Amendments to the Computer Misuse and Cybersecurity Act

The Computer Misuse and Cybersecurity (Amendment) Bill (the “Bill”) received its second reading and was passed by Parliament on 3 April 2017.  On coming into operation, the Bill will amend the Computer Misuse and Cybersecurity Act (Cap. 50A) (the “CMCA”) by introducing two new offences, amending the territorial scope of certain offences under the CMCA and permitting prosecutors to amalgamate charges in certain circumstances.

New Offences

The new offences carry potential fines and custodial sentences of up to three years (five years for repeat offenders) and may be summarised as follows:

• Acts done in relation to personal information of individuals that a perpetrator knows or has reason to believe has been obtained by committing a computer crime

The amendments make it an offence to obtain, retain, supply, offer to supply, transmit or make available personal information about an individual where a person knows or has reason to believe that such information was obtained by computer crime (e.g., hacking).

However, certain defences are provided for: an offence will not have been committed where a person obtained or retained the personal information for a purpose other than for use or making it available for use in committing or facilitating the commission of any offence.  Similarly, no offence is committed if a person acted for a purpose other than for the personal information to be used to commit or facilitate the commission of an offence and he or she did not know or have reason to believe that the personal information would or would be likely to be used to commit or facilitate the commission of an offence. 

• Acts done in connection with an item that is designed, adapted or capable of being used to commit a computer crime, or by which a computer or part of a computer is capable of being accessed

It will be an offence to obtain or retain certain specified items intending to use them to commit or facilitate the commission of a computer crime or with a view to such item(s) being made available for use in committing or facilitating the commission of such an offence.  Likewise, making, supplying or offering to supply or make available these items, intending them to be used to commit or facilitate the commission of a computer crime will also be an offence. 

The relevant ‘items’ for the purpose of this offence are any device (including a computer program) that is designed or adapted or capable of being used for the purpose of committing a computer crime (e.g., malware and hacking tools) and any password, access code or similar data with which the whole or part of a computer is capable of being accessed.

Territorial Scope

The Bill also extends the territorial scope of the CMCA by establishing that certain acts which take place outside Singapore may still constitute an offence under Singapore law if they cause, or create a significant risk of, ‘serious harm in Singapore’.[1]

Amalgamation of Charges

In order to reflect the way in which certain cybercrimes are carried out (e.g., through repeated unauthorised acts in preparation for an actual attack), the Bill introduces a provision allowing prosecutors to amalgamate two or more acts constituting the same computer offence, committed within a twelve month period and which relate to the same computer.  This will allow attacks to be described as a whole rather than as a series of individual acts being the subject of separate charges.