[BreachExchange] Singapore extends cybercrime laws to include firms that use breached data

Tue Apr 4 20:28:16 EDT 2017

http://www.zdnet.com/article/singapore-extends-cybercrime-
laws-to-include-firms-that-use-breached-data/

Singapore has extended its laws to allow anyone that uses or transacts with
illegally obtained personal information to be prosecuted, even if they are
not responsible for causing the security breach.

First mooted earlier this month, the bill to amend the Computer Misuse and
Cybersecurity Act was passed in parliament on Tuesday, with some MPs
voicing concerns about the changes.

The amended laws now criminalised any act of dealing in personal
information obtained via acts considered illegal, such as hacking and
identity fraud. This meant that businesses or individuals that provided,
obtained, or retained hacked personal details could be charged, even though
they were not responsible for the security breach.

The act prohibited unauthorised access to computer data, access with intent
to commit or facilitate an offence, as well as unauthorised modification of
computer data. It also outlawed illegal interception of computer services,
unauthorised obstruction of computer use, and illegal disclosure of access
codes.

Under the changes, anyone caught illegally accessing or dealing with
hacking tools such as malware and port scanners now could be prosecuted.
Amendments to the act also would apply to perpetrators that commit the
offences while overseas as well as using a system located overseas. These
offenders would be charged if their actions caused or created "significant
risk of serious harm" in Singapore, including illness, injury, or
disruptions to essential services in the country.

The government said the amendments were necessary to address the
"increasing scale and transnational nature of cybercrime".

The laws also now enabled prosecutors to combine repeated acts of hacking
into a system, launched over a year or less, under one charge in order to
push for a higher penalty.

Senior Minister of State for Home Affairs Desmond Lee said in parliament
that the amendments would better arm law enforcers to combat increasingly
complex cybercrime acts and evolving methods used by cybercriminals.

Several MPs, though, highlighted the complexity of prosecuting offences
that involved cross-border elements as well as the need to raise awareness,
in particular, among small and midsize businesses that might unwittingly
use illegally obtained personal data.

They noted that investigating offences that involved overseas systems, for
instance, would be complex since it likely meant having to deal with
foreign laws. Furthermore, data hosted on the cloud might be stored in
servers located outside Singapore, making it tough to investigate incidents
involving such systems.

In response to a question about researchers and journalists having access
to breached personal data, Lee said no crime would have occured as long as
the information was not published or made publicly available.

Depending on the circumstances, however, he stressed that "indiscriminately
making available hacked personal information" might be deemed an offence.

There also were concerns that prosecutors no longer had the burden of proof
in bringing such charges to court.

Dennis Tan, executive council member and vice chair of media for opposition
group, The Workers' Party, pointed to an amended clause that stated "it is
not necessary for the prosecution to prove the particulars of
contravention, such as who carried out the contravention and when it took
place".

Tan noted: "This section is doing away with the need for the prosecution to
prove the particulars of contravention such as who carried out the
contravention and when it took place. I am somewhat uncomfortable with the
prosecution being relieved of the burden to prove the particulars of the
contravention in question.

"I think these are fundamental issues which the prosecution should prove
before another person can be charged and convicted of obtaining or
retaining or making use of the information in question," he said.

He added that while it was necessary to bolster Singapore's efforts in
combating cybercrimes, the government should limit "easing the burden of
proof" through such provisions or establish strong justification for it
before doing so.

Tan also asked for updates on the country's standalone cybersecurity act,
scheduled to be announced later this year.

The new act was expected to provide the Singapore government powers to
audit business sectors and ensure organisations had implemented cyber
defense systems. The new bill would detail what these powers would entail,
for example, in a large-scale cyberattack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170404/eeca90d1/attachment.html>