Reproduced with permission from World Securities Law Report, 11/14/2014. Copyright © 2014 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
VOLUME 20, NUMBER 11 >>> NOVEMBER 2014
Hong Kong: Data Privacy and Cybersecurity in the Financial Services Industry
By Kareena Teh, Jonathan Crompton and Fabian Roday, in Dechert LLP’s Hong Kong office.
Cybersecurity has gained increasing attention in recent
years and cyber attacks have become more sophisticated and more frequent. Cyber attacks and other data
breaches can affect millions of customers and leave
them vulnerable to credit card fraud and other fraudulent conduct based on stolen confidential personal information.
Companies implicated in data breaches face the compounded risks of:
• loss of their own valuable business data and intellectual property, and customer information;
• reputational damage;
• investigations by regulators and other enforcement agencies, and resultant fines; and
• complaints and civil claims from customers/counterparties (including class actions in certain jurisdictions).
In the financial services industry, data breaches also
pose risks to the integrity of the financial markets
through the theft of confidential financial and customer information with which to place trades or effect
monetary transfers.
In light of recent high profile data security breaches,
companies that handle and process personal data can
expect heightened regulatory scrutiny.
In Hong Kong, enforcement action can be taken by
the Office of the Privacy Commissioner for Personal
Data (the ‘‘Privacy Commissioner’’), which enforces
the statutory personal data protection regime in the
Personal Data (Privacy) Ordinance (the ‘‘PDPO’’),
working with the Hong Kong Police, as well as by the
Hong Kong Securities and Futures Commission (the
‘‘SFC’’), which regulates the securities and futures markets in Hong Kong. The Privacy Commissioner recently issued guidance on the handling of personal
data in the banking industry, citing the growth of complaints relating to the banking industry from 212 cases
in 2011-2012 to 373 cases in 2013-2014 as the impetus
for the guidance. The SFC has also stated on several recent occasions that it intends to use its existing powers
to ensure the integrity of licensed persons’ systems and
the security of personal data they hold.
This article highlights recent data breaches in Hong
Kong, outlines the regulatory and enforcement framework for data protection, and provides recommendations to data users, including ensuring that they employ controls and techniques suggested by the SFC in a
recent circular, and other measures that might reasonably be expected to protect against a data breach.
Putting the Law in Context: The Rise of the Data Breach
Data breaches, including cyber attacks, are increasing in
frequency and severity globally. Six of the top 10 data
breaches in the United States have occurred since the
start of 2013 and the top five all involved more than 100
million records.1
In Hong Kong, notable data breaches in recent years include the following:
• In August 2011, Hong Kong’s stock exchange had to halt trading in shares of several well-known companies worth a collective HK$1.5 trillion (U.S.$193.5 billion), after its HKExnews website was hacked using a denial of service attack;
• In October 2012, personal data of 3,000 travellers, including scanned passport images, were stolen on three laptops taken from the high security immigration control area at Hong Kong’s Chek Lap Kok airport;
• In August 2014, a U.S.-based international bank confirmed that it had discovered a data breach beginning in June 2014 in which hackers used sophisticated tools to transfer large quantities of data from the bank’s computer systems. In the ensuing investigation, it became apparent that the bank’s Hong Kong office was also infected in July 2014 with Trojan Horse malware used to steal banking credentials. These attacks happened despite the bank spending U.S.$200 million per year on protection from cyber attacks; and
• Also in August 2014, four of Hong Kong’s biggest Internet service providers (‘‘ISPs’’) were compromised in an international cyber attack that also affected 10,000 patients’ health records held by Hong Kong’s Chinese University. The data breaches in Hong Kong were part of a cyber attack that targeted half a million servers globally, with 14 servers in Hong Kong affected, and one Hong Kong ISP suspecting that end users’ devices may also have been hacked.
Past and future data breaches could result in investigations and civil and criminal liability for the holders of
personal data — themselves victims of this increasingly
pervasive problem.
Data Protection by Design: The PDPO and the Privacy Commissioner
Personal data is afforded specific statutory protection in
Hong Kong by the PDPO,2 enforced by the Privacy
Commissioner together with the Hong Kong Police.
The Statutory Data Protection Regime
‘‘Personal data’’ includes any data relating directly or indirectly to a living individual (a ‘‘data subject’’) in an
accessible/processable form that can be used to ascertain the identity of that person directly or indirectly. A
company that collects, or controls the collection of, personal data is a ‘‘data user’’ and is required to comply
with the six Data Protection Principles (‘‘DPPs’’) set out
in Schedule 1 to the PDPO.3
DPP 4 (security of personal data) provides that ‘‘All
practicable steps shall be taken to ensure that personal
data (including data in a form in which access to or processing of the data is not practicable) held by a data user
are protected against unauthorized or accidental access,
processing, erasure, loss or use . . .’’.4 The steps required to protect personal data will depend on ‘‘the
kind of data [held] and the harm that could result
[from a data breach]’’.
The Privacy Commissioner made clear in guidance issued in 2010⁵ that data users must satisfy the ‘‘harm test’’ by ensuring that security measures taken are ‘‘proportionate to the degree of sensitivity of the data and harm that will result from accidental or unauthorized access’’.
The Privacy Commissioner expects ‘‘a higher degree of
care’’ for personal data held by a financial services company, such as financial statements, and ‘‘extra care’’ from
companies providing online services, such as e-banking,
‘‘so as to prevent unauthorized or accidental access of
data by, for example, computer hackers or unintended
users’’.
Breach of the DPPs, although not a direct offence under the PDPO, may result in an investigation by the Privacy Commissioner, a public report or enforcement notice and, in the event of a contravention of the enforcement notice, a criminal offence.
Enforcing a Breach
Where the Privacy Commissioner has a reasonable suspicion of a potential breach of a requirement under the
PDPO, he has discretion to start an investigation.6
Where he receives a complaint about a potential breach
of the PDPO, he has a prima facie obligation to start an
investigation (subject to certain statutory exemptions).7
Although there is no obligation on a data user to report
a data breach to the PDPO, in 2013 the Privacy Commissioner received 1,792 complaints, of which 169 related
to data security.8 The Privacy Commissioner became
aware of 61 ‘‘known data breach incidents’’ in 2013 (an
average of 1.2 per week) through voluntary notifications
by data users, or from reports by the media or the general public.
In investigating potential breaches of the PDPO, the Privacy Commissioner has the power to enter premises to
carry out an inspection either with the owner’s consent
or forcibly with a warrant.9 Obstructing the Privacy
Commissioner in performing his functions under the
PDPO, failing to comply with a lawful instruction of the
Privacy Commissioner, and knowingly misleading the
Privacy Commissioner constitute criminal offences for
which the maximum penalty is six months’ imprisonment and a HK$10,000 (U.S.$1,290) fine.10
At the end of his investigation, the Privacy Commissioner can issue recommendations to the data user to
promote compliance with the PDPO, issue a public report on the investigation and his recommendations,
and/or serve an enforcement notice on the data user
stating that the data user has breached a requirement
under the PDPO and specifying remedial measures that
must be taken before a specified date. A recipient of an
enforcement notice has 14 days to lodge an appeal to
the Administrative Appeals Board.11
Prosecuting Criminal and Civil Proceedings for Breaches of the PDPO
Failure to comply with an enforcement notice is an offence, with a maximum penalty on first conviction of
two years’ imprisonment, a fine of HK$50,000
(U.S.$6,449) and a daily fine of HK$1,000 (U.S.$129)
for continued contravention. For a second or subsequent conviction, the maximum liability is two years’ imprisonment, a fine of HK$100,000 (U.S.$12,898) and a
daily fine of HK$2,000 (U.S.$258) for continued contravention.12 A data user that complies with an enforcement notice, but intentionally does the same act or
makes the same omission, commits an offence (with the
same penalties as for a first contravention) without the
need for a second investigation and enforcement notice.13
The Privacy Commissioner does not himself impose
fines or prosecute offences under the PDPO, but can,
and does, refer cases to the Hong Kong Police for consideration and prosecution by the Department of Justice. In 2013, the Privacy Commissioner referred 20
cases to the Police for consideration for prosecution.14
As for civil liability, the PDPO provides a right for a data
subject to bring civil court proceedings for damages (including injury to feelings) suffered as a result of a contravention of the PDPO and/or the DPPs.15 The Privacy
Commissioner has power under the PDPO to assist any
person entitled to bring a damages claim by providing
advice or assistance, arranging for representation, or
providing any other assistance the Privacy Commissioner
considers appropriate.16 In the nine months from the
introduction of the legal assistance powers to December
2013, the Privacy Commissioner received 16 applications
for assistance and granted one application.17
Regulating Data Breaches in the Financial Services Industry
In order to promote the security of personal data collected from banking customers, the Privacy Commissioner issued a guidance note on October 6, 2014, titled
‘‘Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry’’ (the ‘‘Guidance
Note’’)18 (see report in this issue). The Guidance Note
clarifies the application of the PDPO and the DPPs to
various situations in which banks handle personal data.
The Guidance Note also deals with the collection and security of personal data during e-banking transactions. In
that context, the Guidance Note highlights the inherent
security risks of transactions in an Internet environment
and refers to another guidance note issued by the Privacy Commissioner in April 2014 (‘‘Guidance for Data
Users on the Collection and Use of Personal Data
through the Internet’’)19 that provides guidelines for,
inter alia, the safe storage of personal data on the Internet.
In a statement issued alongside the Guidance Note, the
Privacy Commissioner urged all banks and other financial institutions to make good use of the Guidance Note
in ensuring compliance with the PDPO in handling customers’ personal data.20
In addition to the recent focus on the banking industry
by the Privacy Commissioner, the SFC has been alert to
the issue of information technology (‘‘IT’’) systems security failings for some time. In March 2010, it issued a circular to all licensed corporations on ‘‘information technology management’’, in which the SFC reminded licensed persons of their regulatory obligations and
suggested certain techniques for ensuring IT systems security.21 As recent cyber attacks in Asia and globally
have targeted banks and other financial services companies, the SFC has made clear that it will be focusing its
attention on the security of technology and infrastructure.
On January 27, 2014, the SFC issued a circular²²
‘‘urg[ing] licensed corporations to review and, where appropriate, enhance their IT security controls and other
preventive and detective measures to reduce internet
hacking risks and the potential damage arising from an
internet attack’’. To that end, the SFC has conducted a
review of Internet trading systems at several financial services companies, focussing on the existing IT and management controls for Internet hacking risks and the potential damage arising from Internet attacks.
On June 4, 2014, in a speech highlighting the SFC’s enforcement priorities, James Shipton, Executive Director
of the Intermediaries Division, stated that the SFC will
place a ‘‘focus on technology and electronification risks,
trading and market and infrastructure risks and operational risks to firms’’, which he called an ‘‘important initiative’’.23
At the SFC’s first supervisory briefing for market intermediaries, on September 2, 2014, Mark Steward, Executive Director of the Enforcement Division, reported that
Compliance Advice letters sent out in the past year
‘‘touched on new areas such as IT-related systems issues’’. At the same briefing, Stephen Po, Senior Director
of Intermediaries Supervision, reiterated that the SFC’s
inspections will continue to focus on three key areas, including electronic trading controls such as information
security measures.24
The SFC has the power to investigate and take action in
the event that a licensed person’s systems and controls
are inadequate and lead to a data breach or fail to defend against a cyber attack. The powers exist in the
broadly worded general provisions of the SFC’s Code of
Conduct for Persons Licensed by or Registered with the
Securities and Futures Commission and in specific provisions relating to Internet trading.
SFC’s Code of Conduct
The SFC’s Code of Conduct for Persons Licensed by or
Registered with the Securities and Futures Commission
(the ‘‘Code of Conduct’’) applies to all licensed persons
and contains broadly applicable provisions that apply to
licensed persons subjected to cyber attacks.25
General Principle 3 of the Code of Conduct provides
that ‘‘A licensed or registered person should have and
employ effectively the resources and procedures which
are needed for the proper performance of its business
activities’’.
Paragraph 4.3 of the Code of Conduct provides that a licensed person ‘‘should have internal control procedures
and financial and operational capabilities which can be
reasonably expected to protect its operations, its clients
and other licensed or registered persons from financial
loss arising from theft, fraud and other dishonest acts,
professional misconduct or omissions’’.
Paragraph 18.5 of the Code of Conduct also provides
specific provision for electronic trading systems. It requires the ‘‘integrity of [any] electronic trading system
[a licensed person] uses or provides to clients for use . . .
including the system’s reliability, security and capacity’’.
Schedule 7 to the Code of Conduct provides ‘‘additional
requirements for licensed or registered persons conducting electronic trading’’. Among other provisions of
Schedule 7 that are relevant to data security in an electronic trading system, Paragraph 1.2.4 requires a licensed person to ‘‘employ adequate and appropriate security controls to protect the electronic trading system
. . . from being abused’’. Such controls ‘‘should at least
include:
(a) reliable techniques to authenticate or validate the
identity and authority of the system users to ensure that
the access of the use of the system is restricted to persons approved to use the system on a need-to-have basis;
(b) effective techniques to protect the confidentiality
and integrity of information stored in the system and
passed between internal and external networks;
(c) appropriate operating controls to prevent and detect
unauthorized intrusion, security breach and security attack; and
(d) appropriate steps to raise the awareness of system users on the importance of security precautions they need
to take in using the system’’.
The Code of Conduct contains an express requirement
(in Paragraph 12.5) that a licensed person must report
a breach or suspected breach of the Code of Conduct by
it or anyone it employs or appoints to conduct business
with clients or other licensed or registered persons.
Cyber attacks that result in data breaches might also indicate a lack of sufficient internal controls in breach of
the above provisions of the Code of Conduct. Such
breaches can be investigated by the SFC and taken into
account in determining whether a person is fit and
proper to be or remain licensed.26 A licensed person
that suffers a successful cyber attack may therefore also
face the risks associated with an SFC investigation, including significant management time and legal costs,
potential censure, fine or loss of license, and reputational harm associated with an adverse regulatory finding.
Data Breach Prevention and Response Measures
Given the potential harm from a data breach and the covert and swift nature of cyber attacks, licensed persons
should ensure they employ controls and techniques suggested by the SFC in its January 27, 2014, circular and
other measures that might reasonably be expected to
protect against a data breach.27 The same techniques
and procedures are also highly recommended for other
data users that are not licensed by the SFC.
Such measures will include, for example, appropriate security policies placing strict limits on the use of e-mail
and messaging systems, and restricting the use of external storage devices. In light of recent reports on the fundamental flaws in the security of USB devices, licensed
persons should seriously consider prohibiting the use of
USB devices. Systems policies should also restrict access
to files to only those employees who require them and
reduce the risks arising from data breaches, for example, by limiting the authority of a transfer authorised
by Internet or telephone. Incident response and escalation policies should also be established to ensure that incidents are handled swiftly, efficiently and at the appropriate level. Users should receive training or periodic reminders of the importance of IT and data security.
Licensed persons should designate at least one qualified
individual as an IT and data security officer who is provided with IT security awareness training. That person
should have responsibility for maintaining security measures and system integrity, monitoring the licensed person’s systems for unusual activity and keeping apprised
of the latest security threats. A licensed person should
also consider joining local and international information security associations or cyber threat information
sharing groups which circulate ‘‘actionable threat data’’
on security or infrastructure threats.
From a technical perspective, companies should ensure
they have in place reasonable security measures, such as
requiring complex alphanumeric or two stage passwords, employing secure token remote log-in devices,
automatically logging out idle users, intrusion prevention and detection systems and/or subscribing to distributed denial of service attack prevention solutions.
Finally, licensed persons should consider engaging an
independent security expert to conduct a mock cyber attack to test the resilience of their systems.
Conclusion
In light of recent high profile data security breaches,
companies that handle and process personal data can
expect heightened regulatory scrutiny.
The Privacy Commissioner, working under the PDPO’s
statutory scheme for the protection of personal data and
with the Hong Kong Police, has taken enforcement action for breaches of the PDPO. This enforcement action
has resulted in public reports on personal data privacy
breaches, enforcement notices and prosecutions and
convictions.
To date, convictions have related to breaches of other
provisions of the PDPO, such as direct marketing provisions. However, due to the nature of the harm caused by
data breaches and the increasing prevalence of cyber attacks, we envisage future prosecutions of data users for
failing to comply with enforcement notices or for committing the same acts/making the same omissions criticised in an enforcement notice.
As evident from the issuance of the Guidance Note, going forward, the Privacy Commissioner will increasingly
monitor critical industries such as the banking industry
for compliance with the applicable provisions and DPPs
as set out in the PDPO in order to safeguard customers’
personal data. In addition, the SFC has also stated on
several recent occasions that Internet hacking, electronification risks, and information security will be key areas
of focus.
Companies that collect personal data, especially those in the regulated securities and futures markets, will therefore need to invest and take necessary steps to ensure they are sufficiently prepared to defend and respond to increasingly sophisticated cyber attacks. Once a data breach has occurred, companies will need to consider whether to notify the Privacy Commissioner proactively. Licensed persons will also need to consider notifying the SFC of any data breach, because of the licensed person’s duty to report a breach of the Code of Conduct and because the SFC may view the breach (and any failure to report it) as an indication the licensed person is not fit and proper to remain licensed.
Essentially, the best way to respond to a data breach is to proactively and conscientiously prepare for it and to ensure that all measures that could reasonably be taken are taken before (not if) the next data breach occurs.
NOTES
1. ‘‘10 Biggest Data Breaches: Facts and Lessons’’, posted by Daniel Solove on LinkedIn, August 27, 2014, available at https://www.linkedin.com/pulse/article/20140827043656-2259773-10-biggestdata-breaches-facts-and-lessons; ‘‘Data Breaches in the U.S.’’, Bloomberg, updated September 4, 2014, available at http://www.bloomberg.com/infographics/2014-08-21/top-databreaches.html.
2. Personal Data (Privacy) Ordinance, available at http://www.legislation.gov.hk/blis_pdf.nsf/6799165D2FEE3FA94825755E0033E532/B4DF8B4125C4214D482575EF000EC5FF/$FILE/CAP_486_e_b5.pdf.
3. Section 4 PDPO.
4. Paragraph 4 of Schedule 1 to PDPO.
5. ‘‘Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner’s perspective (2nd Edition)’’, Chapters 8.3 and 8.5, available at http://www.pcpd.org.hk/tc_chi/publications/files/Perspective_2nd.pdf.
6. Section 38(ii) PDPO.
7. Section 38(i) PDPO.
8. ‘‘The Year 2013 Saw a 48% Increase in Privacy Complaints’’, Privacy Commissioner, media statement, January 23, 2014, available at https://www.pcpd.org.hk/english/infocentre/press_20140123a.htm. This unfortunately does not state how many of those complaints led to investigations.
9. Section 42 PDPO.
10. Section 50B PDPO.
11. Section 50(7) PDPO.
12. Section 50A PDPO.
13. Section 50A(3) PDPO.
14. n. 8 supra, paragraph 19. No prosecutions had been brought on the breaches referred by the time of the Privacy Commissioner’s report.
15. Section 66 PDPO.
16. Section 66B PDPO.
17. n. 8 supra, paragraph 21.
18. ‘‘Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry’’, Privacy Commissioner, October 6, 2014, available at http://www.pcpd.org.hk/english/publications/files/GN_banking_e.pdf.
19. ‘‘Guidance for Data Users on the Collection and Use of Personal Data through the Internet’’, Privacy Commissioner, April 2014, available at http://www.pcpd.org.hk/english/publications/files/guidance_internet_e.pdf.
20. The Privacy Commissioner, media statement, October 6, 2014, available at http://www.pcpd.org.hk/english/infocentre/press_20141006.htm.
21. ‘‘Circular to All Licensed Corporations on Information Technology Management’’, SFC, March 16, 2010, available at http://www.sfc.hk/edistributionWeb/gateway/EN/circular/openFile?refNo=H569.
22. ‘‘Circular to All Licensed Corporations on Internet Trading, Reducing Internet Hacking Risks’’, SFC, January 27, 2014, available at http://www.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=14EC3.
23. ‘‘Supervision of intermediaries: key initiatives and focus in 2014’’, SFC, June 4, 2014, available at http://www.sfc.hk/web/EN/files/ER/PDF/Speeches/James%20Shipton_20140604.pdf.
24. ‘‘Highlights of first SFC supervisory briefing for market intermediaries’’, SFC, September 2, 2014, available at http://www.sfc.hk/web/EN/files/ER/PDF/Speeches/Highlights%20of%20first%20SFC%20supervisory%20briefing_20140917.pdf.
25. Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission, SFC, available at http://enrules.sfc.hk/net_file_store/new_rulebooks/h/k/HKSFC3527_1868_VER50.pdf.
26. Sections 129(1)(c) and 169(4)(b) of the Securities and Futures Ordinance and the Code of Conduct Explanatory Notes.
27. ‘‘Circular to All Licensed Corporations on Internet Trading, Reducing Internet Hacking Risks’’, SFC, January 27, 2014, available at http://www.sfc.hk/edistributionWeb/gateway/EN/circular/openFile?refNo=14EC3; and ‘‘Suggested Control Techniques and Procedures for Reducing Internet Hacking Risks’’, SFC, available at http://www.sfc.hk/edistributionWeb/gateway/EN/circular/openAppendix?refNo=14EC3&appendix=0.
Kareena Teh is a Partner, Jonathan Crompton is an Associate and Fabian Roday is an Associate (Registered Foreign Lawyer) in Dechert LLP’s Hong Kong office. They may be contacted at [email protected], jonathan.crompton@dechert.com and [email protected].