Singapore proposed changes to the Computer Misuse and Cybersecurity Act

Published on 14th Mar 2017

The Singapore Ministry of Home Affairs (MHA) announced in a press release on 9 March 2017 proposed changes to the Computer Misuse and Cybersecurity Act (CMCA).

The Computer Misuse and Cybersecurity (Amendment) Bill (the Bill) is aimed at tackling the increasing scale and transnational nature of cybercrime. The press release was made after the amendment Bill was introduced in the First Reading in the Parliament.

There are four main highlights to the amendment Bill:

  1. Criminalising the act of dealing in personal information obtained via an act in contravention of the CMCA.

The Bill extends the scope of the CMCA by criminalising the act of obtaining or dealing with illegally obtained personal information from a computer (e.g. hacking) to commit or facilitate the commission of crimes (e.g. identity fraud). It covers acts done in relation to personal information of individuals that the perpetrator knows or has reason to believe has been obtained by committing a computer crime. For example, criminals may be caught by the CMCA if they trade hacked credit card information, even though they are not responsible for the very act of hacking.

The explanatory statement to the Bill elucidates that in proving whether the perpetrator knows or has reason to believe that the personal information was obtained by committing a computer crime, it is not necessary for the prosecution to prove the exact details of the commission of the crime. Hence, for example, if a person comes across personal information the nature of which suggests that it could only have been obtained by an unauthorised access to another person’s computer, the person must not do any of the prohibited acts with that information whether or not the person who carried out the unauthorised access is known or can be discovered.

The proposed punishment for this offence is a fine not exceeding S$10,000 or imprisonment for a term not exceeding 3 years, or both; and in the case of a second or subsequent conviction, a fine not exceeding S$20,000 or imprisonment for a term not exceeding 5 years, or both.

  1. Criminalising the act of dealing in items capable of being used to commit a CMCA offence

The amendment Bill introduces another new offence – the act of obtaining or otherwise dealing with items that are capable of facilitating the illegal access of a computer, in order to commit or facilitate or to intend for such items to be used for committing or facilitating the commission of a CMCA offence. Such items include hacking tools such as malware and port scanners, which are readily available online.

The proposed punishment for this offence is a fine not exceeding S$10,000 or imprisonment for a term not exceeding 3 years, or both; and in the case of a second or subsequent conviction, a fine not exceeding S$20,000 or imprisonment for a term not exceeding 5 years, or both.

  1. Extraterritorial application of CMCA offences with “serious harm” to Singapore

Under the current CMCA, it is not an offence if a person commits a CMCA offence while overseas, against a computer located overseas, even if the harm is felt in Singapore (currently, the CMCA only criminalises act committed overseas against computers in Singapore).

The Bill seeks to fill this gap by criminalising an act that “causes, or creates a significant risk of, serious harm in Singapore”. Such serious harm in Singapore would include, among other things, illness, injury or death of individuals in Singapore, as well as disruptions to essential services in Singapore.

  1. Amalgamation of charges of CMCA offences

The Bill also provides for increased penalties when multiple CMCA offences are committed over a period of time. The Bill allows for the offences to be combined as a single charge.

Comment

The proposed changes are definitely welcome in light to the rampant occurrences of cyberattacks globally, and to tackle the increasingly sophisticated and transnational nature of cybercrime. The amendment Bill is timely in light of the recent cyberattack targeted against the Singapore Ministry of Defence. It is also a logical following the Singapore Government’s push in establishing cybersecurity capabilities.

We will provide further updates on the development of the Bill.

Follow
Interested in hearing more from Osborne Clarke?

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?