The Thai National Cybersecurity Committee (NCSC), as required by the Cybersecurity Act, reported to the cabinet in mid-August on trends and developments regarding cyber incidents in Thailand. According to the NCSC, the top five most common cyber incidents involve website phishing, website defacement, data leakage, data security vulnerabilities, and ransomware.
Reported incidents of cyberattacks have increased in recent years. The report stated that affected organizations primarily responded to cyber incidents and attacks by notifying the NCSC about the incident and the remedial actions planned or taken, and conducting internal training to increase awareness of cyber threats. Only two organizations chose to conduct IT risk assessments and vulnerability tests as preventive measures against future cyber threats.
The NCSC report also showed that aside from telecom infrastructure, energy and utilities, and education operators falling victim to cyberattacks, healthcare, webhosting, and data center operators have also become “more common victims” of cyber incidents.
The NCSC recommended that all organizations prepare for inevitable future cyber incidents. This includes ensuring that businesses and organizations comply with international standards, which includes measures that are recognized and incorporated in Thailand’s Personal Data Protection Act (PDPA) and Cybersecurity Act.
Conducting internal training for employees as well as directors and officers is also recommended by the NCSC, as this can help prevent cyber incidents and ensure that businesses comply with the minimum required security standards issued by the Personal Data Protection Committee (PDPC) in their Notification Re: Security Measures of the Data Controller B.E. 2565 (2022), which came into effect on June 21, 2022. Industry-specific minimum required security standards (e.g., those regulated by the Bank of Thailand, Office of Insurance Commission, etc.) should also be considered in conjunction with those in this PDPC notification—particularly when sectoral requirements are more stringent than the PDPC’s recommended measures.
PDPA statutory penalties include civil liabilities with punitive damages, administrative fines, and criminal penalties targeting both businesses and their directors and officers. However, proving that these parties have complied with the applicable requirements and implemented the minimum required standards for data protection can greatly reduce the exposure, potential liabilities, and fines resulting from cyberattacks—especially incidents involving personal data and sensitive personal data.
Tilleke & Gibbins is experienced in helping companies set up protocols to protect themselves and their personnel from these liabilities. For more details, or for assistance understanding any aspect of cybersecurity or personal data protection laws in Thailand, please contact our data protection, privacy, and security team at [email protected], [email protected], or [email protected].