I was interviewed by The Star on the new Cyber Security Bill 2024 (CSB). I said the following-
Foong Cheng Leong, writer and lawyer specialising in privacy and data protection laws, cautions that the broad powers granted to the chief executive (CE) of the National Cyber Security Agency under the Act should be tightened to prevent abuse.
For example, section 10(1)(a) of the CSB 2024 states that the CE has the duty to advise and make recommendations to the National Cyber Security Committee on policies, strategies, and strategic measures relating to national cyber security.
“In this situation, what kind of information and documents would be relevant to the CE? The CE may, for example, claim that a telecommunication company to disclose all subscribers’ details for him to formulate policies.
“If that is the case, what would be the level of security imposed by the CE to ensure that there is no data leakage on their side?” says Foong. “The CE should, like any other entities, go through a Court process to obtain information or documents.”
Licensing of cybersecurity service providers might also become a sticking point for the industry, as Section 27 of the CSB 2024 will require any cyber security service provider to register with the Government before they can provide cyber security services.
“The definition of cyber security services will be prescribed by the Government after the law is passed. At this juncture, we do not know what are those services. Would that be as simple as installing an anti virus software and firewall for customers?” Foong adds.
The power mentioned in the excerpt above was in reference to section 14 of the CSB which sets out the power of the CE to gather information. Section 14 provides the following-
Power to gather information
- (1) Notwithstanding any other written law, if the Chief Executive has reasonable grounds to believe that any person—
(a) has any information, particulars or document that is relevant to the performance of the Chief Executive’s duties and powers under this Act; or
(b) is capable of giving any evidence which the Chief Executive has reasonable grounds to believe is relevant to the performance of the Chief Executive’s duties and powers under this Act,
the Chief Executive may, by notice in writing, direct that person—(A) to give any such information or particulars to the Chief Executive in the form and manner and within the period as specified in the notice or such extended period as the Chief Executive may grant;
(B) to produce any such document, whether in physical form or in electronic media, to the Chief Executive in the manner and within the period as specified in the notice or such extended period as the Chief Executive may grant;
(C) to make copies of any such document and to produce those copies to the Chief Executive in the manner and within the period as specified in the notice or such extended period as the Chief Executive may grant;
(D) if the person is an individual, to appear before an authorized officer at the time and place specified in the notice to give any evidence, either orally or in writing, and produce any document, whether in physical form or
in electronic media, in the manner and within the period as specified in the notice or such extended period as the Chief Executive may grant;
(E) if the person is a body corporate or a public body, to cause a competent officer of the body corporate or public body to appear before an authorized officer at the time and place specified in the notice to give any evidence, either orally or in writing, and produce any document, whether in physical form or in electronic media, in the manner and within the period as specified in the notice or such extended period as the Chief Executive may grant; or
(F) if the person is a partnership, to cause an individual who
is a partner in the partnership or an employee of the partnership to appear before an authorized officer
at the time and place specified in the notice to give any evidence, either orally or in writing, and produce any document, whether in physical form or in electronic media, in the manner and within the period as specified in the notice or such extended period as the Chief Executive may grant.(2) Where the Chief Executive directs any person to produce any document under subsection (1) and the document is not in the custody of that person, that person shall—
(a) state, to the best of his knowledge and belief, where the document may be found; and
(b) identify, to the best of his knowledge and belief, the last person who had custody of the document and to state, to the best of his knowledge and belief, where that
last-mentioned person may be found.(3) Any person directed to give or produce any information, particulars or documents or copies of any document under subsection (1), shall ensure that the information, particulars or documents or copies of the document given or produced are true, accurate and complete and such person shall provide an express aware of any other information, particulars or document which would make the information, particulars or document given or produced untrue or misleading.
(4) Where any person discloses any information or particulars or produces any document in response to a notice in writing under this section, such person, his agent or employee, or any other person acting on his behalf or under his directions, shall not, by reason only of such disclosure or production, be liable to prosecution for any offence under any written law, or to any proceedings or claim by any person under any law or under any contract, agreement or arrangement, or otherwise.
(5) Subsection (4) shall not bar, prevent or prohibit the institution of any prosecution for any offence as provided by this section or the disclosure or production of false information or document in relation to a notice in writing under this section furnished to the Chief Executive pursuant to this section.
(6) Any person who fails to comply with the directions of the Chief Executive under subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.
(7) Any person who contravenes subsection (2) or (3) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.
Under s. 14 of the CSB 2024, the CE has the power to direct any person to disclose documents or information that is relevant to the performance of the CE’s duties and powers with a threat of imprisonment of not exceeding 3 years and fine of RM200,000. Though the duties and powers of the CE is set out in section 10 of the CSB 2024, section 14 is still widely worded and this may be subject to abuse in the future. The CE should, like any other entities, go through a Court process to obtain information or documents.
Leave a Reply