Businesses in Asia and their general counsel are faced with safeguarding against increasingly sophisticated cyber-threats while navigating a complex regulatory framework for incident disclosure. Chandu Gopalakrishnan reports

On 27 February this year, the general counsel of Australian businesses woke up to a new and worrying decision by the Australian government.

The authorities issued guidelines for boards of directors of companies operating in the region on better and timely action during cybersecurity incidents. What was unprecedented was the decision to hold the board responsible for timely disclosure of a cyber-crisis, and to make it liable for improper disclosure or no disclosure at all.

“Cybersecurity is the responsibility of everyone, including business,” wrote Clare O’Neil, Australia’s minister for cybersecurity, on her social media channels.

According to her, the new and stringent governance guidelines will hold Australian company directors to higher standards and help them respond “swiftly, accurately and transparently” during attacks.

“It will help companies know their obligations when it comes to protecting their cyber security and how best to respond to cyberattacks and ransom demands,” she wrote.

However, the newly issued guidelines do not mention any time window for the affected companies to make mandatory disclosure of an incident, the damage done and the possible ramifications.

“Organisations may also be required to notify contractual counterparties of the incident within a specific timeframe, and third parties may have a contractual right to attend the organisation’s premises for auditing purposes,” says an explanation under a section titled “Contractual implications”.

This clearly puts the onus of reporting an incident at the earliest and avoiding any form of misreporting firmly on the company board and, by extension, the general counsel of the business.

An exploratory look by Asia Business Law Journal has revealed that policy mindsets are similar across Asia.

EU developments, Asia effects

Data protection and data breach disclosure norms across the world faced a watershed moment in May 2018, when the EU implemented the General Data Protection Regulation, or GDPR.

Under the GDPR, organisations must report a personal data breach to the relevant supervisory authority without delay and, when feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to personal rights and freedoms.

If the notification is not made within 72 hours, it should be accompanied with reasons for the delay.

When the data breach is likely to result in a high risk to individuals, the organisation must also reveal the incident to those affected without undue delay.

Under the GDPR, failure to report a data breach within a 72-hour window, or failure to comply with any other requirement related to handling data breaches, can result in significant penalties.

The penalties for non-compliance with the GDPR, including failure to report a data breach on time, can be up to EUR20 million (USD21.7 million) or 4% of the firm’s total global annual turnover of the preceding financial year, whichever is higher.

The exact penalty within this framework depends on several factors including the nature, gravity and duration of the infringement, any actions taken by the firm to mitigate the damage, and any previous infringements by the firm.

The ambit of the GDPR goes beyond the EU. Under the regulations, if a company or organisation outside the EU offers goods or services to people in the EU or monitors their behaviour, the GDPR still applies to them.

Sensing the economic ramifications, several countries around Asia quickly moved to ensure their data security laws align with the GDPR, with Japan and South Korea leading the way. Both countries even made it onto the EU’s “white list” of countries outside the EU offering an adequate level of data protection.

US moves to centralisation

In the US, there is no single federal law that dictates a uniform timeframe for reporting cybersecurity incidents for all organisations across every sector. Instead, the US has a patchwork of state and sector-specific laws and regulations that govern data breach notifications.

Nearly every state in the US has its own data breach notification law, and these laws vary in terms of what constitutes a breach, what types of data are covered, and the timeline for notification.

Most states require notification of affected individuals without unreasonable delay, with specific timeframes usually set at 30 or 45 days after discovery of the breach.

There are also federal regulations, like the Health Insurance Portability and Accountability Act, that include data breach notification requirements for specific sectors.

The US federal government recently started working to establish more unified cybersecurity incident reporting requirements, particularly for critical infrastructure sectors.

For instance, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires certain critical infrastructure entities to report substantial data breaches to the Cybersecurity and Infrastructure Security Agency within 72 hours, and ransomware payments within 24 hours.

The US also imposes big-ticket penalties for non-disclosure of cybersecurity incidents.

One of the most significant penalties for the non-disclosure of a cyberattack involved the credit reporting agency Equifax. In September 2017, the company disclosed a massive data breach that had exposed the personal information of about 147 million people.

In response to the breach and its mishandling, including delays in disclosure and inadequate security measures that led to the breach, Equifax agreed to a global settlement that included the Consumer Financial Protection Bureau, the Federal Trade Commission, and 50 US states and territories.

The settlement, announced in July 2019, required Equifax to pay at least USD575 million and up to USD700 million as part of the penalty, and to provide affected consumers with credit monitoring services, which further increased the company’s costs associated with the breach.

Meanwhile, Asian counterparts were still playing catch-up when it came to disclosure norms.

Japan, then South Korea

In Japan, the Act on the Protection of Personal Information was revised significantly in 2020. While the act requires businesses to take necessary and proper measures to prevent leaks of personal data, it does not specify a strict timeline for reporting data breaches.

However, guidelines suggest promptly notifying affected individuals and the relevant authority, the Personal Information Protection Commission, when a significant breach occurs. Penalties for non-compliance include imprisonment for up to six months or fines of up to JPY500,000 (USD3,400), depending on the nature of the violation.

Other Asian countries soon followed suit. While cybersecurity incident disclosure became mandatory in most Asian countries, none of these respective provisions give specific time windows for organisations to report breaches, nor are they clear about what constitutes misreporting.

In South Korea, in the event of a data breach, the Personal Information Protection Act requires data handlers to immediately notify the affected individuals and, for breaches affecting more than 1,000 people, to also notify the Korea Internet & Security Agency and the Personal Information Protection Commission.

Keun Woo Lee, a partner at Yoon & Yang in Seoul, says: “If a cyber incident occurs, it must be reported unconditionally regardless of whether or not any personal information leak has occurred. Furthermore, if a personal information leak has indeed occurred, if certain standards are met as described above, a separate and additional report must be made as well.

“Companies may not want to report cyber incidents, but the current law imposes a reporting obligation in the event of an accident. Accordingly, a response must be prepared in the event of an accident.”

Under the current legal provisions, entities neglecting to report an incident could face fines of up to KRW10 million (USD7,500). The consequences intensify if the breach involves a personal information leak.

Under provisions of the Personal Information Protection Act, failure to report such incidents could result in fines of up to KRW30 million as well as criminal penalties including imprisonment for responsible parties.

However, again, there is no blanket provision on the time window in which the disclosure must be made.

“Laws pertaining to electronic financial transactions and medicine provide special regulations and reporting obligations regarding cyber incidents,” says Lee.

“As such, financial companies, electronic financial businesses and medical institutions must make reports as required under such laws and regulations.”

Singapore stands out

Singapore is a rare exception when it comes to imposing disclosure deadlines.

The Personal Data Protection Act (PDPA) in Singapore requires organisations to notify the Personal Data Protection Commission (PDPC) and affected individuals as soon as practicable if there is a data breach that is likely to significantly harm or impact the individuals concerned.

The PDPA was amended in 2020 to introduce mandatory data breach notification requirements, with organisations required to assess the breach and notify if it meets certain criteria, typically within 72 hours of assessment.

Fines for non-compliance can go up to SGD1 million (USD749,000) or 10% of the organisation’s annual turnover in Singapore, whichever is higher.

“The PDPC may also publish its decision that the organisation failed to comply with the PDPA, which may lead to negative publicity for the organisation,” says Lam Chung Nian, a partner at WongPartnership in Singapore.

The PDPA also provides for various offences relating to non-cooperation with the PDPC, he adds. “In the case of an individual, if convicted, they may be liable to be fined up to SGD10,000 and/or imprisoned for up to 12 months.”

The highest financial penalty imposed to date under the PDPA in a single decision amounted to a total of SGD1 million, comprising a SGD750,000 penalty imposed on a healthcare technology provider and a SGD250,000 penalty imposed on a healthcare provider.

“These financial penalties were imposed in 2019, before amendments to the PDPA in 2022, which increased the maximum financial penalty. Future financial penalties may be higher on account of the increased maximum quantum,” says Lam.

China, India, and 2 billion reasons

Cybersecurity incidents invite stricter scrutiny and harsher penalties if personal data is breached. By that standard, India and China – the world’s two most populous countries – are the biggest minefields for companies and their general counsel.

The Cybersecurity Law of China, effective from June 2017, requires network operators to take immediate measures to address cybersecurity incidents, mitigate the impacts, and file reports to the relevant authorities.

The Personal Information Protection Law, effective November 2021, further strengthens these requirements, especially concerning personal data protection, and sets out obligations for reporting breaches.

Penalties for non-compliance can be severe, including fines of up to CNY50 million (USD6.9 million) or 5% of the annual turnover of the previous year, whichever is higher.

Meanwhile, India’s approach to data protection is in a state of transition, with the Personal Data Protection Bill still under discussion.

The primary legal framework for cybersecurity incident reporting comes from the Information Technology Act, 2000, and the rules and guidelines issued by the Indian Computer Emergency Response Team (CERT-In).

However, if the proposed act is enacted without any changes, businesses in India would face the shortest incident disclosure window in the world.

As per the directions dated 28 April 2022, issued by CERT-In, a cyber incident must be reported to it within six hours of the service provider, intermediary, data centre, body corporate or government organisation becoming aware of it.

Failure to report the breach may result in both imprisonment of up to one year and a fine that may extend to INR10 million (USD121,000).

The evolution of legal provisions across the world shows that such tight deadlines and harsh penalties are usually imposed after landmark cases. No big penalty has been imposed on any entity in India so far, says Vikrant Singh Negi, a partner at DSK Legal in Mumbai.

“However, sometime in October 2023, the Ministry of Electronics and Information Technology sent a notice to Apple after the latter had warned iPhone customers in India that their devices may have been targeted in a ‘state-sponsored’ attack,” he adds.

“Given the sensitivity and complexity of the issue involved, the ministry reminded Apple that such security breaches are required to be reported to CERT-In within six hours of occurrence.”

Cybersecurity incidents: the legal definition

Major Asian jurisdictions have adopted largely uniform approaches in defining cybersecurity incidents.

Speaking on the Indian Computer Emergency Response Team rules, Vikrant Singh Negi, a partner at DSK Legal in Mumbai, says: “‘Cyber incident’ has been defined very widely. It includes any real or suspected adverse event that is likely to cause an offence or harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity or availability of electronic information, systems, services or networks, and which further results in unauthorised access, denial of service, or disruption of the system.”

He adds: “It also includes unauthorised use of a computer resource, data or information manipulation, or an action that threatens public safety, undermines public confidence, has a negative effect on the national economy, or diminishes the security posture of the country.”

In Singapore, the Personal Data Protection Act of 2012 defines a data breach in relation to personal data as: (1) The unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or (2) The loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

“Accordingly,” says Lam Chung Nian, a partner at WongPartnership in Singapore, “the definition is fairly broad and can include situations that do not involve hacking, such as the loss of a laptop containing personal data or a phone containing personal data, which will fall under [point] (2).

“The definition also encompasses situations where personal data is not leaked, such as where it is deleted without authorisation by malware, or where it is encrypted without authorisation by ransomware – such situations will fall under [point] (2).”

In South Korea, the law puts the entire set of developments under an umbrella term, says Keun Woo Lee, a partner at Yoon & Yang in Seoul. The Information and Communication Network Act defines a cybersecurity incident as a “computer security incident”, and its scope is wider than a simple case of hacking or data breach, says Lee.

This includes various forms of cyberattacks such as hacking, but it also covers other methods that disrupt these systems. For example, incidents can involve the use of computer viruses, logic bombs, email bombs, denial of service attacks, or even high-power electromagnetic waves that aim to compromise network security.

He says it also includes situations in which someone installs a program or device within a network or system that allows them to bypass the usual security measures and gain unauthorised access.

The pan-Asian picture

The legal landscape around data protection and cybersecurity, including incident reporting and penalties for non-disclosure, varies across other major Asian jurisdictions.

Thailand’s Personal Data Protection Act, which came into full effect in June 2022, requires data controllers to notify the Personal Data Protection Committee and the data subjects “without delay” on discovering a data breach that is likely to result in a risk to the rights and freedoms of individuals.

The exact timeframe for notification depends on the specifics of the breach, but should be as prompt as possible. Penalties for non-compliance include fines, which can be substantial, depending on the nature of the violation.

In Malaysia, the Personal Data Protection Act 2010 does not explicitly mandate a timeframe for reporting data breaches to the authorities or affected individuals.

However, it requires the implementation of security measures to protect personal data. In practice, organisations are encouraged to report breaches to the Personal Data Protection Commissioner and notify affected individuals, especially if the breach poses significant harm. Penalties for failing to protect data include fines and imprisonment.

The Philippines’ Data Privacy Act of 2012, like that of Singapore, requires personal information controllers to notify the National Privacy Commission and affected individuals within 72 hours on knowledge of or reasonable belief that a data breach involving sensitive personal information has occurred and is likely to affect individuals’ rights and freedoms. Penalties for non-compliance include fines and imprisonment.

Indonesia’s data protection framework is primarily governed by the Regulation of the Minister of Communication and Informatics No. 20 of 2016, requiring electronic system operators to maintain the confidentiality, integrity and availability of personal data. While there is an obligation to notify the authorities in the event of a data breach, the regulation does not specify a strict timeline for such notifications. Indonesian legislators are currently working on a comprehensive Personal Data Protection Bill.

In Vietnam, cyber incidents fall under the Law on Cyber Information Security (LOCIS) and the Law on Cybersecurity, with the latter also including issues related to personal data breaches as outlined in Decree No. 13 on Personal Data Protection.

However, the financial penalty for non-compliance is merely a token amount, says Tran Manh Hung, co-chair of Baker McKenzie Joint Asian Offices’ IPTech Practice Group.

If someone fails to report a cyber incident as required by the LOCIS, they could be fined up to VND20 million (USD810). Additionally, for both cybersecurity and data privacy concerns, as soon as an IT system administrator becomes aware of any breach, they must notify the appropriate authorities.

“From the perspective of IT laws, the existing penalty imposed on a Vietnamese [business] for non-reporting is merely a monetary sanction, which is relatively low. Meanwhile, relevant sanctions against violations of cybersecurity laws remain absent,” says Tran. “Failure to report a cybersecurity incident (if detected) may be considered a violation of cybersecurity laws, triggering a cybersecurity audit conducted by the cybersecurity authority.”

Companies in Vietnam are not required to disclose an incident to the public on its occurrence, and the state authorities are obliged to keep relevant information confidential, says Tran.

“Thus, considering the severity of the situation, the type of data affected and the potential harm to individuals or the company itself, the affected company can, at its discretion, determine if the incident should be published.”

Cambodia does not have a comprehensive data protection law. The legal framework related to data privacy and cybersecurity is scattered across various legislation, and there are no specific requirements or timelines for reporting cybersecurity incidents.

Efforts have been made to draft and propose a personal data protection law, but as of early 2024, no comprehensive law had been enacted.

Hong Kong’s Personal Data (Privacy) Ordinance requires data users to take all practicable steps to protect personal data from unauthorised or accidental access, processing, erasure, loss or use.

While there is no mandatory data breach notification law, the Privacy Commissioner for Personal Data has issued guidance encouraging voluntary notification of serious data breaches as soon as possible. Penalties for non-compliance with the Ordinance can include fines and imprisonment, depending on the violation.

Geographic limitations

The legal definition of the geography of a cybersecurity incident often revolves around several factors including the location of the affected data subjects, the location of the data processing facilities, and the jurisdiction of the entity that experiences the breach.

The complexity of defining the geography of a cybersecurity incident is magnified in the context of the digital realm, as data flows across borders and attackers can operate from any location. Laws and regulations typically focus on the nexus between the affected individuals or entities and the jurisdiction enforcing the regulation.

In Singapore, the PDPA applies to organisations that collect, use or disclose personal data within the city-state. However, it also has extraterritorial reach if the organisation is engaged in international activities.

The focus is on the responsibility of organisations within its jurisdiction, or those that affect Singaporean residents, rather than the physical location of the cybersecurity incident itself.

Japan’s Act on the Protection of Personal Information applies to personal information handlers within Japan and to those outside Japan if the personal information of residents of Japan is managed, used or disclosed.

This means that the geography of a cybersecurity incident under the act is defined by the impact on Japanese residents, regardless of where the breach occurred.

South Korea’s Personal Information Protection Act is applicable to personal information controllers operating within the country.

However, it also considers the location of the data subjects. If the data subjects are in South Korea, the requirements for incident reporting and data protection measures apply, focusing on the protection of Korean citizens.

India’s approach to cybersecurity is outlined in the Information Technology Act and the proposed Personal Data Protection Bill. The jurisdiction is generally considered to be applicable to entities operating in India and handling the data of Indian citizens.

How to get it right, on time

Given the varying legal landscapes, general counsel of business organisations agree that they play an important and constantly evolving role in preparing for and responding to cybersecurity incidents.

Almost all law firm partners and general counsel contacted by Asia Business Law Journal agreed that effective preparation is crucial in getting the response right to mitigate legal risks and financial liability. For that, counsel must shift from an advisory role to a participatory one, they point out.

“Preparation for a cyber incident should begin far in advance before any such incident occurs,” says WongPartnership’s Lam. “Organisations should maintain a vigilant cybersecurity posture even in peacetime by implementing and executing a robust data protection management programme addressing cybersecurity and data protection issues.

“Such a programme should include a comprehensive data inventory to ensure that the organisation is aware of what data it holds and can address any gaps in its current practices, as well as a data breach response plan that facilitates a prompt and effective response to data breaches and cyber incidents.”

According to Lee at Yoon & Yang, preparation should happen “on a quotidian basis”.

“In the case of Korea, individual laws stipulate in detail what obligations should be observed and how through notices, etc., the preparation to prevent cyber incidents includes the establishment of countermeasures in the event of a cyber incident. What is ultimately important is such preparation ahead of time, along with regular vulnerability checks with respect to the status of information security,” he says.

Preparations should go far beyond satisfying the regulatory checklist, says DSK Legal’s Negi. “The companies will have to align their systems and protocols to not only meet the statutory reporting requirements but also to handle the crises in an effective and efficacious manner.

“To achieve this, organisations will have to internally assess their practices and determine how and where changes are required, and make appropriate investment in robust technologies and manpower resources.”

If needed, general counsel should seek external professional help to get the internal assessment practice and threat response plan right, advises Tran, of Baker McKenzie.

“Seeking assistance from a trusted law firm with the relevant expertise can assist the company in navigating through the cybersecurity legal procedure, providing the best suitable solution, and working with relevant authorities,” he says.

Supratim Chakraborty, a partner at Khaitan & Co in Kolkata, suggests the following guidelines that counsel across the region can use to stay prepared and mitigate the effects if a crisis occurs.

  • Development of playbooks and standard operating procedures. A cornerstone of preparedness is the creation of detailed playbooks and standard operating procedures that outline specific steps to be taken in response to a cybersecurity incident. These documents are vital for clarifying the roles and responsibilities across different organisational tiers, ensuring that every team knows exactly what to do and when. Regular updates to these guides are crucial to adapt to the ever-changing cyber threat landscape and regulatory adjustments.
  • Enhanced training and awareness programmes. An informed workforce is the first line of defence against cyber threats. Regular training sessions are imperative to keep employees abreast of the latest cybersecurity risks and preventive measures. Cultivating a strong cybersecurity culture within the organisation encourages vigilance and proactive behaviour among employees, significantly reducing the risk of incidents.
  • Streamlining reporting mechanisms. Efficiency in reporting is key to compliance and effective incident management. Organisations should aim to standardise their reporting process, possibly through a unified template that meets the requirements of regulatory bodies. This streamlined approach can lead to quicker, more consistent reporting during critical times.
  • Rigorous incident response drills. The theoretical planning for cyber incidents must be complemented with practical, periodic testing. Through simulated cyberattack scenarios, organisations can assess the effectiveness of their response strategies, identify weaknesses, and refine their action plans to ensure swift, co-ordinated responses to threats. General counsel have to be particularly careful about the vetting process of possible partners.
  • Engagement with regulatory bodies. Keeping abreast of the changing regulatory landscape is vital. Organisations should seek to understand and anticipate shifts in disclosure requirements and stay in contact with relevant authorities. This proactive engagement can provide insights into regulatory expectations and foster a collaborative approach to managing cybersecurity challenges.