, manage or respond to an Incident amount to before the end of September each year. However, this is not a a breach of directors’ duties in your jurisdiction? mandatory requirement.

According to Article 23 of the Company Act, the responsible

174 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Lee, Tsai & Partners Attorneys-at-Law Taiwan

Altering electromagnetic records 4.4 Are companies (whether public or listed) subject to In the 103-Tai-Shang-Zi-3093 Criminal Decision, the defendant any other specific requirements under Applicable Laws in relation to cybersecurity? was accused of exploiting a vulnerability in the online game distributed by the plaintiff company to enable the use of external software for running multiple accounts and for selling in-game As stated above, depending on the industry, a company in Taiwan items for real money. The court found the defendant’s conduct as may be subject to regulations or practices which may be connected having damaged the plaintiff’s business interest and management to cybersecurity concerns (if at all). of its electromagnetic records in the form of such “in-game items”, which constitute the offence of altering electromagnetic records of another under Article 359 of the Criminal Code. 5 Litigation Taiwan In the civil case arising from the above, the court reasoned that Article 359 of the Criminal Code, in essence, sets out a right (i.e., 5.1 Please provide details of any civil actions that may be the integrity of electromagnetic records) to be protected, which brought in relation to any Incident and the elements of falls under Paragraph 2 of Article 184 of the Civil Code regarding that action that would need to be met. a “law to protect another”. Therefore, a victim may claim civil compensation from the perpetrator of an offence, under Article 359 In the event of any Incident, the victim will most likely bring a civil of the Criminal Code, by citing a breach of a provision protecting the action against the offender under relevant provisions of the Civil rights of another under Paragraph 2 of Article 184 of the Civil Code. Code of Taiwan. A person who, intentionally or negligently, infringed on the right of another shall be liable for any injury arising therefrom (see Article 5.3 Is there any potential liability in tort or equivalent legal theory in relation to an Incident? 184 of the Civil Code). In the event that the infringement violates ethics or laws protecting another (such as the aforementioned Articles 358, 359, 360 and 362 of the Criminal Code), this “right” As stated above, relevant articles of tort in the Civil Code of Taiwan of a person could be interpreted broadly and includes not only are the main basis to bring civil actions in reference to Incidents. statutory rights, but also a person’s economic interests or his/her , which are particularly relevant in the context of 6 Insurance many Incidents because often there may be no physical damage to the victim. For example, in a denial-of-service attack, the victim’s property is sound but the victim’s business operations might be 6.1 Are organisations permitted to take out insurance completely shut down. against Incidents in your jurisdiction? In the event of an infringement of a personality right in an Incident, the victim may request the court remove the infringement while The insurance industry in Taiwan has launched several information also claiming monetary damages; if the victim’s reputation has been security-related policies on the market, which may be generally split damaged, the offender shall take proper measures to rehabilitate the into three categories: Privacy Protection Liability; Cyber Security victim’s reputation (see Articles 18 and 195 of the Civil Code). Insurance; and Electronic and Computer Crime Policy. Additionally, for an Incident involving personal data, the victim may Privacy Protection Liability generally covers third-party liability also be able to claim against the entity collecting or storing such data resulting from unauthorised disclosure of information, including if the injury may be attributed to the entity’s failure to implement crisis management expenses, investigation expenses, litigation proper security measures or comply with any other provision of defence expenses, settlements and court fees. PIPA in handling personal data (Articles 29 and 30 of PIPA). Cyber Security Insurance is generally an upgrade to the aforementioned Privacy Protection Liability and further covers damages arising from unauthorised disclosure of information from 5.2 Please cite any specific examples of cases that outside attacks or internal negligence, as well as system restoration have been brought in your jurisdiction in relation to Incidents. expenses, business reputation management expenses, and damages from suspension of business. Hacking into a corporate email system Electronic and Computer Crime Policy mainly covers financial or other property loss as a result of any alteration or destruction In the 104-Su-Zi-314 Criminal Case, the defendant was accused of of electronic data due to a malicious intrusion of the insured’s IT exploiting his knowledge of vulnerabilities in the plaintiff company’s systems or a virus. email system, gained from his work to provide maintenance services for such system, to access and read the emails of high-level staff of Currently, out of the three categories, the Privacy Protection the plaintiff company. The defendant was convicted under Article Liability policies are relatively more popular, which may be due to 358 of the Criminal Code for breaching into another’s computer the detailed implementation of personal data protection under PIPA. system through exploiting vulnerabilities. With the increasing threat posed by ransomware and other computer crimes, policies under the other categories are expected to become In the civil damages case arising out of the same facts as the more popular as well. above matter (105-Chong-Su-Zi-752 Civil Decision), the plaintiff argued that the defendant’s breach into the plaintiff’s email system constituted an infringement, under the first half of Paragraph 1, 6.2 Are there any regulatory limitations to insurance Article 184 of the Civil Code, of the plaintiff’s “protection and coverage against specific types of loss, such as management of information security” for its email system, and the business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal plaintiff sought compensation for the costs in restoring its email limits placed on what the insurance policy can cover? system and expenses for hiring outside experts to investigate the breach. Currently, no such regulatory limitations to insurance coverage

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 175 © Published and reproduced with kind permission by Global Legal Group Ltd, London Lee, Tsai & Partners Attorneys-at-Law Taiwan

against information security-related events have been imposed. However, as information security-related insurance is considered a 8 Investigatory and Police Powers form of property insurance, all the regulations regarding property insurance should still be complied with, such as the “Autonomous 8.1 Please provide details of any investigatory powers of Regulations on Designing Property Insurance Products” regarding the law enforcement or other authorities under Applicable requirement to clearly specify the scope of the policy, and the scope Laws in your jurisdiction (e.g. antiterrorism laws) that must be mutually commensurate with the stipulated premium rates. may be relied upon to investigate an Incident.

Criminal investigations 7 Employees If an Incident involves a criminal offence, the prosecutor or the Taiwan police (after being approved by a prosecutor) may apply with the 7.1 Are there any specific requirements under Applicable court for a to search the property, electronic records, Law regarding: (a) the monitoring of employees for dwelling, or other premises of an accused person or a suspect. the purposes of preventing, detection, mitigating and Administrative investigation responding to Incidents; and (b) the reporting of cyber risks, security flaws, Incidents or potential Incidents As stated above, currently there is no cross-the-board cybersecurity by employees to their employer? law in Taiwan that is applicable to all industries. However, in certain highly regulated industries (such as finance and (a) The monitoring of employees for information security- telecommunications), the respective authorities have strong powers related purposes is allowed, as long as the general rules to initiate and conduct administrative investigations. for monitoring employees are complied with. Past judicial For example, in the aforementioned ATM heist case, the FSC, as a decisions have held that employers may monitor employees if bank authority, investigated whether First Commercial Bank was 1) the employee monitoring policy was disclosed beforehand, 2) the employee consents in writing to be monitored, 3) there negligent in maintaining its ATM system. Such investigative power is a reasonable basis to suspect that monitoring could result is derived from Article 45 of the Banking Act, which provides that in collection of work-related evidence or offence, and 4) for the FSC may appoint a designee or entrust an appropriate institution work-related monitoring, there is a reasonable causal link to examine the business, financial affairs and other relevant affairs of between the method used and the purpose to be achieved. a bank or related parties, or direct a bank or related parties to prepare Violation of any of the above may be deemed as a breach of and submit, within a prescribed period of time, balance sheets, the employee’s privacy. property inventories or other relevant documents for examination. (b) There is no specific obligation under Applicable Law on employees for reporting cyber risks, security flaws, Incidents or potential Incidents to the employer. However, 8.2 Are there any requirements under Applicable Laws the employer’s internal rules may impose such a reporting for organisations to implement backdoors in their IT obligation on the employee, which must be reasonable and systems for law enforcement authorities or to provide law enforcement authorities with encryption keys? necessary so as to be binding against the employee.

There is no requirement to implement law enforcement backdoors 7.2 Are there any Applicable Laws (e.g. whistle-blowing under Applicable Laws in Taiwan. laws) that may prohibit or limit the reporting of cyber risks, security flaws, Incidents or potential Incidents by an employee?

No such limitations in whistle-blowing laws exist. However, if the reporting of such matters resulted in the disclosure of company secrets or other confidential information, the employee could be held liable for compensation of any damages caused as a result.

176 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Lee, Tsai & Partners Attorneys-at-Law Taiwan

Sean Yu-Shao Liu Sophia Tsai Lee, Tsai & Partners Attorneys-at-Law Lee, Tsai & Partners Attorneys-at-Law 9th Fl., 218 Tun Hwa S. Rd. 9th Fl., 218 Tun Hwa S. Rd. Sec. 2, Taipei 106 Sec. 2, Taipei 106 Taiwan Taiwan

Tel: +886 2 2378 5780 Tel: +886 2 2378 5780 Email: [email protected] Email: [email protected] URL: www.leetsai.com URL: www.leetsai.com Taiwan Sean is an associate partner in Lee, Tsai and Partners Attorneys-at- Sophia is an associate in Lee, Tsai and Partners Attorneys-at-Law. Law. He is an experienced litigator and has acted for clients from the She received her B.A. and LL.M. from the National Taiwan University. government to major companies, domestic and abroad. Her practice focuses on general corporate legal affairs, general civil and criminal law, and e-commerce. Sean works on a wide variety of legal issues and specialises in construction, antitrust, unfair competition and commercial disputes. He frequently appears before the civil courts, administrative courts, Fair Trade Commission, China Arbitration Association and Complaint Review Board for Government Procurement. With an extensive understanding of technology and business, Sean advises many major companies in corporate legal matters, such as fundraising, M&A, joint venture, licensing, procurement, distribution and agency. Beside his legal practice, Sean is active in public discussion of legal policy, notably laws and regulations involving financial technology and start-up fundraising. He is now a member of the Taiwan Fintech Association.

Dr. Chung-Teh Lee and Jaclyn Tsai founded the first office of the Lee Tsai Group in Taipei in 1998 with the professional motto “Reason” and “Compassion” and expanded to Shanghai in 2001 and Beijing in 2010. The Lee Tsai Group’s seamless operation between offices allows its clients full access to the entire professional team, regardless of location. The firm’s IT/IP Practice is led by Ms. Jaclyn Tsai, who, during her appointment as Minister without Portfolio, was responsible for cybersecurity related issues for e-commerce-related laws, the Convener of the Mobile Broadband Service and Industry Development Taskforce, a member of the National Information and Communication Security Taskforce, and a member of the Cyber Security Management Law deliberation group. Main Areas of Practice:

■■ Intellectual Property Law. ■■ Media and Entertainment. ■■ Infrastructure Projects / Construction Law. ■■ Capital Market / Securities. ■■ Mergers and Acquisitions / Global Investment. ■■ Patent Registration / Prosecution. ■■ Dispute Resolution. ■■ Trade Mark Registration.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 177 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 27

Thailand Saroj Jongsaritwang

R&T Asia (Thailand) Limited Sui Lin Teoh

Possession or use of hardware, software or other tools used to 1 Criminal Activity commit cybercrime (e.g. hacking tools) No. However, the Thai Court has the power to forfeit any property 1.1 Would any of the following activities constitute a used or in possession for use in the commission of an offence by criminal offence in your jurisdiction? If so, please any person. provide details of the offence, the maximum penalties available, and any examples of prosecutions in your Identity theft or identity fraud (e.g. in connection with access jurisdiction: devices) No. There is no specific offence in relation to identity theft or The main laws and regulations relating to computer crimes in identity fraud. However, identity theft/fraud would be considered Thailand are the Computer Crime Act 2007 (“CCA”) and the Thai as the act of causing damage to the computer data of another person Penal Code. under Section 9 of the CCA mentioned above. In addition, whoever Hacking (i.e. unauthorised access) inputs into a publicly accessible computer system computer data that will appear as an image of another person and the image has Yes. Section 5 of the CCA provides that whoever illegally accesses been created, edited, appended or adapted by electronic means or a computer system that has specific security measures and such whatsoever means, and in doing so is likely to impair the reputation security measures are not intended for that person’s use would be of such other person or exposes such other person to hatred or liable to imprisonment not exceeding six months or to a fine not contempt, would be liable to imprisonment not exceeding three exceeding THB 10,000, or both. years and a fine not exceeding THB 200,000, or both (Section 16 Section 7 of the CCA provides that whoever illegally accesses of the CCA). computer data that has specific security measures which are not Electronic theft (e.g. breach of confidence by a current or former intended for that person’s use would be liable to imprisonment not employee, or criminal copyright infringement) exceeding two years or to a fine not exceeding THB 40,000, or both. This is not applicable in our jurisdiction. Denial-of-service attacks Any other activity that adversely affects or threatens the Yes. Section 10 of the CCA provides that whoever illegally acts security, confidentiality, integrity or availability of any IT in a manner that causes suspension, deceleration, obstruction or system, infrastructure, communications network, device or data interference to a computer system of another person so that it is not capable of functioning normally would be liable to imprisonment Yes. Section 6 of the CCA provides that if a person who has not exceeding five years or to a fine not exceeding THB 100,000, knowledge of the security measures to access a computer system or both. specifically created by another person illegally discloses such security measures in a manner that is likely to cause damage to Phishing another person, such person shall be liable to imprisonment not Yes. Section 14(1) of the CCA provides that whoever dishonestly exceeding one year or to a fine not exceeding THB 20,000, or both. or deceitfully inputs into a computer system computer data which Section 8 of the CCA provides that a person who illegally makes, by is distorted or forged, either in whole or in part, or computer data any electronic means, an interception of computer data of another which is false, in such a manner likely to cause injury to the public person that is being transmitted in a computer system and such (but not constituting a crime of defamation) under the Penal Code, computer data is not for the benefit of the public or is not available would be liable to imprisonment not exceeding five years or to a fine for other persons to utilise would be liable to imprisonment not not exceeding THB 100,000, or both. exceeding three years or to a fine not exceeding THB 60,000, or Infection of IT systems with malware (including ransomware, both. spyware, worms, trojans and viruses) Failure by an organisation to implement cybersecurity measures Yes. Section 9 of the CCA provides that whoever illegally acts in a Yes. Section 15 of the CCA provides that any service provider manner that damages, impairs, deletes, alters or makes additions to, who cooperates, consents to or acquiesces in the commission of an either in whole or in part, computer data of another person would offence under Section 14 of the CCA with regards to a computer be liable to imprisonment not exceeding five years or to a fine not system in his control would be liable to the same penalty as provided exceeding THB 100,000, or both. in Section 14 of the CCA.

178 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London R&T Asia (Thailand) Limited Thailand

Section 14 of the CCA provides that whoever commits the following which is forged or altered in accordance with Section 269/1 shall be acts shall be liable to imprisonment not exceeding five years or to a liable to imprisonment between one year to 10 years or to a fine of fine not exceeding THB 100,000, or both: THB 20,000 to THB 200,000, or both. For example, three men were (1) dishonestly or deceitfully inputting into a computer system accused of conspiring to hack and forge electronic card information computer data which is distorted or forged, either in whole in the systems of a telecommunications operator to raise the cards’ or in part, or computer data which is false, in such a manner top-up value to THB 105,000,000 and then selling them for THB likely to cause injury to the public but not constituting a 12,000,000. They were found guilty of selling forged electronic crime of defamation under the Criminal Code; cards and were imprisoned. (2) inputting into a computer system computer data which is false, in such a manner likely to cause damage to the maintenance

of national security, public safety, national economic security, 2 Applicable Laws Thailand or public infrastructure serving national public interest, or to cause panic amongst the public; (3) inputting into a computer system computer data which 2.1 Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable constitutes a crime concerning the security of Thailand or a to the monitoring, detection, prevention, mitigation crime concerning terrorism under the Penal Code; and management of Incidents. This may include, (4) inputting into a computer system computer data with vulgar for example, laws of data protection, intellectual characteristics when such computer data is capable of being property, breach of confidence, privacy of electronic accessed by the general public; and communications, information security, and import / (5) publishing or forwarding computer data with the knowledge export controls, among others. that it is the computer data under points (1) to (4). ■ The CCA. If the acts under (1) to (5) above are not committed against the public but are committed against a particular person, the criminal ■ The Electronic Transactions Act 2001. or the person who publishes or forwards the aforesaid computer ■ The Royal Decree prescribing Criteria and Procedures for data would be liable to imprisonment not exceeding three years or Electronic Transactions of the Government Sector 2006. to a fine not exceeding THB 60,000, or both (and the offences are ■ The Royal Decree on Supervision of Electronic Payment compoundable). Service Business 2008. ■ The Notifications issued by the Electronic Transactions Commission (“ETC”). 1.2 Do any of the above-mentioned offences have extraterritorial application? ■ The Royal Decree on Security Procedures for Electronic Transaction 2010. If an offence specified in the CCA is committed outside Thailand ■ The Special Case Investigation Act 2004. and (i) the offender is a Thai national and there is a request for ■ The Telecommunication Business Act 2011. punishment by the government of the country where the offence has ■ The National Council for Peace and Order Announcements. occurred or by the injured person, or (ii) the offender is a non-Thai national and the Thai Government or a Thai person is an injured 2.2 Are there any cybersecurity requirements under person and there is a request for punishment by the injured person, Applicable Laws applicable to critical infrastructure the offender would be subject to the provisions of the CCA. in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction expected to implement the Network and Information 1.3 Are there any actions (e.g. notification) that might Systems Directive? Please include details of any mitigate any penalty or otherwise constitute an instances where the implementing legislation in your exception to any of the above-mentioned offences? jurisdiction is anticipated to exceed the requirements of the Directive. Yes. There is an exception which applies only to service providers. In principle, any service provider who cooperates, consents to or Yes. The ETC’s List of Sectors/Organisations that are deemed as acquiesces in the commission of an offence under Section 14 of the Critical Infrastructure and Required to Comply with Strict Security CCA with regards to a computer system within his control would be Techniques 2016 impose a list of critical infrastructure organisations subject to the same penalty as that which is imposed upon a person which are required to have additional security standards (strict who commits the offence under Section 14 of the CCA. However, security techniques) in accordance with the Notification of the ETC in the case that the service provider is able to prove it has complied on Information Security Standards and in accordance with Security with the Ministerial Notification setting out procedures for the Techniques 2012, such as having a teleworking policy, automatic notification and suppression of the dissemination of such data and equipment identification, a clean-desk policy, a clear-screen policy the removal of such data from the computer system, it would be and setting up time limits on connections with networks regarded exempt from the penalty. as high risk.

1.4 Are there any other criminal offences (not specific 2.3 Are organisations required under Applicable Laws, to cybersecurity) in your jurisdiction that may arise or otherwise expected by a regulatory or other in relation to cybersecurity or the occurrence of an authority, to take measures to monitor, detect, prevent Incident (e.g. terrorism offences)? Please cite any or mitigate Incidents? If so, please describe what specific examples of prosecutions of these offences measures are required to be taken. in a cybersecurity context. Yes. Commercial banks, e-payment service providers and Yes. Section 269/4 of the Criminal Code provides that whoever telecommunications service providers are required by Applicable uses or acquires for use an electromagnetic record/electronic card Laws to take measures to monitor, detect, prevent and mitigate

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 179 © Published and reproduced with kind permission by Global Legal Group Ltd, London R&T Asia (Thailand) Limited Thailand

Incidents as per the requirements set out under Applicable Laws (e.g. a report to the police and that report is then handed to the inquiry Bank of Thailand’s Notifications and the Notifications of the National official to investigate the alleged conduct and file charges against a Broadcasting and Telecommunications Commission (“NBTC”). suspect (if considered appropriate). Please find more details in our answers to question 3.2 below. There are no legal provisions prohibiting or restricting organisations from notifying foreign authorities or private sector organisations. 2.4 In relation to any requirements identified in question 2.3 above, might any conflict of laws issues 2.7 Are organisations required under Applicable Laws, or arise? For example, conflicts with laws relating otherwise expected by a regulatory or other authority, to the unauthorised interception of electronic to report information related to Incidents or potential communications or import / export controls of Incidents to any affected individuals? If so, please

Thailand encryption software and hardware. provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the No, there are no conflict of laws issues. nature and scope of information that is required to be reported.

2.5 Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, The securities companies are required to notify an affected customer to report information related to Incidents or potential or other affected persons without delay upon the acknowledgment Incidents to a regulatory or other authority in your of a system disruption, unauthorised access to a system or an jurisdiction? If so, please provide details of: (a) the Incident that results in damage to the security company’s reputation, circumstance in which this reporting obligation is such as website defacement. There are no specific requirements on triggered; (b) the regulatory or other authority to the information to be included in the notice given to the affected which the information is required to be reported; (c) individuals. the nature and scope of information that is required to be reported (e.g. malware signatures, network For other sectors, there is no legal requirement to notify Incidents or vulnerabilities and other technical characteristics potential Incidents to any affected individuals. identifying an Incident or cyber attack methodology); and (d) whether any defences or exemptions exist by which the organisation might prevent publication of 2.8 Do the responses to questions 2.5 to 2.7 change if the that information. information includes: (a) price sensitive information; (b) IP addresses; (c) email addresses (e.g. an email address from which a phishing email originates); (d) Pursuant to the Royal Decree on Supervision of Electronic Payment personally identifiable information of cyber threat Service Business 2008, e-payment service providers are required actors; and (e) personally identifiable information of to notify Bank of Thailand (“BOT”) of an occurrence of any individuals who have been inadvertently involved in problem or failure to provide e-payment service as soon as possible. an Incident? E-payment service providers have the obligation to notify BOT of all the problems and failures in relation to their services regardless No. The responses do not change. of whether or not such problem/failure is caused by the occurrence of an Incident. Moreover, e-payment service providers are required to notify BOT within 24 hours if their services are temporarily 2.9 Please provide details of the regulator(s) responsible for enforcing the requirements identified under suspended due to any special circumstances (which may or may not questions 2.3 to 2.7. involve an Incident). With respect to securities companies under the Securities and (a) BOT is the regulator of financial institutions and other non- Exchange Act 1992 (“SEA”), securities companies are required financial institutions as specified by BOT. It is thebody to notify, either by verbal or electronic means, the Securities responsible for supervising, examining and analysing the and Exchange Commission (“SEC”) without delay upon the performance and risk management systems of e-payment acknowledgment of a system disruption, unauthorised access services. to a system or an Incident that results in damage to the security (b) The SEC is the regulator of companies listed on the Stock company’s reputation, such as website defacement. The notice is Exchange of Thailand and is responsible for supervising required to specify the date and time of the Incident, the type of the standard operating procedures of securities companies, Incident, the details of the Incident and the effects from the Incident. including IT supervision procedures. On the following business day after such acknowledgment, a written (c) A police officer has the authority to initiate an investigation report must be submitted to the SEC, which must further specify or proceedings relating to a criminal offence, including CCA details of how the Incident is being resolved and the progress made offences. in doing so. There are no exemptions applicable to e-payment service providers 2.10 What are the penalties for not complying with the or securities companies in terms of reporting requirements. requirements identified under questions 2.3 to 2.8?

(a) With respect to securities companies under the SEA, the 2.6 If not a requirement, are organisations permitted by penalty for not complying to the notice requirements under Applicable Laws to voluntarily share information questions 2.5 and 2.7 is a fine not exceeding THB 300,000 related to Incidents or potential Incidents with: (a) and a further fine not exceeding THB 10,000 for every a regulatory or other authority in your jurisdiction; day during which the violation continues. The director, (b) a regulatory or other authority outside your manager or any person responsible for the operation of such jurisdiction; or (c) other private sector organisations securities company shall be liable to imprisonment for a term or trade associations in or outside your jurisdiction? not exceeding six months or to a fine not exceeding THB 200,000, or both, unless it can be proven that such person has Yes. When an Incident occurs, the organisation is entitled to file

180 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London R&T Asia (Thailand) Limited Thailand

no involvement with the commission of the offence by such prescribe mandatory practices required to be observed by the securities company. e-payment service provider. (b) With respect to e-payment service providers under the (b) Telecommunications sector: the telecommunications supervision of BOT, the penalty for not complying to the sector is administrated by the National Broadcasting and notice requirement under question 2.5 is a fine not exceeding Telecommunications Commission (“NBTC”). The NBTC THB 1,000,000 or THB 2,000,000 depending on the types of has issued notifications setting out rules and procedures for e-payment service providers. the management of information technology, and procedures (c) With respect to telecommunications business licensees, for protecting personal information, rights of privacy and they are required to comply with the licensing conditions freedom in communication through telecommunications’ prescribed in their particular licence, which may include means. Moreover, the NBTC has the power to prescribe cybersecurity measures. In such case, if a licensee fails specific provisions concerning cybersecurity to each licensed Thailand to comply with the prescribed licensing conditions, the telecommunications operator. National Broadcasting and Telecommunications Commission shall have the power to order the licensee to: refrain from carrying out the violating act(s); carry out rectification and 4 Corporate Governance improvement; or perform actions correctly or appropriately within a specified period of time. If the licensee fails to comply with the order, the licensee shall be liable to a fine 4.1 In what circumstances, if any, might a failure by not less than THB 20,000 per day and in the case where the a company (whether listed or private) to prevent, licensee still ignores to perform actions correctly, or where mitigate, manage or respond to an Incident amount to a breach of directors’ duties in your jurisdiction? there is serious damage to the public interest, the Commission shall have the power to suspend or revoke the licence. There are none in our jurisdiction.

2.11 Please cite any specific examples of enforcement action taken in cases of non-compliance with the 4.2 Are companies (whether listed or private) required above-mentioned requirements. under Applicable Laws to: (a) designate a CISO; (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, So far, we have found no non-compliance cases taken by the relevant including for third party vendors; and (d) perform regulators which have been announced to the public. penetration tests or vulnerability assessments?

3 Specific Sectors Securities companies are required to conduct cyber risk assessments and vulnerability assessments at least once a year. If a securities company assigns a third party to manage its IT system, the securities 3.1 Does market practice with respect to information company is required to have an Incident response policy. There security (e.g. measures to prevent, detect, mitigate is no requirement for the appointment of a CISO for securities and respond to Incidents) vary across different companies. business sectors in your jurisdiction? Please include details of any common deviations from the strict legal These requirements do not apply to private companies. requirements under Applicable Laws. 4.3 Are companies (whether listed or private) subject Yes. State agencies have obligations pertaining to specific to any specific disclosure requirements in relation information security measures, such as the requirement for policies to cybersecurity risks or Incidents (e.g. to listing and practices on personal information protection in electronic authorities, the market or otherwise in their annual transactions, IT security practices and policies (which must include reports)? provisions relating to access control, user access management, user responsibilities, network control, operating system access control Securities companies are required to submit an annual report which and other provisions as specified by the Office of the Electronic includes its IT management and occurrence of Incidents to the Transactions Commission (“OETC”)). On the other hand, private SEC. E-payment service providers are also required to prepare sector organisations have fewer legal requirements. information and details as to the provision of services and make the same available for inspection by BOT. BOT has the power to instruct an e-payment service provider to provide any information 3.2 Are there any specific legal requirements in relation in relation to its services, including information on the occurrence to cybersecurity applicable to organisations in: (a) the financial services sector; and (b) the of Incidents. telecommunications sector? 4.4 Are companies (whether public or listed) subject to Yes. any other specific requirements under Applicable (a) Financial services sector: organisations which operate Laws in relation to cybersecurity? e-payment services are regulated under the relevant BOT notifications. Principally, e-payment service providers are The CCA imposes a legal requirement on service providers (e.g. required to have a contingency plan or a backup system for a website service provider) to keep and maintain certain computer the purposes of continuity of the service and a safety policy data (e.g. IP address, logs) depending upon the characteristics of the or measures for the information system, which must at least service provider. Examples are the requirement to keep relevant meet the standards prescribed in the BOT notifications. computer traffic data in order to be able to identify the user from Moreover, e-payment service providers are required to keep the beginning of the use of the service and the log showing the use customer data confidential throughout and after the use of its services, with certain exceptions. The OETC may also by such user, and store it for not less than 90 days after the end of the service period. The competent official is empowered on

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 181 © Published and reproduced with kind permission by Global Legal Group Ltd, London R&T Asia (Thailand) Limited Thailand

a case-by-case basis to order a service provider to maintain such computer traffic data for a period not exceeding two years. 7 Employees

7.1 Are there any specific requirements under Applicable 5 Litigation Law regarding: (a) the monitoring of employees for the purposes of preventing, detection, mitigating and responding to Incidents; and (b) the reporting of cyber 5.1 Please provide details of any civil actions that may be risks, security flaws, Incidents or potential Incidents brought in relation to any Incident and the elements of by employees to their employer? that action that would need to be met.

Thailand No, there are not any specific requirements under Applicable Law. Issues relating to Incidents are governed by the Civil and Commercial Code (“CCC”) under the section relating to a “wrongful act” (i.e. Section 420 of the CCC). A wrongful act is similar to a tort. Under 7.2 Are there any Applicable Laws (e.g. whistle-blowing this provision of law, if any Incident, whether wilfully or negligently, laws) that may prohibit or limit the reporting of cyber unlawfully damages or injures another person’s life, body, health, risks, security flaws, Incidents or potential Incidents by an employee? liberty, property or any right, the party in breach is said to have committed a wrongful act and is bound to make compensation for damages suffered. General guidance from the Thailand Supreme No, there are not any Applicable Laws that may prohibit or limit the Court’s decisions is that the injured party is entitled to claim actual reporting of the above. damage suffered, with the burden of proof being on the claimant. 8 Investigatory and Police Powers 5.2 Please cite any specific examples of cases that have been brought in your jurisdiction in relation to Incidents. 8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. antiterrorism laws) that In 2016, the accused was arrested in connection with the attacks that may be relied upon to investigate an Incident. caused some government websites to be blocked and non-public files to be leaked. The legal status of the accused is not yet available For the benefit of an investigation, if there is reasonable cause to to the public. believe that there is a perpetration of an offence under the CCA, or there is a request by the inquiry official, the competent official is 5.3 Is there any potential liability in tort or equivalent empowered to acquire evidence to prove an offence and to identify legal theory in relation to an Incident? the accused, for example, by: (i) issuing an inquiry letter to any person related to the commission of an offence to give statements, Yes. Please see the response to question 5.1 above. forward written explanations or any other documents, data or evidence in a comprehensible form; (ii) require computer traffic data related to communications from a service user via a computer system 6 Insurance or from other relevant persons; (iii) instruct a service provider to (a) deliver user-related data that is required to be retained under the CCA requirements or that is in the service provider’s possession or 6.1 Are organisations permitted to take out insurance against Incidents in your jurisdiction? control to the competent official, or (b) keep the data for later; or (iv) seize or attach a computer system for the purposes of obtaining Yes, organisations are permitted to take out insurance against details of the offence and the person who committed the offence. Incidents in our jurisdiction. 8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT 6.2 Are there any regulatory limitations to insurance systems for law enforcement authorities or to provide coverage against specific types of loss, such as law enforcement authorities with encryption keys? business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover? Yes. As mentioned in question 8.1 above, the competent official has the authority to access a computer system, computer data, computer No, there are no regulatory limitations. traffic data or a computer data storage device and to decrypt the computer data of any person, provided that the competent official has obtained a Court order to do so.

182 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London R&T Asia (Thailand) Limited Thailand

Saroj Jongsaritwang Sui Lin Teoh R&T Asia (Thailand) Limited R&T Asia (Thailand) Limited 973 President Tower 973 President Tower 12th Floor Units 12A – 12F 12th Floor Units 12A – 12F Ploenchit Road Lumpini Pathumwan Ploenchit Road Lumpini Pathumwan Bangkok 10330 Bangkok 10330 Thailand Thailand

Tel: +66 2 656 1991 Tel: +66 2 656 1991 Email: [email protected] Email: [email protected] URL: th.rajahtannasia.com URL: th.rajahtannasia.com

Saroj is a Partner in the Corporate & Commercial Practice of R&T Asia Sui Lin is the Deputy Managing Partner of R&T Asia (Thailand) Thailand (Thailand) Limited, the Bangkok office of Rajah & Tann LLP. Saroj Limited, the Bangkok office of Rajah & Tann LLP. Sui Lin graduated graduated with a Bachelor of Laws from Thammasat University in with a Bachelor of Laws from the University of London, and is solicitor 1999, and is a licensed Thai lawyer. qualified in England & Wales. Before joining Rajah & Tann, Sui Lin was Of Counsel in the dispute resolution group of an international law Prior to joining Rajah & Tann, Saroj was a legal counsel (AVP) at a firm in Thailand. Prior to that, she was a partner in a leading local law leading Thai consumer finance business, and before that he was firm. She has more than 23 years of experience in Thailand, advising in private practice at a local Thai law firm. Saroj has several years’ on general corporate and commercial matters, including advising experience in advising on corporate, commercial and consumer clients in the telecommunications sector and e-commerce businesses finance matters (including personal loans, credit cards and insurance) on setting up operations in Thailand, and on the handling and use and agreements relating to the consumer finance business. He is of data under Thai law. She also regularly advises on employment also recommended by The Legal 500 from the years 2015–2016 and matters. Sui Lin is fluent in spoken Thai. Chambers Asia Pacific (2016–2017) as a recommended lawyer in TMT and Banking.

Based in Bangkok, the team in R&T Asia (Thailand) Limited has an impressive base of international, regional and local clients. We have many years of experience in advising on a range of Thai law matters, including representing clients in civil, criminal or administrative proceedings, international and domestic arbitration, government investigations and compliance proceedings, structuring foreign direct investment and mergers and acquisitions involving private or listed companies, and general corporate commercial matters for foreign investors in Thailand. The team has particular expertise in representing clients in highly regulated industries, such as telecoms, tobacco, food and beverage, insurance and manufacturing, and can provide full support in large-scale litigation, transactions and investigations. The team comprises a majority of Thai nationals who are qualified to advise on Thai law. Our Thai lawyers are fluent in Thai and English and are fully conversant with the practical application of the law within Thailand’s business and cultural landscapes.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 183 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 28

USA Laura R. Hall

Allen & Overy LLP Kurt Wolfe

Any other activity that adversely affects or threatens the 1 Criminal Activity security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data 1.1 Would any of the following activities constitute a In addition to the statutes identified above, the U.S. criminal code criminal offence in your jurisdiction? If so, please includes statutes that criminalise activity that adversely affects or provide details of the offence, the maximum penalties threatens the security, confidentiality, integrity or availability of IT available, and any examples of prosecutions in your systems, infrastructure, communications networks, devices or data. jurisdiction: For example, the Wiretap Act criminalises the unauthorised Yes; hacking (i.e., unauthorised access), denial-of-service attacks interception of a communication or the subsequent disclosure or (DDoS attacks), phishing, infection of IT systems with malware use of an intercepted communication, as well as the manufacture, (including ransomware, spyware, and viruses), possession or use distribution, or possession of equipment to be used for unlawful of hardware, software or other tools used to commit cybercrime interception. Violators may face up to five years in prison, a fine (e.g., hacking tools), identify theft or identity fraud (e.g., in and, in certain circumstances, civil damages. connection with access devices), and electronic theft (e.g., breach In addition, the CAN-SPAM Act creates several computer crimes of confidence by a current or former employee, or criminal copyright involving spam email, including accessing a computer without infringement) may constitute criminal offences in the United States. authorisation to send spam email, falsely registering for email Computer crimes are principally prosecuted under the Computer accounts or domain names to send spam, materially falsifying email Fraud and Abuse Act (CFAA). The CFAA criminalises hacking, header information, and hiding the origin of spam email. Violators DDoS attacks, malware, identify theft, and electronic theft. may face up to three years in prison and fines of over $40,000 for Violators may face up to 20 years in prison, restitution, criminal each email sent in violation of the statute. forfeiture, and/or a fine. In addition, in some circumstances, the Failure by an organisation to implement cybersecurity measures CFAA allows the victims of computer crimes to bring civil actions No federal statutes criminalise an organisation’s failure to implement against violators for compensatory damages and injunctive or other cybersecurity measures. There are, however, sector-specific data equitable relief. protection regulations that may result in regulatory enforcement Additional crimes defined in Title 18 of the United States Code that action, including potential fines and/or exposure to damages in a civil may be committed through a breach of cybersecurity are: action (e.g., the Gramm-Leach-Bliley Act discussed in section 3.2(a) ■ Sections 1028 and 1028A criminalise identity theft and below and the Health Insurance Portability and Accountability Act). aggravated identity theft. Violators may face up to 15 years In addition, the Federal Trade Commission may assess penalties in prison, restitution, criminal forfeiture, and/or a fine. against organisations that fail to take reasonable cybersecurity ■ Section 1029 criminalises access device fraud and has been precautions to protect consumer data. used to prosecute phishing and identity theft. Violators may In addition, many states have laws or regulations that impose face up to 20 years in prison, restitution, criminal forfeiture, cybersecurity, data protection, or notification requirements on and/or a fine. covered organisations. For example, New York’s Department ■ Section 2701 (also known as the Stored Communications of Financial Services recently implemented its Cybersecurity Act) criminalises unlawful access to stored communications, Regulation, which requires banks, insurance companies, and including electronic theft. Violators may face up to one year other covered entities to establish and maintain a cybersecurity in prison, restitution, criminal forfeiture, and/or a fine. programme designed to protect consumers and ensure the safety and In recent years, there have been several high-profile “hacking soundness of New York State’s financial services industry. and trading” prosecutions that demonstrate how various criminal statutes interact in relation to computer crimes. For example, in August 2015, the U.S. Department of Justice charged nine people 1.2 Do any of the above-mentioned offences have extraterritorial application? in an international scheme to hack business newswire companies to steal non-public financial information that the individuals used to make stock trades that generated $30 million in illegal profits. The Several of the statutes that create the above-mentioned offences charges included wire fraud, securities fraud, money laundering, provide explicitly for extraterritorial jurisdiction. Even in the computer fraud, and aggravated identity theft. absence of an explicit provision for extraterritorial jurisdiction,

184 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP USA

however, U.S. prosecutors often take a broad view of the statutes’ information of state residents. Some states also have sector-specific jurisdictional reach and will likely assert jurisdiction over computer statutes, such as New York’s Cybersecurity Regulation, applicable crimes that were intended to cause or actually caused detrimental to banks, insurance companies, and other covered entities. effects within the United States, including any damage or illicit The Electronic Communications Privacy Act (ECPA) establishes access to systems or servers in the U.S. privacy protection for data and electronic communications in transit or in storage and prohibits warrantless pen register and trap and 1.3 Are there any actions (e.g. notification) that might trace operations involving electronic communications. mitigate any penalty or otherwise constitute an The United States maintains a comprehensive export control exception to any of the above-mentioned offences? regime that is governed by the Arms Export Control Act (AECA), USA the International Traffic in Arms Regulations (ITAR), the Export A number of factors, including cooperation with investigators, Administration Regulations (EAR), and the Commerce Control List use of outside counsel and experts to conduct a thorough (CCL). These laws impose export controls on cryptographic and internal investigation, and remediation efforts, are relevant to other cybersecurity-related technology. Additionally, the United the determination of criminal and civil penalties imposed by States is party to the Wassenaar Arrangement on Export Controls government regulators in enforcement proceedings. As discussed in for Conventional Arms and Dual-Use Goods and Technologies, question 7.2 below, disclosure of information by “whistleblowers” which was amended in 2013 to cover export controls on “intrusion is also protected under a number of statutes. software” and “carrier class network surveillance tools”, but has not fully implemented the controls specified in the agreement. 1.4 Are there any other criminal offences (not specific In addition to the Applicable Laws described above, criminal laws to cybersecurity) in your jurisdiction that may arise in the United States address various computer crimes. Applicable in relation to cybersecurity or the occurrence of an cybersecurity-related criminal statutes are discussed in section 1 of Incident (e.g. terrorism offences)? Please cite any this chapter. specific examples of prosecutions of these offences in a cybersecurity context. 2.2 Are there any cybersecurity requirements under In appropriate circumstances, U.S. prosecutors may prosecute Applicable Laws applicable to critical infrastructure computer crimes under other criminal statutes, even if the conduct in your jurisdiction? For EU countries only, how (and according to what timetable) is your jurisdiction expected might also be prosecuted as computer crimes. For example, to implement the Network and Information Systems prosecutors may proceed under piracy, intellectual property, Directive? Please include details of any instances harassment, espionage, or securities fraud statutes, because those where the implementing legislation in your jurisdiction is statutes have more generous statutes of limitation, provide greater anticipated to exceed the requirements of the Directive. investigative authority, or authorise higher penalties. As noted in question 1.1 above, charges for wire fraud, securities fraud, money Under the USA PATRIOT Act, 16 sectors (including laundering, computer fraud, and aggravated identity theft have been communications, critical manufacturing, defence industrial base, brought against hackers who traded on the non-public information nuclear reactors, and transportation systems) have been designated they obtained. as comprising critical infrastructure as to which the federal government must enhance cybersecurity and deepen engagement with private sector actors. 2 Applicable Laws Executive Order 13636 (Improving Critical Infrastructure Cybersecurity), Presidential Policy Directive/PPD-21 (Critical 2.1 Please cite any Applicable Laws in your jurisdiction Infrastructure Security and Resilience), and Executive Order 13800 applicable to cybersecurity, including laws applicable (Strengthening the Cybersecurity of Federal Networks and Critical to the monitoring, detection, prevention, mitigation Infrastructure) direct the federal agencies that oversee the designated and management of Incidents. This may include, sectors to develop cybersecurity risk management rules. To for example, laws of data protection, intellectual property, breach of confidence, privacy of electronic varying degrees, the Departments of Agriculture, Defense, Energy, communications, information security, and import / Health and Human Services, Homeland Security, Transportation, export controls, among others. and Treasury have promulgated sector-specific requirements and recommendations, and have established sector-specific programmes In the United States, numerous federal and state laws and regulations that involve relevant private parties and state governments. govern cybersecurity issues, with the applicability of particular regulations depending on the sector and geographic operations of 2.3 Are organisations required under Applicable Laws, the organisations in question. or otherwise expected by a regulatory or other There is no overarching federal data protection or Incident authority, to take measures to monitor, detect, prevent management law, but federal law does prescribe requirements or mitigate Incidents? If so, please describe what measures are required to be taken. for healthcare providers (in the Health Insurance Portability and Accountability Act (HIPAA)) and the financial services and telecommunications sectors (as discussed in section 3 of this Yes, federal law requires organisations in certain sectors to take chapter). Nearly every state, by contrast, has enacted laws requiring measures to monitor, detect, prevent or mitigate Incidents. Several notification of affected individuals and/or state regulators following federal regulatory agencies, notably the Securities and Exchange cybersecurity Incidents, and many states also have information Commission, have indicated that they will monitor regulated security statutes. For example, Massachusetts’s Standards for entities’ cybersecurity risk management systems and controls, and the Protection of Personal Information of the Residents of the require public disclosure relating thereto. Commonwealth imposes regulations to safeguard the personal As noted in question 2.1, at least 47 states have implemented laws applying Incident-related requirements on organisations.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 185 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP USA

defensive measures with certain government or quasi-government 2.4 In relation to any requirements identified in question entities (including federal, state, and local governments and 2.3 above, might any conflict of laws issues regulatory authorities). arise? For example, conflicts with laws relating to the unauthorised interception of electronic communications or import / export controls of 2.7 Are organisations required under Applicable Laws, or encryption software and hardware. otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Federal cybersecurity regulations are largely consistent, though Incidents to any affected individuals? If so, please organisations that operate in multiple regulated sectors could provide details of: (a) the circumstance in which

USA this reporting obligation is triggered; and (b) the encounter conflicting requirements or expectations. nature and scope of information that is required to be The greatest risk of conflict of laws issues exists with respect to state reported. law systems, which may vary greatly. For example, many states have data breach notification requirements, which require covered In certain sectors governed by federal law and under many state organisations to provide notifications to particular individuals or laws, organisations are required to notify affected individuals that entities, in particular formats, and within specified time periods. their information has been compromised. The content and timing of State law requirements on those points may be inconsistent. the required notifications varies. Differing notification requirements create a significant compliance challenge for companies operating in multiple jurisdictions. 2.8 Do the responses to questions 2.5 to 2.7 change if the information includes: (a) price sensitive information; 2.5 Are organisations required under Applicable Laws, or (b) IP addresses; (c) email addresses (e.g. an email otherwise expected by a regulatory or other authority, address from which a phishing email originates); (d) to report information related to Incidents or potential personally identifiable information of cyber threat Incidents to a regulatory or other authority in your actors; and (e) personally identifiable information of jurisdiction? If so, please provide details of: (a) the individuals who have been inadvertently involved in circumstance in which this reporting obligation is an Incident? triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) The sharing of such information with regulators or other law the nature and scope of information that is required enforcement authorities is explicitly authorised by the CISA. to be reported (e.g. malware signatures, network vulnerabilities and other technical characteristics In addition, items (b) through (d) are unlikely to be protected identifying an Incident or cyber attack methodology); information under U.S. law and may be disclosed more broadly. and (d) whether any defences or exemptions exist by which the organisation might prevent publication of 2.9 Please provide details of the regulator(s) responsible that information. for enforcing the requirements identified under questions 2.3 to 2.7. Yes. Applicable Laws include a number of sector-specific Incident notification requirements. For example, HIPAA imposes The enforcement of federal Incident-related laws varies by sector. notification requirements on healthcare providers who suffer data For example, the Office for Civil Rights at the Department of breach Incidents. Under HIPAA, in the event of a data breach, Health and Human Services investigates violations of HIPAA’s covered entities must notify the Secretary of Health and Human cybersecurity requirements, the SEC investigates federal securities Services. The timing of the notification depends on the number of laws relating to cybersecurity, the Federal Trade Commission individuals whose protected health information was compromised. (FTC) investigates compromise of consumer information through Covered entities are not required to include data like malware cybersecurity breaches, and the Department of Justice prosecutes signatures or other technical information, though investigators may violations of criminal cybersecurity statutes. seek access to this information if the Incident becomes the source of Most states have similar sector-specific enforcement frameworks. a criminal investigation. Because HIPAA only requires notification For example, the Superintendent of the New York Department of for breaches of protected health information, certain healthcare Financial Services is responsible for enforcing the Cybersecurity providers have not provided notification for other Incidents, such as Regulation. Other states may grant enforcement authority to the ransomware attacks. Attorney General or agencies responsible for consumer protection. In addition, many states have Incident notification laws. For example, New York’s Cybersecurity Regulation requires covered financial entities to provide notice to the Superintendent ofNew 2.10 What are the penalties for not complying with the York’s Department of Financial Services within 72 hours after requirements identified under questions 2.3 to 2.8? certain cybersecurity events. There is no overarching penalties framework for violations of federal laws. Rather, penalties vary depending on the particular 2.6 If not a requirement, are organisations permitted by laws, rules or regulations at issue. For example, HIPAA imposes Applicable Laws to voluntarily share information maximum fines up to $50,000 per violation and $1.5 million per related to Incidents or potential Incidents with: (a) a regulatory or other authority in your jurisdiction; (b) a organisation per calendar year. regulatory or other authority outside your jurisdiction; Similarly, there is no overarching penalties framework for violations or (c) other private sector organisations or trade of state laws and possible penalties may vary greatly from state to associations in or outside your jurisdiction? state. Some states’ penalties frameworks are based on consumer protection laws or specific cybersecurity statutes; some states’ Yes, the Cybersecurity Information Sharing Act (CISA) authorises cybersecurity laws, including New York’s Cybersecurity Regulation, private entities to voluntarily share cyber threat indicators or are silent on penalties.

186 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP USA

2.11 Please cite any specific examples of enforcement 3.2 Are there any specific legal requirements in relation action taken in cases of non-compliance with the to cybersecurity applicable to organisations above-mentioned requirements. in: (a) the financial services sector; and (b) the telecommunications sector? The failure of companies to implement adequate cybersecurity programmes to protect against and mitigate Incidents has resulted (a) Financial Services Sector in enforcement action across numerous sectors. For example, in Federal laws, as well as regulatory agency rules or regulations, 2016, Morgan Stanley Smith Barney LLC agreed to pay the SEC a impose data protection and cybersecurity requirements on organisations in the financial services sector. Examples

$1 million penalty to settle charges for failure to protect customer USA data after a former employee impermissibly transferred information include: on over 700,000 customer accounts to his personal server, which ■ The Gramm-Leach-Bliley Act (GLBA) requires financial was then hacked by third parties. In 2016, the Canadian company institutions to “establish appropriate standards” to safeguard Ashley Madison settled FTC and state charges for its 2015 customer customer information and imposes fines of up to $100,000 for institutions and $10,000 for individual officers for each data breach, ultimately paying $1.6 million. In 2015, Wyndham violation. Hotels settled FTC charges for failing to prevent or mitigate multiple data breaches. The settlement established a 20-year compliance ■ The Safeguards Rule (also known as SEC Regulation S-P) requires regulated firms to adopt and implement written programme for Wyndham, requiring them to implement a security policies and procedures to protect customer information. programme and receive regular audits and assessments. ■ The Federal Deposit Insurance Act (FDIA) imposes Between 2003–2017, the HHS Office of Civil Rights has settled “operational and management standards”, which include 52 cases against organisations alleged to have violated HIPAA data “internal controls, information systems, and internal audit security requirements, resulting in almost $73 million in aggregate systems”. penalties. ■ The Interagency Guidelines Establishing Information Security Standards set forth information security standards under the FDIA and require financial institutions to 3 Specific Sectors maintain an information security programme to safeguard the confidentiality and security of customer information and ensure the proper disposal of customer information. 3.1 Does market practice with respect to information security (e.g. measures to prevent, detect, mitigate ■ The Fair and Accurate Credit Transactions Act (FACTA) and respond to Incidents) vary across different requires the proper disposal of customer information. business sectors in your jurisdiction? Please include ■ The Red Flags Rule (also known as the Identity Theft details of any common deviations from the strict legal Rule or SEC Regulation S-ID) imposes on regulated firms requirements under Applicable Laws. a duty to detect, prevent and mitigate identity theft. ■ The Securities Exchange Act of 1934 requires firms to Yes, market practice with respect to information security varies preserve electronically-stored records in a non-rewritable, significantly across industry sectors. Organisations in well-regulated non-erasable format. industries like the financial services sector are more likely to have State laws, rules or regulations may also impose data established cybersecurity processes in accordance with the relevant protection and cybersecurity requirements on organisations regulations (e.g., SEC-regulated firms must have written policies to in the financial services sector. Importantly, New York’s protect customer information under SEC Regulation S-P). Financial Cybersecurity Regulation requires covered entities to services firms also recognise the financial risk of customer financial establish and maintain a cybersecurity programme designed information being released – a 2014 FINRA survey of broker-dealer to protect consumers and ensure the safety and soundness of New York State’s financial services industry. firms reveals that firms are most concerned about data breaches from external hackers and firm insiders. Other industries that perhaps (b) Telecommunications Sector have fewer cybersecurity regulations or face competing priorities The Communications Act requires telecommunications are less likely to have established robust cybersecurity practices. carriers to take steps to ensure that customer proprietary For example, the retail industry – where narrow profit margins network information (CPNI) is protected from unauthorised might discourage the deployment of expensive defensive software disclosure. To that end, the Communications Act directs covered entities to follow FCC standards for protecting or equipment – only recently began investing significant resources CPNI. into cybersecurity after a number of high-profile data breaches. Additionally, state laws, rules or regulations in relation to In addition to the differences in market practice across sectors, cybersecurity requirements may apply to, or have specific market practices can differ greatly within a specific sector based on requirements for, the telecommunications sector. the size and sophistication of individual entities. For example, even though the healthcare industry must protect customer information under the Security Rule of the Health Insurance Portability and 4 Corporate Governance Accountability Act (HIPAA), the rule is flexible and allows smaller healthcare providers to incorporate less advanced cybersecurity practices based on their capability, technical infrastructure, and 4.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, ability to cover the cost of a solution. In fragmented industries like mitigate, manage or respond to an Incident amount to healthcare, market practice will vary significantly and many smaller a breach of directors’ duties in your jurisdiction? entities will be less capable of preventing, detecting, mitigating or responding to cybersecurity Incidents. The failure to implement and maintain an adequate cybersecurity programme might expose directors and officers to liability in

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 187 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP USA

shareholder derivative lawsuits. Directors and officers owe fiduciary such as healthcare facilities, which are required under HIPAA to duties to their shareholders that include overseeing enterprise risk notify affected individuals through various media following a management. Directors and officers who are not meaningfully breach. involved in overseeing the risk management of the company, or who Separately, at least 47 states have passed laws requiring are negligent in their response to cyber Incidents, may face liability. organisations to notify affected individuals of security breaches in The 2013 Target Corp data breach is a noteworthy example. In the which personal information was compromised. While state law ensuing lawsuit, the plaintiffs argued that Target Corp’s directors notice requirements differ, many require individual notifications failed to adequately manage the risk of a cybersecurity Incident to affected individuals, as well as notifications to state authorities both before and after the data breach. Following a two-year special or consumer reporting agencies. For example, New York’s USA litigation committee investigation, the derivative action against Cybersecurity Regulation requires notice to the Department of Target Corp and its directors was dismissed because the company Financial Services Superintendent following cybersecurity events and its directors made consistent, deliberate efforts to address that impact covered entities. cybersecurity requirements and risks.

4.4 Are companies (whether public or listed) subject to 4.2 Are companies (whether listed or private) required any other specific requirements under Applicable under Applicable Laws to: (a) designate a CISO; Laws in relation to cybersecurity? (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, This chapter outlines the principal federal laws and requirements including for third party vendors; and (d) perform relating to cybersecurity. State laws and regulations, like New York’s penetration tests or vulnerability assessments? Cybersecurity Regulation, may establish additional requirements with respect to cybersecurity. In addition, other federal or state The Safeguards Rule (SEC Regulation S-P) requires financial laws that do not relate specifically to cybersecurity may include institutions, broker-dealers, and investment firms to designate requirements (e.g., privacy requirements) that bear on cybersecurity. one or more employees to coordinate its information security programme. In addition, the New York Cybersecurity Regulation requires covered entities to designate a CISO. 5 Litigation The Interagency Guidelines Establishing Information Security Standards direct covered entities to include Incident response 5.1 Please provide details of any civil actions that may be programmes in their information security programmes. In brought in relation to any Incident and the elements of addition, the SEC and the Financial Industry Regulatory Authority that action that would need to be met. (FINRA) have stated that their examination programmes will test the implementation of cybersecurity procedures and controls The Computer Fraud and Abuse Act (CFAA) establishes a private by investment advisors and broker-dealers. The New York cause of action for intentional harm caused by electronic means that Cybersecurity Regulation requires covered entities to have a written covers hacking, denial-of-service attacks, infection of IT systems Incident response plan. Other states’ laws may require Incident with malware, and computer-related fraud, among others. Recovery response plans for certain organisations that operate in their in damages is available for “any impairment to the integrity or jurisdiction. availability of data, a program, a system or information” as well as The Interagency Guidance on Response Programs for Unauthorized “any reasonable cost to any victim, including the cost of responding Access to Customer Information and Customer Notice directs to an offense, conducting a damage assessment, and restoring the financial institutions to conduct risk assessments as part of their data, program, system, or information to its condition prior to the information security programmes. The guidance also directs offense, and any revenue lost, cost incurred, or other consequential institutions to address Incidents in systems maintained by third- damages incurred because of interruption of service”. To be party service providers. In addition, the New York Cybersecurity actionable, the misconduct must cause at least $5,000 in losses in Regulation requires covered entities to conduct regular risk and a one-year period, cause physical injury, affect medical treatment vulnerability assessments, including risk assessments of third-party or public health or safety, or affect a computer used by a U.S. service providers. Other states’ laws may require risk assessments government entity in the area of justice, national defence or national by organisations that operate in their jurisdiction. security. The Interagency Guidelines Establishing Information Security The Electronic Communications Privacy Act (ECPA) prohibits Standards direct covered entities to regularly test information unauthorised intentional interception, use, or disclosure of any security controls, systems and procedures. The guidelines wire, oral, or electronic communication and permits a person whose recommend that the tests be performed, or reviewed, by independent wire, oral, or electronic communication is intentionally intercepted, third parties. The New York Cybersecurity Regulation requires disclosed, or used without authorisation to recover actual and covered entities to perform annual penetration testing and bi- punitive damages, attorneys’ fees, litigation costs, and equitable annual vulnerability assessments. Other states’ laws may require relief. penetration testing or vulnerability assessments by organisations The Stored Communications Act (SCA) prohibits intentional that operate in their jurisdiction. unauthorised access to stored electronic communications, and unauthorised disclosure of any stored communications by a provider 4.3 Are companies (whether listed or private) subject of remote computing services or electronic communication services to any specific disclosure requirements in relation and relief may include preliminary and other equitable or declaratory to cybersecurity risks or Incidents (e.g. to listing relief, actual damages, attorneys’ fees, and litigation costs. authorities, the market or otherwise in their annual reports)? As discussed in question 5.3, an Incident may also give rise to claims under a number of state law tort theories. Federal law establishes breach notification only for specific sectors,

188 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP USA

as costs related to Incidents are typically excluded from coverage 5.2 Please cite any specific examples of cases that under general business insurance policies. have been brought in your jurisdiction in relation to Incidents. 6.2 Are there any regulatory limitations to insurance Many litigated cases relate to Incidents committed by current or coverage against specific types of loss, such as business interruption, system failures, cyber extortion former employees of the targeted company who exceed authorisations or digital asset restoration? If so, are there any legal or violate confidentiality obligations in misappropriating electronic limits placed on what the insurance policy can cover? information for use on behalf of a new employer. In such cases, claims have been sustained under the CFAA where the employer There are no regulatory or legal limitations to what cyber insurance USA could show it was required to take investigative measures that policies can cover, though losses due to the insured’s failure to cost more than the $5,000 statutory loss threshold, while other remedy known security flaws are typically excluded. claims have been dismissed for failure to allege sufficient damage. State law claims for misappropriation of trade secrets and unfair competition have also succeeded on such facts. 7 Employees In Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000), the court issued a preliminary injunction under the CFAA 7.1 Are there any specific requirements under Applicable and state law trespass to chattels against a defendant who used a bot Law regarding: (a) the monitoring of employees for to systematically query plaintiff’s domain name registry to compile the purposes of preventing, detection, mitigating and information for mass marketing. The requisite damage was held to responding to Incidents; and (b) the reporting of cyber be established by the impairment of the plaintiff’s server capacity by risks, security flaws, Incidents or potential Incidents by employees to their employer? the activity of the defendant’s bot.

Liability under the ECPA was held to be established and statutory (a) Employers monitoring their employees are generally subject damages of $100 per day of violation awarded, albeit on a default to the ECPA’s prohibition on intentionally intercepting wire, judgment, in DirecTV, Inc. v. Perrier, 2004 U.S. Dist. LEXIS oral or electronic communications while in transit, accessing 9258 (W.D.N.Y. 2004), where the defendants used an “Unlooper” stored wire or electronic communications, or disclosing or that was “designed to permit the viewing of plaintiff’s television using the contents of such communications. programming without authorisation by or payment to plaintiff” and Two exceptions, however, are commonly applicable to could not have had any other significant purpose. employers: In a case involving “a pattern of suspicious logins to numerous ■ the business purpose exception, which permits employers subscriber accounts” of a real estate listing website, Kaufman v. to monitor oral, wire and electronic communications as Nest Seekers, LLC, 2006 U.S. Dist. LEXIS 71104 (S.D.N.Y. Sep. long as employers can show a legitimate business purpose 26, 2006), the court held that the subscribers’ ability to email listings for doing so, and to other subscribers or third parties rendered the site an “electronic ■ the employee consent exception, which allows employers communication service” protected by the SCA. to monitor employee communications, provided that they have their employees’ consent to do so. (b) There are no specific requirements under Applicable Law 5.3 Is there any potential liability in tort or equivalent regarding the reporting of cyber risks, security flaws, legal theory in relation to an Incident? Incidents or potential Incidents by employees to their employer. There may be applicable provisions in employer Some Incidents may satisfy the elements of the torts of conversion, policies or employees’ contracts of employment that could trespass to chattel, or fraud under state law in New York and create such requirements. likely other states. In Hecht v. Components International, Inc., 867 N.Y.S.2d 889 (Sup. Ct. 2008), involving an ex-employee’s 7.2 Are there any Applicable Laws (e.g. whistle-blowing unauthorised access to a company’s computer system, the court held laws) that may prohibit or limit the reporting of cyber that deletion of emails or other electronically-stored information risks, security flaws, Incidents or potential Incidents could constitute trespass to chattel if it thereby deprived the plaintiffs by an employee? of the use of such information, or “impaired [] its condition, quality or value”, but found that the company failed to establish that the There is no U.S. federal law specific to the reporting of cyber risks, emails deleted by the ex-employee were valuable to the company. security flaws, Incidents or potential Incidents by an employee. With respect to computer systems themselves, the court in School However, there are a number of laws protecting whistleblowers in of Visual Arts v. Kuprewicz, 771 N.Y.S.2d 804 (Sup. Ct. 2003), held particular contexts that may apply to such reports: that allegations that the defendant intentionally sent large volumes ■ the Sarbanes-Oxley Act, applicable to reports of fraud and of unsolicited emails that “depleted hard disk space, drained securities violations at publicly traded companies; processing power, and adversely affected other system resources on ■ the Dodd-Frank Wall Street Reform and Consumer Protection [plaintiff’s] computer system” stated a claim for trespass to chattels. Act, applicable to reports of securities violations; ■ the Occupational Safety and Health Act, applicable to reports 6 Insurance of occupational health and safety violations; ■ the Financial Institutions Reform Recovery and Enforcement Act, applicable to reports of legal violations at banks and 6.1 Are organisations permitted to take out insurance other depository institutions; against Incidents in your jurisdiction? ■ the Energy Reorganization Act, applicable to reports by employees in the nuclear industry of violations of that law, Yes. Cyber insurance policies are available on a standalone basis, the Atomic Energy Act, or Nuclear Regulatory Commission regulations; and

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 189 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP USA

■ the Defend Trade Secrets Act, which applies to employees who disclose a trade secret (a) in confidence to a 8.2 Are there any requirements under Applicable Laws governmental official or an attorney, solely for the purposes for organisations to implement backdoors in their IT of reporting or investigating a suspected violation of law, or systems for law enforcement authorities or to provide (b) in a document that is filed under seal in a lawsuit or other law enforcement authorities with encryption keys? proceeding. There are no federal laws that require organisations to implement backdoors in their IT systems for law enforcement authorities or to 8 Investigatory and Police Powers provide law enforcement authorities with encryption keys. USA 8.1 Please provide details of any investigatory powers of Acknowledgment law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. antiterrorism laws) that In addition to lead authors Laura R. Hall and Kurt Wolfe, Brian may be relied upon to investigate an Incident. Jebb, Senior Counsel in Allen & Overy’s employment and labour law practice, and Keren Livneh, an associate focusing on intellectual The U.S. Department of Justice and other sector-specific regulatory property transactions, counseling and litigation, contributed authorities have the authority to investigate cybersecurity Incidents. substantially to the preparation of this chapter. Special thanks The Department of Justice has broad authority to investigate as well to summer associates Jake Reed and Amna Ilyas for their potential criminal offences. Nevertheless, certain laws, including invaluable assistance. the Stored Communications Act (SCA), the Wiretap Statute, and the Communication Assistance for Law Enforcement Act (CALEA), provide particular powers or tools that the Department of Justice has at its disposal to investigate possible computer crimes. Sector- specific regulatory agencies, such as the U.S. Securities and Exchange Commission or the Financial Industry Regulatory Agency, have the authority to investigate, and issue requests for documents and information, relating to Incidents that appear to violate laws, rules or regulations within their purview.

190 WWW.ICLG.COM ICLG TO: CYBERSECURITY 2018 © Published and reproduced with kind permission by Global Legal Group Ltd, London Allen & Overy LLP USA

Laura R. Hall Kurt Wolfe Allen & Overy LLP Allen & Overy LLP 1221 Avenue of the Americas 1101 New York Avenue New York N.W., Washington, D.C. 20005 New York, 10020 USA USA Tel: +1 202 683 3800 Tel: +1 212 610 6300 Email: [email protected] Email: [email protected] URL: www.allenovery.com URL: www.allenovery.com USA

Cybersecurity and data protection are integral parts of Laura’s cross- Kurt has experience representing financial services firms and their border litigation practice, in which she assists clients in navigating employees in connection with complex internal investigations and the intersection of domestic and foreign legal regimes. Laura high-profile enforcement actions. He helps clients deconstruct has represented technology and financial services companies in complicated fact patterns while navigating demands from regulators, investigating suspected and confirmed cybersecurity breaches, and he is regularly called on by clients to design and execute risk- economic espionage and theft of trade secrets, including pursuing based internal investigations. In non-contentious matters, Kurt is perpetrators through litigation in multiple countries and cooperation frequently asked to help clients develop and implement compliance with law enforcement. Laura also advises companies on best policies and procedures and he regularly conducts compliance training practices and compliance with U.S. and foreign law in data privacy for employees. Kurt has particular expertise in matters involving and laws in connection with U.S. litigation and in the alleged securities or financial fraud, insider trading, FCPA compliance, development of connected products. and Ponzi scheme allegations.

Allen & Overy’s U.S. cybersecurity and data protection team is led by partners Laura R. Hall and William E. White and is integrated with the firm’s global cybersecurity practice to deliver seamless advice on cross-border issues. The U.S. team, like the global cybersecurity practice, spans the numerous practice areas involved in protecting against and responding to potential cybersecurity breaches, including corporate transactions, regulatory compliance, investigations, and litigation.

ICLG TO: CYBERSECURITY 2018 WWW.ICLG.COM 191 © Published and reproduced with kind permission by Global Legal Group Ltd, London Current titles in the ICLG series include:

■ Alternative Investment Funds ■ Insurance & Reinsurance ■ Anti-Money Laundering ■ International Arbitration ■ Aviation Law ■ Lending & Secured Finance ■ Business Crime ■ Litigation & Dispute Resolution ■ Cartels & Leniency ■ Merger Control ■ Class & Group Actions ■ Mergers & Acquisitions ■ Competition Litigation ■ Mining Law ■ Construction & Engineering Law ■ Oil & Gas Regulation ■ Copyright ■ Outsourcing ■ Corporate Governance ■ Patents ■ Corporate Immigration ■ Pharmaceutical Advertising ■ Corporate Investigations ■ Private Client ■ Corporate Recovery & Insolvency ■ Private Equity ■ Corporate Tax ■ Product Liability ■ Cybersecurity ■ Project Finance ■ Data Protection ■ Public Investment Funds ■ Employment & Labour Law ■ Public Procurement ■ Enforcement of Foreign Judgments ■ Real Estate ■ Environment & Climate Change Law ■ Securitisation ■ Family Law ■ Shipping Law ■ Fintech ■ Telecoms, Media & Internet ■ Franchise ■ Trade Marks ■ Gambling ■ Vertical Agreements and Dominant Firms

59 Tanner Street, London SE1 3PL, United Kingdom Tel: +44 20 7367 0720 / Fax: +44 20 7407 5255 Email: [email protected]

www.iclg.com