Vietnam’s new Law on Cyber-Information Security (LCIS) was passed on November 19, 2015, and it will take effect this year on July 1. This is the first comprehensive law ever issued in Vietnam on the security of “cyber-information,” which is information exchanged in a telecommunications or computer network environment. Previous regulations on the subject had been scattered throughout different pieces of legislation, such as the Law on Information Technology; the Law on Telecommunications; the Law on E-Transactions; Decree 72 on the management, provision, and use of Internet services and online information; the Penal Code; and information security regulations for specific sectors such as banking and finance.
The key aspects of the LCIS include assurances for the safety and security of cyber-information; protection of personal information in the network environment; protection of information systems and infrastructure; production, trading, and use of civil ciphers; standards and technical regulations on information security; provision of information security services; prevention of spam, computer viruses, and harmful software; and emergency responses.
The LCIS retains the main principle of existing data privacy regulations in that the collection, processing, and use of personal information of an individual require the consent of that person. It also reemphasizes the importance of active prevention, detection, stopping, and handling of computer viruses and harmful software as well as the prevention and stopping of sabotage or use of information for the purpose of terrorism.
The new law requires intermediary service providers (e.g., enterprises providing email services or transmitting and storing information) to have malware-filtering systems in the course of sending, receiving, and storing information via their systems and to send reports to competent state agencies in accordance with the law. It also requires organizations and individuals, within their authority and responsibilities, to prevent the sabotage of information originating from their information infrastructure, to collaborate with one another in identifying sources, and to counter and remedy the consequences of cyber-attacks carried out via the information systems of domestic and foreign organizations and individuals.
The new law further aims to enhance capacity-building in cyber-information security and encourage organizations and individuals to invest in and enter into joint ventures and associations with other organizations in building higher-education institutions and vocational-training institutions with a view to training human resources for cyber-information security.
A current problem with the LCIS is that its scope of applicability is rather broadly defined. Accordingly, it seems to pose some new requirements and challenges which could apply to many business operators in Vietnam. On its face, the law includes a number of provisions that might apply to many organizations that own information and information systems, defined as a combination of hardware, software, and databases for creating, transmitting, and storing information, among other matters, in a network environment. Needless to say, many businesses could fall under this broad scope. These provisions include the following:
It is not clearly defined in the LCIS as to what suffices as compliance for many of the aspects set out above.
While the LCIS retains the existing requirements that the production, trading, or importation of civil cryptographic products requires a license, it poses a new requirement for the use of civil ciphers (i.e., cryptographic techniques and products used to keep secret or authenticate information that is not classified as state secrets). In particular, organizations and individuals that use civil cryptographic products provided by enterprises which are not licensed to do business in those products must declare such use to the Government Cipher Committee. Certain organizations, such as foreign consular offices, are exempt from making this declaration.
The LCIS sets out regulations for new types of products and services:
The provision of cyber-information security services and trading in cyber-information security products are subject to licensing. An importer might need to obtain a cyber-information security product import permit depending on its cyber-information security imports.
While the new law is a welcome step in codifying the regulations on the vital issue of cyber-information security, it still needs further detail and guidance in several areas. The expectation is that subordinate legislation will soon be issued to clarify the practical realities of the LCIS, and hopefully including a more narrow scope of applicability.