
The latest version of the cybersecurity bill that passed a cabinet hearing on Tuesday was amended to add a requirement for court warrants in cases where the state authority wants to access computer systems to obtain users' personal information.
The bill is expected to pass a National Legislation Assembly reading in February 2019.
Paiboon Amonpinyokeat, a member of the committee that amended the bill, said the law covers only cyber-incidents affecting critical information infrastructure, such as utilities.
Under the law, a National Cybersecurity Commission (NCSC) will be set up, chaired by the prime minister.
The NCSC encompasses three specific subcommittees. The first oversees a national cybersecurity agency (CSA), led by the digital economy and society (DE) minister.
The second oversees national cybersecurity, led by the deputy prime minister for defence.
The third subcommittee, also led by the DE minister, promotes national information technology by offering tax incentives to encourage strong cybersecurity standards and requirements.
It is also expected to establish an industry-specific Information Sharing and Analysis Center (ISAC) for collaboration with international organisations.
The law covers critical information infrastructure in seven groups: finance, transport logistics, energy, healthcare, telecommunications, government services and national security.
Mr Paiboon said the amended version curtails the powers previously granted to the CSA secretary-general. The NCSC will define the national cybersecurity policy, and the NSA will implement those policies.
The NCSC will define the minimum cybersecurity standard requirements for agencies that handle critical information infrastructure.
Each critical information infrastructure agency will need its own cyberteams to comply with the requirements and will be audited by a third party.
In the event that the critical information infrastructure agencies are believed to have been attacked, the NSA will have to ask for a court order before accessing their systems. The law also allows for appeals to deny a search by the authorities.
Mr Paiboon said any person causing a data leak from critical information infrastructure, whether intentionally or not, must be sentenced to jail for 3-7 years.
The draft bill clearly defines five levels of priority for cyber-incidents (emulating standards used in the US), ranging from highest to lowest: emergency, severe, high, medium and low.