Cybersecurity 2025

SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC

the time of writing, the amendments have yet to come into force. Computer Misuse Act 1993 (CMA) The CMA sets out the enforcement and penalty framework against perpetrators of cyber-related offences, such as the unauthorised access to and modification of computer material, unau - thorised use or interception of a computer ser - vice, unauthorised obstruction of use of a com - puter and unauthorised disclosure of a password or access code. The CMA empowers the police and other government authorities to investigate and prosecute perpetrators of cybercrimes. Personal Data Protection Act 2012 (PDPA) The PDPA applies to all private sector organi - sations that collect, use, disclose or otherwise process personal data (both electronic and non- electronic data). Personal data is defined as data about an individual who can be identified from that data, or from that data and other informa- tion to which the organisation has or is likely to have access. As part of complying with the PDPA, organisa - tions are required to make reasonable security arrangements (which may include technical and cybersecurity measures) to protect personal data in their possession or under their control to prevent (i) unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks; or (ii) the loss of any storage device or medium on which personal data is stored. The PDPA also includes notification require - ments in the event of a data breach, that is (i) the occurrence of unauthorised access, col - lection, use, disclosure, copying, modification or disposal of personal data; or (ii) loss of any storage device or medium on which personal data is stored where unauthorised access, col -

lection, use, disclosure, copying, modification or disposal of personal data is likely to occur. The Do Not Call (DNC) provisions under the PDPA regulate the sending of certain market - ing messages to Singapore telephone numbers. These provisions are intended to give individuals more control over the type of marketing mes - sages they may receive by allowing individuals to register their telephone numbers with the DNC Registry and imposing obligations on organisa - tions in respect of sending marketing messages. This thereby reduces the number of unsolicited messages received by individuals and the risk of being exposed to cybersecurity attacks. The DNC provisions impose restrictions on whether an organisation may send specified messages (as defined in Section 37 of the PDPA) to a Singapore telephone number. Organisations must check that the Singapore telephone num - ber it intends to send a specified message to is not registered with the DNC Registry before sending the specified message, unless the user or subscriber of the Singapore telephone num - ber has given clear and unambiguous consent in evidential form. Further, Section 48B prohib - its organisations from sending any message to a recipient’s telephone number where that tel - ephone number was obtained by a dictionary attack or through address-harvesting software. Section 48A of the PDPA defines dictionary attack as the method by which the telephone number of a recipient is obtained using an auto - mated means that generates possible telephone numbers by combining numbers into numerous permutations. On the other hand, address- harvesting software refers to software that is designed for searching the internet for telephone numbers and harvesting those numbers. Thus, although the DNC provisions primarily target marketing messages, they serve a secondary

227 CHAMBERS.COM

Powered by