Parliament Sitting on 9 November 2022


6. Mr Lim Biow Chuan: To ask the Minister for Communications and Information (a) whether IMDA can do more to educate businesses on the need to protect their customer's data from being hacked; and (b) whether the punishment against illegal hackers of such data can be enhanced.


1. Mr Speaker, our laws make clear the obligations that businesses must meet when they collect and store customers’ data.  In addition, the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA) have published resources on their websites to educate organisations, including businesses, on the importance of data protection and cybersecurity.

2. The PDPC’s “Guide to Data Protection Practices for ICT Systems” compiles a set of good data protection practices that organisations can implement. PDPC has also published the common causes of breaches for (a) IT systems and (b) cloud-based applications, so businesses are aware of the risks they face. CSA’s website also has cybersecurity toolkits available for free, to guide organisations on the cybersecurity practices to protect themselves from cyber-attacks and data breaches. 

3. The Government has gone beyond education and raising awareness, and is doing more to encourage businesses to adopt good cybersecurity and data protection measures. Small and Medium Enterprises (SMEs) may participate in the Infocomm Media Development Authority (IMDA) and PDPC’s Data Protection Essentials programme (DPE). It helps them implement baseline data protection and cybersecurity practices such as antivirus, firewall, data backup and encryption, with support from a curated panel of service providers. CSA has also launched the Cyber Trust and Cyber Essentials marks, which businesses can apply for and be recognised for good cybersecurity practices. 

4. Unauthorised access to computer material is punishable under the Computer Misuse Act ("CMA”). Perpetrators are liable, upon conviction, for a fine not exceeding $5,000 or imprisonment for a term not exceeding two years or both. Knowingly obtaining or dealing in personal information that had been obtained through unauthorised access is also punishable under the CMA, with a fine of up to $10,000 or imprisonment up to three years, or both. Penalties are more severe for a second or subsequent conviction.

5. These two offences under the CMA are also listed as serious offences under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act. Persons who knowingly acquire, possess, use, conceal or transfer the benefits of such offences, or assist another to retain such benefits, are liable to a fine not exceeding $500,000 or to imprisonment for a term not exceeding 10 years or to both. The Courts can also confiscate any benefit arising from both offences under this Act. 

6. The Government takes illegal hacking very seriously and will ensure our laws remain effective in the development of a safe and secure cyberspace. Notwithstanding these penalties, it is ultimately the responsibility of businesses to be vigilant and adopt proper cybersecurity and data protection measures to keep their customers’ data safe. 
Singapore and the European Union sign Digital Partnership Press Releases Others, Cyber Security, Digital Defence, Digital Readiness, Government Technology 01 Feb 23
Speech by Minister Josephine Teo at the launch of Temus's Step IT Up Programme on 26 January 2023 Speeches Digital Readiness, Cyber Security 26 Jan 23
The Korea-Singapore Digital Partnership Agreement enters into force Press Releases Government Technology, Others, Digital Defence, Cyber Security 13 Jan 23
Speech by Senior Minister of State, Dr Janil Puthucheary at the techUK Digital Ethics Summit 2022 on 7 Dec 2022 Speeches Cyber Security, Digital Readiness, Government Technology, Others 07 Dec 22
Securing AI Collaborations between Singapore and Republic of Korea Press Releases Cyber Security, Digital Readiness, Government Technology, Others 06 Dec 22
Speech by Mrs Josephine Teo, Minister of Communications and Information, at the Global Technology Summit on 1 December 2022 Speeches Personal Data, Others, Cyber Security 01 Dec 22