Hong Kong: Nothing is certain but death, taxes and cyber attack
Had Benjamin Franklin been writing to Jean-Baptiste Leroy in 2017 rather than 250 years ago, then he would have probably added ‘cyber-attack” to his list of life’s certainties. It is no longer a question of ‘if’ your business will be subjected to a cyber-attack; but a question of ‘when’.
Increasing attacks, increasing regulation
Businesses operate within an increasingly regulated cyber-landscape, although there is good reason for this. Last year, two thirds of UK big businesses were subjected to a cyber-attack. Sony, Yahoo, Bangladesh Bank, Vtech, Oracle; all businesses who worked hard to become some of the leading players in their respective markets, but whose names are now synonymous with cyber-breach. Despite the high profile currently being given in the media to the risk of state sponsored hackers following events such as the alleged interference with the US presidential election, most mid-market-sized companies will face attacks from less sophisticated criminal syndicates or associated hacker groups operating without any nation-state affiliation. With commoditised attack software now available on the dark web for as little as US$150, ever-increasing volumes of attack look set to be the norm for the foreseeable future.
In the APAC region, governments are responding to this threat with increasing regulation. The trend is towards data localisation and mandatory data-breach notification, particularly for businesses involved in critical infrastructure. So what is the position in Hong Kong?
The Hong Kong position
There is no general cyber security law in Hong Kong. Different aspects of cyber-regulation are contained in different ordinances. The key piece of legislation for businesses to be aware of is the Personal Data (Privacy) Ordinance Cap 486 (“PDPO”), Schedule 1 of which lists 6 data protection principles. These principles cover collection, retention, use, security and access to personal data. For the purposes of cyber-security, principle 4 is key. It provides that:
“All practicable steps shall be taken to ensure that personal data … held by a data user are protected against unauthorised or accidental access, processing, erasure, loss or use …”
There is therefore no absolute obligation or universally applicable security standard which a business must adhere to. The obligation is to take “all practicable steps” to protect personal data. What is practicable will vary depending on the nature of the business and the data concerned although some guidance is given in the PDPO.
In the event of a data breach following a cyber-attack, the Hong Kong Privacy Commissioner has powers to investigate and issue an enforcement notice to the data user to remedy any contravention. Failure to comply with an enforcement notice could lead to a fine of HK$50,000 and imprisonment of two years.
However, data breach reporting is not currently mandatory under the general law. This, coupled with the relatively low level of fines (when compared with those that can be imposed by other regulators), has given rise to a tendency amongst Hong Kong companies to downplay the importance of cyber security and adherence to the data protection principles in the PDPO. This is both unfortunate and ill-considered as it overlooks two important factors. First, the risk of civil suit and damages should third parties suffer loss or harm from the data breach. Second, and perhaps more importantly, reputational risk. In the case of a high profile widely-reported breach, loss of faith by the market in the business could cause irreparable harm from which it may never recover. The Hong Kong Privacy Commissioner has issued guidelines on data breach handling and notifications which were updated in December 2016. These can be found here.
Protecting your business
Protection starts and ends with the Board. An organisation can only be protected by the development and implementation of a “from the top down” cyber security culture and protocol. The first step in this process is to conduct an internal audit to identify the key data stored in the business systems. Thereafter, systems need to be developed/updated and protocols drafted to isolate and secure the business-critical data. Training must be given to ensure that all practicable steps are taken to keep this data secure and un-corrupted. This will include development and testing of an incident response plan.
Cyber-attacks on our business are a certainty; potentially irreparable harm to your business from a successful attack need not be. A successful cyber-attack may expose the company to third party liabilities, regulatory sanction and loss of reputation. It may even result in personal liability for directors if they failed to discharge their fiduciary duty to the company and its shareholders.
Just like any criminal, cyber-attackers look for the soft target. Senior management must act now to ensure their business is not the low hanging fruit. Audit the data held by the business, develop and implement protocols to secure and protect it.
In addition, assess your insurance cover. Many traditional policies are not appropriate. Helpfully, there are new cyber-specific policies available in the market which can often be the final piece you need to complete the cyber-security jigsaw to protect your business from this increasing risk.