You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

June 3, 2016

New Law on Cyber Security in Vietnam

Subscribe to Updates
Informed Counsel

Vietnam’s new Law on Cyber-Information Security (LCIS) was passed on November 19, 2015, and it will take effect this year on July 1. This is the first comprehensive law ever issued in Vietnam on the security of “cyber-information,” which is information exchanged in a telecommunications or computer network environment. Previous regulations on the subject had been scattered throughout different pieces of legislation, such as the Law on Information Technology; the Law on Telecommunications; the Law on E-Transactions; Decree 72 on the management, provision, and use of Internet services and online information; the Penal Code; and information security regulations for specific sectors such as banking and finance.

The key aspects of the LCIS include assurances for the safety and security of cyber-information; protection of personal information in the network environment; protection of information systems and infrastructure; production, trading, and use of civil ciphers; standards and technical regulations on information security; provision of information security services; prevention of spam, computer viruses, and harmful software; and emergency responses.

The LCIS retains the main principle of existing data privacy regulations in that the collection, processing, and use of personal information of an individual require the consent of that person. It also reemphasizes the importance of active prevention, detection, stopping, and handling of computer viruses and harmful software as well as the prevention and stopping of sabotage or use of information for the purpose of terrorism.

The new law requires intermediary service providers (e.g., enterprises providing email services or transmitting and storing information) to have malware-filtering systems in the course of sending, receiving, and storing information via their systems and to send reports to competent state agencies in accordance with the law. It also requires organizations and individuals, within their authority and responsibilities, to prevent the sabotage of information originating from their information infrastructure, to collaborate with one another in identifying sources, and to counter and remedy the consequences of cyber-attacks carried out via the information systems of domestic and foreign organizations and individuals.

The new law further aims to enhance capacity-building in cyber-information security and encourage organizations and individuals to invest in and enter into joint ventures and associations with other organizations in building higher-education institutions and vocational-training institutions with a view to training human resources for cyber-information security.

A current problem with the LCIS is that its scope of applicability is rather broadly defined. Accordingly, it seems to pose some new requirements and challenges which could apply to many business operators in Vietnam. On its face, the law includes a number of provisions that might apply to many organizations that own information and information systems, defined as a combination of hardware, software, and databases for creating, transmitting, and storing information, among other matters, in a network environment. Needless to say, many businesses could fall under this broad scope. These provisions include the following:

  • Organizations which own information must classify information based on varying levels of secrecy in order to take appropriate protective measures.
  • Those collecting information are subject to inspections and examinations on an annual basis, and on an extraordinary basis when deemed necessary by the relevant state agencies.
  • Organizations which own information systems must classify their systems according to levels of security from 1 to 5 (with 5 as the highest level). These levels reflect the potential harm that a security breach could cause to other entities, social order, and national security, among other matters. These organizations must also formulate policies and rules to ensure cyber-information security when designing, developing, managing, operating, using, updating, or deactivating information systems.
  • Organizations which own information systems are also responsible for protecting their information systems, and must determine the security level of their information systems; assess and manage security risks to information systems; supervise, monitor, and check the protection of information systems; take measures to protect information systems; comply with the reporting regime; and conduct activities to disseminate information and raise awareness about cyber-information security.

It is not clearly defined in the LCIS as to what suffices as compliance for many of the aspects set out above.

While the LCIS retains the existing requirements that the production, trading, or importation of civil cryptographic products requires a license, it poses a new requirement for the use of civil ciphers (i.e., cryptographic techniques and products used to keep secret or authenticate information that is not classified as state secrets). In particular, organizations and individuals that use civil cryptographic products provided by enterprises which are not licensed to do business in those products must declare such use to the Government Cipher Committee. Certain organizations, such as foreign consular offices, are exempt from making this declaration.

The LCIS sets out regulations for new types of products and services:

  • Cyber-information security products, which include, among others: civil cryptographic products; cyber-information security testing and evaluation products; and products to counter cyber-attacks and hacking.
  • Cyber-information security services, which include, among others: cyber-information security testing and evaluation services; services relating to information confidentiality which do not use civil cryptography; civil cryptographic services; e-signature certification services; data recovery services; and cyber-attack prevention and countering services.

The provision of cyber-information security services and trading in cyber-information security products are subject to licensing. An importer might need to obtain a cyber-information security product import permit depending on its cyber-information security imports.

While the new law is a welcome step in codifying the regulations on the vital issue of cyber-information security, it still needs further detail and guidance in several areas. The expectation is that subordinate legislation will soon be issued to clarify the practical realities of the LCIS, and hopefully including a more narrow scope of applicability.

Download Full Article
Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

July 24, 2024

Practical Law: Intellectual Property Transactions in Vietnam 2024

Experts from Tilleke & Gibbins’ intellectual property team have contributed an updated Intellectual Property Transactions in Vietnam to Thomson Reuters Practical Law, a high-level comparative overview of  laws and regulations across multiple jurisdictions. Intellectual Property Transactions focuses on business-related aspects of intellectual property, such as the value of intellectual assets in M&A transactions, and the licensing of IP portfolios. Key topics covered in the chapter include: IP assignment: Basis and formalities for assignments of patents, utility models, trademarks, copyright, design rights, trade secrets, confidential information, and domain names. IP licensing: Scope and formalities for licensing patents, utility models, trademarks, copyright, design rights, and trade secrets. Research and development collaborations. IP audits. IP aspects of M&A: Due diligence, warranties/indemnities, and transfer of IPRs. Employee and consultant agreements. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The Intellectual Property Transactions Global Guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the Intellectual Property Transactions in Vietnam overview, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
July 24, 2024

Practical Law: Intellectual Property Transactions in Thailand 2024

Intellectual property specialists from Tilleke & Gibbins in Thailand have contributed an updated Intellectual Property Transactions in Thailand overview for Thomson Reuters Practical Law, an online publication that provides comprehensive legal guides for jurisdictions worldwide. The Thailand overview was authored by Darani Vachanavuttivong, managing partner of Tilleke & Gibbins and managing director of the firm’s regional IP practice; Titikaan Ungbhakorn, senior associate and patent agent; and San Chaithiraphant, senior associate. The chapter delivers a high-level examination of critical aspects of IP law, including IP assignment and licensing, research and development collaborations, IP in mergers and acquisitions (M&A), securing loans with intellectual property rights, settlement agreements, employee-related IP issues, competition law, taxation, and non-tariff trade barriers. Key topics covered in the chapter include: IP assignment: Basis and formalities for assignments of patents, utility models, trademarks, copyright, design rights, trade secrets, confidential information, and domain names. IP licensing: Scope and formalities for licensing patents, utility models, trademarks, copyright, design rights, and trade secrets. Research and development collaborations: Management of improvements, derivatives, and joint ownership of IP. IP aspects of M&A: Due diligence and critical considerations during mergers and acquisitions. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The Intellectual Property Transactions Global Guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the Intellectual Property Transactions in Thailand overview, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
July 24, 2024

Acted for Nordic Transport Group in its Acquisition of Freightzen Logistics

Acted as lead counsel for Nordic Transport Group A/S (NTG), an international freight forwarding company based in Denmark, in its acquisition of a stake in Asia-based Freightzen Logistics Ltd., Inc. through a newly established subsidiary, NTG APAC Holding Pte. Ltd.
Read More
July 23, 2024

Tilleke & Gibbins Lawyers Recognized in Who’s Who Legal Southeast Asia Guide 2024

In the Who’s Who Legal (WWL) Southeast Asia guide for 2024, a total of 12 Tilleke & Gibbins lawyers have been distinguished as market leaders in various legal practice areas. The firm’s 12 recognized lawyers, singled out for their commitment to delivering exceptional legal services to Tilleke & Gibbins’ clients, are grouped into seven practice areas: Asset Recovery: Thawat Damsa-ard Data: Alan Adcock, Athistha (Nop) Chitranukroh Franchise: Alan Adcock, Jay Cohen Intellectual Property: Alan Adcock (Patents, Trademarks), Darani Vachanavuttivong (Patents, Trademarks), Kasama Sriwatanakul (Trademarks), Linh Thi Mai Nguyen (Trademarks), Somboon Earterasarun (Trademarks), Wongrat Ratanaprayul (Patents) Investigations: John Frangos and Thawat Damsa-ard Labor, Employment, and Benefits: Pimvimol (June) Vipamaneerut Life Sciences: Alan Adcock, Loc Xuan Le The annual WWL Southeast Asia rankings guide, published by the London-based group Law Business Research, aims to identify the foremost legal practitioners across a range of business law practice areas. The rankings are largely based on feedback and nominations received from other WWL-ranked and nominated attorneys around the world. These peer-driven recognitions highlight Tilleke & Gibbins’ dedication to maintaining the highest standards of legal service and helping clients achieve success. To read more about the WWL Southeast Asia guide, or to browse the full results, please visit the WWL website.
Read More
Load More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice