Introduction

Cyber security has gained increasing attention in recent years and cyber attacks have become more sophisticated and more frequent. Cyber attacks and other data breaches can affect millions of customers and leave them vulnerable to credit card fraud and other fraudulent conduct based on stolen confidential personal information. Companies implicated in data breaches face the compounded risks of:

1. loss of their own valuable business data and intellectual property, and customer information;
2. reputational damage;
3. investigations by regulators and other enforcement agencies, and resultant fines; and
4. complaints and civil claims from customers/ counterparties (including class actions in certain jurisdictions).

In the financial services industry, data breaches also pose risks to the integrity of the financial markets through the theft of confidential financial and customer information with which to place trades or effect monetary transfers.

In light of recent high profile data security breaches, companies that handle and process personal data can expect heightened regulatory scrutiny. In Hong Kong, we envisage enforcement action by the Office of the Privacy Commissioner for Personal Data (the “Privacy Commissioner”) that enforces the statutory personal data protection regime in the Personal Data Privacy Ordinance (the “PDPO”), working with the Hong Kong Police, as well as by the Hong Kong Securities and Futures Commission (the “SFC”), that regulates the securities and futures markets in Hong Kong. The SFC, in particular, has stated on several recent occasions that it intends to use its existing powers to ensure the integrity of licensed persons’ systems and the security of personal data they hold.

This OnPoint highlights recent data breaches, outlines Hong Kong’s regulatory and enforcement framework for data protection, and provides recommendations to data users, including ensuring that they employ controls and techniques suggested by the SFC in its recent Circular and other measures that might reasonably be expected to protect against a data breach.

Putting the law in context – The rise of the data breach

Data breaches, including cyber attacks, are increasing in frequency and severity globally. Six of the top ten data breaches in the United States have occurred since the start of 2013 and the top five all involved more than 100 million records.¹ In Hong Kong, notable data breaches in recent years include:

• In August 2011, Hong Kong’s stock exchange had to halt trading in shares of several well-known companies worth a collective HK$1.5 trillion, after its HKExnews website was hacked using a Denial of Service attack;
• In October 2012, personal data of 3,000 travellers including scanned passport images were stolen on three laptops taken from the high-security immigration control area at Hong Kong’s Chek Lap Kok airport;
• In August 2014, a US-based international bank confirmed that it had discovered a data breach beginning in June 2014 in which hackers used sophisticated tools to transfer large quantities of data from the bank’s computer systems. In the ensuing investigation, it became apparent that the bank’s Hong Kong office was also infected in July 2014 with Trojan horse malware used to steal banking credentials. These attacks happened despite the bank spending US$200 million per year on protection from cyber-attacks;
• Also in August 2014, four of Hong Kong's biggest internet service providers were compromised in an international cyber-attack that also affected 10,000 patients’ health records held by Hong Kong’s Chinese University. The data breaches in Hong Kong were part of a cyber-attack that targeted half a million servers globally, with 14 servers in Hong Kong affected, and one Hong Kong ISP suspecting that end users’ devices may also have been hacked.

Past and future data breaches could result in investigations, civil and criminal liability for the holders of personal data – themselves victims of this increasingly pervasive problem.

Data protection by design – The PDPO and the Privacy Commissioner

Personal data is afforded specific statutory protection in Hong Kong by the PDPO,² enforced by the Privacy Commissioner together with the Hong Kong Police.

The statutory data protection regime

‘Personal data’ includes any data relating directly or indirectly to a living individual (a “data subject”) in an accessible/ processable form that can be used to ascertain the identity of that person directly or indirectly. A company that collects, or controls the collection of, personal data is a “data user” and is required to comply with the six Data Protection Principles (“DPPs”) set out in Schedule 1 to the PDPO.³

DPP 4 (security of personal data) provides that “All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use…”.⁴ The steps required to protect personal data will depend on “the kind of data [held] and the harm that could result [from a data breach]”. The Privacy Commissioner has made clear in guidance issued in 2010⁵ that data users must satisfy the ‘harm test’ by ensuring that security measures taken are “proportionate to the degree of sensitivity of the data and harm that will result from accidental or unauthorized access”. The Privacy Commissioner expects “a higher degree of care” for personal data held by a financial services company, such as financial statements, and “extra care” from companies providing online services such as e-banking “so as to prevent unauthorized or accidental access of data by, for example, computer hackers or unintended users”.

Breach of the DPPs, although not a direct offence under the PDPO, may result in an investigation by the Privacy Commissioner, a public report or enforcement notice and, in the event of a contravention of the enforcement notice, a criminal offence.

Enforcing a breach

Where the Privacy Commissioner has a reasonable suspicion of a potential breach of a requirement under the PDPO, he has discretion to start an investigation.⁶ Where he receives a complaint about a potential breach of the PDPO, he has a prima facie obligation to start an investigation (subject to certain statutory exemptions).⁷ Although there is no obligation on a data user to report a data breach to the PDPO, in 2013 the Privacy Commissioner received 1,792 complaints, of which 169 related to data security.⁸ The Privacy Commissioner became aware of 61 “known data breach incidents” in 2013 (an average of 1.2 per week) through voluntary notifications by data users, or from reports by the media or general public.

In investigating potential breaches of the PDPO, the Privacy Commissioner has the power to enter premises to carry out an inspection either with the owner’s consent or forcibly with a warrant.⁹ Obstructing the Privacy Commissioner in performing his functions under the PDPO, failing to comply with a lawful instruction of the Privacy Commissioner, and knowingly misleading the Privacy Commissioner, constitute criminal offences for which the maximum penalty is six months’ imprisonment and HK$10,000 fine.¹⁰

At the end of his investigation, the Privacy Commissioner can issue recommendations to the data user to promote compliance with the PDPO, issue a public report on the investigation and his recommendations, and/ or serve an enforcement notice on the data user stating that the data user has breached a requirement under the PDPO specifying remedial measures that must be taken before a specified date. A recipient of an enforcement notice has 14 days to lodge an appeal to the Administrative Appeals Board.¹¹

Prosecuting criminal and civil proceedings for breaches of the PDPO

Failure to comply with an enforcement notice is an offence, with a maximum penalty on first conviction of two years’ imprisonment, a fine of HK$50,000 and a daily fine of HK$1,000 for continued contravention. For a second or subsequent conviction, the maximum liability is two years’ imprisonment, a fine of HK$100,000 and a daily fine of HK$2,000 for continued contravention.¹² A data user that complies with an enforcement notice, but intentionally does the same act or makes the same omission, commits an offence (with the same penalties as for a first contravention) without the need for a second investigation and enforcement notice.¹³

The Privacy Commissioner does not himself impose fines or prosecute offences under the PDPO, but can, and does, refer cases to the Hong Kong Police for consideration and prosecution by the Department of Justice. In 2013, the PCPD referred 20 cases to the Police for consideration for prosecution.¹⁴

As for civil liability, the PDPO provides a right for a data subject to bring civil court proceedings for damages (including injury to feelings) suffered as a result of a contravention of the PDPO and/or the DPPs.¹⁵ The Privacy Commissioner has power under the PDPO to assist any person entitled to bring a damages claim by providing advice or assistance, arranging for representation, or providing any other assistance the Privacy Commissioner considers appropriate.¹⁶ In the nine months from the introduction of the legal assistance powers to December 2013, the Privacy Commissioner had received 16 applications for assistance and granted one application.¹⁷

Regulating data breaches in the financial services industry

The SFC has been alert to the issue of IT systems security failings for some time. In March 2010, it issued a circular to all licensed corporations on “information technology management”, in which the SFC reminded licensed persons of their regulatory obligations and suggested certain techniques for ensuring IT systems security.¹⁸ As recent cyber attacks in Asia and globally have targeted banks and other financial services companies, the SFC has made clear that it will be focusing its attention on the security of technology and infrastructure.

On 27 January 2014, the SFC issued a Circular¹⁹ “urg[ing] licensed corporations to review and, where appropriate, enhance their IT security controls and other preventive and detective measures to reduce internet hacking risks and the potential damage arising from an internet attack”. To that end, the SFC has conducted a review of internet trading systems at several financial services companies, focussing on the existing information technology and management controls for internet hacking risks and the potential damage arising from internet attacks.

On 4 June 2014, in a speech highlighting the SFC’s enforcement priorities, James Shipton, Executive Director of the Intermediaries Division, stated that the SFC will place a “focus on technology and electronification risks, trading and market and infrastructure risks and operational risks to firms”, which he called an “important initiative”.²⁰

At the SFC’s recent first supervisory briefing for market intermediaries on 2 September 2014, Mark Steward, Executive Director of the Enforcement Division, reported that Compliance Advice letters sent out in the past year “touched on new areas such as IT-related systems issues”. At the same briefing Stephen Po, Senior Director of Intermediaries Supervision reiterated the SFC’s inspections will continue to focus on three key areas including electronic trading controls such as information security measures.²¹

The SFC has the power to investigate and take action in the event that a licensed person’s systems and controls are inadequate and lead to a data breach or fail to defend against a cyber attack. The powers exist in the broadly-worded general provisions of the Code of Conduct and in specific provisions relating to internet trading.

SFC’s Code of Conduct

The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission applies to all licensed persons and contains broadly applicable provisions that apply to licensed persons subjected to cyber attacks.²²

General Principle 3 of the Code of Conduct provides that “A licensed or registered person should have and employ effectively the resources and procedures which are needed for the proper performance of its business activities”. Paragraph 4.3 of the Code of Conduct provides that licensed persons generally “should have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from financial loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions”.

Paragraph 18.5 of the Code of Conduct also provides specific provision for electronic trading systems. It requires the “integrity of [any] electronic trading system [a licensed person] uses or provides to clients for use… including the system’s reliability, security and capacity”. Schedule 7 to the Code of Conduct provides “additional requirements for licensed or registered persons conducting electronic trading.” Among other provisions of Schedule 7 that are relevant to data security in an electronic trading system, paragraph 1.2.4 requires a licensed person to “employ adequate and appropriate security controls to protect the electronic trading system… from being abused”. Such controls “should at least include:

(a)  reliable techniques to authenticate or validate the identity and authority of the system users to ensure that the access of the use of the system is restricted to persons approved to use the system on a need-to-have basis;

(b)  effective techniques to protect the confidentiality and integrity of information stored in the system and passed between internal and external networks;

(c)  appropriate operating controls to prevent and detect unauthorized intrusion, security breach and security attack; and

(d)  appropriate steps to raise the awareness of system users on the importance of security precautions they need to take in using the system.”

The Code of Conduct contains an express requirement (in paragraph 12.5) that a licensed person must report a breach or suspected breach of the Code of Conduct by it or anyone it employs or appoints to conduct business with clients or other licensed or registered persons.

Cyber attacks that result in data breaches might also indicate a lack of sufficient internal controls in breach of the above provisions of the Code of Conduct. Such breaches can be investigated by the SFC and taken into account in determining whether a person is fit and proper to be or remain licensed.²³ A licensed person that suffers a successful cyber attack may therefore also face the risks associated with an SFC investigation, including significant management time and legal costs, potential censure, fine or loss of license, and reputational harm associated with an adverse regulatory finding.

Data breach prevention and response measures

Given the potential harm from a data breach and the covert and swift nature of cyber attacks, licensed persons should ensure they employ controls and techniques suggested by the SFC in its 27 January 2014 Circular and other measures that might reasonably be expected to protect against a data breach.²⁴ The same techniques and procedures are also highly recommended for other data users that are not licensed by the SFC.

Such measures will include for example appropriate security policies placing strict limits on the use of e-mail and messaging systems, and restricting the use of external storage devices. In light of recent reports on the fundamental flaws in the security of USB devices, licensed persons should consider seriously prohibiting the use of USB devices. Systems policies should also restrict access to files to only those employees who require them and reduce the risks arising from data breaches, for example by limiting the authority of a transfer authorised by internet or telephone. Incident response and escalation policies should also be established to ensure that incidents are handled swiftly, efficiently and at the appropriate level. Users should receive training or periodic reminders of the importance of IT and data security.

Licensed persons should designate at least one qualified individual as an IT and data security officer who is provided with IT security awareness training. That person should have responsibility for maintaining security measures and system integrity, monitoring the licensed person’s systems for unusual activity and keeping apprised of the latest security threats. A licensed person should also consider joining local and international information security associations or cyber threat information sharing groups which circulate ‘actionable threat data’ on security or infrastructure threats.

From a technical perspective, companies should ensure they have in place reasonable security measures such as requiring complex alphanumeric or two stage passwords, employing secure token remote log-in devices, automatically logging out idle users, intrusion prevention and detection systems and/ or subscribing to Distributed Denial of Service attack prevention solutions.

Finally, licensed persons should consider engaging an independent security expert to conduct a mock cyber attack to test the resilience of its systems.

Conclusion

In light of recent high profile data security breaches, companies that handle and process personal data can expect heightened regulatory scrutiny. The Privacy Commissioner, working under the PDPO’s statutory scheme for the protection of personal data and with the Hong Kong Police, has taken enforcement action for breaches of the PDPO. This enforcement action has resulted in public reports on personal data privacy breaches, enforcement notices and prosecutions and convictions. To date, convictions have related to breaches of other provisions of the PDPO such as direct marketing provisions. However, due to the nature of the harm caused by data breaches and the increasing prevalence of cyber attacks, we envisage future prosecutions of data users for failing to comply with enforcement notices or for committing the same acts/ making the same omissions criticised in an enforcement notice. The SFC has also stated on several recent occasions that internet hacking, electronification risks, and information security will be key areas of focus for the financial regulator.

Companies that collect personal data, especially those in the regulated securities and futures markets, will therefore need to invest and take necessary steps to ensure they are sufficiently prepared to defend and respond to increasingly sophisticated cyber attacks. Once a data breach has occurred, companies will need to consider whether to notify the Privacy Commissioner pro-actively. Licensed persons will also need to consider notifying the SFC of any data breach, because of the licensed person’s duty to report a breach of the Code of Conduct and because the SFC may view the breach (and any failure to report it) as an indication the licensed person is not fit and proper to remain licensed.

Essentially, the best way to respond to a data breach is to proactively and conscientiously prepare for it and to ensure that all measures that could reasonably be taken are taken before (not if) the next data breach occurs.