Parliament Sitting on 9 November 2022

QUESTION FOR ORAL ANSWER

6. Mr Lim Biow Chuan: To ask the Minister for Communications and Information (a) whether IMDA can do more to educate businesses on the need to protect their customer's data from being hacked; and (b) whether the punishment against illegal hackers of such data can be enhanced.

Answer:

1. Mr Speaker, our laws make clear the obligations that businesses must meet when they collect and store customers’ data.  In addition, the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA) have published resources on their websites to educate organisations, including businesses, on the importance of data protection and cybersecurity.

2. The PDPC’s “Guide to Data Protection Practices for ICT Systems” compiles a set of good data protection practices that organisations can implement. PDPC has also published the common causes of breaches for (a) IT systems and (b) cloud-based applications, so businesses are aware of the risks they face. CSA’s website also has cybersecurity toolkits available for free, to guide organisations on the cybersecurity practices to protect themselves from cyber-attacks and data breaches. 

3. The Government has gone beyond education and raising awareness, and is doing more to encourage businesses to adopt good cybersecurity and data protection measures. Small and Medium Enterprises (SMEs) may participate in the Infocomm Media Development Authority (IMDA) and PDPC’s Data Protection Essentials programme (DPE). It helps them implement baseline data protection and cybersecurity practices such as antivirus, firewall, data backup and encryption, with support from a curated panel of service providers. CSA has also launched the Cyber Trust and Cyber Essentials marks, which businesses can apply for and be recognised for good cybersecurity practices. 

4. Unauthorised access to computer material is punishable under the Computer Misuse Act ("CMA”). Perpetrators are liable, upon conviction, for a fine not exceeding $5,000 or imprisonment for a term not exceeding two years or both. Knowingly obtaining or dealing in personal information that had been obtained through unauthorised access is also punishable under the CMA, with a fine of up to $10,000 or imprisonment up to three years, or both. Penalties are more severe for a second or subsequent conviction.

5. These two offences under the CMA are also listed as serious offences under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act. Persons who knowingly acquire, possess, use, conceal or transfer the benefits of such offences, or assist another to retain such benefits, are liable to a fine not exceeding $500,000 or to imprisonment for a term not exceeding 10 years or to both. The Courts can also confiscate any benefit arising from both offences under this Act. 

6. The Government takes illegal hacking very seriously and will ensure our laws remain effective in the development of a safe and secure cyberspace. Notwithstanding these penalties, it is ultimately the responsibility of businesses to be vigilant and adopt proper cybersecurity and data protection measures to keep their customers’ data safe.