Cybersecurity Law in Thailand
John P. Formichella, Naytiwut Jamallsawat and Artima Brikshasri
Thailand has rapidly grown its digital economy, and has made a
concerted push towards technological innovation. As technology has evolved
within the country, however, so has the threat of cybersecurity issues.
In order to tackle this looming threat, the government of Thailand
released the Cybersecurity Act B.E. 2562 (2019) (“Cybersecurity Act”),
which was published in the Government Gazette on 27 May 2019 and is now
in effect. The Cybersecurity Act endeavors to enforce legal safeguards to
ensure the security of cyberspace, and in particular, sets out a cybersecurity
risk assessment plan to prevent and mitigate against cybersecurity threats that
may affect the stability of national security and the public interest,
including interests related to the economy, healthcare, international relations
and other governmental functions, among other areas.
The Cybersecurity Act applies to both public and private sector
entities that: i) own information and communication infrastructure which is
integral to the maintenance of vital societal functions, otherwise known as
Critical Information Infrastructure (“CII”); and ii) are engaged in the
following services:
1. National security;
2. Material public service;
3. Banking and finance;
4. Information technology and telecommunications;
5. Transportation and logistics;
6. Energy and public utilities;
7. Public health; and
8. Other areas that may be further prescribed by the relevant cybersecurity authority.
Under the Cybersecurity Act, these companies must put in place
internal guidelines for managing cybersecurity issues, and these guidelines
must be in accordance with the national cybersecurity master plan.
In addition to the Cybersecurity Act, cybersecurity matters are
addressed in the Computer Crimes Act B.E. 2550 (2007) (“CCA”), which
stipulates that any import, dissemination or forwarding of data through a
computer system that may cause damage to the public (i.e., to public security, the national economy, public infrastructure, etc.) shall be considered an
offense under the CCA.
Regulatory Authority
There are two main cybersecurity regulatory authorities, as follows:
a) National Cyber Security Committee
The National Cyber Security Committee (“NCSC”) is comprised
of the Prime Minister of Thailand as the chairman, and directors from the
government and the private sector that hail from areas that are of benefit to
cybersecurity such as engineering, law and information technology. The NCSC
sets out general cybersecurity policies and action plans as well as minimum
standards for computer systems used in both government agencies and CII
entities, in accordance with the national cybersecurity master plan.
The NCSC also has the authority to determine the levels of
cybersecurity threats under the Cybersecurity Act (i.e., non-critical, critical
and crisis) as well as the preventive and mitigative measures that should be in
place for each of these levels. To enable this, the NCSC is empowered to
request information and documents from, and access the facilities of, private
entities, subject to the owner’s consent, in order to analyze and evaluate the
impact of a critical cyber threat, determine the cybersecurity threat level and
identify appropriate preventive and mitigative measures.
b) Cyber Security Regulatory Committee
The Cyber Security Regulatory Committee (“CSRC”) consists of
the Minister of the Ministry of Digital Economy and Society as the chairman,
and similar to the NCSC, has directors from the government and the private
sector from areas that benefit cybersecurity. The role of the CSRC is to set
out codes of practice and minimum standards for cybersecurity in the public and
private sectors relating to CII, including risk assessment and mitigation plans
against cyber threats. In addition, the CSRC may order public and private
sector entities to prevent, mitigate and/or re-evaluate cyber threats in line
with prescribed cybersecurity minimum standards.
If a critical level threat is discovered, the CSRC is empowered to
perform any action to prevent or mitigate such threat. For example, the CSRC
may order an owner or user of a computer that is the subject of a cyber threat
to fix defects or eliminate undesirable programs. Furthermore, if judicial
permission is granted, the CSRC may access information and/or seize computer
systems, data and related equipment for a maximum of 30 days to prevent and
mitigate cyber threats.
In the case of a crisis-level threat, the National Security Council
shall take charge and carry out its duties. For any crisis-level threat which
requires an immediate response, however, the CSRC is authorized to perform any
act warranted as necessary without judicial permission.
In addition to the two main regulatory authorities above, there are
two other relevant authorities: the Computer Security Coordination
Center, and the competent regulators responsible for monitoring and taking action
against cyber threats as well as for setting cybersecurity minimum requirements
for the CII entities under their supervision.
Regulatory Authority Guidance
The guidance on cybersecurity under the Cybersecurity Act relates to
the development of security mechanisms to safeguard CII and enhance the
prevention and mitigation of national cyber threats. The guidance also
emphasizes the importance of cooperation between public and private sectors as
well as international organizations in order to cope with cyber threats.
The development of cybersecurity research and local expertise, together with
effective cybersecurity-related laws and regulations, is also considered a key factor
in enforcing cybersecurity. The NCSC’s policies and plans on cybersecurity
measures must be formulated in line with this general guidance.
Scope of Application
There are a number of main concepts in cybersecurity that are
addressed or have been adopted under the Cybersecurity Act, as follows:
a) Network and Information Systems
Network and information systems broadly correspond to CII under the
Cybersecurity Act, which again refers to information and communication
infrastructure, such as a computer system of a public or private entity,
that is essential for the maintenance of core societal functions including
national security, public safety or public utility infrastructure. A computer
system in this context is treated as a network holding information that
is critical to national security and the public interest, and therefore must be
protected from cyber threats by implementing the cybersecurity standards issued by
the regulatory authorities.
b) CII Operators
Under Section 3 of the Cybersecurity Act, the term CII operator refers to
any public or private entity responsible for information which is critical to
national security and the public interest, in sectors such as banking, information
technology, telecommunications and transportation. CII Operators are required
to have cybersecurity measures in place that comply with the standards specified by their
local regulators, the applicable code of practice and other relevant authorities such as the
NCSC and CSRC.
c) Operator of Essential Services
An operator of essential services is similar to a CII operator. Any
public or private entity that provides a service that is essential for the
maintenance of vital societal functions must have standard cybersecurity
measures in place in order to cope with cybersecurity incidents.
d) Cloud Computing Services
Cloud computing services are not specifically defined in the Cybersecurity
Act. These services, however, can be subject to the Cybersecurity Act, as they
can be categorized as information technology and telecommunications services,
which are services relating to CII and are therefore within the scope of
the Cybersecurity Act.
e) Digital service providers
The term digital service provider is likewise not specifically defined in the
Cybersecurity Act. However, as with cloud computing services, these providers
can be considered CII Operators, since digital services fall within the classification
of CII; these providers would therefore be subject to the Cybersecurity Act.
f) Other
The term “cyber threat” is a key definition in the implementation of
the Cybersecurity Act, and refers to any illegal actions that use computers,
network systems or offensive programs to cause or that are likely to cause an
adverse impact on a computer, a computer network or data.
The Cybersecurity Act further elaborates on “cyber threat” by
categorizing it into three levels, as follows:
(i) Non-critical – any threat that may negatively impact the
performance of a CII Operator’s computer system or of services provided by
government entities;
(ii) Critical – any threat to a computer system or computer
data that has significantly escalated, with the intention of attacking CII relating
to national infrastructure, national security, the economy, healthcare,
international relations, governmental functions, etc., where such an attack would
impair the provision of CII-related services; and
(iii) Crisis – any threat greater than a critical-level
event, which may have a widespread impact such as causing the government to
lose control of a computer system, or any threat that may lead to mass
destruction, terrorism or an overthrow of the government.
Details of cyber threats as well as the preventive and mitigative
measures employed for each level of cyber threat shall be further determined by
the NCSC.
Requirements
a) Security Measures
Under Sections 44 and 56 of the Cybersecurity Act, each government
entity, competent regulator and CII entity must have in place a code of
practice, organizational measures and a cybersecurity framework that complies
with prescribed cybersecurity minimum standards. The code of practice must at
least cover cybersecurity risk identification and assessment performed by
either an internal or external independent auditor at least once a year (which
must be reported to the NCSC office within 30 days) and a cyber threat response
plan.
CII entities must further provide monitoring mechanisms for cyber
threats and cybersecurity incidents that threaten their CII according to
standards as prescribed by the NCSC or CSRC. CII entities must also participate
in cybersecurity testing organized by the NCSC in order to assess and ensure
their readiness in responding to cyber threats.
b) Notification of Cybersecurity Incidents
There is an obligation to notify the competent regulatory authority
in the event of a cybersecurity incident.
In the event of a cybersecurity incident involving the CII of either
public or private entities, these entities must: investigate all of their
information, computer data and computer systems, including any circumstances
related to the incident, in order to evaluate the cyber threat; respond to and
mitigate the cyber threat by following the measures set out in the code of
practice and cybersecurity standards; and notify the NCSC office and the competent regulator
of each entity involved in the cybersecurity incident.
A specific timeline for the notification is not addressed under the
Cybersecurity Act. It does, however, include details on process and
requirements, and a timeline for the notification may be prescribed by the CSRC
in the future.
c) Registration with Regulatory Authority
There is no requirement to register with a regulatory authority.
Under the Cybersecurity Act, the NCSC shall be responsible for designating
entities which have services relating to CII as CII Operators,
which shall then be subject to the obligations under the Cybersecurity Act. The criteria
for making such designations shall be published in the Royal Gazette
and may be periodically revised as deemed necessary.
d) Appointment of a Security Officer
There is an obligation to appoint a security officer as prescribed
under Section 46 of the Cybersecurity Act. Each government entity, competent
regulator and CII entity must notify the names of its personnel at both
management level and practitioner level to the NCSC office to coordinate
cybersecurity matters. If there is a change of responsible personnel, this
change must be notified to the NCSC office. However, no specific timeline for
the notification is stipulated in the Cybersecurity Act.
e) Other Requirements
Under Section 52 of the Cybersecurity Act, for coordination
purposes, CII operators are required to notify the names and contact details of
owners, possessors and administrators of their computers and computer systems
that have management-level control over the entity to the NCSC office, the
competent regulator and the Computer Security Coordination Center within 30
days from the date the NCSC publishes criteria designating entities which have
services relating to CII in the Royal Gazette. In the event of a change
of owner, possessor or administrator, the notice must be sent to each
responsible authority at least seven days prior to the change.
Penalties
CII operators that fail to report cybersecurity incidents to the
NCSC office and their competent regulator, without reasonable cause, shall be
subject to a maximum fine of THB 200,000.
Any person who refuses to provide information and documents required
for the assessment of a cyber threat and its impacts, without reasonable cause,
shall be subject to a maximum fine of THB 100,000.
During a critical-level threat, any owner, possessor, user or
administrator of a computer or computer system who fails to monitor and/or
verify the computer or computer system to search for defects or assess impacts
from cyber threats as ordered by a competent officer shall be subject to a
maximum fine of THB 300,000 and an additional daily fine of up to THB 10,000
until the order is complied with.
In addition, a failure to fix defects and/or eliminate undesirable
programs, retain any computer or computer system for forensic purposes or
access any computer or computer system to prevent a cyber threat as ordered by
a competent officer shall be subject to imprisonment of up to one year and/or a
maximum fine of THB 20,000.
During a critical-level threat, any person who obstructs or refuses
a competent official access to information or premises and/or the seizure of
computer systems, data and related equipment endeavoring to prevent and
mitigate a cyber threat, without reasonable cause, shall be subject to
imprisonment of up to three years and/or a maximum fine of THB 60,000.
If the offender is a juristic person, or an authorized person of the
juristic person is involved in the offense, whether by performing unlawful
actions or by failing to perform certain actions such that the juristic person
commits an offense, that person shall be subject to the above penalties.
The contents herein are for informational purposes only and should not be relied upon as
legal advice. For more information, please contact John P. Formichella at john@fosrlaw.com.