1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’ (jointly referred to as ‘cyber’)? If so, how are they distinguished or defined?
Hong Kong has yet to enact legislation on cybercrime or cybersecurity, and there are no plans to do so in the near future. However, the Personal Data (Privacy) Ordinance (PDPO) (Chapter 486 of the Laws of Hong Kong) was enacted in 1996. As one of the first data protection laws in Asia, the PDPO aims to regulate the collection, use, storage and handling of information capable of identifying living individuals. While the PDPO is sometimes viewed as Hong Kong's cybersecurity law, it is in fact technology neutral and covers personal data presented in any format and form, not just digital content. In particular, the PDPO does not target other data-related cybercrimes, such as data theft and the theft of confidential information or trade secrets.
Against this background, the terms ‘cybersecurity’, ‘cybercrime’ and ‘data protection’ are not expressly defined in any statute. Under common law principles, these terms are subject to the courts’ interpretation or construction. Thus far, the Hong Kong courts have not defined them in any decided case.
In the context of the PDPO, the term ‘data protection’ generally refers to the six key data protection principles which data users must observe under the legislation in relation to the collection, use, storage and handling of personal data in Hong Kong.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
Although Hong Kong has no standalone cybersecurity legislation, cybercrimes are addressed in different laws, including the PDPO (in respect of personal data). For reasons of convenience, the Department of Justice has expanded the scope and application of existing laws to prosecute cybercrimes. The provisions are scattered among different statutes and apply to common computer-related and internet-related criminal acts. Examples include the following.
Unauthorised access to computer by telecommunications: Section 27A of the Telecommunications Ordinance (Chapter 106 of the Laws of Hong Kong) prohibits anyone from knowingly using telecommunications to cause a computer to perform any function in order to obtain unauthorised access to any program or data held on a computer. This provision is usually used to prosecute hacking where telecommunications are used.
Access to computer with criminal or dishonest intent: Section 161 of the Crimes Ordinance (Chapter 200 of the Laws of Hong Kong) prohibits anyone from obtaining access to a computer:
- with the intent to commit an offence;
- with a dishonest intent to deceive;
- with a view to making a dishonest gain, either directly or for another; or
- with a dishonest intent to cause loss to another, whether at the time of obtaining such access or in the future.
The term ‘computer’ is not defined in the Crimes Ordinance. Case law suggests that the term covers smartphones as devices for electronic data storage, processing and retrieval. Alternatively, a ‘computer’ is defined under Section 22A of the Evidence Ordinance as "any device for storing, processing or retrieving information, and any reference to information being derived from other information is a reference to its being derived therefrom by calculation, comparison or any other process"; this may be used as a reference. Since its introduction in the early 1990s, Section 161 has been used as a ‘catch-all’ computer offence, and has often been relied on by prosecutors both for offenders who hacked into computers (whether through a telecommunications system, the Internet or otherwise) and for those who took indecent ‘upskirt’ photos or videos with their smartphones.
However, in April 2019 the Hong Kong Court of Final Appeal ruled that Section 161 should not apply to the use of the offender's own computer or electronic device, unless that use involves accessing a third party's device.
Criminal damage: Section 60 of the Crimes Ordinance stipulates that anyone who, without justification, intentionally or recklessly destroys or damages the property of others will be guilty of an offence. The term ‘property’ includes any program or data held on a computer or on a computer storage medium, regardless of whether it is property of a tangible nature. The phrase ‘destroy or damage any property’ covers any misuse of a computer, such as:
- tampering with a computer;
- altering or erasing a program or data; and
- adding a program or data to the content of a computer or to a computer storage medium.
Burglary: Section 11 of the Theft Ordinance (Chapter 210 of the Laws of Hong Kong) concerns the offence of burglary and applies to cybercrimes only where an element of misuse of a computer is found. A person will be found guilty of burglary if he or she:
- enters a building or part of a building as a trespasser with intent; or
- having entered a building, steals from the building, inflicts grievous bodily harm on or rapes any person in the building, or does unlawful damage to the building or anything therein.
The term ‘does unlawful damage’ to anything in the building includes:
- unlawfully causing a computer in the building to function other than as it has been established; or
- unlawfully altering or erasing a program from, or unlawfully adding a program to, a computer or storage medium in the building.
Fraud: Section 16A of the Theft Ordinance sets out the elements of the offence of fraud. In particular, where a person, by deceit and with intent to defraud, induces another person to commit an act (or to refrain from an act) which results in a benefit for anyone else or in prejudice or a substantial risk of prejudice to another person, this will amount to fraud. Theoretically, someone who uses internet services or software to defraud victims or take advantage of them may be charged with this offence.
Theft: Section 2 of the Theft Ordinance states that a person commits theft if he or she dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and Section 9 makes theft a criminal offence. As the definition of ‘property' includes money and real, personal and intangible property, a person may be found guilty of this offence by stealing intangible property such as digital data or electronic files which belong to others.
Blackmail: Section 23 of the Theft Ordinance stipulates that a person commits blackmail if, with a view to gaining directly or for another (or with intent to cause loss to another), he or she makes any unwarranted demand with menaces. Accordingly, this offence includes the use of ransomware. However, prosecution will be difficult, given that more often than not, the wrongdoer will conceal his or her identity by hiding his or her IP address.
Disclosure of personal data without consent: In relation to personal data, Section 64 of the PDPO makes it an offence to disclose a data subject's personal data without consent with the intent to make a gain or to cause loss to the data subject, or to cause psychological harm to the data subject.
Failure to take all practicable steps to erase personal data: Section 26 of the PDPO criminalises a data user's failure to take all practicable steps to erase personal data held where that data is no longer required for the purpose for which it was used.
Publication of obscene articles online: Apart from the typical cybercrimes listed above, it is also an offence under Section 21 of the Control of Obscene and Indecent Articles Ordinance (Chapter 390 of the Laws of Hong Kong) to publish obscene articles over the Internet to the public or a section thereof.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Given that there are no cyber statutes, the answer is no. However, the PDPO applies to all sectors, whether private or public.
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal data: The PDPO was enacted specifically for the protection of personal data. It sets out six key data protection principles, which cover how data should be collected, used, stored and protected by the data user. However, contravention of any principle is not an offence per se. Upon receiving a complaint or voluntary notification of a breach, the privacy commissioner for personal data may investigate the matter and, where appropriate, serve an enforcement notice on the data user. Failure to comply with the requirements or proposed remedial actions specified in such notice will constitute a criminal offence under Section 50A of the PDPO.
Health data: In relation to health information, the Electronic Health Record Sharing System Ordinance (Chapter 625 of the Laws of Hong Kong), which came into effect on 2 December 2015, may be relevant. The legislation mainly sets out the framework for the operation of the Electronic Health Record Sharing System (known as ‘E-Health’) in Hong Kong. E-Health is a platform that allows healthcare providers across different sectors to access and share patients' health records solely for health-related purposes, subject to prior authorisation by the patient. The ordinance sets out the legal requirements for the protection of the system, data and information.
The offences in relation to the misuse of E-Health under the ordinance include:
- knowingly obtaining unauthorised access to, damaging or modifying data or information contained in E-Health;
- evading a data access request or data correction request by altering, falsifying or destroying the data or information contained therein; and
- using another person's data or information contained therein, or a copy thereof, for direct marketing purposes.
The ordinance only regulates the use, storage and handling of the health data contained in E-Health. Other health-related data (if it falls under the definition of ‘personal data’ in the PDPO) will be subject to the PDPO, which is also applicable to other personal data contained in E-Health.
Financial data: While Hong Kong has no statutory laws governing the use and protection of financial data, the Code of Banking Practice – a non-statutory code issued by the Hong Kong Association of Banks – highlights the importance for banks of having appropriate control and protection mechanisms to protect customers' financial and personal information. Banks are also advised of the importance of adhering to the PDPO in relation to the collection, use, storage and erasure of any customer information.
Moreover, other financial regulators – including the Securities and Futures Commission and the Hong Kong Monetary Authority – have issued various specific guidelines that set out cybersecurity requirements to be adopted by licensees and financial institutions.
The Insurance Authority (IA) has also published its very first guideline on cybersecurity, called GL20. This sets out the minimum cybersecurity requirements that authorised insurers are expected to have in place and general principles that the IA uses to assess the effectiveness of an insurer's cybersecurity framework.
Classified information: The government of Hong Kong has issued a set of Government IT Security Policy and Guidelines to provide references and guidance to government bureaux and departments with regard to the protection of government information systems and data assets, including classified information. The guidelines are for general reference only and are not legally binding. The guidelines can be accessed at www.infosec.gov.hk/english/technical/standards.html.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
No Hong Kong ordinances covering cybersecurity and cybercrimes have extraterritorial reach. They are applicable to foreign individuals or companies to the extent that they have a presence in Hong Kong or have committed the acts under complaint within Hong Kong.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
Hong Kong is not a party to any bilateral or multilateral instruments relating to cyber matters.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
Violation of the following laws may result in the maximum penalties set out below upon conviction.

| Offence | Maximum penalty on conviction |
| --- | --- |
| Section 27A of the Telecommunications Ordinance (unauthorised access to computer by telecommunications) | Fine of HK$25,000 (approximately US$3,200) |
| Section 161 of the Crimes Ordinance (unauthorised access to computer with criminal or dishonest intent) | Five years' imprisonment |
| Section 60 of the Crimes Ordinance (criminal damage) | 10 years' imprisonment |
| Section 64 of the PDPO (unauthorised disclosure of personal data with an intent to gain) | Fine of HK$1 million (approximately US$129,000) and five years' imprisonment |
| Section 26 of the PDPO (failure to erase personal data which is kept longer than necessary) | Fine of HK$10,000 (approximately US$1,290) |
| Section 9 of the Theft Ordinance (theft) | 10 years' imprisonment |
| Section 11 of the Theft Ordinance (burglary) | 14 years' imprisonment |
| Section 23 of the Theft Ordinance (blackmail) | 14 years' imprisonment |
| Section 16A of the Theft Ordinance (fraud) | 14 years' imprisonment |
As discussed, contravention of the data protection principles set out in the PDPO is not an offence in itself. However, if the privacy commissioner issues an enforcement notice to the data user and the data user contravenes such a notice, the data user may be liable under Section 50A of the PDPO to a maximum fine of HK$50,000 (approximately US$6,450) and imprisonment for two years, with a daily penalty of HK$1,000 (approximately US$130). Subsequent convictions can result in a maximum fine of HK$100,000 (approximately US$12,900) and imprisonment for two years, with a daily penalty of HK$2,000 (approximately US$260).
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
The Hong Kong Police Force (HKPF) is the key enforcement authority against cyber-related crimes. In 2015 the Cyber Security and Technology Crime Bureau was formally established (upgraded from the former Technology Crime Division) under the HKPF to prevent and combat technology crimes and tackle cybersecurity incidents. The types of cybercrimes handled by the HKPF include online business fraud, social media deception, unauthorised access to computers, naked chat-related blackmail and many others.
The Office of Government Chief Information Officer and the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) also provide advice to the general public in relation to cybersecurity. Both offices actively disseminate useful and practical information to increase public awareness of cybersecurity risks and educate the public about security measures.
The HKPF's powers in enforcing the laws include the power to:
- search a reasonably suspicious person;
- enter and search private premises, and seize items inside;
- arrest and detain suspects; and
- take statements.
The HKPF also maintains a close relationship with INTERPOL in terms of tackling cybercrime in Asia. It frequently seeks assistance from INTERPOL and provides information to it with a view to combating cybercrimes involving perpetrators located outside Hong Kong.
The privacy commissioner is the dedicated data privacy regulator under the Personal Data (Privacy) Ordinance (PDPO). The privacy commissioner's powers to carry out investigations (Part 8 of the PDPO) include the power to:
- request any information, document or evidence;
- summon any person for examination; and
- conduct hearings.
The privacy commissioner also has the power to inspect the personal data system of a data user or a class of data users for the purpose of making recommendations on how they might improve compliance with the requirements under the PDPO. However, the privacy commissioner may enter a data user's premises without prior written notice only if a warrant has been issued by a magistrate. As mentioned above, the privacy commissioner may investigate complaints or notifications made to him in relation to any suspected breach of the six key data protection principles, and may issue enforcement notices to data users if he sees fit. The privacy commissioner is also empowered under the PDPO to issue codes of practice to advise data users on compliance with the PDPO.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
In practice, most cybercrimes will also give rise to cause(s) of action for civil claims, including breach of contract, breach of confidence, breach of confidentiality, breach of fiduciary duty, deception, misrepresentation, derivative actions and other economic torts.
A limited liability company is considered to be a separate legal entity under Hong Kong law; hence, in most cases the directors and shareholders of a company will not be liable for wrongdoings of the company. However, there are exceptions to this general rule. In particular, in a tortious claim, the directors of a company cannot use the company as a shield if there are grounds to show that the directors are acting as joint tortfeasors or have otherwise conspired to commit the wrongdoings. Depending on the facts of the case, it may be possible to sue not only the company, but also the directors in a civil action.
Common remedies available in civil actions include:
- disclosure of further information about the wrongdoings and parties involved therein;
- specific performance;
- orders for damages or account of profits; and/or
- recovery of legal costs.
2.3 What defences are available to companies in response to governmental or private enforcement?
In terms of personal data protection, the PDPO sets out a number of exemptions from compliance with its requirements. These aim to strike a balance between the protection of personal data and the public interest. The exemptions may exempt data users from complying with all or some of the six data protection principles (DPPs) under the PDPO. For example, data users are exempt from all six DPPs in order to fulfil judicial functions (Section 51A of the PDPO); whereas DPPs 3 (use of data for the original purpose for which it was collected) and 6 (rights to access and correct personal data) do not apply to personal data relating to the data subject's physical or mental health, identity or location.
Moreover, a company or a person charged with an offence under Section 64 of the PDPO may rely on any of the following defences:
- The alleged offender reasonably believed that the disclosure was necessary for prevention or detection of crime;
- The alleged disclosure was made pursuant to an order of a court or the application of law;
- The alleged offender reasonably believed that the data subject has consented to the disclosure; or
- The alleged offender's disclosure relates to a news activity or directly related activity and the alleged offender had reasonable grounds to believe that disclosure was in the interest of the public.
Defences against other statutory offences and civil actions will depend on the facts of the relevant case. However, for most crimes, lack of intent will usually be the key defence adopted by the accused. Moreover, due to the absence of precise definitions of most cybercrime-related terms, it is not uncommon to argue over the interpretation of the wording of the relevant statutes. For example, in one case the Court of Final Appeal agreed with the defence and held, in the context of Section 161 of the Crimes Ordinance, that the term ‘computer’ in the original charge would have meant a device not owned by the perpetrator; hence, the charge of "obtaining access to a computer for criminal or dishonest gain" should not apply to a person's own phone or computer, and the accused – who had used their own computers for dishonest purposes – should be acquitted. The presiding judge said, "as a matter of language, one always ‘obtains’ access to something which one did not have access to before".
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
Section 161 of the Crimes Ordinance has been relied upon in prosecuting various computer-related crimes, including:
- the taking of indecent ‘upskirt’ photos using a smartphone;
- retrieval and dissemination of confidential information stored on a work computer;
- theft of customer information; and
- online fraud.
Section 161 was generally perceived as a ‘catch-all’ provision that criminalises different types of computer-related wrongdoings. However, this perception has changed since April 2019, when the Court of Final Appeal handed down a landmark decision.
The Court of Final Appeal ruled that Section 161 of the Crimes Ordinance does not apply to the use of a person's own computer (including a smartphone). Secretary for Justice v Cheng Ka Yee  HKCFA 9 concerned four primary school teachers who had used their own smartphones to take photographs of the school's admission interview questions and disseminated this information to third parties. Having examined the legislative history, the court held that the legislative intent of this section was to tackle unauthorised access to a third party's computer; by using their own smartphones, the teachers had not ‘obtained access to a computer’ under Section 161.
Given that the Court of Final Appeal has adopted such a narrow construction of Section 161, it remains unclear whether this provision can still be effectively used to prosecute offences related to one's own computer or electronic device(s). As a result, all prosecutions related to this offence have been suspended by the Department of Justice since April 2019.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Data breaches happen from time to time in various industries. In October 2018 Cathay Pacific Airways announced that a data breach involving unauthorised access to the personal data of approximately 9.4 million customers had occurred. The announcement was a belated one, given that the breach had taken place in March 2018. Cathay voluntarily reported the incident to the privacy commissioner by filing a data breach notification. Upon investigation of the incident, Cathay was found to have contravened the data protection principles under the PDPO in relation to data security and retention. An enforcement notice was subsequently issued to Cathay, which was ordered to take the following measures:
- Engage an independent data security expert to overhaul its systems containing personal data;
- Implement effective multi-factor authentication to all remote users for accessing its systems containing personal data and regularly review remote access privileges;
- Conduct effective vulnerability scans at server and application levels;
- Engage an independent data security expert to test the security of its network;
- Devise a clear data retention policy that specifies the retention period(s) of passenger data, which must be no longer than necessary for the fulfilment of the purpose, and implement effective measures to ensure that the policy is carried out; and
- Completely delete all unnecessary Hong Kong identification card numbers collected through its Asia Miles membership programme from all systems.
Cathay's reputation was seriously compromised by the data breach, and Cathay was obliged to incur extra costs to remedy the breach in accordance with the enforcement notice. Trust is hard won but easily lost, and no one should underestimate the impact of data breaches and/or cyber incidents.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
The Insurance Authority has published guidelines on cybersecurity for the insurance industry, known as GL20. GL20 came into force on 1 January 2020 and applies to all authorised insurers that carry out business in and from Hong Kong. It provides an overview of cybersecurity strategy frameworks and sets out the minimum standards for cybersecurity that authorised insurers are expected to put in place, as well as some guiding principles which the Insurance Authority will use in evaluating insurers' cybersecurity frameworks.
Separately, the Hong Kong Monetary Authority (HKMA) and Securities and Futures Commission (SFC) also issue specific guidelines on cybersecurity for authorised institutions, including banks and licensed persons.
In 2016 the HKMA implemented the Cybersecurity Fortification Initiative (CFI) to enhance the cyber-resilience of the Hong Kong banking system. The CFI comprises three main areas: the Cyber-resilience Assessment Framework, the Professional Development Programme and the Cyber Intelligence Sharing Platform. The CFI aims to:
- establish a common risk assessment framework for banks to follow;
- offer training and certifications in cybersecurity; and
- facilitate the sharing of cyber threat intelligence.
In parallel with the CFI's Professional Development Programme, the HKMA has developed a module on cybersecurity under the Enhanced Competency Framework for banking practitioners. The goal is to introduce an industry-wide competency framework for the banking sector that promotes talent development and enhances the professional competencies and capabilities of those working in cybersecurity.
Similarly, the SFC has issued a circular to all licensed corporations that provide internet trading for customers and a set of Guidelines for Reducing and Mitigating Risks associated with Internet Trading, which sets out the minimum standards expected from licensed corporations.
The privacy commissioner has also issued industry-specific guidelines concerning the collection, use and handling of personal data. To date, the privacy commissioner has published guidelines for the banking and finance industry, the beauty industry, the hotel industry, medical practitioners and others. Although these guidelines are not legally binding, they are largely based on the Personal Data (Privacy) Ordinance (PDPO), and compliance with them will effectively mean compliance with the statutory requirements on the handling of personal data. The guidelines and guidance notes are often the first port of call for clarification on the PDPO, as they provide interpretations and applications of some of its key provisions.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
From time to time, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) issues to the general public security guidelines that offer practical recommendations, technical steps and advice on improving the security of various devices, networks and systems. HKCERT also publishes the Hong Kong Security Watch Report on a quarterly basis, to educate the public about compromised computers that have suffered from various kinds of cyberattacks, including web defacement, phishing, malware hosting, and botnet command and control centres or bots. In each report HKCERT provides recommendations on how to prevent or minimise the risk of cyberattacks. HKCERT's website can be accessed at www.hkcert.org/.
The general public may also utilise the Cyber Security Information Portal, which provides practical, easy-to-understand advice and step-by-step guidelines for general users, small and medium-sized enterprises and schools to conduct health checks on computers, mobile devices and websites, as well as tips and techniques to guard against cyberattacks. The government has also established the Information Security (InfoSec) website to serve as a one-stop portal for the general public to access information and resources on information security, along with measures and best practices for the prevention of cybercrime. The InfoSec website can be accessed at www.infosec.gov.hk/english/main.html.
The privacy commissioner also issues guidelines and guidance notes which assist the general public, business owners and other professionals in understanding the legal requirements on the collection, use, storage and handling of personal data.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
Hong Kong law imposes no specific cyber-related duties on corporate officers and directors. However, directors are expected to observe the following general principles in executing their duties:
- act in good faith for the benefit of the company as a whole;
- exercise their powers for proper purposes for the benefit of shareholders;
- not delegate their powers except with proper authorisation and exercise independent judgement;
- exercise care, skill and diligence;
- avoid conflicts of interest;
- not gain advantage from their position as directors;
- not make unauthorised use of the company's property or information; and
- not accept personal benefits from third parties because of their position as directors.
Many of the principles above will in practice encourage directors to deploy suitable measures and plans to ensure that the company is cyber compliant.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
There are no special rules, regulations or guidance on proactive cyber compliance that apply to listed entities. That said, the Guidance for Board and Directors issued by the Stock Exchange of Hong Kong Limited (HKEX) specifically states that corporate governance involves risk identification, and suggests that the board and directors of any listed company should identify potential internal and external risks that may arise in relation to the company's business, including cybersecurity risk. Given the HKEX's view that risk identification and control are the board's responsibility, it appears that the board should have a risk management policy and procedures in place concerning cybersecurity. If the directors fail to discharge their duties and responsibilities, they may be disciplined by the HKEX and may attract civil and/or criminal liability under Hong Kong law or the laws of other jurisdictions.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
There is no legislation specifically addressing this. All such disclosures are made on a voluntary basis.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Before reporting any cyber incidents, one should consider whether the incident constitutes a crime and whether intervention by the Hong Kong Police Force (HKPF) is required. For cybersecurity incidents that do not involve criminal elements, the victim may report the incident on a voluntary basis. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) accepts reports on incidents such as malware, web defacement, phishing, scams, denial-of-service attacks and other information security attacks.
For other cyber incidents that potentially involve a violation of local law, victims should immediately report such incidents to the HKPF. This can be done electronically through the e-report room managed by the HKPF, accessible at www.erc.police.gov.hk/cmiserc/CCC/PolicePublicPage?language=en. Alternatively, it is also possible to engage a local lawyer to report the incident to the HKPF if the victim resides overseas. The Cyber Security and Technology Crime Bureau of the HKPF is responsible for handling cybersecurity issues and investigating technology crimes, conducting computer forensic examinations and preventing technology crime. If the victim resides outside of Hong Kong, it should report to its local police first and obtain a written record of such report to present to the HKPF. Based on our experience, if the victim can demonstrate some evidence of cyber fraud, the HKPF will usually act quickly to freeze the fraudsters' bank accounts in Hong Kong while conducting criminal investigations in the meantime. The victim can then commence follow-up civil actions to recover its monetary loss.
If the cyber incident involves a breach of personal data, the data user is advised to submit a data breach notification to the privacy commissioner. The privacy commissioner may exercise his investigative powers and conduct necessary investigations and/or inspections. If, in the privacy commissioner's opinion, it is in the public interest to disclose the investigation report, the privacy commissioner will publish it on the commissioner's official website. The privacy commissioner may issue an enforcement notice and provide recommendations to the data user. The data user should take the recommended actions accordingly to avoid contravening such notice, as contravention constitutes a criminal offence.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
There are no specific requirements for reporting cyber incidents, except that each responsible department may have its own reporting or notification forms. Examples of reporting forms include the following:
- Notification of a data breach: www.pcpd.org.hk/english/enforcement/data_breach_notification/files/DBN_e.pdf.
- Reporting a cybercrime to the HKPF: www1.erc.police.gov.hk/cmiserc/EGIS-HK-Web_NEW_UI/ereport_details?report=CBR_CRIME&fontSize=100.
- Reporting information security incidents to HKCERT: www.hkcert.org/incident-reporting.
5.3 What steps are companies legally required to take in response to cyber incidents?
Legally speaking, companies are not required to take any specific actions in relation to cyber incidents, unless the cyber incident involves personal data and the privacy commissioner has issued an enforcement notice, which the company must act upon immediately (failure to do so constitutes a crime under the PDPO). Apart from the foregoing, from a practical point of view, most companies should at least carry out the following in response to any cyber incidents.
- Identification: Identify which part of the company's systems is compromised – it may be a remote server storing company information or specific personnel who have failed to follow predefined protocols or procedures. Sometimes, simply disconnecting the company's network and blocking remote access will limit the scale of a data breach or cyberattack. Also, identify who has been affected – for example, business partners, customers or the company itself.
- Assessment: Assess which parts of the company's services or data have been affected. It may be useful to engage professional cybersecurity experts or technical forensic investigators to identify the scope and extent of the incident and contain affected systems, and other relevant experts to review the company's security systems and measures to determine the types of remedial actions required.
- Notification: Notify stakeholders immediately, including the persons affected by the incident, law enforcement authorities (eg, the HKPF, the privacy commissioner or relevant governmental bodies), employees, outsourced IT service providers, insurers and so on.
- Improvement: Seek professional advice to improve security measures – whether physical, administrative, contractual or otherwise – to strengthen the company's systems and modes of work to prevent such incidents from happening again.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
While there are no statutory duties on corporate officers or directors with respect to cyber-incident response, such personnel owe common law fiduciary duties and statutory duties to the company under Section 465 of the Companies Ordinance, which requires a director to exercise the reasonable care, skill and due diligence that would be expected from a reasonably diligent person with the general knowledge, skill and experience that may reasonably be expected of someone carrying out the functions carried out by a director. If the director fails to act in accordance with this standard, he or she may be liable for breach of director's duties.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
This is not legally required, but some companies do – in particular, those that handle sensitive information on a daily basis and/or that heavily rely on technologies in their operation.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Statistically speaking, there was a slight decline in the number of security incidents handled by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) in 2019. In the first 11 months of 2019, HKCERT handled a total of 8,827 security incidents, which represents around 88% of the total for 2018. The main categories of cybersecurity incidents were botnets, followed by phishing and malware. However, the number of denial-of-service attacks increased from 17 cases in 2018 to 25 in 2019.
Separately, the Hong Kong Police Force (HKPF) has also reported that the number of technology crime cases in 2019 declined when compared to 2018. However, the average monetary loss per case increased from HK$350,000 to HK$490,000.
That said, the overall trend is that cybercrime and cyberattacks are increasing with increased technological innovation, the deeper penetration of the Internet and the deployment of advanced technologies at every level.
Despite the high stakes, there appear to be no plans or active discussions in Hong Kong to introduce standalone cybercrime or cybersecurity statutes, as in neighbouring Asian countries.
The government recently indicated its intention to consider possible amendments to the Personal Data (Privacy) Ordinance (PDPO), with a view to strengthening the protection of personal data in Legislative Council Paper CB(2)512/19-20(03), which was issued for consultation on 20 January 2020. The key focuses are:
- a mandatory data breach notification mechanism;
- a mandatory data retention policy specifying the data retention period;
- direct sanctioning powers and an increase in the relevant criminal fine levels;
- the regulation of data processors (currently not regulated);
- the inclusion of information relating to ‘identifiable' natural persons in the definition of ‘personal data'; and
- further regulation of the disclosure of personal data of other data subjects (ie, prohibiting ‘doxing').
The proposals look promising in addressing new challenges to the protection of personal data since the last major amendments were introduced in 2012. However, it usually takes a long time from the consultation stage to bill drafting, deliberation and enactment. Amendments to the PDPO are therefore unlikely to happen in the near future.
From time to time, there are also discussions on whether Section 33 of the PDPO – which prohibits the transfer of personal data outside of Hong Kong without the data subject's consent – should come into force, despite it having been written into the PDPO since its enactment. However, according to the above key focuses raised by the Government's Legislative Council Panel on Constitutional Affairs, it appears that Section 33 of the PDPO will remain not in force in the near future.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
Although high-profile cyberattacks, such as WannaCry (ransomware), have garnered a lot of attention among local companies, these companies have done very little in response. The reasons for this are as follows:
Lack of awareness: Small businesses often do not consider or include cybersecurity on their agenda before starting their businesses or implementing new technologies, as they fail to appreciate the importance or benefits of ‘protection by design'. Companies often do not have sufficient resources (both money and manpower) to optimise their digital systems, and eventually expose themselves to cyberattacks or cyber-related incidents that could have been prevented by implementing appropriate measures and controls from the start. One of the best ways to resolve this is through education. Given that the government has many guidelines, leaflets and information platforms available for public access, the government ought to take more proactive steps in promoting these resources to businesses.
Lack of resources: Unlike big enterprises, small businesses may be unable to allocate sufficient resources to defend themselves against cyberattacks. Given the limited number of professionals and specifically trained experts in Hong Kong, the costs of engaging a professional cybersecurity subcontractor to handle information security of a company can be substantial. In this respect, the government has launched the Technology Voucher Programme, which has been running regularly since February 2019. Each enterprise may receive a government subsidy up to HK$600,000 to support any approved project involving the enhancement of cybersecurity measures by technological means. Further, under this initiative, the Hong Kong Internet Registration Corporation Limited started to provide free website screening services to assist small businesses in identifying potential security vulnerabilities for websites in the ‘.hk' domain.
Lack of mandatory rules: Nothing works better than a more robust legislative framework on cybersecurity and cybercrime. It may also be a good idea to set up a governmental body similar to the Office of the Privacy Commissioner for Personal Data to focus on investigating and handling any cybersecurity incidents in Hong Kong – either upon a complaint filed by the public or through mandatory self-reporting. Principle-based sets of rules would be more acceptable, as there may not be hard-and-fast rules on the different kinds of measures required in different industries and sectors. If criminal activities are involved, this authority could always refer cases to or work together with the Hong Kong Police Force.