  1. #1
    Member

    Join Date
    Jan 2020
    Last Online
    01-08-2023 @ 11:33 PM
    Posts
    510

    Are you Subject to Thailand's Cyber Security Laws? Know Your Rights and Obligations

    Are you Subject to Thailand's Cyber Security Laws? Know Your Rights and Obligations | Insights | DLA Piper Global Law Firm

    Thailand’s Cyber Security Act B.E. 2562 (2019) (the CSA) came into effect on 28 May 2019. The CSA imposes a variety of obligations upon public and private organizations which are considered “Organizations of Critical Information Infrastructure” (OCII) i.e., an organization, either public or private, which provides “Critical Information Infrastructure” (CII) services.
    Up until recently, the ambiguity as to whether a service provider was considered an OCII remained a live issue, requiring further clarity. In an attempt to provide clarity, on 23 August 2021, the CSA’s regulator (i.e., the National Cybersecurity Committee, the “NCC”) issued a “Notification” which systematically categorizes specific types of businesses into CII service-providers, and delegates supervisory authority to different regulators (“Supervising Organizations”).
    A list of selected CII services under Thai law may be found here.
    Key obligations of OCIIs under the CSA are as follows:

    1. Observing compliance with the CSA Code of Practice and standard framework for maintenance of cybersecurity.
    2. Examining operations to ensure compliance with the minimum cybersecurity standards prescribed by the relevant Supervising Organization.
    3. Conducting annual risk assessments on “Maintaining Cybersecurity.” These risk assessments should be conducted by the OCII’s information security auditor, internal auditor or external independent authority, and the results must be submitted to the Office of the NCC.
    4. Upon learning that it is a subject of a “cyber threat”, the OCII must report to the Office of the NCC and the relevant Supervising Organization. The OCII must then carry out appropriate investigations and examinations relating to the “cyber threat.”

    The obligations imposed on OCIIs are in some ways aligned with those of other jurisdictions such as Singapore and China, as seen here.
    OCIIs are also subject to the jurisdiction of the Office of the NCC, should there be a “cyber threat” that reaches a “critical level.” Among other obligations in the context of a “cyber threat”, OCIIs will be required to cooperate during a dawn raid, respond to requests for information as well as respond to subpoenas for information, evidence, or witnesses.
    An OCII’s failure to comply with obligations under the CSA will result in fines. However, a failure to cooperate with orders issued by the Office of the NCC may result in a fine and/or imprisonment. Notably, offences under the CSA may extend to a director and/or person responsible for the operation of an organization, if it is established that the commission of the offence was a result of an order or omission of such person(s).
    Furthermore, private organizations subject to a “cyber threat” resulting in a data leak may be subjected to reporting obligations under Thailand’s Personal Data Protection Act B.E. 2562 (2019), which is scheduled to come into effect on 31 May 2022, should such an organization be considered a “Data Controller” under that law.


  2. #2
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,555
    It's one of those suitably vague laws that if they want to fuck you, they'll fuck you.
