Thailand: Cybersecurity

1. GOVERNING TEXTS

1.1. Legislation

Thailand has rapidly grown its digital economy and made a concerted push towards technological innovation. As technology has evolved within the country, however, so has the threat to cybersecurity. In order to tackle this looming threat, the Government of Thailand ('Government') released the Cybersecurity Act 2019 ('the Cybersecurity Act'), which was published in the Government Gazette on 27 May 2019 and is now in effect. The Cybersecurity Act endeavours to enforce legal safeguards to ensure the security of cyberspace and, in particular, sets out a cybersecurity risk assessment plan to prevent and mitigate cybersecurity threats that may affect the stability of national security and the public interest, including interests related to the economy, healthcare, international relations, and other governmental functions, among other areas.

The Cybersecurity Act applies to both public and private sector entities that:

  • own information and communication infrastructure which is integral to the maintenance of vital societal functions, otherwise known as Critical Information Infrastructure ('CII'); and
  • are engaged in the following services:
    • national security;
    • material public service;
    • banking and finance;
    • information technology and telecommunications;
    • transportation and logistics;
    • energy and public utilities;
    • public health; or
    • other areas that may be further prescribed by the relevant cybersecurity authority.

Under the Cybersecurity Act, these companies must put in place internal guidelines for managing cybersecurity issues, and these guidelines must be in accordance with the national cybersecurity strategy.

In addition to the Cybersecurity Act, cybersecurity matters are addressed in the Computer Crimes Act 2007 ('CCA') which stipulates that any import, dissemination, or forwarding of data through a computer system that may cause damage to the public (i.e. public security, the national economy, public infrastructure etc.) is considered an offence under the CCA.

1.2. Regulatory authority

There are two main cybersecurity regulatory authorities – the National Cyber Security Committee ('NCSC') and the Cyber Security Regulatory Committee ('CSRC').

The NCSC is comprised of the Prime Minister of Thailand as chairman, and directors from the Government and the private sector who hail from areas that are of benefit to cybersecurity, such as engineering, law, and information technology. The NCSC sets out general cybersecurity policies and action plans, as well as minimum standards for computer systems used in both government agencies and CII entities, in accordance with the national cybersecurity strategy.

The NCSC also has the authority to determine the levels of cybersecurity threats under the Cybersecurity Act (i.e. non-critical, critical, and crisis), as well as the preventive and mitigative measures that should be in place for each of these levels. In this regard, the NCSC is empowered to request information and documents from, and access the facilities of, private entities, subject to the owner's consent, in order to analyse and evaluate the impact of a critical cyber threat and determine cybersecurity threat levels and appropriate preventive and mitigative measures.

The CSRC consists of the Minister of Digital Economy and Society as chairman, and similar to the NCSC, has directors from the Government and the private sector from areas that benefit cybersecurity. The role of the CSRC is to set out codes of practice and minimum standards for cybersecurity in the public and private sectors relating to CII, including risk assessment and mitigation plans against cyber threats. In addition, the CSRC may order public and private sector entities to prevent, mitigate, and/or re-evaluate cyber threats, to be in line with prescribed cybersecurity minimum standards.

If a critical level threat is discovered, the CSRC is empowered to perform any action to prevent or mitigate such threat. For example, the CSRC may order an owner or user of a computer that is the subject of a cyber threat to fix defects or eliminate undesirable computer programs. Furthermore, if judicial permission is granted, the CSRC may access information and/or seize computer systems, data, and related equipment for a maximum of 30 days to prevent and mitigate cyber threats.

In the case of a crisis-level threat, the National Security Council ('NSC') shall be in charge of carrying out its duties. For any crisis-level threat which requires an immediate response, however, the CSRC is authorised to perform any act warranted as necessary without judicial permission.

In addition to the above two regulatory authorities, there are two other relevant authorities:

  • the Computer Security Coordination Centre; and
  • competent regulators responsible for monitoring and taking action against cyber threats as well as regulating cybersecurity minimum requirements for CII entities under their supervision.

1.3. Regulatory authority guidance

Guidance on cybersecurity from the Cybersecurity Act relates to the development of security mechanisms to safeguard CII and enhance the prevention and mitigation of national cyber threats. The guidance also emphasises the importance of cooperation between the public and private sectors, as well as with international organisations, in order to cope with cyber threats. Development of cybersecurity research and local expertise, including effective cybersecurity-related laws and regulations, is also considered a key factor in enforcing cybersecurity. The NCSC's policies and plans on cybersecurity measures must be formulated in line with this general guidance.

2. SCOPE OF APPLICATION

The Cybersecurity Act is intended to protect Thailand's national security systems from cyber-related threats and crime. The Cybersecurity Act broadly defines 'cyber' as any information or communication from a computer network, a telecommunications network, or the internet. It focuses on the safety of government computer systems and provides the authority for government entities and officers to carry out the provisions of the Cybersecurity Act.

As we mentioned in 1.1 above, the Cybersecurity Act applies to both public and private sector entities that:

  • own information and communication infrastructure, which is integral to the maintenance of vital societal functions, otherwise known as Critical Information Infrastructure ('CII'); and
  • are engaged in the following services:
    • national security;
    • material public service;
    • banking and finance;
    • information technology and telecommunications;
    • transportation and logistics;
    • energy and public utilities;
    • public health; or
    • other areas that may be further prescribed by the relevant cybersecurity authority.

As supplemental regulations regarding the Cybersecurity Act have not been issued, there is no official guideline for complying with the Act (e.g. a cybersecurity risk assessment guideline, an official practice guideline, etc.).

3. DEFINITIONS

Information security program: There is no specific definition of 'information security program' prescribed in the Cybersecurity Act. However, an information security program can be defined as a program established for preventing, handling, and reducing the risks of internal and external cyber threats affecting national security, economic security, military security, and internal peace and order.

Database: There is no specific definition of 'database' prescribed in the Cybersecurity Act. However, a database can be defined as an organised collection of structured information, or data, typically stored electronically in a computer system.

Cybersecurity incident: Means an incident resulting from any unlawful action or operation performed via a computer or a computer system which is likely to cause damage to, or affect, the maintenance of cybersecurity or the cybersecurity of a computer, computer data, a computer system, or other data relating to a computer system.

Cybersecurity / information security officer: There is no specific definition of 'cybersecurity / information security officer' prescribed in the Cybersecurity Act. However, a cybersecurity / information security officer can be defined as a person appointed by the Minister to perform any action under the Cybersecurity Act.

Cyber: Means any information or communication from a computer network, a telecommunications network, or the internet.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1. Cybersecurity training and awareness

Not applicable.

4.2. Cybersecurity risk assessments

Not applicable.

4.3. Vendor management

Not applicable.

4.4. Accountability/record keeping

Not applicable.

5. DATA SECURITY

Pursuant to Sections 44 and 56 of the Cybersecurity Act, each government entity, competent regulator, and CII entity must have in place a code of practice, organisational measures, and a cybersecurity framework that complies with prescribed cybersecurity minimum standards. The code of practice must cover at least:

  • cybersecurity risk identification and assessment performed by either an internal or external independent auditor at least once a year (which must be reported to the NCSC office within 30 days); and
  • a cyber threat response plan.

CII entities must further provide monitoring mechanisms for cyber threats and cybersecurity incidents that threaten their CII according to standards as prescribed by the NCSC or CSRC. CII entities must also participate in cybersecurity testing organised by the NCSC in order to assess and ensure their readiness in responding to cyber threats.

The term 'cyber threat' is a key definition in the implementation of the Cybersecurity Act, and refers to any illegal action that uses computers, network systems, or malware to cause, or that is likely to cause, an adverse impact on a computer, a computer network, or data security/integrity.

The Cybersecurity Act further elaborates on 'cyber threat' by categorising it into the following three levels:

  • non-critical: any threat that may negatively impact the performance of a CII operator's computer system or the services provided by government entities;
  • critical: any threat to a computer system or to computer data that has significantly increased, with the intention to attack CII relating to national infrastructure, national security, the economy, healthcare, international relations, governmental functions, etc., and where such an attack would impair the provision of CII-related services; and
  • crisis: any threat greater than a critical-level event, which may have a widespread impact such as causing the Government to lose control of a computer system, or any threat that may lead to mass destruction, terrorism, or an overthrow of the Government.

Details of cyber threats, as well as the preventative and mitigative measures employed for each level of cyber threat, have been prescribed in the Announcement of the National Cybersecurity Committee on Characteristics of Cyber Threats, Measures for prevention, handling, assessment, suppression and suppression of cyber threats at each level, 2021 (only available in Thai here).

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

There is an obligation to notify the competent regulatory authority in the event of a cybersecurity incident (Sections 57 and 58 of the Cybersecurity Act).

In the event of a cybersecurity incident involving the CII of either public or private entities, these entities must:

  • investigate all of their information, computer data, and computer systems, including any circumstances related to the incident, in order to evaluate the cyber threat, following the measures under the code of practice and cybersecurity standards when responding to and mitigating the cyber threat; and
  • notify the NCSC office and the competent regulator of each entity of the cybersecurity incident.

A specific timeline for the notification is not addressed under the Cybersecurity Act; however, a timeline for the notification may be prescribed by the CSRC in the future.

7. REGISTRATION WITH AUTHORITY

There is no requirement to register with a regulatory authority. Under the Cybersecurity Act, the NCSC shall be responsible for designating entities which have services relating to CII as CII operators, which shall then be subject to obligations under the Cybersecurity Act. The criteria for making such designations shall be published in the Royal Gazette and may be periodically revised as deemed necessary.

8. APPOINTMENT OF A SECURITY OFFICER

There is an obligation to appoint a security officer as prescribed under Section 46 of the Cybersecurity Act. Each government entity, competent regulator, and CII entity must notify the names of its personnel at both management level and practitioner level to the NCSC office to coordinate cybersecurity matters. If there is a change of responsible personnel, this change must be notified to the NCSC office. However, no specific timeline for the notification is stipulated in the Cybersecurity Act.

9. SECTOR-SPECIFIC REQUIREMENTS

At present, Thailand does not have any cybersecurity requirements that are specific to certain business sectors. In addition, organic laws have not been issued to further expand the scope and requirements of the cybersecurity law at this time. Although the cybersecurity law has not yet prescribed specific requirements for certain business sectors, the Personal Data Protection Act 2019 ('PDPA') is another applicable law that does require business operators in specific sectors (e.g. the health sector, financial sector, employment, and educational sector) to strictly follow the provisions and requirements under the PDPA. Under the PDPA, business operators may be regarded as data controllers and/or data processors, which have obligations under the PDPA relating to the collection, use, and/or disclosure of personal data. For example, when business operators need to collect, use, or disclose personal data, consent from the data subject is required. In addition, the data subject has the right to request that the data controller or processor respond to their exercise of the right to erasure, the right to access, and the right to data portability.

Please note that the Cabinet of Parliament of the Kingdom of Thailand ('the Parliament') approved the Royal Decree on the Organisations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act (2019) (2020) (only available in Thai here) ('the Royal Decree'). The Royal Decree initially postponed the effective date of the enforcement of the PDPA on exempted organisations in Chapters 2, 3, 5, 6, and 7, and Section 95, until 31 May 2021.

Following a second deliberation, the Parliament approved a further one-year postponement of the effective date of the enforcement of the PDPA, under the Royal Decree on the Organisations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act (2019) (2021) (only available in Thai here), making the effective date of the PDPA 1 June 2022.

Financial Services

There are no financial sector-specific cybersecurity requirements under Thai law. The general requirements detailed above therefore apply.

Health

There are no health sector-specific cybersecurity requirements under Thai law. The general requirements detailed above therefore apply.

Telecommunications

Not applicable.

Employment

There are no employment-specific cybersecurity requirements under Thai law. The general requirements detailed above therefore apply.

Education

There are no education-specific cybersecurity requirements under Thai law. The general requirements detailed above therefore apply.

Insurance

Not applicable.

10. PENALTIES

CII operators that fail, without reasonable cause, to report cybersecurity incidents to the NCSC and their competent regulator shall be subject to a maximum fine of THB 200,000 (approx. €5,580).

Any person who refuses to provide information and documents required for the assessment of a cyber threat and its impacts without reasonable cause shall be subject to a maximum fine of THB 100,000 (approx. €2,790).

During a critical-level threat, any owner, possessor, user, or administrator of a computer or computer system who fails to monitor and/or verify the computer or computer system to search for defects or assess impacts from cyber threats, as ordered by a competent officer, shall be subject to a maximum fine of THB 300,000 (approx. €8,375), and an additional daily fine of up to THB 10,000 until the order is complied with.

In addition, a failure to fix defects and/or eliminate undesirable programs, retain any computer equipment or system for forensic purposes, or access any computer or computer system to prevent a cyber threat, as ordered by a competent officer, shall be subject to imprisonment of up to one year and/or a maximum fine of THB 20,000.

During a critical-level threat, any person who, without reasonable cause, obstructs or refuses a competent official's access to information or premises and/or the seizure of computer systems, data, and related equipment in an effort to prevent and mitigate a cyber threat shall be subject to imprisonment of up to three years and/or a maximum fine of THB 60,000.

If an offender is a legal person/entity, an authorised person of that legal person who is involved in the offence, either by performing unlawful actions or by failing to perform certain actions, thereby causing the legal person to commit the offence, will be subject to the above penalties.

11. OTHER AREAS OF INTEREST

Under Section 52 of the Cybersecurity Act, for coordination purposes, CII operators are required to notify the names and contact details of the owners, possessors, and administrators of their computers and computer systems who have management-level control over the entity to the NCSC office, the competent regulator, and the Thailand Computer Emergency Response Team ('ThaiCERT') (formerly known as the Computer Security Coordination Center) within 30 days from the date the NCSC publishes in the Royal Gazette the criteria designating entities which have services relating to CII. In the event of a change of owner, possessor, or administrator, notice must be sent to each responsible authority at least seven days prior to the change.

Network and Information Systems

'Network and information systems' may be considered similar to CII under the Cybersecurity Act, which refers to information and communication infrastructure, such as a computer system of either a public or private entity, that is essential for the maintenance of core societal functions, including national security, public safety, or public utility infrastructure.

A computer system in this context is considered to be a network holding information that is critical to national security and the public interest, and it must therefore be protected from cyber threats by implementing the cybersecurity standards issued by the regulatory authorities.

Critical Information Infrastructure Operators

Under Section 3 of the Cybersecurity Act, 'CII operators' refers to any public or private entity responsible for information which is critical to national security and the public interest, such as banking, information technology, telecommunications, and transportation. CII operators are required to have cybersecurity measures in place that comply with the standards specified by their local regulators, the code of practice, and other relevant authorities such as the NCSC and CSRC.

Operator of Essential Services

An 'operator of essential services' is similar to a CII operator. Any public or private entity that provides a service that is essential for the maintenance of vital societal functions must have standard cybersecurity measures in place in order to cope with cybersecurity incidents.

Cloud Computing Services

'Cloud computing services' are not specifically defined in the Cybersecurity Act. These services, however, can be subject to the Cybersecurity Act, as they can be categorised as information technology and telecommunications services, which are services relating to CII and therefore subject to the Cybersecurity Act.

Digital Service Providers

'Digital service providers' are not specifically defined in the Cybersecurity Act. However, as with cloud computing services, these providers can be considered CII operators as digital services fall within the classification of CII. Such providers would therefore be subject to the Cybersecurity Act.

COVID

Due to the COVID-19 pandemic, Thailand has been focusing on preventive measures and laws to prevent the spread of COVID-19 in the country. A state of emergency was declared in March 2020 and has been extended until the end of September 2020. The Government has decided to postpone the enforcement date of the PDPA, in particular the obligations of data controllers and data processors, to May 2021, and it has not mentioned any additional laws or changes to the Cybersecurity Act.

John Formichella, Partner
Naytiwut Jamallsawat, Partner
Onnicha Khongthon, Associate
Formichella & Sritawat Attorneys at Law Co., Ltd., Bangkok