Powers to investigate and prevent cybersecurity incidents, etc.
19.—(1)  Where information regarding a cybersecurity threat or incident has been received by the Commissioner, the Commissioner may exercise, or may authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised officer to exercise, such of the powers mentioned in subsection (2) as are necessary to investigate the cybersecurity threat or incident, for the purpose of —
(a) assessing the impact or potential impact of the cybersecurity threat or incident;
(b) preventing any or further harm arising from the cybersecurity incident; or
(c) preventing a further cybersecurity incident from arising from that cybersecurity threat or incident.
(2)  The powers mentioned in subsection (1) are the following:
(a) require, by written notice, any person to attend at such reasonable time and at such place as may be specified by the incident response officer, to answer any question or to provide a signed written statement concerning the cybersecurity threat or incident;
(b) require, by written notice, any person to produce to the incident response officer any physical or electronic record, or document, or a copy of the record or document, that is in the possession of that person, or to provide the incident response officer with any information, which the incident response officer considers to be related to any matter relevant to the investigation;
(c) without giving any fee or reward, inspect, copy or take extracts from such record or document or copy of the record or document mentioned in paragraph (b);
(d) examine orally any person who appears to be acquainted with the facts and circumstances relating to the cybersecurity threat or incident, and reduce to writing any statement made by the person so examined.
(3)  The incident response officer must specify in the notice mentioned in subsection (2)(b) —
(a) the time and place at which any record, document or copy is to be produced or any information is to be provided; and
(b) the manner and form in which it is to be produced or provided.
(4)  A statement made by a person examined under this section must —
(a) be reduced to writing;
(b) be read over to the person;
(c) if the person does not understand English, be interpreted for the person in a language that he or she understands; and
(d) after correction (if necessary), be signed by that person.
(5)  If any person fails to comply with a written notice under subsection (2)(a), the incident response officer may report such failure to a Magistrate who may then issue an order for the person to attend before the Commissioner, at a time and place specified in the order, to answer any question or provide a signed written statement concerning the cybersecurity threat or incident.
(6)  Any person examined under this section or to whom a notice under subsection (2) or an order under subsection (5) is issued is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.
(7)  The person examined under this section or to whom a notice under subsection (2) or an order under subsection (5) is issued, is not treated as being in breach of any contractual obligation mentioned in subsection (6) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of answering any question asked during the examination or complying with the notice or order.
(8)  Any person who —
(a) wilfully misstates or without reasonable excuse refuses to give any information, provide any statement or produce any record, document or copy required of the person by an incident response officer under subsection (2); or
(b) without reasonable excuse, fails to comply with an order issued by a Magistrate under subsection (5),
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.
(9)  In this section and sections 20, 21 and 22, “incident response officer” means the Commissioner, the Deputy Commissioner or any Assistant Commissioner, cybersecurity officer or authorised officer exercising the powers under this section or section 20, as the case may be.