Author: publisher

by Lim Seng Siew, director OTP Law Corporation. Accredited Specialist in Data and Digital Economy Law by SAL.

In preparing for an article on OTP Law’s website (reproduced on this website) about material adverse change clauses, I made use of a generative AI engine (used on 28 Apr 2023) and asked it for “Cases on material adverse change clauses in Singapore courts.”. This was the answer it gave me:

Answer:

In Singapore, material adverse change (MAC) clauses are commonly used in commercial contracts to allow parties to terminate or renegotiate the terms of the contract if certain events occur that materially affect the value or viability of the transaction. However, the application and interpretation of MAC clauses in Singapore can be complex and fact-specific, and there have been a limited number of cases on the issue.

One notable case is China Machine New Energy Corp v Jaguar Energy Guatemala LLC [2013] SGHC 186, where the Singapore High Court considered a dispute arising from a power purchase agreement between the parties. The agreement contained a MAC clause that allowed the buyer to terminate the agreement if there was a material adverse change in the seller’s financial condition. The court held that the buyer had not established that there was a MAC and that the seller had not breached the agreement. The court also noted that the burden of proof was on the party seeking to rely on the MAC clause, and that the clause should be narrowly construed.

Another case is BNA v BNB [2015] SGHC 110, where the Singapore High Court considered a dispute arising from a share purchase agreement. The agreement contained a MAC clause that allowed the buyer to terminate the agreement if there was a material adverse effect on the target company’s business, operations, assets or financial condition. The court held that the buyer had not established that there was a MAC and that the seller had not breached the agreement. The court also noted that the MAC clause should be interpreted in the context of the entire agreement and the commercial objectives of the parties.

Overall, these cases suggest that Singapore courts will approach the interpretation and application of MAC clauses on a case-by-case basis and will require a high standard of proof before allowing a party to rely on such a clause to terminate a contract.

This sound great, easy to read and understand. What is there not to like about it? Except that the cases don’t exist! It is not that the case names or the citations don’t exist. They do but are wrong. The citation for China Machine New Energy Corp v Jaguar Energy Guatemala LLC is not [2013] SGHC 186. It’s another citation. And citation [2013] SGHC 186 is of another case. And, to make it worse, either is about material adverse change clauses. This was a similar situation with the second case cited, BNA v BNB [2015] SGHC 110.

So what is going on here? The short lay-persons answer is that the AI lied. But AIs don’t lie. All they do is trawl the internet for information (ie. the large language model) and then compile the information in a coherent manner that people understand. So how in that compilation process, the AI put together information that may not be related to one another together in a coherent readable form. To a reader, they appear as the truth. Data scientists don’t fully understand what is going on yet but called this phenomenon ‘hallucination’.

How do we avoid this? By asking the right question.

This reminds me of the sci-fi series, “The Hitchhiker’s Guide to the Galaxy.” The Ultimate Question was asked of the supercomputer “Deep Thought”: What is the answer to Life, the Universe, and Everything? After many years of computing, the answer was “42”. It was pointed out by Deep Thought that the question was wrong. Thus the non-sensical answer.

A ‘profession’ has now grown around generative IA to learn how to ask the right questions, ‘prompt engineering’. The combination of prompt engineering, domain knowledge (the human is still needed in the chain), high quality data, and AI models trained on research frameworks will birth a new scientific approach: Iterative Sciences.

As to using generative AI for legal work, thankfully as the preceding paragraph makes clear, the human is still need to provide the domain knowledge of law. The human with that domain knowledge needs to read what is generated by the AI for accuracy. Using the answer to my query above, of the four paragraphs generated by the AI, only two were useable (of sorts): the first and last paragraphs, ie. the two shortest paragraphs that contain well-written motherhood statements. Not sure how useful they are actually. In fact, my article on material adverse change clauses used nothing generated by the AI. So, I am happy to report that for the moment, we are safe.

by Lim Seng Siew, director OTP Law Corporation. Accredited Specialist in Data and Digital Economy Law by SAL.

Singapore, like many countries around the world, is on a trend to regulate online content to enhance the online safety of users. UK has its own Online Safety Bill as does Ireland’s Online Safety and Media Regulation Bill and the EU’s Digital Services Act.

Singapore’s Online Safety (Miscellaneous Amendments) Bill was passed in Parliament on 9 November 2022 and came into force on 1st February 2023.  The Bill primarily makes appropriate amendments to the Broadcasting Act 1994 with the introduction of a new Part 10A. A minor clarification amendment to the Electronic Transactions Act 2010 was also made.  There is no stand-alone Online Safety Act.  The Bill was tabled after consultations with stakeholders and the public.

In the second reading of the Bill in Parliament, the Minister of Communications and Information highlighted that most online platforms do not fall within the remit of the then-existing provisions of the Broadcasting Act. As such the Bill was intended to regulate social media platforms because of their high volume of harmful content.

The new Part 10A in the Broadcasting Act empowers the Infocomm Media Development Authority (IMDA) to regulate online communication services (whether from within Singapore or outside) accessible by Singapore end-users. The measures that IMDA can take are: (a) to issue codes of practice for providers of regulated online communication services; and (b) to issue blocking directions to online communication services providers and to internet access service providers to deal with egregious content.  A new Fourth Schedule to the Broadcasting Act lists the online communication services that are within Part 10A. At present, the Fourth Schedule is limited to “social media service”.

Codes of Practice

Along with the press release by the Ministry of Communications and Information on 31 Jan 2023, the IMDA also released its draft Code of Practice for Online Safety for further consultation. The Code is expected to be implemented in the second half of 2023. Online communication services that have significant reach or impact can be designated by IMDA as regulated online communication services (ROCS). ROCS providers will be required to comply with the Code.

The draft Code has provisions requiring ROCS providers to put in place systems and processes to mitigate the risks to Singapore users (in particular children of different age groups) from exposure to harmful content and to account to its users for such measures. Harmful content is much wider than egregious content that can give rise to blocking directions by IMDA. Harmful content covers sexual or violent content as opposed to sexually violent content (per egregious content). It also includes cyberbullying content and content facilitating vice and organised crime.

The draft Code has sections on: (a) User Safety;  (b) User Reporting; and  (c) Accountability. Its key provisions are:

(a) The ROCS provider must implement community guidelines, standards, and content moderation measures to minimise users’ exposure to harmful content.

(b) Users must have access to tools to help them manage their own safety and exposure to harmful content.

(c) Users must have easy access to information related to online safety, including Singapore-based safety information.

(d) The ROCS provider must have technologies and processes in place to pro-actively detect and remove child sexual exploitation and abuse material and terrorism content.

(e) The ROCS provider must have targeted measures to minimise children’s exposure to inappropriate content, including children appropriate community guidelines, standards, and content moderation measures.

(f) Children must not be sent targeted content that is detrimental to their physical or mental well-being.

(g) The children and their parents/guardians must have access to tools to enable them to manage the children’s safety and minimise their exposure to harmful or inappropriate content. The tools must limit, not such what content the child can see, but also limit who else can see the child’s information or interact with the child. Unless access by children is restricted, children must be provided with their own accounts where the default settings are robust and more restrictive appropriate to the age of the children.

(h) Users must be able to report concerning content or unwanted interactions. The mechanism must be easy to use and transparent.

(i) Such users’ reports must be assessed and appropriate action taken in a timely and diligent manner, depending on the severity of harm. Action taken can include taking down the content and warning or banning the account that posted the content.

(j) Where the report is not frivolous or vexatious, the reporting user must be informed of the decision and action taken. If action is taken against the user who posted the content, that user must also be informed of the decision and action taken. These must take place without undue delay. The users have the right to ask for a review of the decision and action taken.

(k) The ROCS provider must submit to IMDA annual reports on the measures that are put in place to combat harmful and inappropriate content. The report should include: (i) how much and types of harmful or inappropriate content they encountered ; (ii) what steps have been taken to mitigate Singapore users’ exposure to harmful or inappropriate content; and (iii) what action has been taken on user reports. The report will be published on IMDA’s website.

The draft Code is accompanied by Guidelines that provide non-exhaustive examples of harmful content for all users and inappropriate content for children.

Failure to comply with the codes of practice without a justifiable reason can result in a financial penalty not exceeding S$1 million or directions to remedy the failure.

Blocking Directions

If IMDA finds egregious content on online communication services, directions can be issued to the online communications provider and to internet service providers to disable access to such content by Singapore end-users. Egregious content includes content advocating or instructing self-harm or suicide; physical or sexual violence; terrorism; child sexual exploitation; public health risk in Singapore; or likely to cause racial or religious disharmony in Singapore.

There are 3 types of directions that IMDA can issue:

(a) A direction to an online communication service provider to disable access by Singapore end-users to the egregious content. As an example, to block a post on a social media site from being viewed by a Singapore user through a browser or mobile device.

(b) A direction to an online communication service provider to stop the delivery or communication of egregious content to Singapore end-users. As an example, to block an instant message containing egregious content or a link to egregious content from being sent to Singapore users.

(c) A direction to an internet access service provider to block access by Singapore end-users to an online communication service if the provider of that online communication service fails to comply with an IMDA direction. This can mean that the entire service is blocked and not just the post or message with the egregious content.

Failure to comply with a blocking direction to an online communication service provider can result in a fine not exceeding S$1 million and a further fine of not more than S$100,000 per day for a continuing offence.  Failure to comply by an internet access service provider can result in a fine not exceeding S$20,000 per day up to a maximum of S$500,000.

Conclusion

How effective the codes will be, only time will tell.

by Lim Seng Siew, Director OTP Law Corporation

In the first and second parts, we talked about what is a phishing attack and what to do if you are a victim. In the third part we talked about the simple steps to take to protect yourself against an attack. In this fourth and part of the series about Cyber-hygiene and Phishing, we will talk about other, more complicated, steps that you can take to reduce the chances of being a victim of a hack.

Steps With Assistance Basket

The suggestions in this basket are much more technical than just installing an anti-malware (one of the simple steps in the earlier article) onto your computers and may require your IT provider to help.

Configure Your Email Servers

Your email servers can be configured to ‘prevent’ your emails from being spoofed. I use ‘prevent’ in parentheses because, as I had said earlier, it is not possible to prevent hacking, just making it more difficult for a hacker.

What you tell your IT provider is “Please configure my email servers to enable SPF, DKIM and DMARC. I want to prevent our emails from being spoofed and so that our emails are not marked as spam by other email servers.”

To briefly explain what they mean and do.

SPF stands for “Standard Policy Framework”. What SPF does is to allow email servers receiving your email to verify that the email comes from your domain and is authentic, and not forged or spoofed.

DKIM stands for “Domain Keys Identified Mail”. What it does is to add a digital signature to every message sent from your organisation. Receiving email servers will read the signature and verify whether message actually came from you. DKIM also prevents message content from being changed when the message is transported between servers.

Finally, DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. DMARC tells the receiving email servers what to do with messages from your organisation when they don’t pass either SPF or DKIM. Failed messages can either (a) continue to be sent to the recipient, (b) quarantined or sent to the spam folder, or (c) rejected, ie not sent to the recipient. Usually as a start, you might want to choose the first option (continue to be sent) until you are certain that only false emails are tagged. Whichever option is chosen, DMARC also sends reports that tell you which messages pass or fail SPF and DKIM. These reports can help you identify possible email attacks and other vulnerabilities with your email servers.

Like the password checker, CSA has its Internet Hygiene Portal (at https://ihp.csa.gov.sg/home where you can check if your website and email are secure.

Back-Ups Including Off-Site Back-Ups

In our everyday life, we have ‘back-ups’ for many things: the spare key to our front door or keeping a properly inflated spare tyre in our car.

The same should apply to your business data. You cannot assume that the information that you store will always be safe and accessible. Even if you are not a victim of a hack, negligence of a staff or a system corruption (physical storage devices do breakdown sooner or later) can result in lost data. Regular and systematic back-ups will ensure that if the information is lost, it can be restored from the back-ups.

Experts advise making several back-up copies of valuable files and safekeeping them in different places. This is to plan for the contingency that your first back-up option becomes corrupted.

Some planning and discussion with your IT provider will be necessary. Questions such as the following need to be asked and answered: Do I need to do daily incremental back-ups? Do I need to do weekly or monthly complete back-ups? Do I need real-time back-ups? Do I do the back-ups on removable devices? On external hard drives? On dedicated back-up devices? On the cloud?

Another key question is “Where is the data that I want backed-up stored?” If your staff stores the files in multiple devices and locations, must all these devices and locations be backed-up? Or should your staff be educated and trained to store all the files in one place (say a dedicated folder on your file servers) so that only that place needs to be backed-up?

At least one back-up copy should be kept off-site or in a reliable cloud service. If your on-site files, including your on-site back-ups, fall victim to ransomware or is destroyed by fire, you will have that off-site copy or cloud copy from which to restore and reconstruct your files.  However, bear in mind that restoring from off-site back-ups is not as easy as copying files back into your system after it has been restored or cleaned of any malware. Further, you have to ensure that the off-site or cloud back-up copies are immutable copies of your data, ie that they cannot be encrypted or corrupted by ransomware. So regular testing of your back-up and restoration process should be carried out.

Encryption

Encryption is a cybersecurity measure that protects your data even if the data is stolen. A hacker will have to ‘crack’ the decryption key before he can get his hands on the data. With strong encryption, decrypting files can take years of computing power.

Both data stored or backed-up on your devices or the cloud (termed ‘data at rest’) and data that is moving across the internet or a private network (termed ‘data in transit’) should be encrypted.

Data in transit is usually encrypted by the application used to transfer that data. As an example, many instant messaging apps encrypt all messages sent and received between their users. Websites that have “https” as part of its web address also encrypt all traffic between its web server and the web browsers of its visitors.

Similarly, many cloud storage providers encrypt both data in transit (ie data that is moving between the user and the cloud storage) and data at rest (ie data that is stored in the cloud storage).

It probably would not make sense to encrypt ALL files generated by a business. So, you will need to discuss with your staff and your IT provider to see what types of data would benefit from encryption and what would not. In short, a risk-based assessment will have to be undertaken.

Files that are copied or backed-up onto removable storage devices should be encrypted, especially if these devices are going to be physically moving around. Thus, if the storage device is lost or stolen, the data remains safely out of the hands of the thief or hacker.

Do not overlook the data encryption tools that are already incorporated in some of the common operating systems like the Encrypted Files System (EFS) in Microsoft’s Windows and Android Encryption in Google’s Android. By default, no file is encrypted for both systems. EFS can be enabled by users (or through Group Policies) on a per-file, per-directory, or a per-drive basis. Encryption in Google’ s Android is generally either a full-disk encryption (FDE) or a file-based encryption (FBE). Confusing? Yes, it can be. That is why help from your IT provider will be useful.

A useful point to note. Whether encryption has been used is factor taken into consideration by the PDPC to determine if an organisation has or has not taken reasonable steps to secure the personal data it collects.

Monitor

“Don’t know, don’t ask” is definitely not one of the mantras to be adopted where cyber-hygiene is concerned. The fact that you had been hacked or that hacking is on-going but you know nothing about it is not only embarrassing when it is subsequently discovered, but can potentially mean that prima facie, you did not take reasonable steps to secure your data.

Proactive monitoring can give you early warning signs of an impending attack, whether they are specifically directly at your organisation or as part of a global tidal wave. Servers, routers, applications and systems that are used by your organisation should be configured (again, with the help of your IT provider) to either generate periodic (say weekly) reports or have real-time monitors to spot any suspicious activities. However, do not overreact when you see such reports for the first time. There will be many suspicious activities. Hackers routinely use bots to scan multiple systems, including yours, for vulnerabilities such as vulnerable codes that have not been patched. In today’s day and age, these activities are part of the ‘background noise’. What you should be looking out for are changes to the ‘background noise’ that might indicate either that you are being targeted or that some vulnerability has been detected.

Steps With Consultation Basket

This third and final basket of suggestions is one that will require consultation between various stakeholders, including senior management, staff, and the IT provider as they involve longer term planning, top management decision, and operational changes. You don’t have to implement all the suggestions but only adopt what suits you and your practice.

Consider Implementing Zero Trust Policy

Zero trust policy is basically a philosophy that states no one, whether inside or outside the network, should be trusted unless their identification has been thoroughly checked. Zero trust assumes that every attempt to access the network or an application is a threat. Traditional security models are based on the ‘moat and castle’ or ‘perimeter defence’ model, that is a moat surrounding the castle and anyone inside the castle is assumed to be a friend. A zero trust model doesn’t make that assumption. It in fact goes a few steps further in that the user or device, even after verification, is granted only the minimum of permissions necessary to perform an authorised task and for only a limited period of time.

The weakness of the perimeter defence model is that the perimeter has all but disappeared with the proliferation of devices that ‘connect’ to your system. This is the result of employees working from home (WFH) in the wake of the global pandemic. Such devices include desktops, laptops, smartphones, tablets, smart TVs and other internet of things (IoT) devices. As a result, hackers have many more points to breach security controls.

Implementing Zero Trust Policy is not easy. Some of the considerations include:

• Verifying the identity of authorised users, often using 2FA. In newer implementations, the authentication is via an authenticator app.
• After the user is verified, the device from which the user seeks authentication also needs to be verified. This usually requires some sort of device management system.
• After the user and device used have been verified, then permissible access of the user and device needs to be verified. As an example, if a user logs in using a laptop with VPN, then the user can have access to certain pre-defined segments of your network or to certain pre-defined folders of your server. If the user logs in using an IoT device (which is generally views as having a higher risk), then the user is only allowed to access an even more restrictive segment of the network or server.
• Some zero trust implementations also verify the types of services that a user or device is permitted to have access to. As an example, a user using an IoT device may only have ‘read only’ access to certain services while a user using a laptop will have full access to the same services.

As the considerations are varied with numerous factors to be taken into account, you will need to work with your key staff and with an experienced IP provider to implement any zero trust policy. Further, it is likely that as you gain more experience, the policies will have to be modified to suit the working requirements of your organisation.

Reduce Your Attack Surface

One of the aims of any cybersecurity plan is to reduce the attack surface. The smaller the attack surface, the easier and cheaper it is to protect. Unnecessary complexity can result in poor management and higher chances of mistakes that allow greater opportunities for hackers to gain unauthorised access to your systems.

The simpler step is to disable all unnecessary or unused: (a) software or applications; (b) computers or devices; and (c) user and admin accounts. However, this is not as easy as it sounds. Many of us allow staff to use their own laptops, tablets and mobile-phones (the Bring Your Own Devices or BYOD ‘culture’), for them to work from home (or for that matter, anywhere), and to use thumb-drives as a means of transferring or transporting files. Just these three steps have increased the attack surface multi-fold and made things more complicated. It makes scanning for vulnerabilities more difficult but makes implementing the zero trust policy more important.

This cannot be done over-night because you do not want to disrupt your existing work processes that has been in place for a while. The cost for doing so also needs to be weighed against the savings. As an example, you should consider buying laptops for your entire office. That way, you can set the configurations for the laptops and only allow these laptops to access your office system. Any access from mobile devices (even your staffs’ own devices) can then be restricted to read-only access to limit any potential harm caused by such devices.

Consider Cloud Services

I will not be dealing with the decision whether to or not to migrate to the cloud. Rather I am just going to weigh cloud versus on-premise solutions from a cybersecurity standpoint. Hybrid WFH makes cloud services an important alternative to on-premise or hosted solutions although both of them have their own security issues.

An important point to keep in mind, the cloud is not the solution to any hacking problem. A careless employee who gives out login credentials in reply to a phishing email will compromise the cloud service. So, training and all the previously discussed suggestions are still important.

Further, the larger and established cloud service providers would have, either as a default or as an option, some of the cybersecurity solutions that I have suggested for a user to choose from. Discuss the options with your IT provider and the cloud service provider you are considering.

I have listed some factors to be considered when deciding between cloud or on-premise solutions.

The Summary

In summary and to recap all four parts:

• Have a Written Breach Management Plan – Include C.A.R.E. (Contain, Assess, Report, Evaluate)
• Prevention is Better Than Cure – Practice Cyber-hygiene
  1. Simple Steps
     1. Have Anti-Malware / Update Software
     2. Practice Password Hygiene:

Strong password / Different Accounts, Different Passwords / 2FA / Don’t share passwords / Don’t login over unsecured wi-fi / Change passwords regularly / Use password manager

• Learn to Spot Phishing Messages:

Mismatched or Misleading Information / Beware of Homograph attacks / Use of Urgent or Threatening Language / Promise of Attractive Rewards / Request for Confidential Information / Unexpected Emails & Suspicious Attachments

1. Training & Keeping up to Date
2. Steps With Assistance
   1. Configure Email Servers – SPF /DKIM / DMARC
   2. Back-Ups – Multiple Copies & Off-site Copies

• Encryption

1. Monitor Your Systems
2. Steps With Consultation
   1. Zero Trust Policy
   2. Reduce Attack Surface

• Consider Cloud Services
• Key Resources
  1. CSA’s Password Checker (https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker)
  2. CSA’s Internet Hygiene Portal (https://ihp.csa.gov.sg/home)
  3. Talk to us at OTP Law Corporation. Our website site is otp.sg