John P. Formichella, Naytiwut Jamallsawat and Artima Brikshasri
Thailand has rapidly grown its digital economy, and has made a concerted push towards technological innovation. As technology has evolved within the country, however, so has the threat of cybersecurity issues.
In order to tackle this looming threat, the government of Thailand released the Cybersecurity Act B.E. 2562 (2019) (“Cybersecurity Act”), which was published in the Government Gazette on 27 May 2019 and is now in effect. The Cybersecurity Act endeavors to enforce legal safeguards to ensure the security of cyberspace, and in particular, sets out a cybersecurity risk assessment plan to prevent and mitigate against cybersecurity threats that may affect the stability of national security and the public interest, including interests related to the economy, healthcare, international relations and other governmental functions, among other areas.
The Cybersecurity Act applies to both public and private sector entities that: i) own information and communication infrastructure which is integral to the maintenance of vital societal functions, otherwise known as Critical Information Infrastructure (“CII”); and ii) are engaged in the following services:
- National security;
- Material public service;
- Banking and finance;
- Information technology and telecommunications;
- Transportation and logistics;
- Energy and public utilities;
- Public health; and
- Other areas that may be further prescribed by the relevant cybersecurity authority.
Under the Cybersecurity Act, these companies must put in place internal guidelines for managing cybersecurity issues, and these guidelines must be in accordance with the national cybersecurity master plan.
In addition to the Cybersecurity Act, cybersecurity matters are addressed in the Computer Crimes Act B.E. 2550 (2007) (“CCA”) which stipulates that any import, dissemination or forwarding of data through a computer system that may cause damage to the public (i.e., public security, the national economy, public infrastructure, etc.) shall be considered as an offense under the CCA.
There are two main cybersecurity regulatory authorities, as follows:
- a) National Cyber Security Committee
The National Cyber Security Committee (“NCSC”) is comprised of the Prime Minister of Thailand as the chairman, and directors from the government and the private sector that hail from areas that are of benefit to cybersecurity such as engineering, law and information technology. The NCSC sets out general cybersecurity policies and action plans as well as minimum standards for computer systems used in both government agencies and CII entities, in accordance with the national cybersecurity master plan.
The NCSC also has the authority to determine the levels of cybersecurity threats under the Cybersecurity Act (i.e., non-critical, critical and crisis) as well as the preventive and mitigative measures that should be in place for each of these levels. To enable this, the NCSC is empowered to request information and documents from, and access the facilities of, private entities, subject to the owner’s consent, to analyze and evaluate the impact of a critical cyber threat in order to determine cybersecurity threat levels and appropriate preventive and mitigative measures.
- b) Cyber Security Regulatory Committee
The Cyber Security Regulatory Committee (“CSRC”) consists of the Minister of the Ministry of Digital Economy and Society as the chairman, and similar to the NCSC, has directors from the government and the private sector from areas that benefit cybersecurity. The role of the CSRC is to set out codes of practice and minimum standards for cybersecurity in the public and private sectors relating to CII, including risk assessment and mitigation plans against cyber threats. In addition, the CSRC may order public and private sector entities to prevent, mitigate and/or re-evaluate cyber threats in line with prescribed cybersecurity minimum standards.
If a critical level threat is discovered, the CSRC is empowered to perform any action to prevent or mitigate such threat. For example, the CSRC may order an owner or user of a computer that is the subject of a cyber threat to fix defects or eliminate undesirable programs. Furthermore, if judicial permission is granted, the CSRC may access information and/or seize computer systems, data and related equipment for a maximum of 30 days to prevent and mitigate cyber threats.
In the case of a crisis-level threat, the National Security Council shall take charge and carry out its duties. For any crisis-level threat which requires an immediate response, however, the CSRC is authorized to perform any act warranted as necessary without judicial permission.
In addition to the two main regulatory authorities above, there are two other relevant authorities, including the Computer Security Coordination Center and competent regulators responsible for monitoring and taking action against cyber threats as well as regulating cybersecurity minimum requirements for CII entities under their supervision.
Regulatory Authority Guidance
The guidance on cybersecurity under the Cybersecurity Act relates to the development of security mechanisms to safeguard CII and enhance the prevention and mitigation of national cyber threats. The guidance also emphasizes the importance of cooperation between public and private sectors as well as international organizations in order to cope with cyber threats. Development of cybersecurity research and local expertise, including effective cybersecurity-related laws and regulations, are also considered key factors in enforcing cybersecurity. The NCSC’s policies and plans on cybersecurity measures must be formulated in line with this general guidance.
Scope of Application
There are a number of main concepts in cybersecurity that are addressed or have been adopted under the Cybersecurity Act, as follows:
- a) Network and Information Systems
Network and information systems may be similar to CII under the Cybersecurity Act, which again refers to information and communication infrastructure such as a computer system of either public or private entities that is essential for the maintenance of core societal functions including national security, public safety, or public utility infrastructure. A computer system in this context is considered to be a network and have information that is critical to national security and the public interest, and therefore must be protected from cyber threats by implementing cybersecurity standards issued by regulatory authorities.
- b) CII Operators
Under Section 3 of the Cybersecurity Act, a CII operator is any public or private entity responsible for information which is critical to national security and the public interest, such as banking, information technology, telecommunications, and transportation. CII Operators are required to have cybersecurity measures that comply with standards specified by their local regulators, code of practice and other relevant authorities such as the NCSC and CSRC.
- c) Operator of Essential Services
An operator of essential services is similar to a CII operator. Any public or private entity that provides a service that is essential for the maintenance of vital societal functions must have standard cybersecurity measures in place in order to cope with cybersecurity incidents.
- d) Cloud Computing Services
Cloud computing service is not specifically defined in the Cybersecurity Act. These services, however, can be subject to the Cybersecurity Act as they can be categorized as information technology and telecommunications services, which are services relating to CII and therefore services which are subject to the Cybersecurity Act.
- e) Digital Service Providers
The term “digital service provider” is not specifically defined in the Cybersecurity Act. However, similar to cloud computing services, these providers can be considered CII Operators, as digital services fall within the classification of CII; these providers would therefore be subject to the Cybersecurity Act.
- f) Other
The term “cyber threat” is a key definition in the implementation of the Cybersecurity Act, and refers to any illegal actions that use computers, network systems or offensive programs to cause or that are likely to cause an adverse impact on a computer, a computer network or data.
The Cybersecurity Act further elaborates on “cyber threat” by categorizing it into three levels, as follows:
(i) Non-critical – any threat that may negatively impact the performance of a CII Operator’s computer system or services provided by government entities;
(ii) Critical – any threat to a computer system or computer data that is significantly increased with the intention to attack CII relating to national infrastructure, national security, the economy, healthcare, international relations, governmental functions, etc., and such an attack would impair the provision of CII-related services; and
(iii) Crisis – any threat greater than a critical-level event, which may have a widespread impact such as causing the government to lose control of a computer system, or any threat that may lead to mass destruction, terrorism or an overthrow of the government.
Details of cyber threats as well as the preventive and mitigative measures employed for each level of cyber threat shall be further determined by the NCSC.
- a) Security Measures
Under Sections 44 and 56 of the Cybersecurity Act, each government entity, competent regulator and CII entity must have in place a code of practice, organizational measures and a cybersecurity framework that complies with prescribed cybersecurity minimum standards. The code of practice must at least cover cybersecurity risk identification and assessment performed by either an internal or external independent auditor at least once a year (which must be reported to the NCSC office within 30 days) and a cyber threat response plan.
CII entities must further provide monitoring mechanisms for cyber threats and cybersecurity incidents that threaten their CII according to standards as prescribed by the NCSC or CSRC. CII entities must also participate in cybersecurity testing organized by the NCSC in order to assess and ensure their readiness in responding to cyber threats.
- b) Notification of Cybersecurity Incidents
There is an obligation to notify the competent regulatory authority in the event of a cybersecurity incident.
In the event of a cybersecurity incident involving the CII of either public or private entities, these entities must investigate all of their information, computer data and computer systems, including any circumstances related to the incident, to evaluate the cyber threat; follow the measures under the code of practice and cybersecurity standards in responding to and mitigating the cyber threat; and notify the NCSC office and the competent regulator of each entity involved in the cybersecurity incident.
A specific timeline for the notification is not addressed under the Cybersecurity Act. It does, however, include details on process and requirements, and a timeline for the notification may be prescribed by the CSRC in the future.
- c) Registration with Regulatory Authority
There is no requirement to register with a regulatory authority. Under the Cybersecurity Act, the NCSC shall be responsible for designating entities which have services relating to CII, to be deemed as CII Operators, which shall be subject to obligations under the Cybersecurity Act. The criteria for making such designations shall be published in the Royal Gazette, which may be periodically revised as deemed necessary.
- d) Appointment of a Security Officer
There is an obligation to appoint a security officer as prescribed under Section 46 of the Cybersecurity Act. Each government entity, competent regulator and CII entity must notify the names of its personnel at both management level and practitioner level to the NCSC office to coordinate cybersecurity matters. If there is a change of responsible personnel, this change must be notified to the NCSC office. However, no specific timeline for the notification is stipulated in the Cybersecurity Act.
- e) Other Requirements
Under Section 52 of the Cybersecurity Act, for coordination purposes, CII operators are required to notify the names and contact details of owners, possessors and administrators of their computers and computer systems that have management-level control over the entity to the NCSC office, the competent regulator and the Computer Security Coordination Center within 30 days from the date the NCSC publishes criteria designating entities which have services relating to CII in the Royal Gazette. In the event of a change of owner, possessor or administrator, the notice must be sent to each responsible authority at least seven days prior to the change.
CII operators that fail to report cybersecurity incidents to the NCSC office and their competent regulator, without reasonable cause, shall be subject to a maximum fine of THB 200,000.
Any person who refuses to provide information and documents required for the assessment of a cyber threat and its impacts, without reasonable cause, shall be subject to a maximum fine of THB 100,000.
During a critical-level threat, any owner, possessor, user or administrator of a computer or computer system who fails to monitor and/or verify the computer or computer system to search for defects or assess impacts from cyber threats as ordered by a competent officer shall be subject to a maximum fine of THB 300,000 and an additional daily fine of up to THB 10,000 until the order is complied with.
In addition, a failure to fix defects and/or eliminate undesirable programs, retain any computer or computer system for forensic purposes or access any computer or computer system to prevent a cyber threat as ordered by a competent officer shall be subject to imprisonment of up to one year and/or a maximum fine of THB 20,000.
During a critical-level threat, any person who obstructs or refuses a competent official access to information or premises and/or the seizure of computer systems, data and related equipment endeavoring to prevent and mitigate a cyber threat, without reasonable cause, shall be subject to imprisonment of up to three years and/or a maximum fine of THB 60,000.
An offender that is a juristic person, or an authorized person of the juristic person who is involved in an offense, either by performing unlawful actions or by failing to perform certain actions that cause the juristic person to commit an offense, shall be subject to the above penalties.
The contents herein are for informational purposes only and should not be relied upon as legal advice. For more information, please contact John P. Formichella, Partner at Blumenthal Richter & Sumet, at firstname.lastname@example.org.