Along with the Thailand Personal Data Protection Act, the Cybersecurity Act was also approved and endorsed by the National Legislative Assembly on 28 February 2019.
Once the Cybersecurity Act is published in the Government Gazette, it will become effective. It is expected that the act will be published in the gazette in April or May this year.
Definitions of cybersecurity and cyber threats. Under the current version of the act, “cybersecurity” means any measure or procedure established to prevent, handle, or mitigate the risk of cyber threats from both inside and outside Thailand, which affect national security, economic security, martial security and public order.
A cyber threat means any action or unlawful undertaking carried out using a computer, computer system or undesirable programme with the intention of causing harm to computer systems, computer data or other relevant data; the term also includes imminent threats that would cause damage to, or affect the operation of, the computer, computer systems or other relevant data.
Levels of cyber threats. The act has classed cyber threats into three levels:
- Non-critical level cyber threats;
- Critical level cyber threats; and
- Crisis level cyber threats.
The power and authority of relevant officials against private organizations will depend on the level of a particular cyber threat.
Obligations of private organizations. Private organizations using computers and computer systems in the course of their operations to maintain national security, public security, national economic security or fundamental infrastructure for public interest could be deemed critical information infrastructure organizations under the act.
Critical information infrastructure organizations have various obligations under the act, including: (1) providing names and contact information of the owners, persons possessing the computer and persons monitoring the computer system; (2) complying with the code of practice and minimum cybersecurity standards; (3) conducting risk assessment; and (4) notifying of cyber threats.
In the event of a cyber threat, a critical information infrastructure organization is required to investigate the related information, computer data and computer system of the affected organization, and to protect against, handle and mitigate the risks from the cyber threat in accordance with the code of practice and cybersecurity standards. Critical information infrastructure organizations are also subject to the same obligations as other private organizations.
Private organizations that are not critical information infrastructure organizations are also subject to the act.
In the event of a cyber threat, the relevant authorities may request co-operation from or order private organizations to perform various actions, such as: (1) providing access to relevant computer data or a computer system, or other information related to the computer system only to the extent it is necessary to prevent cyber threats; (2) monitoring the computer or computer system; and (3) allowing officials to test the operation of the computer or computer system, or seize or freeze a computer, a computer system, or any equipment.
Generally, such orders must be limited to the necessity of preventing or handling cyber threats. The extent of the orders will depend on the level of a particular threat. Certain orders would require a court order, while others would not. The penalties vary from fines to imprisonment.
Once the Cybersecurity Act is published in the Government Gazette, any entity that could be deemed a critical information infrastructure organization should monitor the development of the act closely and prepare for compliance. All other entities should prepare their IT systems, update relevant legal documents, including IT policies and breach notification procedures, and conduct personnel training to raise awareness of cybersecurity.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by emailing Danian Zhang at firstname.lastname@example.org.