The Cyber Security Agency of Singapore (CSA), together with the Personal Data Protection Commission (PDPC) and the Singapore Police Force, published an e-handbook outlining the distinctions between the Cybersecurity Act, the Computer Misuse Act, and the Personal Data Protection Act. The e-handbook introduces the Computer Misuse Act to help organizations and individuals safeguard their computer systems more effectively.
The Computer Misuse Act
The Computer Misuse Act (CMA) was enacted in 1993 to criminalize unauthorized access to, or modification of, computer material, as well as other computer-related offenses. The Act also provides the legal basis on which such offenses are investigated and prosecuted.
As computer use becomes more ubiquitous, the potential for misuse grows, with criminals conducting more and more of their activities in cyberspace. Before the CMA was enacted, reported computer and computer-assisted crimes were dealt with under existing laws such as the Penal Code. Because of the technical intricacies involved, however, it became increasingly impractical to continue relying on those general laws.
In 2013 the CMA was renamed the Computer Misuse and Cybersecurity Act and amended to permit effective and timely countermeasures against cyber threats that endanger national security or national interests. When the Cybersecurity Act (CS Act) came into force in 2018, those cybersecurity provisions moved to the new Act and the law reverted to its former name, the CMA.
Cybercriminals are investigated and prosecuted under the CMA. It criminalizes acts such as hacking into a system, Denial of Service (DoS) attacks, and wireless mooching or piggybacking (using someone else's network connection without authority). The CMA also prescribes harsher penalties for second or subsequent convictions than for a first offense.
Some of the cybercrimes punishable under the Computer Misuse Act
Section 3(1) of the Computer Misuse Act makes it an offense to knowingly cause a computer to perform any function for the purpose of securing unauthorized access to any program or data held in any computer. A first-time offender is liable to a fine of up to $5,000, imprisonment for up to two years, or both.
A denial-of-service (DoS) attack is a cyberattack designed to disable a machine or network, preventing its intended users from accessing it. A person is guilty of an offense under section 7(1) of the CMA if they knowingly and without authority or lawful excuse: (a) interfere with, interrupt, or obstruct the lawful use of a computer; or (b) impede or prevent access to, or impair the usefulness or effectiveness of, any program or data stored in a computer. A first-time offender who is convicted is liable to a fine of up to $10,000, imprisonment for up to three years, or both.
While phishing may not be a crime in and of itself, a number of provisions penalize actions that may constitute phishing. Under section 3 of the CMA, it is a crime to cause a computer to perform any function with the intent of gaining unauthorized access to any data stored in a computer.
For a first offense, a violator convicted under this provision is subject to a fine of up to $5,000, imprisonment for up to two years, or both.
Infection of IT systems with malware (including ransomware, spyware, worms, trojans, and viruses)
A person commits an offense under section 5 of the CMA if he does any act which he knows will cause an unauthorized modification of the contents of any computer. Since infecting an IT system with malware results in an unauthorized modification of the contents of the infected computer, such an infection may constitute an offense under section 5 of the CMA.
For a first offense, the offender is subject to a fine of up to $10,000, imprisonment for a term of up to three years, or both.
Extraterritorial Application of the Computer Misuse Act
Section 11 of the CMA provides that the provisions of the CMA apply to any person, whatever his nationality or citizenship, outside as well as within Singapore. Where an offense is committed outside Singapore, the offender may be dealt with as if the offense had been committed within Singapore if:
- The accused was in Singapore at the relevant time.
- The computer, program, or data was in Singapore at the relevant time (for an offense under sections 3, 4, 5, 6, 7, or 8 of the CMA).
- The offense causes or creates a significant risk of serious harm in Singapore.
Consequently, a person who commits an offense under the CMA from a location outside of Singapore may nonetheless be prosecuted under the CMA as if the offense had been committed within Singapore.
What does this mean for organizations?
While the CMA punishes cybercriminals for their actions, organizations are not exempt from accountability when the personal data held on their computers is compromised. An inadequate cybersecurity posture can cripple the availability of essential services in Singapore, damage an organization's reputation and the trust placed in it, undermine the confidentiality, integrity, and availability of its information, and cause financial losses for businesses and individuals alike.
How a DPO can help organizations
The Protection Obligation is the obligation under the PDPA most commonly breached by organizations, especially SMEs. When an organization fails to meet this obligation, the PDPC can impose a financial penalty. A DPO can help reduce the risk of this happening to your organization.
A Data Protection Officer (DPO) oversees an organization's data protection responsibilities and ensures that it complies with the Personal Data Protection Act (PDPA). The DPO should also work to curb cyber threats and data breaches, as the officer responsible for maintaining the organization's cybersecurity posture.
For instance, at Privacy Ninja, we regularly conduct penetration testing to see whether the organization's systems have vulnerabilities that can be exploited or taken advantage of, and patch them as quickly as possible before any bad actor can do so.
DPOs complement the efforts of organizations in making sure that the personal data they collect and use is accurate. Should an obligation be breached, the DPO ensures that a protocol for dealing with the breach has already been established and can be put into action.
As a consumer who provides my own sensitive information to every organization I encounter or transact with, I would feel safe if an organization went the extra mile to ensure that my data is correct and concise, as it affects me whenever a decision is made.