In the second part of a special series on technology in the legal sector, Leo Long looks at how governments across Asia are updating cybersecurity and data protection laws in anticipation of the next cyber-attack. Law firms are a preferred target because of the confidential information they hold.
While the world was still reeling from the WannaCry ransomware back in May, a newer, nastier and more intelligent virus called Petya broke the following month. Within the Asia Pacific region, the virus did the most damage in India, according to cybersecurity provider Symantec.
This pair proved calamitous for many businesses and individuals, but more than that, the events hit home on the need for urgency in both regulation and adequate security of digital information, and nowhere is that more pertinent than with sensitive information banked at law firms and company legal departments.
While the cyber community is still trying to work out where the two attacks came from, for many, once abstract concepts of data protection and cybersecurity are quickly gaining traction. Security firm McAfee in its 2018 Threats Predictions Report warned that cyber-attacks and data breaches are expected to become more disruptive as hackers develop new variations of “cyber-crime business models”.
“[The attacks] add another element of urgency that calls for especially large organizations to beef up their cyber intrusion detection and mitigation strategy – one of the major selling points of the China Cybersecurity Law,” Stephen Yu, a director at AlixPartners in Hong Kong, said recently.
In terms of internal risk management, handling personal data without breaches remains a challenge for businesses. Incidents of data theft around Asia are numerous. A report by security firm ThreatMetrix, which provides online authentication services, found that 11.8% of e-commerce transactions in the Asia-Pacific involved fraudulent login attempts, as cyber-criminals leverage patched-together stolen identities to carry out attacks on digital transactions.
Law firms are among the prominent potential targets “because of the confidential and privileged data that they hold, especially relating to M&A activity”, says Paul Jackson, the Asia-Pacific leader of cybersecurity and investigations at Kroll, a global provider of risk solutions.
The international Association of Corporate Counsel in March published data security guidelines for in-house counsel, which among other things set out in-house expectations of external lawyers that have access to sensitive company data.
Improving landscape
New rules and regulations on cybersecurity are expected to have a significant impact on businesses wanting to insure themselves against risks involved with the internet of things (IoT), big data and mobile payments.
For example, Japanese companies are showing great interest in the potential uses of big data and artificial intelligence (AI) in their businesses, according to Christopher Hunt, a Tokyo-based partner of Herbert Smith Freehills. “Japanese companies are increasingly taking an interest in how to insure against cyber risks as their understanding and awareness of the potential exposures grows,” says Hunt.
Jackson adds that, “APAC entities are generally – although not always – lagging behind when it comes to their cybersecurity posture and levels of spending to address this issue, but things are changing as stronger legal and regulatory frameworks are rapidly being implemented across the region, coupled with a greater understanding at a leadership level of the business impacts of data breaches.”
The resolve to change can be seen in notable campaigns launched by governments, such as Singapore’s Smart Nation initiative, India’s Digital India, and Australia’s Cyber Security Strategy.
Regulators in some APAC jurisdictions are reviewing or amending existing laws and regulations to adapt to more challenging legal landscapes. For example, Japan’s reformed Act on the Protection of Personal Information was put into full effect in May 2017. And in July, Singapore sought opinions on proposed amendments to the Personal Data Protection Act (PDPA), and proposed a cybersecurity bill.
With scattered language in various rules and regulations on cybersecurity and data protection, some maturing countries are working hard to introduce more comprehensive laws. One of the notable results is the implementation of China’s Cybersecurity Law, which came along with relevant regulations and rules in mid-2017.
Another is Indonesia’s issuance of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (PDP Regulation) in December 2016, while some other major amendments were also made in the archipelago in the past year.
Zacky Zainal Husein, a Jakarta-based partner of Assegaf Hamzah & Partners, says the PDP Regulation is the first comprehensive data protection regulation under Indonesian law, although it is limited to personal data that is stored in electronic form.
“However, it is still much in its infancy when compared to EU countries or Indonesia’s Southeast Asian neighbours, Singapore and Malaysia,” says Husein.
This developing status might also apply to neighbours like Thailand and India, where comprehensive laws on either cybersecurity or data protection are yet to be put in place.
“The Information Technology Act, 2000, has been the only law dealing specifically with cyber-crimes in India. Considering the dynamic nature of cyber-crimes and ever-evolving nature of technology, the IT Act has been criticized for its lack of effectiveness, even after the amendments made in the past 17 years,” says Salman Waris, head of TMT and IP practice at TechLegis Advocate & Solicitors in New Delhi.
Europe’s GDPR
Europe’s General Data Protection Regulation (GDPR), which will be implemented in 2018, stands out as a reference point for many countries drafting their own cyber and data legislation. For example, the mandatory 72-hour data breach notification requirement in the implementing rules and regulations of the Philippines’ Data Privacy Act is believed to be borrowed from the GDPR. Hong Kong’s Privacy Commissioner for Personal Data was also considering a possible revision of its two-decade-old Personal Data (Privacy) Ordinance in 2016 when reviewing the GDPR.
“It is being touted as the most stringent data privacy law around the world,” says Waris of TechLegis. “There are a few rights (as prescribed by GDPR) that the Indian data protection and privacy law should have as well.”
Another ground-breaking rule borrowed from the GDPR for APAC is the “right to be forgotten”. In 2016, Indonesia introduced the right to be forgotten, claiming to be the first country in Asia to adopt the concept. In May 2016, South Korea also released guidance indicating that individuals can request website administrators and search engines to remove certain content related to personal data.
However, some point out that this might prove problematic for marketplaces or content producers. “The novelty of updating Indonesia’s main technology legislation to contemporary developments might be overshadowed by the inadequacy and brevity of the provision pertaining to ‘the right to be forgotten’,” says Husein.
Greater stringency
A clear trend is that legal frameworks are becoming more stringent in many APAC countries as risks become clearer, and this can be demonstrated in many ways. One is the regulation of authorities’ power and the obligations of individuals and businesses within a jurisdiction.
“With respect to how advanced the cybersecurity framework is in China, we believe that China is taking a more stringent approach to cybersecurity and data security than, for example, the EU,” says David Tang, a Shanghai-based partner at Han Kun Law Offices.
Tang says this is because of the breadth of what types of data are proposed to be localized in China, the extent that cyberspace is actively regulated, and also the policy positions that the current administration has expressed regarding the concept of “cyberspace sovereignty”.
In another case, Singapore’s recent draft cybersecurity bill includes the powers of authorities like the Cyber Security Agency of Singapore (CSA), the obligations of persons, and the regulation of critical information infrastructure (CII) and cybersecurity service providers.
“The Cybersecurity Bill gives the CSA powers to require any person to assist and cooperate in investigations, and also to take steps to prevent and respond to cybersecurity threats and cybersecurity incidents,” says Jack Ow, a Singapore-based partner at RHTLaw Taylor Wessing. “The amount of information to be provided and the degree of cooperation that is expected will depend on the potential impact and/or the severity of the cybersecurity threat or cybersecurity incident,” he said.
Under the bill, there is also a pioneering licensing regime where certain cybersecurity service providers will be required to obtain a licence. Singapore is also considering a mandatory data breach notification system. In Australia, meanwhile, in February 2017 the federal senate passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, establishing a mandatory notification system for data breaches.
Similarly, Indonesia’s PDP Regulation introduced a new policy that all electronic system providers that manage personal data electronically must certify their electronic systems according to the applicable standards under Indonesian law.
“However, since such certification has not been further stipulated under an implementing regulation, and is not carried out in practice, there is still much uncertainty for businesses on how to meet this requirement, especially considering that the PDP Regulation transitional period is ending on 1 December 2018,” says Husein.
In Thailand, the legal framework for data protection and cybersecurity is not well developed, but the government is aware of the issues and is in the process of drafting relevant bills.
“Still, we do not expect that cybersecurity legislation will include any mandatory public disclosure obligations in the event of a breach in the foreseeable future. More likely is that we will see a possible reporting regime similar to the proposed new regime adopted by Singapore,” says Jeffrey Blatt, a Bangkok-based of counsel at Tilleke & Gibbins.
Data localization
The requirements for data localization are also stringent in countries like Australia, China, Indonesia and South Korea.
“Presently, the Cybersecurity Law [in China] provides that CII operators must localize personal information and important data that is collected or generated within China, and then such information may be subject to a security assessment if the collector wishes to transmit the information abroad due to business needs,” says Tang, who also expects current draft regulations in China will effectively broaden its requirement to all network operators, which would initially appear to be challenging with respect to both compliance and enforcement.
Indonesia also has particularly strict data localization rules specified in the EITS Regulation. Like some of its neighbours, Indonesia has restrictions on specific sectors, such as health and banking. Its PDP Regulation also requires notification of overseas personal data transfers.
“However, in practice it is unclear which sort of ‘overseas personal data transfer’ is required to be reported,” says Husein. Although no express localization requirement exists in some jurisdictions, there are relevant regulations concerning the transfer of personal data.
In Singapore, says Ow, “Where international transfers of personal data are concerned, then it is an express requirement under the PDPA that the transferring party must ensure, before transferring personal data overseas, that the receiving foreign party is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to the standard of protection prescribed in Singapore.”
Uncertainties
Despite the introduction of various laws, uncertainties still remain, some caused by the unclear definitions or scopes of key words in new regulations.
Victor Fu, a Beijing-based international partner at Haiwen & Partners, points out that the following two topics are frequently discussed in China: (1) regarding cross-border data transfer control, is it true that any network operator must be subject to the rules under recent opinion-seeking regulations; and (2) how will the scope of the CII be determined in practice.
“These two questions are quite important for companies – especially multinational companies that have been used to setting up their IT resources abroad rather than localizing their resources in China – to decide where to put more IT resources,” says Fu.
In Japan, the Basic Cybersecurity Act, which came into force in November 2014, poses similar questions.
“Consistent with its name, the act is somewhat basic in its requirements for businesses, imposing only very limited obligations on ‘critical infrastructure operators’, a term that the act does not define,” says Hunt.
“The act’s introduction certainly reflects a step in the right direction. However, absent further legislative input, there remains a noticeable disparity between the cybersecurity obligations imposed on businesses operating in, say, the US or the EU, and those operating in Japan.”
Towards harmony
With all the differing approaches to laws on cybersecurity and data protection in the APAC region, many believe it is critically important that countries consider how they can adopt standards to facilitate activities like cross-border data transfer through a harmonization of the various regimes.
Some regional organisations are working hard in this direction. In a joint statement in 2016, the Association of Southeast Asian Nations (ASEAN) put forward basic agreed principles at both national and regional levels for member countries to boost data protection in the region.
“This is clearly an area where some harmonization is required, optimally by treaty and possibly led by ASEAN,” says Blatt of Tilleke & Gibbins. “Cross-border data transfers are a reality today, as is government lawful access of data for data stored/transiting a jurisdiction.”
The updated Privacy Framework (2015) of the Asia-Pacific Economic Cooperation (APEC) also mentions its aim to promote cross-border cooperation. The Cybersecurity Law of China, an APEC member-state, says its goal on international exchange and co-operation in cyberspace governance is to create “a multilateral, democratic and transparent network governance system”.
Tang thinks that it is uncertain to what extent relevant rules in China will restrain the efficient cross-border flow of information and become an obstacle for enterprises doing business in China, because the regime has not been fully developed.
“In that regard, we would expect China to moderate its regulatory approach and devise compliance and enforcement mechanisms with its trading partners so as to balance the demands of business and national security,” he says.
This remains a stumbling block on the road towards regional harmonization. “Among other reasons, there are many countries in the Asia-Pacific bloc at different levels of economic development,” adds Ow. However, he says there is reason for optimism. “The cross-border exchange of digital goods, services and even ideas between Asian economies could very well be a key driver toward harmonization in order to facilitate and regulate intra-Asia trade.”
Up close and personal
In China, Fu says, for businesses related to IoT and big data, a more important issue is that such businesses heavily rely on the collection of information, and major impacts come from the broadly defined term “personal information”, which under the Cybersecurity Law and relevant rules refers to various information recorded in electronic or any other form, and used alone or in combination with other information to recognize the identity of a natural person.
“If the coverage of personal information is broad and the requirement on personal information collection is applied, the collection of information and data in such businesses may be subject to various rules,” says Fu.
There is still plenty of room for improvement. Blatt says the issues relating to biometrics and IoT are being inadequately dealt with in the Asia-Pacific. “With regard to IoT cybersecurity issues, there is relatively little regulation at this point, or minimum standards. IoT devices are, and will continue to become, ubiquitous, and be a weak link in cybersecurity,” he says.
Biometrics is another sector that needs attention. Some APAC jurisdictions like Japan and Taiwan introduced the concept of “sensitive personal data”, which includes a person’s medical record. Hong Kong also released the Guidance on Collection and Use of Biometric Data in 2015.
Biometrics is especially an issue for India. In August, about 20,000 records were reported to have been leaked relating to India’s Aadhaar programme, which is the world’s largest biometric identity system, with over 1.1 billion enrolled members as of July 2017. India’s parliament passed the Aadhaar Act, 2016, in March of that year to provide legal backing to the project.
“The act restricts the authorities from disclosing biometric information to any third party and imposes criminal penalties in case of any breach. However, the act does not address privacy issues outside the use of Aadhaar numbers and biometric information associated with Aadhaar,” says Waris.