(5) If any person fails to comply with a written notice under subsection (2)(a), the incident response officer may report such failure to a Magistrate who may then issue an order for the person to attend before the Commissioner, at a time and place specified in the order, to answer any question or provide a signed statement in writing concerning the cybersecurity threat or incident.
(6) Any person examined under this section or to whom a notice under subsection (2) or an order under subsection (5) is issued is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.
(7) The person examined under this section or to whom a notice under subsection (2) or an order under subsection (5) is issued, is not treated as being in breach of any contractual obligation mentioned in subsection (6) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of answering any question asked during the examination or complying with the notice or order.
(8) Any person who—
- (a) wilfully misstates or without reasonable excuse refuses to give any information, provide any statement or produce any record, document or copy required of the person by an incident response officer under subsection (2); or
- (b) fails, without reasonable excuse, to comply with an order issued by a Magistrate under subsection (5),
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.
(9) In this section and sections 20, 21 and 22, “incident response officer” means the Commissioner, the Deputy Commissioner or any Assistant Commissioner, cybersecurity officer or authorised officer
