Concurrently with the rest of the world, online transactions over the internet have become commonplace in Vietnam and continue to expand their reach to all aspects of business. The banking and retail sectors are just two of the major industries that currently rely, at least in part, on remote transactions. This evolution also has a dark side with the development of cybercrime where a victim is fraudulently induced to provide personal or private information that the cybercriminal utilizes to appropriate assets.
In this Insight, Le & Tran explores the recent developments and progression of cybersecurity law and data retention in Vietnam. Further, the regulations are applied to the real world and useful advice is provided to assist you in following the law and protecting the information of your business and your clients/customers.
Existing cyber fraud situation in Vietnam
Along with the development of communication networks and information technology (IT) applications, fraud conducted through the internet has grown substantially, both in quantity and sophistication. Although the authorities and media have repeatedly warned people about these fraudulent actions, the continuous evolution of methods and modus operandi of cybercriminals, combined with intimate knowledge of their victims’ hopes and desires, enables them to scam large sums of money nationwide.
Cyber fraud in the past mainly consisted of scams that targeted people connecting online or establishing friendships, or that requested money transfers from victims in order to receive gifts at customs. In addition, it was common to hack social media accounts or impersonate relatives or acquaintances to ask for money or mobile scratch cards. The fraud that exists nowadays has become much more sophisticated with streamlined and tested “scripts”.
Recently, there has been a significant increase in fraudulent acts through online banking. Online banking has seen a widespread increase in consumer use because of its convenience and speed. However, besides the benefits, online banking is also potentially risky. Some perpetrators committing crimes use various methods to take advantage of loopholes and unsuspecting casual users to perform fraudulent acts which result in the appropriation of the victim’s assets. One of the typical tricks they implement is to steal the one-time password (OTP) used in online banking to obtain the money in the victim’s account.
Fraudsters use online accounts to find online stores or individuals selling goods online. After exchanging information and making an agreement as to price, the subject requests the victims to provide a bank account number in order to transfer the deposit to purchase goods.
Immediately afterwards, the subject notifies the victim that the deposit was transferred to the account provided by the victim and asks the victim to access the sent link. When the victim accesses the link and enters his/her login information, password and OTP, the subject instantly collects all the information of the victim and uses the OTP to transfer money from the victim’s account to another account.
Furthermore, fraudsters have also been known to impersonate bank employees, or employees of banking-related service providers (especially e-wallet services) to request that customers authenticate information to upgrade services or provide information to get promotions. Then, when bank account or e-wallet data is provided, they steal the customer’s account information.
Difficulties in tracking the cyberfraudster
Fraudsters usually utilize false information to create accounts and exchange goods, which makes it extremely difficult to track down the perpetrator as there are too few traces and evidence remaining to track. In addition, cyber fraud is often carried out by a criminal organization or group, who can be anywhere, even abroad. It is practically impossible to trace subjects outside Vietnam’s national borders.
The Cybersecurity Law creates a legal basis for tracing cyber fraud
Before the Cybersecurity Law [1] was promulgated, enterprises providing online services could store data however they wanted to. In addition, the laws of Vietnam were not applicable to foreign enterprises. However, the Cybersecurity Law has now introduced regulations on the storage of information in cyberspace for all enterprises to resolve the difficulties in tracing criminals, especially criminals who fraudulently appropriate assets through the internet.
Under Article 26.3 of the Cybersecurity Law, any domestic or foreign enterprise providing services on telecom networks or the Internet (and other value-added services in Vietnam’s cyberspace that collect, use, analyze or process personal information or service user relationship data, as well as data generated by service users in Vietnam), must store this data in Vietnam for a period of time prescribed by the Government. The law also requires offshore service providers to open branches or representative offices in Vietnam. Accordingly, the regulations on the storage of data and the establishment of branches or representative offices of foreign enterprises in Vietnam are applied to enterprises performing the activities of collecting, using, analyzing and processing personal information, data concerning service user relationships, and data provided by service users in Vietnam.
The Cybersecurity Law specifies three types of data that must be stored in Vietnam:
(i) the personal information of service users; (ii) service user relationship data; and (iii) the data generated by service users in Vietnam.
The requirements of data storage and setting up branches or representative offices in Vietnam have had a great impact on tracking down traces and collecting evidence of online fraudulent appropriation of assets. This is because the personal information of online account users is required to be stored in Vietnam, and Vietnamese governmental authorities can request branches and representative offices of foreign enterprises to provide information as specified by law. Those branches and representative offices cannot refer to the law of the enterprise’s origin to refuse to provide data. The information of the user’s account is open to the investigative agency to track the perpetrators and to obtain the necessary evidence to prosecute the criminal liability of fraudsters.
Additionally, this regulation also benefits businesses themselves since they will be better protected against violations of the law which are conducted in cyberspace. These include the spread of false information about products, services and business reputation; unfair competition; infringement on intellectual property rights and business secrets, and appropriation of property.
Currently, as there is no guidance on the implementation of the Cybersecurity Law, there is also no legal basis for determining what is a “domestic or foreign enterprise providing services on telecom networks and on the Internet and other value-added services in Vietnam’s cyberspace”. Also, it is unclear which types of data are required to be stored, as well as the length of the data storage period. There are also no regulations on sanctions against enterprises violating Article 26.3 mentioned above. Therefore, foreign businesses operating on telecommunications networks and the internet in Vietnam are still confused and do not know how to implement Article 26 of the Law on Cybersecurity.
Article 9 of the Cybersecurity Law stipulates that “Those who violate any provisions of this Law will be liable to disciplinary penalties, administrative penalties or criminal prosecution depending on the nature and severity of the violation and shall pay compensation for any damage caused”. However, as mentioned, the Government has not promulgated any guidance on the implementation of the Cybersecurity Law and the issue of ensuring the security of information in cyberspace as stipulated in Article 26 of Cybersecurity Law. As a result, there are still no administrative penalties imposed on enterprises that violate this regulation.
In order to prevent potential legal risks, all foreign enterprises wishing to provide services on telecom networks and on the Internet and other value-added services in Vietnam’s cyberspace need to set up branches or representative offices in Vietnam. The establishment of a branch or representative office in Vietnam is carried out in accordance with the Commercial Law, Decree 07/2016/ND-CP dated 25/01/2016 of the Government which details the Commercial Law’s regulations on the establishment of representative offices, branches of foreign traders in Vietnam and other relevant regulations.
During their operations, enterprises doing business in this sector need to store the following information in Vietnam: (i) personal information of service users; (ii) service user relationship data; and (iii) data generated by service users in Vietnam. Enterprises can refer to the Draft Decree guiding the Cybersecurity Law to determine specifically which data is required to be stored in Vietnam, including:
- Data on the personal information of service users in Vietnam, which consists of full name, date of birth, birthplace, nationality, occupation, title, residence, contact address, email address, telephone number, ID number, personal identification number, citizen ID number, passport number, social insurance card number, credit card number, health status, medical records, and biometrics.
- Data generated by service users in Vietnam, including friends and groups that users connect with or interact with.
- Data on service user relationships in Vietnam, including information uploaded, synchronized, or imported from devices.
Although the Cybersecurity Law helps track down several crimes of cyber fraud more effectively, when a crime occurs there will still likely be consequences. Even when the fraudsters are tracked down, it does not mean that the entire amount of the appropriated money and damages will be reimbursed. Therefore, to actively prevent cybercrime, individuals or businesses using services on telecom networks and the Internet must raise their vigilance, especially when being asked to provide, exchange or share personal information. It is prudent to keep personal information confidential as well as prevent disclosure of personal information, phone numbers, home addresses, information about bank accounts, OTP or accounts of services on the Internet to any person.
Do not transfer money to anyone or comply with any requests that have not been verified or that lack a specific, clearly written basis from the competent authority. In any case, it is important not to lend or rent personal documents such as ID cards, household books or bank cards. Further, do not sell, lend or lease bank accounts or accept bank transfers or receive money by bank transfer from unknown persons.
Regularly check and update security and privacy features on social networking accounts, email, bank accounts and authenticate information about beneficiary account changes to partners or acquaintances and relatives. Regularly change and ensure password security (combining capital letters, lowercase letters, numbers, and special characters). Be cautious when receiving e-mail. Do not access links or open attachments in an e-mail where the source is uncertain. Open only e-mail messages or download software and/or apps from trusted sources. Take measures to protect connected personal devices, and only access services in cyberspace with powerful security tools and antivirus software. In the event there is a suspicion of fraudulent appropriation of assets, remain calm and promptly notify the nearest police office for guidance.