Following our updates on the Thai Cybersecurity Bill (“Cybersecurity Bill” or “Bill“) in October 2018, the Bill was revised by experts from the National Cybersecurity Preparation Committee on 15 November 2018 and again on 30 November 2018.
The revisions address certain issues raised by the stakeholders during the previous public hearing.
The key amendments to the latest version of the Bill include:
1. New definitions of Cyber Threats, Code of Practice, Cybersecurity Incident, Cyber Security Solution, Information Asset, Supervising or Regulating Organization, and Private Organization
In summary, the terms “Cyber Threats” and “Information Asset” have been redefined. Personal data and communication data are removed from the definition of Information Asset. Definitions of “Code of Practice,” “Cybersecurity Incident,” and “Cybersecurity Solution” have been introduced in this Bill along with definitions for the terms “Supervising or Regulating Organization” and “Private Organization.” The definition of Cyber Threats was revised to focus on computer systems rather than data.
Please see the key definitions below.
“Cyber Threats” means any action or unlawful undertaking by using a computer, computer system, or undesirable program with an intention to cause any harm to the computer system or an Information Asset, or which constitutes an imminent threat to injure or affect the operation of a computer, computer system, or Information Asset.
“Supervising or Regulating Organization” means a Government Agency or Private Organization, or a person who is appointed by law with the duty and authority to supervise and regulate the operations of the Organization of Critical Information Infrastructure.
“Information Asset” shall mean:
- computer network systems, computer systems, computer operational systems, and information systems;
- computers, computers’ components, information recorders, and any other equipment; and
- data, electronics data, and computer data which is stored in or processed from or can be retrieved from (1) and (2), but not including personal data and data communicated from one person to another.
2. New committees and re-delegation of authority
Under the Bill, the relevant committees have been restructured and their authorities have been re-delegated, as follows.
- National Cybersecurity Committee, the main committee in charge of cybersecurity;
- Cybersecurity Regulating Committee, the main authorities are to supervise and operate the handling of Cyber Threats in specified circumstances and to prescribe the Code of Practice to be followed by the Organizations of Critical Information Infrastructure;
- Committee Supporting Critical Information Infrastructure Cybersecurity, the main authorities are to deal with Cyber Threats of the Organization of Critical Information Infrastructure and prescribe the duties of Organization of Critical Information Infrastructure; and
- Committee Supervising the Office of the Cybersecurity Committee (CSO), the main authority that handles general work of the Office of the National Cybersecurity Committee.
3. Cyber Threats have been categorized into three levels
Under this version of the Bill, Cyber Threats are re-defined into three levels: (1) monitoring level; (2) critical level; and (3) crisis level. Definitions of a monitoring-level Cyber Threat and a crisis-level Cyber Threat have been provided in the Bill.
4. The introduction of a Supervising or Regulating Organization concept to control and coordinate with the Organizations of Critical Information Infrastructure
Under the latest version of the Bill, the NCSC may prescribe the type, obligations, and responsibilities of the Cybersecurity Agency (CSA) and/or Cyber Security Operations Center (CERT) for the Organization of Critical Information Infrastructure to coordinate, monitor, deal with, and fix Cyber Threats. The NCSC may assign a Government Agency or the Supervising or Regulating Organizations to perform such duties for the Organization of Critical Information Infrastructure, in whole or in part.
5. Implementation of the necessity concept
The wording “only to the extent that it is necessary to prevent Cyber Threats” has been added to the authorities of the officials related to Cyber Threats at critical and a crisis levels.
6. Reintroduction of the judicial oversight
A court order requirement has been reintroduced for certain authorities of the officials. Per this requirement, a court order would be required for certain actions by officials.
However, the relevant officials still have certain authorities to order private sector entities without a court order in certain circumstances. In case of urgent necessity for crisis-level Cyber Threats or in case of emergency, the relevant officials are also authorized to order private sector entities without obtaining a court order and the National Security Council has full authority to maintain cybersecurity of the nation.
7. Prohibition to appeal
Under the Bill, a person who has suffered damage, or who may suffer damage as the inevitable result of an order related to the handling of Cyber Threats may appeal such order only for a monitoring-level Cyber Threat.
8. Reintroduction of the confidentiality obligation
Officials and any person are subject to liabilities for breaching the confidentiality obligation under the Bill. This concept was removed from the October version of the Bill but the latest Bill reintroduced the confidentiality obligation.
9. Removal of criminal penalties against the owner, possessor, or administrator of a computer system for risk assessment
In general, these revisions to the Bill improve and address several issues and concerns in the previous version issued in October 2018. However, certain concerns remain including, among others, the broad definition of Critical Information Infrastructure which could cause confusion as to whom will be subject to the duties and liabilities under the Bill (e.g. the term “information technology and telecommunications” could cover a range of operators, from application service providers to infrastructure service providers), certain authorities of the officials to order private sector entities without obtaining a court order, the prohibition to appeal the orders related to Cyber Threats at critical and crisis levels, etc.
The Bill was approved by the Cabinet on 18 December 2018. After the Cabinet’s approval, the Bill will be forwarded to the National Legislative Assembly (“NLA”) for further consideration. According to news reports, the Ministry of Digital Economy and Society expects the Bill should be revised and submitted to the NLA by the end of December 2018. Once the NLA endorses the Bill, it will be sent to His Majesty the King for final approval before being published in the Government Gazette. It will then come into force the day after the publication date. Therefore, the development of this Bill should be closely monitored.
Our TMT team at Baker McKenzie will keep you informed of any further updates as they happen.