The new Cybersecurity Act of 2019 has come into full effect after having been published in the Royal Thai Gazette on 24^th May 2019. The Act will allow the Thai government to track, monitor, and access digital data if it deems that ‘cyber threats’ are damaging to the critical digital infrastructure of the Kingdom.

According to Digital Economy Promotion Agency (“DEPA”) Deputy Permanent Secretary Vunnaporn Devahastin, the new legislation aims to combat cyber threats and equip law enforcement personnel with the ability to protect the country’s digital infrastructure. While authorities will have the right to seize incriminating computers and systems, they must, for the most part, do so with court warrants and comply with established procedures involved in securing one.

The Act goes further by classifying cyber threats into three tiers: non-critical threats, critical threats, and crisis-level treats. Relevant officers will hold different degrees of powers and authority depending on which tier a particular cyber threat or attack will fall under.

 

Private organization obligations

It also breaks down the obligations of private organizations that use or provide computer systems for key areas including national security, financial services, and services targeted towards the public. Under the Act, they are required to:

• Provide the names and contact details of key stakeholders who own, use, or possess computer systems;
• Conform to code of conduct and cybersecurity standards as prescribed by law;
• Conduct thorough risk assessment; and
• Notify instances of cyber threats to stakeholders.

 

If a cyber threat occurs, organizations dealing with information infrastructure must investigate the affected data, check the systems that have been threatened, and mitigate the risks involved.

Private organizations that are not party of “key” infrastructure are also required to fulfill a set of obligations stipulated by the Act, including:

• Giving access to relevant data, computer systems, or other information in the event of a cyber threat;
• Monitoring computers and computer systems;
• Permitting authorities to test or cease the operation of computers and other equipment

 

Conclusion

We recommend that organizations holding critical infrastructure systems stay mindful of the Act’s developments and ensure that they comply with its requirements. This means organizing IT systems and reviewing legal documents, policies, and breach notifications on top of raising awareness in their organization cybersecurity – all of which Silk Legal can assist with.

For more information about the new Cybersecurity Act, please feel free to contact us using the form provided.