The latest version of the cybersecurity bill set to pass the National Legislative Assembly (NLA) next week has been amended to add a requirement for court warrants in cases that the state authority wants to access computer systems to obtain users' personal information.
The cybersecurity bill will go into effect by June.
Paiboon Amonpinyokeat, an adviser to the subcommittee overseeing the bill, said the law covers only incidents affecting critical information infrastructure such as state utilities.
Under the law, the National Cybersecurity Commission (NCSC) will be set up, chaired by the prime minister.
The NCSC will encompass two subcommittees. The first will oversee a national cybersecurity agency (CSA), led by the Digital Economy and Society (DE) minister, and also promote national information technology by offering tax incentives to encourage strong cybersecurity standards and requirements. The latter will oversee national cybersecurity, led by the DE minister working with the supreme commander.
Also in the works is an industry-specific Information Sharing and Analysis Center (ISAC) for collaboration with international organisations.
The law covers critical information infrastructure in seven groups: finance, transport/logistics, energy, healthcare, telecommunications, government services and national security.
Mr Paiboon said the amended version curtails the powers previously granted to the CSA secretary-general. The NCSC will define the national cybersecurity policy, and the NSA will implement those policies. The NCSC will define the minimum cybersecurity standard requirements for agencies that handle critical information infrastructure.
Each critical information infrastructure agency will have its own cyber team to comply with the requirements and be audited by a third party.
In the event that the critical information infrastructure agencies are believed to have been attacked, the NSA needs to ask for a court order before accessing their systems. The law also allows for appeals to deny a search by the authorities.
Mr Paiboon said any person causing a data leak from critical information infrastructure can be sentenced to jail for 3-7 years.