What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?

Technology (3rd edition)

Armenia

a) obligations as to the maintenance of cybersecurity; and

There is no separate law or regulation which specifically regulates cybersecurity. However, sector-specific laws cover cybersecurity issues related to the activities in those particular fields.

b) the criminality of hacking/DDOS attacks?

Chapter 24, “Crimes against computer information security”, of the Criminal Code of Armenia criminalises the following:

  • access (penetration) into a computer information system without permission;
  • change in computer information;
  • computer sabotage;
  • illegal appropriation of computer data;
  • manufacture or sale of special devices for illegal penetration into a computer system or network;
  • manufacture, use and dissemination of hazardous software; and
  • breach of rules for operation of a computer system or network.

Dominican Republic

Law 53-07 on Cyber Crimes is based on the Dominican Republic’s Constitution and on the guarantee of human rights principles mandated by the various international treaties to which our country is a party, namely the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights under the auspices of the United Nations and the Inter-American Convention on Human Rights. It forbids fraudulent access to registered personal information and sanctions the active subjects (legal entities or individuals, national or foreign), whether inside or outside the Dominican territory, that engage in unlawful access to an electronic, automation, telecommunications or telematic system storing personal information of service providers’ clients. The sanction consists of the payment of an amount equivalent to 1 to 200 current national minimum wages and 3 to 12 months’ imprisonment. Consequently, internet access and its content are mainly self-regulated, except as to the punitive part under the abovementioned law, which also addresses improper behaviour, child pornography, denial-of-service attacks and other forms of cybercrime activity, including terrorism.

Egypt

a) There are no general statutory guidelines or legislation providing for the obligation to maintain cybersecurity. However, the Cyber Crimes Law obliges service providers of IT and Telecommunications services to ensure confidentiality of the customers’ data. This shall include maintaining cybersecurity.

b) According to Article 16 of the Cyber Crimes Law, hacking and cyber attacks are punishable by imprisonment for a period of no less than one year and/or a fine of no less than EGP 50,000 and not exceeding EGP 250,000.

Estonia

a) The Estonian Cybersecurity Act (Küberturvalisuse seadus), which transposed Directive (EU) 2016/1148 (also known as the NIS Directive), details the requirements and obligations for providers of essential services as well as the bases for the prevention and resolution of cyber incidents. The Cybersecurity Act is also applicable to digital service providers, i.e. online marketplaces, search engines and cloud computing services.

The Cybersecurity Act gives general guidelines regarding the security measures of service providers and digital service providers, and sets out the obligation to notify the Estonian Information System Authority, which is also the authority exercising state supervision, in cases of cyber incidents.

b) Hacking is regulated in the Estonian Penal Code (Karistusseadustik) § 217(1) as illegal obtaining of access to computer systems by elimination or avoidance of means of protection. Legal literature has explained that the means of protection could be either a physical or a software solution or a combination thereof. Examples of a physical solution would be a secure door restricting access to a server farm or also biometric protection, such as fingerprint or iris scanning. The software solution could be a password or other measure intended to restrict access, such as a firewall.

The penalty is either a pecuniary punishment or up to three years imprisonment. If the act causes significant damage, access was obtained to a computer system containing a state secret, classified foreign information or information prescribed for official use only or if access was obtained to a computer system of a vital sector, the potential penalty is a pecuniary punishment or imprisonment up to 5 years.

During a DDoS attack the targeted service is overwhelmed by a flood of traffic originating from multiple sources. The aim is to render the service incapable of responding to the multitude of queries. Because the attack is distributed, i.e. has multiple sources, it is difficult to stop, since blocking access for one specific source is not enough. In Estonia, DDoS attacks are qualified under § 207(1) of the Penal Code, which regulates illegal interference with or hindering of the functioning of computer systems by way of transmitting data. The maximum penalty is a pecuniary punishment or up to three years’ imprisonment. If the attack is committed against numerous computer systems, committed by a group, interferes with or hinders the functioning of a computer system of a vital sector or causes significant damage, the potential penalty is a pecuniary punishment or up to five years’ imprisonment.

Estonia has experience with DDoS-type attacks from 2007, when Estonia fell under a cyber-attack lasting twenty-two days. The attack prompted NATO to establish its Cyber Defence Centre in Tallinn. The affected services included banks, news media and the public sector. The website of the prime minister’s party at the time was also attacked, and the person responsible received a pecuniary penalty.

France

a) obligations as to the maintenance of cybersecurity; and

Key legal provisions in respect of cybersecurity include in particular:

  • Article 32 et seq. of the GDPR which require the data controller and the data processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk incurred by the personal data they process, and to notify breaches to the supervisory authority (the CNIL), except those unlikely to result in a risk to the rights and freedoms of natural persons;
  • the Military Programming Act of 18 December 2013, pursuant to which the State must rule on certain obligations such as the prohibition of certain systems connected to the internet; encourage the implementation of detection systems by certified providers; audit the security level of critical information systems; and, in the event of a major crisis, impose the necessary measures on Operators of Vital Importance (OIV);
  • EU Directive 2016/1148 of 6 July 2016 and Act no. 2018-133 of 26 February 2018, which provide for, amongst other measures, a high common level of security of networks and information systems between member States, including through standardisation; for security and notification requirements on operators of ‘essential services’ as well as on digital service providers; and for the creation of a computer security incident response team network (see Question 13);
  • the European Cybersecurity Act adopted on 7 June 2019, which reinforces the missions of ENISA, the European Cybersecurity Agency, to coordinate and develop cybersecurity policies throughout the Union, and sets up a European cybersecurity certification framework.

b) the criminality of hacking/DDOS attacks?

Act no. 88-19 of 5 January 1988 on software fraud creates various offences, such as fraudulent access to or continued presence within all or part of an automatic data processing system, and covers the criminality of hacking and DDOS attacks. This act was amended recently in order, in particular, to increase the quantum of applicable penalties.

China

a) obligations as to the maintenance of cybersecurity;

The PRC Cybersecurity Law provides a general principle that operators should take measures to secure the safety of networks and that individuals and organisations may neither engage in activities endangering cybersecurity, including illegally invading or interfering with others’ networks (see further below, Question 23(b)), nor provide programs or tools specifically used for activities endangering cybersecurity. Further, under PRC law, cybersecurity includes network operation security and network information security.

For network operation security, all network operators must, among other things:

  • formulate internal security management systems and operating instructions, determine the persons responsible for cybersecurity and implement cybersecurity protection measures;
  • take technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering cybersecurity; and
  • take technological measures to monitor and record the network operation status and cybersecurity incidents, preserving relevant web logs for no less than six months.

CIIOs have additional obligations, including to:

  • set up independent security management institutions, designate persons responsible for security management and review their and other key personnel’s security backgrounds;
  • periodically conduct cybersecurity education, technical training and skill assessments;
  • formulate contingency plans for cybersecurity incidents and periodically carry out drills; and
  • make disaster recovery backups of important systems and databases.

For network information security, all operators must follow the principles of ‘legitimacy, rightfulness and necessity’, disclose their rules of data collection and use, clearly express the purposes, means and scope of collecting and using the information and obtain data subjects’ consent, including to provide the personal information to others. Operators must adopt technical and any other necessary measures to ensure the security of the personal information they have collected and to prevent such information from being divulged, damaged or lost.

b) the criminality of hacking/DDOS attacks?

Illegally invading others’ networks, interfering with the normal functions of others’ networks and stealing cyber data or providing tools for such actions is prohibited. The PRC Criminal Law includes provisions specifically aimed at activities such as hacking. For example, the following acts in relation to hacking/DDOS attacks are subject to criminal liability:

  • invading computer information systems in the fields of state affairs, national defence construction or sophisticated science and technology;
  • invading any other computer information system to obtain data stored, processed or transmitted in the system or to exercise illegal control over it;
  • deleting, altering, adding or jamming the functions of any computer information system, making the system impossible to operate normally and causing serious consequences;
  • deleting, altering or adding the data stored in or handled or transmitted by the system, causing serious consequences; and
  • intentionally creating or disseminating destructive programs, such as computer viruses, thus affecting the normal operation of a computer system and causing serious consequences.

Israel

a) obligations as to the maintenance of cybersecurity; and

With respect to obligations as to the maintenance of cybersecurity, the Privacy Protection Regulations (Data Security), 5777-2017 (“Data Security Regulations”), implemented the data security requirements of Israel’s Protection of Privacy Law, 5741-1981. The Data Security Regulations require owners and possessors of personal data to implement various security measures to protect personal data (such as access controls, monitoring for vulnerabilities, use of encryption, etc.).

In addition, specific regulators have issued regulations imposing minimum standards with respect to cybersecurity, such as the guidelines for financial institutional entities published by the Commissioner of the Capital Market, Insurance and Savings at the Israeli Ministry of Finance, which include guidelines for managing cyber risks within specified institutions and adopting certain measures to enhance cyber protection; the guideline issued by the Banking Supervision Department of the Bank of Israel applicable to banks; the position statement published by the Israel Securities Authority (ISA), addressing public companies’ required disclosures for all cyber-related issues; and more.

b) The criminality of hacking/DDOS attacks?

The two main Israeli cybersecurity-related statutes addressing the criminality of hacking/DDOS attacks are the Computers Law, 5755-1995, and the Penal Law, 5737-1977.

Both the Computers Law and the Penal Law criminalise hacking and prohibit, among other things, programming software to carry out illegal operations, including:

  • Disrupting the proper operation of a computer or interfering with its use, or deleting, altering or disrupting computer material;
  • Unlawfully penetrating computer material;
  • Composing a software program in a manner that enables it to cause damage to or disruption of a non-specific computer or computer material.

Italy

a) obligations as to the maintenance of cybersecurity; and

Under Section 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security adequate to the risk, taking into account the state of the art and relevant costs, and the characteristics of the data processing activities. This means that, pursuant to the accountability principle, each entity shall assess its own situation and adopt the security measures that it deems appropriate.

It should be noted that the previous version of the Privacy Code provided for a technical annex which included the minimum-security measures to be taken. Following the entry into force of the GDPR, those minimum measures are now obsolete and there is currently no list of what can be considered as minimum-security measures.

Cybersecurity measures are also dealt with by Directive (EU) 2016/1148 (“NIS Directive”), implemented by Italian Legislative Decree no. 65/2018. Said regulation is aimed at setting adequate measures in order to pursue a high level of security of network and information systems through, inter alia, a national cybersecurity strategy.

b) the criminality of hacking/DDOS attacks?

Hacking/DDOS attacks could be considered as criminal offences according to Italian criminal law, Decree no. 1398/1930 (“Criminal Code”).

The main computer crimes identified under the Criminal Code are the following:

  • computer fraud, under Section 640-ter, which consists of altering the functioning of a computer system in order to obtain an unfair profit and damaging third parties;
  • illegal access to a computer or telecommunications system, under Section 615-ter;
  • the unauthorised possession and dissemination of access codes to computer and telematic systems, under Section 615-quater;
  • the dissemination of equipment, devices or computer programs aimed at damaging or interrupting a computer or telecommunications system, under Section 615-quinquies.

Japan

a) obligations as to the maintenance of cybersecurity; and

The key laws imposing obligations on companies to maintain cybersecurity include the Basic Cybersecurity Act and the APPI. More generally, an internal control system required under the Companies Act and the Financial Instruments and Exchange Act may, but is not necessarily required to, include the measures to maintain cybersecurity.

The Basic Cybersecurity Act provides that, in accordance with the basic principles set forth under the Act, cyberspace-related business entities (referring to those engaged in business regarding the maintenance of the Internet and other advanced information and telecommunications networks, the utilization of information and telecommunications technologies, or those involved in business related to cybersecurity) and other business entities must make a voluntary and proactive effort to ensure cybersecurity in their businesses and to cooperate with the measures on cybersecurity taken by the national or local governments.

The APPI does not directly set forth obligations to maintain cybersecurity, but the APPI and sector-specific guidelines provide rules for information security concerning personal information. For instance, under the APPI, a business operator handling personal information is required to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security of the personal data.

b) the criminality of hacking/DDOS attacks?

The Penal Code and the Unauthorised Computer Access Prohibition Act cover the criminality of hacking/DDOS attacks. Also, the acquisition of a trade secret or a specially designated secret through an unauthorised access or the like may be subject to criminal penalty under the Unfair Competition Prevention Act or the Specially Designated Secret Protection Act, respectively.

Malaysia

a) obligations as to the maintenance of cybersecurity; and

There is currently no single piece of legislation governing cybersecurity. In April 2019, the Malaysian government indicated that it is studying the possibility of introducing an Act on cybersecurity; however, no definite timeframe has been set for its development. The current legislation applicable to cybersecurity is:

(a) Computer Crimes Act 1997 (“CCA”): The CCA provides for offences relating to the misuse of computers and applies if the computer, programme or data was in Malaysia or capable of being connected to or sent to or used by or with a computer in Malaysia at the material time. The act(s) of gaining unauthorized access into computers or networks, committing or facilitating the commission of further offences, unauthorized modification of the contents of any computer and/or wrongful communication are all offences under the CCA and depending on the offence, upon conviction, applicable fines range from RM25,000 to RM150,000 and/or imprisonment of 3 to 10 years.

(b) CMA: The CMA was enacted to provide for and to regulate the converging communications and multimedia industries and regulates network facilities, network services, applications services, content applications services and includes the prescription of the licensing framework relating to such services and the activities undertaken by licensees thereunder. Section 263(1) of the CMA prescribes that “A licensee shall use his best endeavour to prevent the network facilities that he owns or provides or the network service, applications service or content applications service that he provides from being used in, or in relation to, the commission of any offence under any law of Malaysia.” The CMA prohibits inter alia the fraudulent or improper use of network facilities or network services; the use and possession of counterfeit access devices; the use of equipment or devices to obtain unauthorized access to any network services; and interception of any communications except with lawful authority.

(c) CA: It is an offence under Section 36A of the CA to circumvent (or to cause or authorise the circumvention of) any technological protection measure that is applied to a copy of a copyright work. A technological protection measure is defined as “any technology, device or component that, in the normal course of its operation, effectively prevents or limits the doing of any act that results in an infringement of the copyright in a work”. The CA also expressly prohibits anyone from (a) designing, producing, adapting or performing for the purpose of enabling or facilitating the circumvention of a technological protection measure; and (b) manufacturing, importing or selling any technology or device for the purpose of circumventing any technological protection measure.

(d) Penal Code (“PC”): Where specific cybersecurity-related offences are not captured under the CCA, CMA or CA, the PC which codifies most criminal offences and procedures in Malaysia, may be relied on to prosecute such offences.

(e) PDPA: The PDPA applies to any person who processes and has control over or authorises the processing of any “personal data” in respect of commercial transactions. There are 7 data protection principles that form the basis of protection under the PDPA, one of which is the Security Principle. Pursuant to Section 9(1) of the PDPA, a data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. In addition to the provisions of the PDPA, the Regulations also require data users to develop a security policy to ensure that personal data is protected from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. The Department of Personal Data Protection has published the Personal Data Protection Standard, which enumerates the minimum security standards for personal data processed electronically and non-electronically. The SC on 31 October 2016 also published Guidelines on Management of Cyber Risk, making it mandatory for entities to have clear and comprehensive cyber policies and procedures which are commensurate with their risk profiles.

(f) Strategic Trade Act 2010 (“STA”): As part of Malaysia’s international obligations on national security, the STA controls the export, transhipment, transit and brokering of strategic items and technology, including arms and related materials, as well as activities that will or may facilitate the design, development, production and delivery of weapons of mass destruction. Section 7 of the STA provides that the Minister of International Trade and Industry may, by order published in the Gazette, prescribe any items as strategic items for the purposes of the STA.

(g) Other Applicable Guidelines or Regulations: The National Cyber Security Policy (“NCSP”) was implemented by the Malaysian government with the aim to develop and establish a comprehensive programme and a series of frameworks to ensure the effectiveness of cybersecurity controls over vital assets and various sectors comprising the Critical National Information Infrastructure (“CNII”). While there are generally no minimum protective measures required, the Malaysian government has stipulated ISO/IEC 27001 Information Security Management Systems as the basis for information security standards and has proposed for all CNII sectors to be appropriately certified. There are also sector-specific guidelines that deal with cybersecurity in Malaysia. These include the Data Management and Management Information System Framework and Guidelines on Internet Insurance issued by the Central Bank of Malaysia.

b) the criminality of hacking/DDOS attacks?

A. Hacking

Hacking, being the unauthorised intrusion into or control over computer network security systems for some illicit purpose, is encapsulated in Section 3(1) of the CCA, which provides that:

“A person shall be guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that is the case.”

Section 4 of the CCA further provides that:

“(1) A person shall be guilty of an offence under this section if he commits an offence referred to in section 3 with intent—

(a) to commit an offence involving fraud or dishonesty or which causes injury as defined in the Penal Code [Act 574]; or

(b) to facilitate the commission of such an offence whether by himself or by any other person.

(2) For the purposes of this section, it is immaterial whether the offence to which this section applies is to be committed at the same time when the unauthorized access is secured or on any future occasion.”

A person found guilty of an offence under Section 3 of the CCA is liable to a fine not exceeding RM50,000 and/or imprisonment not exceeding 5 years while a person found guilty of an offence under Section 4 of the CCA is liable to a fine not exceeding RM150,000 and/or to imprisonment for a term not exceeding 10 years.

Hacking is also a criminal offence under the CA in respect of the circumvention (or the causing or authorisation thereof) of any technological protection measure that is applied to a copy of a copyrighted work. Section 41(1)(h) of the CA provides that “any person who during the subsistence of copyright in a work or performers’ right circumvents or authorizes the circumvention of any effective technological measures referred to in subsection 36A(1) shall, unless he is able to prove that he had acted in good faith and had no reasonable grounds for supposing that copyright or performers’ right would or might thereby be infringed, be guilty of an offence and shall on conviction be liable…a fine of not less than RM4,000 and not more than RM40,000 for each contrivance in respect of which the offence was committed and/or to imprisonment for a term not exceeding 10 years and for any subsequent offence to a fine of not less than RM8,000 and not more than RM80,000 for each contrivance in respect of which the offence was committed and/or to imprisonment for a term not exceeding 20 years”.

Persons who commit hacking offences may also be penalised under the PC and other applicable legislation for other ancillary offences, which include Section 378 of the PC for taking dishonestly without consent any movable property, or dishonest misappropriation of property under Section 403 of the PC, or identity theft under Section 416 of the PC.

B. Distributed Denial of Service (“DDOS”) Attack

While there is no specific legislation for DDOS attacks, Section 233(1)(b) of the CMA provides that a person who initiates a communication using any application service, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address, commits an offence.

A person found guilty of an offence under Section 233(1)(b) of the CMA is liable to a fine not exceeding RM50,000 and/or to imprisonment for a term not exceeding 1 year and shall also be liable to a further fine of RM1,000 for every day during which the offence is continued after conviction.

Additionally, Section 431A of the PC provides that a person who commits mischief by cutting or injuring any electric telegraph cable, wire, line, post, instrument or apparatus for signalling, shall be punished with imprisonment for a term which may extend to 2 years and with a fine.

Malta

a) obligations as to the maintenance of cybersecurity; and

Maltese legal instruments dealing with various aspects of cybersecurity include the following:

  • the Maltese Criminal Code provisions dealing with cybercrime under a chapter heading entitled ‘Of Computer Misuse’;
  • Processing of Personal Data (Electronic Communications Sector) Regulations (SL 586.01);
  • the Electronic Communications Networks and Services (General) Regulations (SL 399.28); and
  • the Council of Europe Cybercrime Convention, to which Malta has been a signatory since 2001, and which was ratified in April 2012.

b) the criminality of hacking/DDOS attacks?

Hacking and DDOS attacks are addressed by the Maltese Criminal Code provisions dealing with cybercrime under the chapter heading entitled ‘Of Computer Misuse’.

New Zealand

a) obligations as to the maintenance of cybersecurity; and

There are no specific laws relating to the maintenance of cybersecurity.

Under the Privacy Act, an agency holding personal information must ensure that it is protected by such security safeguards as are reasonable in the circumstances to take against loss, unauthorised access, use, modification or disclosure, or other misuse.

Other more general obligations may also be relevant, for example the Companies Act 1993 obliges directors of companies to exercise due care, skill and diligence in undertaking their role. For most companies, reliance on technology and data is business critical, meaning that the management of cyber risk is likely to form part of a director's obligations under this duty.

b) the criminality of hacking/DDOS attacks?

Under New Zealand criminal law, it is an offence to:

  • intend to access, or to access, a computer system dishonestly or by deception;
  • intentionally or recklessly destroy, damage or alter a computer system knowing, or where one ought to know, that danger to life is likely to result;
  • intentionally or recklessly and without authorisation
    - damage, delete or otherwise interfere or impair with any data or software in a computer system;
    - cause any of the above to occur; or
    - cause any computer system to fail, or to deny service to any authorised users; or
  • access a computer system without authorisation.

These sections are drafted very widely and cover hacking and distributed denial of service. The maximum penalties under these offences include a prison term not exceeding 10 years.

Germany

a) obligations as to the maintenance of cybersecurity; and

There are diverse regulations on cybersecurity depending on the industry sector and on which data is processed. When personal data is processed, section 32 GDPR requires a level of security appropriate to the risk. Telecommunications operators are obliged to take measures to protect the secrecy of telecommunications and to prevent unauthorised access to personal data in accordance with section 109 TKG. Section 8a BSI-Act (BSIG) [21] regulates obligations for operators of critical infrastructure to ensure their technical functionality. The implementation of the EU NIS Directive in the member states led to a high common security level of network and information systems in the EU.

b) the criminality of hacking/DDOS attacks?

Hacking/DDOS attacks are generally criminal offences under sections 202a to 202d StGB. These provisions punish spying on data, data interception, the preparation of spying and interception, as well as unauthorised receipt of data. Additionally, section 263a StGB regulates computer fraud, and sections 303a and 303b StGB cover data alteration and computer sabotage.

[21] Gesetz über das Bundesamt für Sicherheit in der Informationstechnik

Indonesia

a) obligations as to the maintenance of cybersecurity; and

In principle, Law 11/2008 provides general provisions on the operation of secure electronic activities. While it does not lay out greater detail on cybersecurity requirements, Law 11/2008 stipulates sanctions for any action that affects or poses a danger to the security of electronic systems, information and transactions.

Provisions on the security measures for electronic systems and transactions are dealt with further under GR 82/2012 primarily. This regulation consequently deals with the operation of, as well as the security of, any electronic system carrying out transactions. Despite the absence of the term “cybersecurity” in its provisions, GR 82/2012 includes provisions stipulating requirements relevant to the security of electronic systems that must be adhered to by any ESP in operating its electronic system.

When personal data is involved, MCI 20/2016 shall apply. MCI 20/2016 stipulates additional cybersecurity measures when processing personal data in an electronic system.

b) the criminality of hacking/DDOS attacks?

Pursuant to Law 11/2008, any unlawful access to, transmission to or interception of another party’s electronic system by any means, including breaching, infringing, surpassing or penetrating the security system of an electronic system, is considered a criminal offence.

A DDoS attack can be treated under Law 11/2008 as knowingly and without right causing interference to an electronic system and/or causing it not to work properly, which the Law prohibits.

Depending on the offence, the above are punishable by a maximum of six to ten years' imprisonment and/or a maximum fine of between IDR 600 million and IDR 10 billion.

Pakistan

a) obligations as to the maintenance of cybersecurity; and

While the applicable law imposes no general obligation to maintain cybersecurity, PECA criminalises unauthorised access to an information system, unauthorised copying of data, unauthorised access to critical infrastructure, electronic fraud, tampering with communication information, offences against the modesty or dignity of a person, writing or transmitting malicious code, cyber stalking, hate speech and glorification of an offence.

PECA provides for the constitution of computer emergency response teams (CERTs) to respond to any threat against or attack on critical infrastructure information systems or critical infrastructure data, or a widespread attack on information systems in Pakistan. To this end, the PTA has prepared an implementation framework titled "CERT (Computer Emergency Response Team) – Pakistan Telecom Sector Implementation Plan". The framework applies to the telecom sector, recommends the steps the PTA should take to establish such teams, and sets out the functions and roles of the CERT.

Further, sectoral regulators such as the State Bank of Pakistan (SBP) and the Securities and Exchange Commission of Pakistan (SECP) prescribe cybersecurity measures for the entities within their respective domains. For example, the SBP requires financial institutions to develop, document, implement and regularly review a formal, comprehensive IT security framework and policy for their branchless banking systems.

Additionally, a National Response Centre for Cyber Crime (NR3C) has been established by the Federal Investigation Agency (FIA) to identify and curb the phenomenon of technological abuse in society, and to deal with technology-based crimes in Pakistan.

b) the criminality of hacking/DDOS attacks?


PECA contains provisions that criminalise both hacking and DDoS attacks. Although neither term is defined in PECA, the following are offences when committed without the consent of the owner or person in charge of the information system or data: gaining unauthorised access to any information system or data; copying, transmitting or causing to be transmitted any data; interfering with or damaging (or causing interference with or damage to) any part or the whole of an information system or data; and doing the same to any part or the whole of a critical information system or critical data.

Additionally, depending on the nature and intent of the hacking or DDoS attack, relevant provisions of the Pakistan Penal Code 1860 may also be triggered.

Romania

a) obligations as to the maintenance of cybersecurity; and

Government Decision no. 271/2013 approves the Cyber Security Strategy of Romania.

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the "NIS Directive"), including its provisions on cloud computing services, has been fully transposed by Law no. 362/2018 concerning measures for a high common level of security of network and information systems ("Law 362/2018").

Law 362/2018 applies to operators of essential services ("OESs”) in the following fields:

  • energy;
  • oil;
  • natural gas;
  • air transport;
  • railway transport;
  • water transport;
  • road transport;
  • banking;
  • financial market infrastructure;
  • health;
  • water supply;
  • digital infrastructure.

Law 362/2018 is also applicable to digital service providers (“DSPs”).

Amongst others, Law 362/2018 requires OESs and DSPs to:

  • take appropriate measures to secure their networks and information systems;
  • implement measures to prevent and minimize the impact of security incidents affecting the security of their networks and information systems;
  • notify the competent authority (the Romanian National Computer Security Incident Response Team or “CERT-RO”) of any security incidents having a severe impact on service continuity;
  • interconnect with CERT-RO’s alerts and co-operation system.

From a GDPR perspective, the obligation of OESs and DSPs to notify CERT-RO of security incidents is without prejudice to their obligation to notify personal data breaches to the Romanian Supervisory Authority and, where applicable, to data subjects.

b) the criminality of hacking/DDOS attacks?

The following cyber crime related laws are particularly relevant:

  • Law no. 161/2003 on certain measures for transparency in the exercise of public functions and the business environment and for the prevention and sanctioning of corruption - Title III - Prevention of cyber crime;
  • Law no. 64/2004 ratifying the Council of Europe Convention on Cybercrime (E.T.S. no. 185, November 23, 2001); since said ratification, Romanian national laws have been amended so as to comply with the requirements of the convention regarding the collection, search, seizure, making available and interception of data; and
  • the Criminal Code (Law no. 286/2009).

South Korea

a) obligations as to the maintenance of cybersecurity; and

Under the Network Act, all information and communications service providers must implement certain technical and managerial measures stipulated by law in order to ensure the secure processing of personal information and prevent the loss, theft, leakage, forgery, alteration, or damage of the personal information. The detailed standards of such required measures are set forth in Article 15 of the Enforcement Decree of the Network Act and the Network Act’s implementing regulation called “Standards of Technical and Managerial Security Measures.”

Also, information and communications service providers (excluding small business owners) must designate a chief information security officer (“CISO”) for handling cybersecurity matters and report the designation of the CISO to the MSICT.

b) The criminality of hacking/DDOS attacks?

Hacking: Under the Network Act, no one may intrude into an information and communications network without proper authorisation or access rights, or beyond the permitted scope of access. Breach of this prohibition is punishable by imprisonment of up to five years or a fine of up to KRW 50,000,000.

DDoS attack: Under the Network Act, no one may cause a failure of an information and communications network, with the intention of interfering with its stable operation, by sending large volumes of signals or data or by causing the network to process illegitimate commands. Breach of this prohibition is punishable by imprisonment of up to five years or a fine of up to KRW 50,000,000.

Spain

Please note that Spain has a complex network of laws covering the various situations involving cybersecurity. Because the study and analysis of cybersecurity is essential to the adequate protection of companies, institutions and citizens, a Cybersecurity Law Code outlining the main laws affected by cybersecurity was published in the Spanish Official Gazette ("BOE") in 2016. This code is regularly updated by the National Institute of Cybersecurity ("INCIBE") and can be accessed here: https://www.boe.es/legislacion/codigos/codigo.php?id=173&nota=1&tab=2

a) obligations as to the maintenance of cybersecurity; and

There are two main pieces of regulation in terms of maintenance of cybersecurity:

  • The NIS RD. This Royal Decree implements EU Directive 2016/1148 in Spain. It concerns certain measures for achieving a common high level of security for network and information systems across the Union (NIS Directive), and is regarded as a key element in Spain's regulatory framework for cybersecurity. Through the enactment of the NIS RD, important security obligations are established for operators of essential services and digital services providers, as well as a system for the notification of incidents.
  • Law 8/2011 of 28 April on Critical Infrastructures. This law defines Critical Operators as the entities responsible for the investment in, or the day-to-day operation of, an installation, network, system or item of physical or information technology equipment designated as critical infrastructure. Critical infrastructures are those strategic infrastructures whose operation is essential and admits no alternative, so that their disruption or destruction would have a serious impact on essential services; strategic infrastructures are the facilities, networks, systems and physical and information technology equipment on which the operation of essential services rests. Among other obligations, Critical Operators must draw up an Operator Security Plan ("OSP") and, where required by subsequent regulation, a Specific Security Plan for each infrastructure designated as critical. OSPs are the strategic documents that define the Critical Operator's general policies for securing all the facilities and systems it owns or manages.

b) the criminality of hacking/DDOS attacks?

  • The Spanish Criminal Code (Organic Law 10/1995) includes the so-called "computer-related crimes". Whether a given act of hacking falls within one of these offences depends on the circumstances of the case, but most hacking would fall under Article 197 of the Criminal Code, which penalises obtaining third-party data through unauthorised entry into computer systems.

Sweden

a) obligations as to the maintenance of cybersecurity; and

The GDPR contains some provisions on the maintenance of cybersecurity, but they are concentrated on the protection of personal data.

For the protection of technical infrastructure, the main framework is the NIS Directive (EU 2016/1148), implemented in Swedish law by the Act on Information Security for Essential and Digital Services (Sw. lag om informationssäkerhet för samhällsviktiga och digitala tjänster), in force since 1 August 2018. The purpose of the directive is to achieve a high level of security in the networks and information systems of:

1. services crucial to society within the sectors of

  • energy,
  • transport,
  • banking,
  • financial market infrastructure,
  • healthcare,
  • delivery and distribution of drinking water,
  • digital infrastructure, and

2. digital services in general.

Different rules apply for services that belong to categories 1 and 2.

b) the criminality of hacking/DDOS attacks?

Chapter 4, section 9 c of the Penal Code (Sw. Brottsbalken) criminalises both hacking and DDoS attacks. The penalty is a fine or imprisonment for up to two years; where the offence is considered gross, the penalty is imprisonment for up to six years.

Taiwan

a) obligations as to the maintenance of cybersecurity; and

On 6 June 2018, Taiwan's first cybersecurity statute, the Cybersecurity Management Act (the "Cybersecurity Act"), was promulgated. Under the Cybersecurity Act, government agencies and the non-government agencies that provide "critical infrastructure" must maintain cybersecurity, adopt prescribed cybersecurity measures, report cybersecurity incidents to the relevant authorities and work with the authorities to resolve them. To our understanding, the Taiwan government has not yet completed the designation of what constitutes "critical infrastructure", but is expected to do so soon.

b) the criminality of hacking/DDOS attacks?

Under the Taiwan Criminal Code, hacking or DDoS attacks may attract criminal liability of up to three years' imprisonment, detention and/or criminal fines. The penalties are increased by up to one half where the attacked computer system belongs to the government. A person who produces computer software for others to use in hacking or DDoS attacks may be liable to up to five years' imprisonment, detention and/or criminal fines.

Turkey

a) obligations as to the maintenance of cybersecurity; and

The DPL imposes cybersecurity obligations on data controllers as part of its data security obligations: controllers must take all technical and administrative measures necessary to ensure an adequate level of security, including cybersecurity.

The Regulation on Network and Information Security, overseen by the ICTA, also imposes extensive cybersecurity obligations, including an obligation to form a team to address and resolve cybersecurity issues.

The Communiqué on the Management and Audit of Payment Institutions' and Electronic Money Institutions' Data Systems also imposes obligations to respond to cybersecurity incidents and to maintain the security of data systems.

b) the criminality of hacking/DDOS attacks?

Hacking and DDoS attacks constitute the offence of unlawful access to a computing system under the Turkish Criminal Code. The DPL also prohibits unlawful access to personal data.

United Kingdom

a) Obligations as to the maintenance of cybersecurity;

The key laws imposing obligations on companies to maintain cyber-security include the General Data Protection Regulation ("GDPR"), the Data Protection Act 2018 ("DPA 2018"), the Network and Information Systems Regulations 2018 ("NIS Regulations"), the Communications Act 2003 ("2003 Act") and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("2003 Regulations").

Under the DPA 2018, which implements the GDPR, controllers are subject to various obligations, including a duty to select only processors that provide sufficient guarantees of appropriate technical and organisational measures. Specifically, Article 32 of the GDPR requires controllers and processors to implement measures ensuring a level of security appropriate to the risk presented by the processing; this includes encryption where appropriate. In the event of a personal data breach, the controller must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33). Where the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be informed directly (Article 34).

The NIS Regulations focus on the availability of crucial network and information systems in order to protect critical infrastructure and apply to Operators of Essential Services ("OES") and Digital Service Providers ("DSP"), requiring OESs and DSPs to: (i) take appropriate technical and organisational measures to secure their network and information systems; (ii) take into account the latest developments and consider the potential risks facing the systems; (iii) take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and (iv) notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.

Under the 2003 Act, providers of public electronic communications networks ("PECN") and public electronic communications services ("PECS") must take technical and organisational measures to manage risks to the security of their networks and services (section 105A) and must notify Ofcom of security breaches (section 105B). PECS providers are also subject to the 2003 Regulations, which require them to take appropriate technical and organisational measures to safeguard the security of their services (Regulation 5(1)). PECS providers must inform the Information Commissioner's Office ("ICO") of any personal data breach (Regulation 5A(2)) and must inform the individuals concerned where the breach is likely to adversely affect the personal data or privacy of a subscriber or user (Regulation 5A(3)).

Businesses in the financial services sector are also subject to the Senior Management Arrangements, Systems and Controls ("SYSC") sourcebook in the FCA Handbook and to the STAR and CBEST testing schemes developed respectively by CREST (the Council for Registered Ethical Security Testers) and the Bank of England. SYSC imposes governance, systems and controls obligations that directly or indirectly create cybersecurity obligations for financial service providers (e.g. securing systems, managing risks, reducing the risk of financial crime and protecting client confidentiality). STAR and CBEST allow financial service providers to demonstrate cybersecurity assurance through structured, intelligence-led penetration and vulnerability testing.

Company directors also have an obligation to maintain cyber-security through the fiduciary duties they owe to their company, which are set out in the Companies Act 2006. These include the duty to promote the success of the company and to exercise reasonable care, skill and diligence while conducting their role (sections 172 and 174). Failure to understand and mitigate cyber risk (e.g. by failing to implement appropriate cyber-security measures) could equate to a breach of these duties, which could lead to a claim being brought against the directors by the company or its shareholders.

The EU Cybersecurity Act (Regulation (EU) 2019/881, the "2019 Act") was approved by the European Parliament in March 2019 and entered into force on 27 June 2019. The 2019 Act strengthens the European Union Agency for Network and Information Security ("ENISA") as the EU's competent authority on cybersecurity matters, giving it a permanent mandate, and introduces a common cybersecurity certification framework for a broad range of ICT products, services and processes. The EU-wide certification schemes adopted under it may create further obligations on businesses as to the maintenance of cybersecurity. The extent to which Brexit will affect the application of the 2019 Act in the UK remains to be seen.

b) The criminality of hacking/DDOS attacks?

The Computer Misuse Act 1990 ("CMA 1990") covers the criminality of hacking and DDoS attacks. The Regulation of Investigatory Powers Act 2000 ("RIPA") also created offences in respect of the unlawful interception of communications; that offence has since been re-enacted in section 3 of the Investigatory Powers Act 2016.

The CMA 1990 creates various cybercrime offences, including: unauthorised access to computer material (section 1(1)); unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (section 3), which is the provision most relevant to DDoS attacks; and unauthorised acts causing, or creating a significant risk of, serious damage of a material kind (section 3ZA(1)). On summary conviction, offences under sections 1(1) and 3 carry up to 12 months' imprisonment, a fine, or both; on conviction on indictment the maximum is two years for section 1 and ten years for section 3 (sections 1(3) and 3(6)). An offence under section 3ZA(1) carries up to 14 years' imprisonment, a fine, or both, rising to life imprisonment where the act causes or creates a significant risk of serious damage to human welfare or national security (section 3ZA(6) and (7)).

Under RIPA, it was an offence to intentionally and without lawful authority intercept a communication in the course of its transmission by a public or private telecommunications system (section 1), punishable by up to two years' imprisonment, a fine, or both (section 7). The equivalent offence under the Investigatory Powers Act 2016 carries the same maximum penalty.

United States

a) obligations as to the maintenance of cybersecurity;

Cybersecurity requirements are set out in a number of federal and state laws. As previously noted, both HIPAA and the GLBA have security regulations requiring the covered entity or institution to maintain administrative, physical and technical safeguards for the regulated data. A federal appellate court has also upheld the FTC's authority to bring enforcement actions against companies that use inadequate measures to secure consumer information.

States may also impose cybersecurity requirements. New York's NYDFS Cybersecurity Regulation requires covered financial services companies to adopt a programme to identify and respond to cybersecurity threats, maintain a cybersecurity policy consistent with ISO 27001, appoint a chief information security officer, use multi-factor authentication for inbound network connections and encrypt sensitive data. Covered entities must certify compliance annually.

Massachusetts enacted a comprehensive law, the Standards for the Protection of Personal Information of Residents of the Commonwealth, that requires all persons or entities that maintain personal information of a Massachusetts resident to implement a written information security plan containing appropriate administrative, technical and physical safeguards for such data.

When it takes effect in 2020, California's CCPA will allow consumers to sue a business whose failure to implement and maintain reasonable security procedures and practices results in unauthorised access to, or theft or disclosure of, their personal information.

b) the criminality of hacking/DDOS attacks?

Hacking and DDoS attacks implicate the following statutes.

The primary federal criminal statute addressing "hacking", distributed denial of service attacks and other computer crimes as such is the Computer Fraud and Abuse Act (the "CFAA"), 18 U.S.C. § 1030. The CFAA criminalises a range of computer-related conduct, including: intentionally accessing a protected computer without authorization and thereby obtaining information (18 U.S.C. § 1030(a)(2)(C)); knowingly accessing a protected computer without authorization with intent to defraud and thereby furthering the fraud and obtaining anything of value, unless the only thing obtained is the use of the computer and that use is worth no more than $5,000 in a one-year period (18 U.S.C. § 1030(a)(4)); knowingly transmitting a program, information, code or command and thereby intentionally causing damage to a protected computer (18 U.S.C. § 1030(a)(5)(A)); and intentionally accessing a protected computer without authorization and thereby causing damage (18 U.S.C. § 1030(a)(5)(B) and (C)). A "protected computer" under the CFAA includes any computer used in or affecting interstate or foreign commerce or communication (18 U.S.C. § 1030(e)(2)(B)), which in practice covers virtually any internet-connected system.

Certain other federal statutes, such as the Securities Act of 1933, have been amended to cover computer-related conduct, so each must be considered separately. Computer-related crimes such as hacking may also be prosecuted under numerous other federal statutes, including the Copyright Act, the National Stolen Property Act, the mail and wire fraud statutes, the Electronic Communications Privacy Act of 1986, the Telecommunications Act of 1996 and the Child Pornography Prevention Act of 1996.

Finally, many states have enacted anti-hacking and/or anti-wiretapping laws addressing computer-related crimes. State consumer fraud statutes and state tort and contract theories (e.g. trespass, invasion of privacy) may also be used against computer crimes such as hacking.

Australia

a) What key laws exist in terms of obligations as to the maintenance of cybersecurity?

APP 11 sets out an organisation's obligations to secure the personal and sensitive information it holds about individuals. It requires the organisation to take reasonable steps to protect that information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The Notifiable Data Breaches Scheme (NDB Scheme) in the Privacy Act requires organisations to notify the Privacy Commissioner and affected individuals of "eligible data breaches": unauthorised access to, unauthorised disclosure of, or loss of personal information where a reasonable person would conclude that the breach is likely to result in serious harm to the affected individuals.

In addition, there is industry-specific legislation. APRA's Prudential Standard CPS 234 came into effect on 1 July 2019 and applies to all APRA-regulated entities (e.g. authorised deposit-taking institutions, insurers and superannuation licensees). CPS 234 requires those entities to regularly review and invest in effective information security practices and to notify APRA within 72 hours of becoming aware of a material information security incident.

b) What key laws exist in terms of obligations as to the criminality of hacking / DDoS attacks?

Parts 10.6 and 10.7 of the Criminal Code Act 1995 (Cth) govern telecommunications and computer offences in Australia. Penalties range from one to ten years' imprisonment depending on the offence. The offences created by these Parts include:

(a) computer intrusions;

(b) unauthorised modification of data, including data destruction;

(c) DDoS attacks using botnets;

(d) creation and distribution of malicious software; and

(e) interference with telecommunications services.

There are also a number of offences relating specifically to telecommunications services in the Telecommunications Act, including contravention of carrier licence conditions or cabling requirements; each offence carries a specified number of penalty units, up to a maximum of 20,000. Under the Crimes Act 1914 (Cth), a penalty unit is presently valued at AUD 210.

Updated: August 27, 2019