Cyber risk encompasses all risks that would arise from using technology and its related data. In the last few years, cyber threats and attacks have been on the rise in Thailand. In fact, the Kingdom reportedly experienced 20 million cyber-attacks in the past year alone. According to TrendMicro, the five categories most vulnerable to hackers in Thailand are Financial information; Business Communication; Consumer Data; Employee Files; and Research and Development information.
On a global scale, countries understand the impact of cyber security breaches on countries and on businesses. Legislation is being enacted, which provides for fines on companies that mismanage data or lack sufficient security policies. The General Data Protection Regulation (“GDPR”) is a prime example of this move to hold organizations to higher standards, when it comes to their management of users’ data.
The extent to which directors could be held liable for these breaches was, until recently, unclear. Some jurisdictions have started to clarify their legal positions. In the UK, Canada, US and Australia, the directors of a company could be held personally liable for ‘lack of care and diligence’ in relation to cyber risk, with varying standards and conceptual degrees.[1] Similarly in Germany, directors could be held responsible if they fail to incorporate the required technical and organizational measures set out in the Federal Data Protection Act [2] and the Federal Office for Information Security Act.[3]
Under Thai law, various acts prescribe specific duties of directors in the case of cyber-attacks. Private, limited liability companies are governed by the Civil and Commercial Code (‘CCC’). Directors of a private limited liability company must conduct their business with the diligence of a careful businessperson.[4] They also shoulder a fiduciary duty and must act in good faith to maintain the interests of the company, as well as a general burden of care, to act with responsibility and due caution. Public, limited liability companies’ directors, under the Public Limited Companies Act B.E. 2535 (the ‘PLCA’), are liable for breaches of their fiduciary duties. Finally, under the Securities and Exchange Commission Act B.E. 2535 as amended (the ‘SEC’ Act), directors must perform their duties with responsibility, due care and loyalty.[5]
While executing these duties, directors must ensure a strong security policy. This includes prompt notification of breaches, efficient management of data, strong infrastructure, and the training of staff. As a preliminary component of Thailand 4.0, an economic plan focused on digital infrastructure, the Government has enacted legislation to adapt to these attacks and changes in the digital world. In May 2019, the Personal Data Protection Act (2019) (“PDPA”) became law and provides individual users with some control over the processing of their personal data. The enforcement of the PDPA was however postponed another year due to Covid-19.
In Thailand, under the PDPA, the data controller is “a person or juristic person who determines the purposes for which and the manner in which any personal data are, or are to be, processed.” The data controller has a direct liability for data security under the PDPA. However, the PDPA also provides for the liability of a director, when an offense is committed by a juristic person, as a result of instructions given by the director, or of failure for said director to issue appropriate instructions.[6]
The PDPA also has an extraterritorial reach. In consideration of the Thai Government’s goal of implementing a strong digital government policy, directors must be aware of their responsibilities and liabilities in regard to cyber risks and security.
Thailand aims to develop and implement Thailand 4.0, promoting digital innovation and automation. This goal will require strong data canters. As part of the digital infrastructure development under that plan, cyber security will be one the most important elements for all businesses involved in that plan. Directors should be aware of their evolving responsibilities and liabilities regarding cyber threats and the security of the data they collect.
[1] Statutory duties, UK, Companies Act (2006), Canada, Canada Business Corporation Act RSC 1985 (CBCA) – s 239(1), US, Delaware General Corporation Law – s 141(a), Australia, Corporations Act 2001 (Cth) – s 180, in addition to fiduciary duties.
[2] FDPA, (Bundesdatenschutzgesetz), example, s 62 measures required for the controllers and processors
[3] FOISA, (Bundessicherheits- und Informationstechnikgesetz), s 8a.
[4] CCC, s 1168
[5] SEC Act, s 89/7, 89/8, 89/9.
[6] PDPA, section 81.