
Hong Kong: Cybersecurity

1. GOVERNING TEXTS

1.1. Legislation

There is no specific legislation (sectoral or general) that addresses cybersecurity. There is legislation that deals with privacy protection and computer crimes. For example, the Personal Data (Privacy) Ordinance 1996 as amended in 2021 ('PDPO') deals with personal data and privacy protection and Section 161 of the Crimes Ordinance (Cap.200) 1979 as amended in 2017 ('the Crimes Ordinance') deals with the criminal offence of obtaining access to a computer with a criminal or dishonest intent.

In July 2020, the Law of the People's Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region was promulgated (the 'HKNSL'). Article 22 of the HKNSL provides that it is an offence of subversion if a person organises, plans, commits or participates in attacking or damaging the premises and facilities used by the body of power of the HK Special Administrative Region to perform its duties or functions, rendering it incapable of performing its normal duties and functions. Hence, a cyberattack that rendered the HK Government or major governmental or statutory institutions incapable of performing their normal duties and functions would be a breach of the HKNSL. Such cyberattacks and incidents could also constitute a terrorist activities offence under Article 24 of the HKNSL, which covers, among other things, serious interruption or sabotage of electronic control systems for providing and managing public services such as water, electric power, gas, transport, telecommunications, and the internet. Under the HKNSL and its Implementation Rules, the Hong Kong Police has the power to remove electronic messages that endanger national security from electronic platforms and to seek assistance from network and platform service providers with such removals.

1.2. Regulatory authority

There is no one regulatory authority that deals with cybersecurity. Cybersecurity is dealt with by law enforcement agencies, regulators, government departments, and statutory bodies.

The relevant law enforcement agency is the Police and, in particular, its Cyber Security and Technology Crime Bureau, which deals with cybercrime matters, public education, and awareness of cybersecurity. Cybersecurity issues that relate to national security are dealt with by the National Security Department of the Police. Specific industry regulators take the monitoring initiative with respect to cybersecurity. For example, the Hong Kong Monetary Authority ('HKMA'), which is the regulator for the banking industry, launched the 'Cybersecurity Fortification Initiative' ('CFI') for the banking sector in 2016. On 3 November 2020, the HKMA launched CFI 2.0, which came into effect on 1 January 2021.

The CFI provides a Cyber Resilience Assessment Framework for banks to assess their own risk profiles, a Professional Development Programme to train and certify cybersecurity professionals, and a Cyber Intelligence Sharing Platform ('CISP') for sharing cyber threat intelligence among banks. With CFI 2.0, the HKMA enhanced the CFI to reflect the latest trends in technology, incorporate recent developments in global cyber practices, and improve the user-friendliness of the CISP. The Securities and Futures Commission ('SFC') has a supervisory role in terms of cybersecurity over, among other entities, securities brokers that offer internet trading, through the implementation of the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading ('the Cybersecurity Guidelines'). The SFC published a report on 23 September 2020 after a review of selected internet brokers that provide online trading services on desktop, mobile, or designated website platforms, with a focus on cybersecurity issues and vulnerabilities associated with mobile trading applications. The review highlighted deficiencies and instances of non-compliance in areas such as two-factor authentication, data encryption, session timeout, and monitoring and surveillance to identify suspicious unauthorised transactions.

For personal data privacy, the regulator is the Office of the Privacy Commissioner for Personal Data ('PCPD') which enforces the PDPO. On 8 October 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 ('Amendment Ordinance') came into effect to more effectively combat doxxing acts that are intrusive to personal data privacy. The PCPD was empowered under the Amendment Ordinance to, among other things, carry out criminal investigations and institute prosecutions.

The Hong Kong Computer Emergency Response Team Coordination Centre ('HKCERT') under the statutory body of the Hong Kong Productivity Council is the centre for the coordination of computer security incident responses for SMEs and internet users.

For Government departments, cybersecurity is dealt with by the Office of the Government Chief Information Officer ('OGCIO'), which is under the Innovation and Technology Bureau of the Hong Kong Government.

1.3. Regulatory authority guidance

The HKMA issued its Enhanced Competency Framework on Cybersecurity 2016, updated in 2019 ('ECF-C') as part of the CFI for banks. The ECF-C aims to develop a sustainable talent pool of cybersecurity practitioners for the workforce demand in the banking sector and to raise and maintain the professional competence of cybersecurity practitioners in the banking industry.

Under the Electronic Health Record Sharing System ('EHRSS'), electronic health records can be shared between public and private healthcare practitioners. The EHRSS is overseen by the Commissioner for the Electronic Health Record ('EHRC'). The EHRC issues policies, guidelines, and procedures that cover privacy and cybersecurity on the sharing of electronic healthcare data via the EHRSS.

The SFC issued the Cybersecurity Guidelines that require all licensed or registered persons engaged in internet trading to implement 20 baseline requirements to enhance their cybersecurity resilience and to reduce and mitigate hacking risks.

2. SCOPE OF APPLICATION

The PDPO applies to living individuals and the Crimes Ordinance applies to persons including individuals and corporations. The HKNSL applies to both individuals and corporations.

In the context of cybersecurity, the PDPO and the Crimes Ordinance apply in Hong Kong and do not have extraterritorial application. The HKNSL has extraterritorial application: it applies to offences committed against Hong Kong from outside Hong Kong.

Under the Telecommunication Ordinance (Cap 106) ('the Telecommunication Ordinance'), Sections 24 to 28 impose different criminal offences that relate to the disruption or interference of messages with respect to telecommunications services.

3. DEFINITIONS

Information security program: There is no explicit definition for an information security program under the laws.

Database: There is no explicit definition for a database under the laws.

Cybersecurity incident: There is no explicit definition for a cybersecurity incident under the laws.

Cybersecurity / information security officer: There is no explicit definition for a cybersecurity / information security officer.

Definitions under the Telecommunication Ordinance include:

  • Telecommunications services: A service for the carrying of communication by means of guided or unguided electromagnetic energy or both.
  • Telecommunication systems: Any telecommunications installation, or series of installations, for the carrying of communication by means of guided or unguided electromagnetic energy or both.
  • Telecommunications: Any transmission, emission, or reception of communication by means of guided or unguided electromagnetic energy or both, other than any transmission or emission intended to be received or perceived directly by the human eye.

Section 27A of the Telecommunication Ordinance is aimed at 'hackers' and makes it a criminal offence for anyone to use a telecommunications system to knowingly cause a computer to perform any function to obtain unauthorised access to any program or data held in a computer.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

There is generally no obligation to have technical or organisational measures to manage risk in place. However, for regulated industries such as banking, and for licensed corporations such as securities brokers that offer internet trading, the regulators (the HKMA and the SFC) have issued guidelines that include the implementation of technical and organisational measures to manage and mitigate risks. Failure to comply with the guidelines or relevant codes of practice might result in disciplinary action and create an adverse impression of the regulated party that might affect the party's application for, or renewal of, any licences issued by the regulators.

4.1. Cybersecurity training and awareness

The HKMA's CFI provides for a Professional Development Programme ('PDP'), a localised certification scheme and training programme for cybersecurity professionals developed by the HKMA in collaboration with the Hong Kong Institute of Bankers and the Hong Kong Applied Science and Technology Research Institute. The PDP trains and nurtures cybersecurity practitioners in the banking and information technology industries, and enhances their cybersecurity awareness and their technical capabilities for conducting cyber resilience assessments and simulation testing. Under CFI 2.0, which came into effect in January 2021, the PDP certification list has been expanded to include equivalent qualifications in major overseas jurisdictions.

4.2. Cybersecurity risk assessments

Please refer to section 1.2 above. Under the CFI, a Cyber Resilience Assessment Framework ('C-RAF') is set up for banks. The C-RAF is a risk-based framework for banks and other financial institutions regulated by the HKMA to assess their own risk profiles and benchmark the level of defence and resilience that would be required to accord appropriate protection against cyber attacks.

4.3. Vendor management

There are no specific requirements with respect to vendors' cybersecurity.

4.4. Accountability/record keeping

There are no specific requirements for keeping records of processing activity. However, the Privacy Commissioner has issued the Guidance on Personal Data Erasure and Anonymisation ('the Guidance') and recommended that an erasure record be maintained as evidence that the company's policy on the erasure of collected personal data has been complied with. According to the Guidance, such a record should document which set of personal data has been deleted or destroyed, when, by whom, and by what method. On 20 January 2020, the Government issued a discussion paper for the review of the PDPO ('LegCo Review'). The paper proposed that data processors should be directly regulated, or required to observe certain specific requirements (e.g. in relation to data retention, erasure, and security). As of now, the review is ongoing.

There is no requirement for privacy by design and default but the Privacy Commissioner’s office advocates the adoption of this idea in matters such as the development of software and apps.

Under s.12 of the PDPO, the Privacy Commissioner may approve and issue codes of practice for the purpose of providing practical guidance in respect of any requirements under the PDPO imposed on data users. Regulators such as the SFC and HKMA may also issue codes of conduct that cover cybersecurity. Please refer to paragraphs 1.2 and 1.3 above.

5. DATA SECURITY

The SFC has issued guidelines for reducing and mitigating hacking risks associated with internet trading, which set out 20 baseline cybersecurity requirements for SFC-registered or licensed entities engaging in internet trading (banks also need to refer to the guidelines if they offer internet trading services). The requirements cover:

  • two-factor authentication;
  • implementation of monitoring and surveillance mechanisms;
  • prompt notification to clients;
  • data encryption;
  • protection of client login passwords;
  • stringent password policies and session timeout controls;
  • deployment of a secure network infrastructure;
  • user access management;
  • security controls over remote connection;
  • patch management;
  • end-point protection;
  • unauthorised installation of hardware and software;
  • physical security;
  • system and data backup;
  • contingency planning for cybersecurity scenarios;
  • third-party service providers;
  • cybersecurity management and supervision;
  • cybersecurity incident reporting;
  • cybersecurity awareness training for internal system users; and
  • cybersecurity alerts and reminders to clients.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

There is generally no obligation to notify a regulatory authority of a cybersecurity incident, as there is no central cybersecurity authority for that purpose. However, for some regulated industries such as insurance, the Insurance Authority has issued a guideline on cybersecurity that requires insurance companies to inform the Insurance Authority of a cybersecurity incident, with the related information, as soon as practicable and in any event no later than 72 hours from detection.

In addition, there is no mandatory requirement to report a cybersecurity incident, but if the incident involves a personal data leakage, the PCPD advises data users to report the matter to the regulator and to the affected victims within a reasonable time. In 2020, the HK Government and the PCPD proposed to introduce a mandatory data breach notification mechanism.

For regulated industries, the regulators such as the HKMA and the SFC also set out in guidelines, codes, and practice manuals that companies should report the cybersecurity incident to the regulators and affected customers in a timely manner.

If the company is a publicly listed company and the cybersecurity incident amounts to something that might materially affect the price of the listed shares if such information is disclosed to the general investing public, then under the Listing Rules that are supervised by the Hong Kong Stock Exchange, the listed company might need to make a public announcement to disclose and notify the general investing public about the cybersecurity incident.

7. REGISTRATION WITH AUTHORITY

Not applicable.

8. APPOINTMENT OF A SECURITY OFFICER

Not applicable.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services

In November 2019, the SFC introduced its Position Paper on the Regulation of Virtual Asset Trading Platforms, which outlines its regulatory approach in this area. Platforms that operate in Hong Kong and offer trading of at least one security token (virtual assets that fall within the definition of 'securities' under the Securities and Futures Ordinance) may apply to be licensed by the SFC.

Under the licensing regime, the SFC expects any virtual asset trading platform seeking a licence to adopt an operational structure and use technology that ensure it can offer client protection equivalent to that of traditional financial institutions in the securities sector. The SFC will require a platform operator to establish and implement written internal policies and governance procedures to ensure compliance with requirements concerning the custody of client virtual assets. The SFC recognises that virtual assets kept in a 'hot wallet' (where the private keys to the virtual assets are kept online) are vulnerable to external threats such as hacking and social engineering (for example, phishing), and will require a platform operator to ensure that it stores 98% of client virtual assets in cold wallets and limits its holdings of client virtual assets in hot wallets to not more than 2%.

A firm which operates a centralised virtual asset trading platform in Hong Kong and intends to offer trading of at least one security token on this platform may apply for a licence from the SFC for Types 1 and 7 regulated activities. A virtual asset trading platform operator, upon becoming licensed, will be placed in the SFC Regulatory Sandbox.

On 3 November 2020, the HK Government issued a public consultation paper proposing a new licensing regime ('the Proposal') for virtual asset service providers ('VASPs') in Hong Kong. Under the Proposal, any person seeking to conduct the regulated business of a virtual asset trading platform in Hong Kong must apply for a licence from the SFC and satisfy the fit-and-proper test. Licensed VASPs will be subject to the anti-money laundering and counter-terrorist financing requirements under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615).

Health

With the digital transformation of the healthcare industry, there is ever more personal data and health data collected and processed in relation to eHealth, Big Data enabled diagnosis, and the Internet of Medical Things ('IoMT') with data from connected wearables on users and patients.

An electronic health record ('EHR') refers to a record in electronic format containing health-related data of an individual (not confined to medical treatment for illness), stored and retrieved by different healthcare providers including doctors and other healthcare professionals for healthcare-related purposes. Its collection, processing, and sharing under the EHRSS is monitored by the EHRC (see paragraph 1.3 above). For regulating the collection and use of EHR, the Electronic Health Record Sharing System Ordinance (Cap.625) provides the legal basis for the collection, sharing, use, and safe keeping of patients' health data under the EHRSS. An EHR amounts to personal data and is protected under the PDPO.

Access to EHRs by healthcare providers and professionals must be on a 'need-to-know' basis. Healthcare providers shall take all reasonably practicable steps to protect the personal data in the EHRSS. If there is a data breach of the EHRSS, healthcare providers should notify the EHRC and the PCPD as soon as possible.

Telecommunications

Not applicable.

Employment

The PCPD has issued an information leaflet on Bring Your Own Device ('BYOD') practices, which relate to allowing employees to use their own mobile devices to access the employer's information. The PCPD suggests that companies should establish administrative, physical, and technical measures to ensure that the company's data, including the personal data it holds, is protected, and should reinforce these measures through written policies, notifications, and training.

The OGCIO suggests that, as a matter of IT security, proper security training and updates on IT security policy should be provided regularly to all staff, including users, developers, system administrators, and security administrators, in order to strengthen their awareness of information security. Management should establish clear policies and supporting procedures regarding the use of information systems, setting out clearly the allowed and disallowed actions on those systems. Staff shall be formally notified of their authorisation to access an information system as well as their responsibilities and duties in respect of it, including their duties of confidentiality with respect to data during and after termination or change of employment.

Education

The Education Bureau ('EB') issued its Information Security in Schools - Recommended Practice (September 2019) for protecting schools' information and IT assets when implementing e-learning. The EB also arranges seminars in primary and secondary schools to enhance their awareness of cybersecurity, the importance of regular vulnerability assessment in schools, information security management, and incident handling. During the COVID-19 pandemic, the EB also instructed schools to refer to the security measures for using the virtual meeting software 'Zoom' issued by government departments and organisations such as the Police, the PCPD, and HKCERT.

Insurance

The Insurance Authority ('IA') issued a guideline on cybersecurity that took effect from 1 January 2020 setting out the minimum standard for cybersecurity that authorised insurers are expected to have in place and the general guiding principles which the IA uses in assessing the effectiveness of an insurer’s cybersecurity framework.

According to paragraph 8 of the guideline on response and recovery, insurers should develop a cybersecurity incident response plan. If there is a cybersecurity incident, insurers should assess the nature, scope and impact of the incident and take all immediate practicable steps to contain the incident and mitigate its impact. Upon the detection of a relevant incident, the insurer should report the incident with the related information to the IA as soon as practicable, and in any event no later than 72 hours from detection.

10. PENALTIES

For the offence of unauthorised access to a computer by telecommunications under Section 27A of the Telecommunication Ordinance, the maximum penalty is a fine of HKD 25,000 (approx. €2,900). For the offence of access to a computer with a criminal or dishonest intent under Section 161 of the Crimes Ordinance, the maximum penalty is imprisonment for five years. A cybersecurity incident that involves the disclosure of a data subject's personal data without the data user's consent, with an intent to obtain a gain in money or to cause loss in money, is a breach of Section 64 of the PDPO, for which the maximum penalty is a fine of HKD 1,000,000 (approx. €116,050) and imprisonment for five years.

A breach of Article 22 of the HKNSL is an offence. The maximum sentence is life imprisonment or fixed-term imprisonment of more than 10 years for those who are principal offenders or where the crime was serious; for those who participated actively, the sentence is imprisonment for more than 3 years but not more than 10 years.

A breach of Article 24 of the HKNSL is an offence. If the crime caused serious injury, death, or serious losses to public or private property, the maximum sentence is life imprisonment or more than 10 years of imprisonment; otherwise, the sentence is not less than 3 years of imprisonment and not more than 10 years.

Article 31 of the HKNSL provides that if a legal person or unincorporated organisation, such as a company or group, commits an HKNSL offence, a fine shall be imposed on the organisation. The Court may also consider ordering the suspension of the entity's operations or revoking its licence or business licence.

Article 32 of the HKNSL provides that the illegal gains obtained from the commission of HKNSL offences, such as proceeds, remuneration, and funds, as well as the tools used, shall be recovered and confiscated. A person convicted of an HKNSL offence might also be disqualified from holding public or elected office.

11. OTHER AREAS OF INTEREST

In 2018, Cathay Pacific Airways Limited disclosed a cyberattack and data breach incident that exposed the personal details of some 9.4 million customers globally. In Hong Kong, the PCPD completed an investigation into the data breach incident and found that Cathay Pacific had breached the Data Protection Principles ('DPPs') of the PDPO, and issued an enforcement notice requiring Cathay Pacific to remediate and implement improvement measures for personal data privacy protection. Under the HK legal regime, a breach of the DPPs per se is not a criminal offence, and the PCPD is not empowered to impose any fine under the PDPO.

The same incident involved the personal data of 111,578 UK customers. The UK Information Commissioner's Office investigated the matter, found that Cathay Pacific had breached UK data protection law, and imposed the maximum financial penalty of GBP 500,000 (approx. €603,120).

This shows that the same cybersecurity incident could be investigated by multiple regulators and a company could face multiple fines across the world.

In terms of doxxing (the unauthorised dissemination of personal data and private information collected from the internet with a malicious intention to hurt the data subject and the data subject's family members), the Police and the PCPD have used the PDPO, as well as interim injunctions in civil claims, to prosecute doxxing perpetrators and to stop the leakage and dissemination of personal data.

Dominic Wai Partner
ONC Lawyers, Hong Kong