
June 3, 2016

New Law on Cyber Security in Vietnam

Informed Counsel

Vietnam’s new Law on Cyber-Information Security (LCIS) was passed on November 19, 2015, and it will take effect this year on July 1. This is the first comprehensive law ever issued in Vietnam on the security of “cyber-information,” which is information exchanged in a telecommunications or computer network environment. Previous regulations on the subject had been scattered throughout different pieces of legislation, such as the Law on Information Technology; the Law on Telecommunications; the Law on E-Transactions; Decree 72 on the management, provision, and use of Internet services and online information; the Penal Code; and information security regulations for specific sectors such as banking and finance.

The key aspects of the LCIS include assurances for the safety and security of cyber-information; protection of personal information in the network environment; protection of information systems and infrastructure; production, trading, and use of civil ciphers; standards and technical regulations on information security; provision of information security services; prevention of spam, computer viruses, and harmful software; and emergency responses.

The LCIS retains the main principle of existing data privacy regulations in that the collection, processing, and use of personal information of an individual require the consent of that person. It also reemphasizes the importance of active prevention, detection, stopping, and handling of computer viruses and harmful software as well as the prevention and stopping of sabotage or use of information for the purpose of terrorism.

The new law requires intermediary service providers (e.g., enterprises providing email services or transmitting and storing information) to have malware-filtering systems in the course of sending, receiving, and storing information via their systems and to send reports to competent state agencies in accordance with the law. It also requires organizations and individuals, within their authority and responsibilities, to prevent the sabotage of information originating from their information infrastructure, to collaborate with one another in identifying sources, and to counter and remedy the consequences of cyber-attacks carried out via the information systems of domestic and foreign organizations and individuals.

The new law further aims to enhance capacity-building in cyber-information security and encourage organizations and individuals to invest in and enter into joint ventures and associations with other organizations in building higher-education institutions and vocational-training institutions with a view to training human resources for cyber-information security.

A current problem with the LCIS is that its scope of applicability is rather broadly defined. Accordingly, it seems to pose some new requirements and challenges which could apply to many business operators in Vietnam. On its face, the law includes a number of provisions that might apply to many organizations that own information and information systems, defined as a combination of hardware, software, and databases for creating, transmitting, and storing information, among other matters, in a network environment. Needless to say, many businesses could fall under this broad scope. These provisions include the following:

  • Organizations which own information must classify information based on varying levels of secrecy in order to take appropriate protective measures.
  • Those collecting information are subject to inspections and examinations on an annual basis, and on an extraordinary basis when deemed necessary by the relevant state agencies.
  • Organizations which own information systems must classify their systems according to levels of security from 1 to 5 (with 5 as the highest level). These levels reflect the potential harm that a security breach could cause to other entities, social order, and national security, among other matters. These organizations must also formulate policies and rules to ensure cyber-information security when designing, developing, managing, operating, using, updating, or deactivating information systems.
  • Organizations which own information systems are also responsible for protecting their information systems, and must determine the security level of their information systems; assess and manage security risks to information systems; supervise, monitor, and check the protection of information systems; take measures to protect information systems; comply with the reporting regime; and conduct activities to disseminate information and raise awareness about cyber-information security.

The LCIS does not clearly define what constitutes compliance with many of the requirements set out above.

While the LCIS retains the existing requirements that the production, trading, or importation of civil cryptographic products requires a license, it poses a new requirement for the use of civil ciphers (i.e., cryptographic techniques and products used to keep secret or authenticate information that is not classified as state secrets). In particular, organizations and individuals that use civil cryptographic products provided by enterprises which are not licensed to do business in those products must declare such use to the Government Cipher Committee. Certain organizations, such as foreign consular offices, are exempt from making this declaration.

The LCIS sets out regulations for new types of products and services:

  • Cyber-information security products, which include, among others: civil cryptographic products; cyber-information security testing and evaluation products; and products to counter cyber-attacks and hacking.
  • Cyber-information security services, which include, among others: cyber-information security testing and evaluation services; services relating to information confidentiality which do not use civil cryptography; civil cryptographic services; e-signature certification services; data recovery services; and cyber-attack prevention and countering services.

The provision of cyber-information security services and trading in cyber-information security products are subject to licensing. An importer might need to obtain a cyber-information security product import permit depending on its cyber-information security imports.

While the new law is a welcome step in codifying the regulations on the vital issue of cyber-information security, it still needs further detail and guidance in several areas. The expectation is that subordinate legislation will soon be issued to clarify how the LCIS applies in practice, and hopefully to narrow its scope of applicability.
