Cybersecurity in Hong Kong – lessons from the “2 laptops” and updates on cybersecurity and privacy laws
Dominic Wai, Partner, ONC Lawyers 16 June 2017
Friday Tea Gathering
This presentation is not an exhaustive treatment of the area of law discussed and cannot be relied upon as legal advice. No responsibility for any loss occasioned to any person acting or refraining from acting as a result of the materials and contents of this presentation is accepted by ONC Lawyers.
June 2017 @ ONC Lawyers 2017 All right reserved
Cybersecurity in Hong Kong
• The current situation
• “2 Laptops” – what went wrong and
how we can all do better
• What are our neighbours doing –
developments in cybersecurity and
privacy laws in other jurisdictions
• Trends and Challenges
• Q&A
The Current Situation
• Cybersecurity regime
• No centralised arrangement or policy initiative
to tackle cybersecurity and no plan to change
the existing arrangement [see response of
ITB to LCQ8: Cyber security, 7 Dec 2016]
• Existing arrangement
• ITB seems to take the lead with support from
Security Bureau
• OGCIO – GovCERT.HK
• CSTCB – Police [SB]
• HKCERT – HKPC – Statutory Body
• PCO – personal data breach
The Current Situation
• Cross border transfer of personal data – s.33
of PDPO
• Still no indication when it will come into
force
• Note PRC Cybersecurity law
• CFI – HKMA - ongoing
• Cyber Resilience Assessment
Framework
• Professional Development Programme
• Cyber Intelligence Sharing Platform
The Current Situation
• Phishing and Spearphishing
• Email Scam and CEO Scam
• Ransomware
• Unauthorized stock trading
The Current Situation
From: Apple Support [email protected]
Subject: Unusual Activity: Please Confirm/Cancel This Payment
Attachment: PDF “ubisoftMS91GOYMHN.pdf”
We found an unusual activity, maybe someone has taken your account and tried
to buy the app with your account.
Detail Activity
From Device: iPhone 7s
Item: Mobile Legends: Bang bang, 5,000 Diamonds
Order ID: MS91GOYMHN
Date and Time: 08 June 2017, 12:51 PM GMT
Operating System: iOS 10.3.1
Developer Item: lazada-store.com
Payment Methode : Apple Pay
Apple Team is aware of suspicious activity with your payment method. Is this you?
What to do next?
- Open Invoice in the Attachment (PDF)
- Read your invoice
- Confirm/Cancel Your Order
Thanks
AppleID Support
The Current Situation
Scammers often use messages and notifications that are
designed to look like they’re from a legitimate company
or a person that you know to try to trick you into sharing
your password, credit card, or other personal information
with them. Phishing scams can come as an email, text,
or even a phone call or web page.
These are common signs of a possible phishing attempt:
• The sender’s email address doesn’t match the name
of the company that it claims to be from.
• The message was sent to an email address or phone
number that's different from the one that you gave that
company.
The Current Situation
• A link appears to be legitimate but takes you to a
website whose URL doesn’t match the address of the
company’s website.
• The message starts with a generic greeting, like “Dear
valued customer” — most legitimate companies will
include your name in their messages to you.
• The message looks significantly different from other
messages that you’ve received from the company.
• The message requests personal information, like a
credit card number or account password.
• The message is unsolicited and contains an
attachment.
The Current Situation
• The phone call is unsolicited and the caller claims to
be an Apple employee or support representative.
Callers might use flattery, threats, or name-dropping
to pressure you to give them information or money.
How to avoid Phishing scams
Never provide personal account information—including
your Apple ID password, credit card info, or other
personal information—by email or text message, and use
extreme caution when clicking links in messages or
sharing information over the phone. Instead, visit the
company's website directly or call them yourself.
The Current Situation
• Turn on two-factor authentication, so that your
password alone is not enough to access your
account.
• Don’t click any link in or reply to an email or text
without verifying the sender. Instead, go to the
company’s website, find their contact information, and
contact them directly about the issue.
• Don’t click any link or button on a website without
making sure that the address (URL) of the company’s
website appears to be correct.
• Don’t open or save attachments from unknown
senders. If you receive an attachment that you weren't
expecting, contact the company to verify the contents.
• If you’re not sure about the source of a browser pop-
up window, avoid clicking any links or buttons in the
window.
The Current Situation
Email messages that contain attachments or links to non-
Apple websites are from sources other than Apple,
although they may appear to be from the iTunes Store.
Most often, these attachments are malicious and should
not be opened. You should never enter your Apple
account information on any non-Apple website. Apple
websites that require Account information have
apple.com, such as http://store.apple.com,
or iforgot.apple.com (with the exception
being iCloud.com).
Apple Support, April - May 2017
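The phishing signs listed above, and the rule that Apple account pages live under apple.com (with iCloud.com as the exception), can be turned into a mechanical triage check. The script below is an added example written for this page, not Apple's or the presenter's code; the sample message is a constructed version of the “Unusual Activity” email above, with an invented sender address and link since the original's were not shown.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts on which a message claiming to be from Apple may legitimately ask for
# account details: apple.com and its subdomains, plus icloud.com as the named
# exception. Other companies would need their own entries (assumed table).
LEGIT_DOMAINS = {"apple": ("apple.com", "icloud.com")}


@dataclass
class Message:
    claimed_company: str      # who the message says it is from
    from_addr: str            # actual sender address
    to_addr: str              # address the message arrived at
    registered_addr: str      # address the recipient gave that company
    body: str
    attachments: list = field(default_factory=list)
    solicited: bool = False   # True if the recipient was expecting the message


def _host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(msg):
    """Return the indicator codes triggered by msg, in check order."""
    company = msg.claimed_company.lower()
    legit = LEGIT_DOMAINS.get(company, ())   # unknown company: no host is legitimate
    findings = []
    # 1. sender domain does not match the company it claims to be from
    sender_host = msg.from_addr.rsplit("@", 1)[-1]
    if not _host_matches(sender_host, legit):
        findings.append("sender-domain-mismatch")
    # 2. delivered to an address other than the one registered with the company
    if msg.to_addr.lower() != msg.registered_addr.lower():
        findings.append("unexpected-recipient")
    # 3. links whose host is not the company's own site
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.body):
        if not _host_matches(urlparse(url).hostname or "", legit):
            findings.append("link-host-mismatch")
    # 4. generic greeting instead of the recipient's name
    if re.search(r"^\s*dear\s+(valued\s+)?(customer|user|client)\b",
                 msg.body, re.I | re.M):
        findings.append("generic-greeting")
    # 5. asks the reader to confirm or enter a password or card details
    if re.search(r"\b(confirm|verify|provide|enter|update)\b[^.\n]{0,60}"
                 r"\b(password|credit card|card number)", msg.body, re.I):
        findings.append("requests-credentials")
    # 6. unsolicited message carrying an attachment
    if msg.attachments and not msg.solicited:
        findings.append("unsolicited-attachment")
    return findings


# Constructed sample modelled on the "Unusual Activity" message on this page.
PHISH_SAMPLE = Message(
    claimed_company="Apple",
    from_addr="support@appleid-billing.example",      # invented sender
    to_addr="victim-old@example.org",
    registered_addr="victim@example.org",
    body=(
        "We found an unusual activity, maybe someone has taken your account and\n"
        "tried to buy the app with your account.\n"
        "Order ID: MS91GOYMHN\n"
        "What to do next?\n"
        "- Open Invoice in the Attachment (PDF)\n"
        "- Confirm/Cancel Your Order: http://lazada-store.example/confirm\n"
    ),
    attachments=["ubisoftMS91GOYMHN.pdf"],
)

# Constructed sample of a message that passes every check.
LEGIT_SAMPLE = Message(
    claimed_company="Apple",
    from_addr="noreply@email.apple.com",
    to_addr="victim@example.org",
    registered_addr="victim@example.org",
    body="Hello Jane,\nYou can reset your password at https://iforgot.apple.com/\n",
)

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(sample) or "no indicators")
```

A message with no indicators is not proven genuine; the guidance above still applies, which is why the check reports signs rather than a verdict.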
The Current Situation
Wannacry
• A Trojan, worm or other form of malicious software
takes an environment hostage by making it
unavailable to use unless a payment is made. The
most common forms totally encrypt the environment
and require payment to decrypt. However, there are
numerous other tactics being deployed that focus on
availability of systems and data.
• Threats
• DDoS – business disruption
• Release of stolen data
Ransomware
Advice from FBI
• Implement a robust data back-up and recovery plan.
Maintain copies of your files, particularly sensitive or
proprietary data, in a separate secure location. Back-up
copies of sensitive data should not be readily accessible
from local networks i.e. store the back up offline.
• Never open attachments included in unsolicited emails
(but may not be easy these days e.g. HR-CV). Be very
vigilant about links contained in emails, even if the link
appears to be from someone you know. Go to the links
DIRECTLY.
• Keep your anti-virus software up to date (patch up)
• Switch off your computers!
• Enable automated patches for your operating system
and web browser.
• Only download software, especially free software, from
sites you know and trust.
• Don’t pay the ransom (HKCERT advice too)
Ransomware
• Your company’s computers have been hit by
ransomware and the files have been
encrypted and the criminals ask for a ransom
to be paid in Bitcoins for decrypting the files
• To have access to the files, Bitcoins were
bought and paid and the files were decrypted
• Any issues or risks?
• Any reporting or notification requirement?
Ransomware
Bitcoin – is it a “property”?
OSCO – “property” includes both movable and immovable
property within the meaning of s3 of the IGCO.
IGCO – “property” includes
• (a) money, goods, choses in action and land; and
• Obligations, easements and every description of estate,
interest and profit, present or future, vested or contingent,
arising out of or incident to property as defined in paragraph
(a)
“immovable property” means –
• Land, whether covered by water or not;
• Any estate, right, interest or easement in or over any land;
and
• Things attached to land or permanently fastened to anything
attached to land
Ransomware
• Cryptocurrency
• US Court in 2016 – for the purpose of
a bankruptcy case treats bitcoin as a
kind of “intangible personal property”.
• US IRS treats bitcoin as property for
tax purposes.
• Dealing?
• Reporting?
Unauthorized stock trading
“Hacking of internet trading accounts is the most serious
cybersecurity risk faced by internet brokers in Hong Kong,” said
Mr Ashley Alder, the SFC’s Chief Executive Officer.
"If you ask regulators in the industry what is the number one
threat, not surprisingly it’s all about cyber attacks," "We've seen
that happen not only in banking but also at brokers in Hong
Kong, in particular recent attacks to do with basically hijacking
share trading accounts."
- Ashley Alder, CEO of the SFC and chairman of the
International Organization of Securities Commissions, said in a
speech to the local legislature – Reuters, Feb 2017
Unauthorized stock trading
On 8 May 2017, SFC launched a 2-month consultation
on proposals to reduce and mitigate hacking risks
associated with internet trading
• For the 18 months ended 31 March 2017, 12
licensed corporations (LCs) reported 27
cybersecurity incidents, most of which
involved hackers gaining access to
customers’ internet-based trading accounts
with securities brokers, resulting in
unauthorised trades totalling more than $110
million, while some others involved DDoS
attacks targeting their websites accompanied
by threats of extortion.
Unauthorized stock trading
Hacking incidents and potential root causes
The hacking incidents reported by licensed internet brokers
remain under Police investigation. However, the Police shared
case studies suggesting that hackers used compromised
internet trading accounts to carry out a pump-and-dump
scheme which could lead to substantial financial losses. Such
schemes typically follow these steps:
(a) Hackers first gain control of clients’ internet trading accounts
(hacked accounts) which enables them to log into the accounts
“legitimately” to effect unauthorised transactions;
(b) Hackers then employ people to open other internet trading
accounts to accumulate penny stocks;
Unauthorized stock trading
(c) Using the cash in the hacked accounts, or
cash raised by selling off existing stock
holdings in the hacked accounts, hackers then
buy these penny stocks in order to pump up
their stock prices; and
(d) After the prices of the penny stocks go up,
hackers off-load them and make a profit,
leaving the owners of the hacked accounts to
suffer significant losses.
Unauthorized stock trading
SFC’s proposal in the consultation:
• Propose to incorporate new guidelines which set out
baseline cybersecurity requirements for internet
brokers to address hacking risks and vulnerabilities
and to clarify expected standards of cybersecurity
controls.
• Key proposed requirements include 2-factor
authentication for clients’ system login and prompt
notification to clients of certain activities in their
internet trading accounts.
Unauthorized stock trading
• In addition, the SFC proposes to expand the scope of
cybersecurity-related regulatory principles and
requirements which now apply to electronic trading of
securities and futures on exchanges to cover the
internet trading of securities which are not listed or
traded on an exchange. This includes authorised unit
trusts and mutual funds because they are subject to
the same hacking risks.
• The SFC also proposes to update the definition of
“internet trading” to clarify that an internet-based
trading facility may be accessed through a computer,
mobile phone or other electronic device.
Unauthorized stock trading - 2016
• P is a HK company engaged in the trading of securities,
options and futures contracts, and investment holding.
• D is a corporation licensed to carry on Type 1 (dealing in
securities) regulated activities under SFO (Cap 571) and
also an Exchange Participant of the Stock Exchange of
Hong Kong Limited and Hong Kong Futures Exchange
Limited.
• P has a securities account with D that can be operated
online with the use of specified user ID and password for
online access to the account for the purpose of carrying out
transactions for the sale and purchase of securities.
According to P, there are only 3 persons in the company
who are authorized to access and operate the account with
D and conduct online securities transactions with the
account.
Source: Webb-site.com
Unauthorized stock trading - 2016
• On 23 Sept 2016, between 14:40 and 15:22, unauthorized
person(s) logged into P’s account with D with a valid user ID
and password from an IP address and in the space of 18
minutes, bought a total of 49.2m shares in a Listco from a
total of 76 selling brokers at a purchase cost of HK$37.69m
(including fees and levies), draining almost all of the
HK$37.85m cash in the account.
• The 49.2m shares represent 4.92% of the Listco’s
shareholding at an average price of HK$0.7636 per share,
36% above the previous day’s close.
• There was a huge spike in the volume and price of the
Listco on 23 Sept 2016: the traded volume was 92.568m
shares or 9.26% of the ListCo and the price at one point
reached HK$0.88, up 57.1% on the previous close of
HK$0.56, before closing at HK$0.66, up 17.9%.
Unauthorized stock trading - 2016
• On 23 Sept 2016 at around 16:24, P was first alerted by D
of the transactions.
• P then carried out some internal investigation and at around
16:47 on the same day informed D that the transactions
were unauthorized.
• P’s case was that the transactions were unauthorized and
were carried out fraudulently by a “hacker” who somehow
gained access to P’s account through D’s online banking
system.
• P refers to the fact that the records of D’s online trading
system show that the person(s) who logged into the account
between 14:40 to 15:22 on 23 September 2016 did so from
a device with an internet protocol address (IP address)
different from the IP address(es) of the device(s) normally
used by P to access the account.
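In the 2016 case the broker first alerted the client at 16:24, an hour after the last unauthorised order, even though its own records showed the 14:40 login came from an IP address the client never used. The SFC’s proposed “prompt notification to clients of certain activities” amounts to raising that alert at the login itself. The detection logic below is an added example written for this page, not the broker’s or the SFC’s code; the log format, the IP addresses (documentation ranges) and the trade figures are all constructed, loosely following the case’s timeline.

```python
import re
from collections import defaultdict

# Constructed log lines in an assumed "key=value" format. Day 1 establishes the
# client's usual IP; on day 2 a different IP logs in and places large buy orders.
SAMPLE_LOG = """\
2016-09-22 10:02:11 acct=P event=login ip=203.0.113.10
2016-09-22 10:05:40 acct=P event=order side=BUY qty=10000 price=0.55 ip=203.0.113.10
2016-09-23 09:31:05 acct=P event=login ip=203.0.113.10
2016-09-23 14:40:03 acct=P event=login ip=198.51.100.77
2016-09-23 14:41:10 acct=P event=order side=BUY qty=2000000 price=0.70 ip=198.51.100.77
2016-09-23 14:55:27 acct=P event=order side=BUY qty=3000000 price=0.78 ip=198.51.100.77
2016-09-23 15:21:49 acct=P event=order side=BUY qty=1000000 price=0.80 ip=198.51.100.77
""".splitlines()

CASH_BALANCE = {"P": 3_800_000.0}   # constructed opening cash per account

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) acct=(?P<acct>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "acct": m["acct"], "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))
    return rec


def detect(lines, cash_balance, drain_threshold=0.5):
    """Return alerts as (timestamp, rule, detail) tuples.

    Logins from an IP the account has used before extend the baseline. A login
    from an unseen IP opens an "unverified" session and every order placed in
    it is flagged; once those orders commit more than drain_threshold of the
    account's cash, a single cash-drain alert is raised as well.
    """
    seen_ips = defaultdict(set)      # acct -> IPs used by previously accepted logins
    unverified = {}                  # acct -> IP of the current unverified session
    spent = defaultdict(float)       # acct -> cash committed inside that session
    drained = set()                  # accounts that already raised cash-drain
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        acct, ip = rec["acct"], rec.get("ip", "?")
        if rec["event"] == "login":
            if seen_ips[acct] and ip not in seen_ips[acct]:
                unverified[acct] = ip     # not added to the baseline until verified
                spent[acct] = 0.0
                alerts.append((rec["ts"], "new-ip-login", f"{acct} from {ip}"))
            else:
                seen_ips[acct].add(ip)
                unverified.pop(acct, None)
        elif rec["event"] == "order" and acct in unverified:
            value = float(rec["qty"]) * float(rec["price"])
            spent[acct] += value
            alerts.append((rec["ts"], "order-in-unverified-session",
                           f"{rec['side']} {rec['qty']} @ {rec['price']} ({value:,.0f})"))
            cash = cash_balance.get(acct, 0.0)
            if cash and acct not in drained and spent[acct] >= drain_threshold * cash:
                drained.add(acct)
                alerts.append((rec["ts"], "cash-drain",
                               f"{spent[acct]:,.0f} of {cash:,.0f} committed"))
    return alerts


def first_alert_time(lines, cash_balance):
    """Timestamp of the earliest alert, i.e. when the client could have been notified."""
    alerts = detect(lines, cash_balance)
    return alerts[0][0] if alerts else None


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG, CASH_BALANCE):
        print(ts, rule, detail)
```

On the constructed log the first alert fires at the 14:40 login, before any order is placed; a new-IP login that the client confirms (for example through the second factor the SFC proposes) would then be added to the baseline.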
2 Laptops case
On 27 March 2017, the Registration and Electoral Office (REO) found
that 2 notebook computers stored inside a locked room in the
AsiaWorld-Expo in Chek Lap Kok were suspected to be stolen. One of
the computers contains the names, addresses and HKID card numbers
of about 3.78 million Geographical Constituencies electors in the 2016
Final Register. All the information has been encrypted and protected by
multiple encryptions which are extremely difficult to break through.
OGCIO – Government Information Security
Moreover, the OGCIO has taken proactive steps in combating threats
related to IT security and cyber attacks by continuously monitoring IT
security related vulnerabilities and threats, providing alerts and
technical assistance to B/Ds in handling information security incidents
and cyber attacks. Up-to-date information about information security is
published on the GovCERT.HK and InfoSec portals.
Do Not Let Thieves Steal Your Notebook
You have to protect your notebook computer from being stolen. If
your notebook is lost, you will lose any data that has not been
backed up. Your personal data or information such as your name,
bank account, photos of family or friends and your own email
address lists will also be disclosed to unauthorised persons or
even be uploaded to the Internet.
You shall therefore:
Always keep your notebook in a safe place e.g. lock it in a
cabinet when not in use.
Use a computer locking cable to lock your notebook.
Never leave your notebook unattended.
If possible, install some motion sensors products into your
notebook. When the sensor is triggered, it will emit a loud
alarm.
Regularly backup your data.
Set a boot password to your notebook. Most notebooks have
the ability to set a password so that an unauthorised person
cannot start the computer.
Do not store personal and sensitive information in the notebook
and in case you have to store sensitive and personal
information in the notebook, consider using data encryption.
How about:
Storing the data in the cloud and linking up remotely via VPN.
Mindset – how do you treat your data: copy or puppy?
Problem: not easy to change certain data.
Encrypted data – still personal data?
Personal data means any data:
(a) Relating directly or indirectly to a living individual
(b) From which it is practical for the identity of the individual to
be directly or indirectly ascertained; and
(c) In a form in which access to or processing of the data is
practicable.
“Practicable” means reasonably practicable.
PCO Investigation report 12 June 2017
REO contravened DPP4
DPP4 - a data user has to take all practicable steps to ensure
the personal data it held are protected from unauthorized or
accidental access.
• The claimed effectiveness of the need for storing personal
data of all electors was not proportional to the associated
risks.
• The security measures adopted by the REO were not
proportional to the degree of sensitivity of the data (copy or
puppy?) and the harm that might result from a data security
incident either.
• PCO has served an Enforcement Notice on the REO to
remedy and prevent any recurrence of the contravention
• Police classified the case as theft, and
their investigation is still ongoing.
Technical security measures
• “the REO replied that the staff who was responsible
for sending that email in fact did not do so, but instead
printed out the passwords and passed the print-out to
another staff of the Information Technology
Management Unit”
• “The passwords were sent to one of the 6 staffs [sic]
via an encrypted email. That staff then sent the
passwords to the other 4 staffs [sic] via an
unencrypted email, and saved the passwords in a
rearranged sequence on his mobile phone to show
them to the remaining staff;”
Encryption
• Users of the notebook computers were
required to go through several programmes
before they were allowed to access Electors’
data, which was protected by multiple
encryption layers;
• The strongest layer appeared to have met
the industrial standard (i.e. satisfying the
requirements of strong encryption).
Decryption could only be carried out by brute
force attacks on the passwords, and using
general commercial computers to crack the
encryption formula would take hundreds of
years;
• For every unsuccessful login after inputting the wrong
passwords, the protection layer would delay the login time
so as to strengthen the difficulty of decryption. In other
words, the protection layer would respond slowly and the
decryption time would be lengthened even when a
supercomputer was used to attack the passwords.
Consequently, compromising the passwords would be a
matter of sheer luck;
• No automatic deletion even with unsuccessful logins
• Delay time increased from 2 to a maximum of 20 seconds for each
unsuccessful login
• Two-factor authentication was not adopted for accessing the
Electors’ data. In other words, one would only need to input
several sets of correct passwords to open the System to
access the data without using another tool such as an
electronic certificate, security token or mobile phone;
• Hong Kong Identity Card numbers were encrypted before
being stored in the System, while other personal data was
stored in plain text
• “The Privacy Commissioner therefore accepts that the
encryption technology and the system setup adopted
by the REO makes it enormously difficult and time-
consuming for unauthorised persons to access all
Electors’ data.” [para 56 of the Investigation Report]
• Comfortable?
• Copy or puppy?
• “The Privacy Commissioner considers that sharing of
passwords would make it impossible for the REO to
ascertain who accessed the data. Using unencrypted
emails to circulate passwords also increased the risk
of leaking the passwords. The Privacy Commissioner
also considers that it would have been practicable for
the REO to assign different passwords to individual
staffs and provide guidelines requiring them to
transmit passwords through more reliable means, but
the REO did not do so.”
Enforcement notice - The REO is directed to: -
• prohibit the download or use of Geographical
Constituencies electors’ personal data (except their
names and addresses) for the purpose of handling
enquiries in Chief Executive Elections; and issue
notice on this to the relevant staffs (sic) on a regular
basis;
• set internal guidelines in respect of the processing of
personal data in all election-related activities,
including: (a) technical security measures (information
system encryption and password management); (b)
physical security measures; (c) administrative
measures on the use of notebook computers and
other portable storage devices; and
• implement effective measures to ensure staffs’ (sic)
compliance with the above policies and guidelines.
s.66(1) of PDPO:
• an individual who suffers damage by reason of a
contravention-
(a) of a requirement under PDPO;
(b) by a data user; and
(c) which relates, whether in whole or in part, to personal
data of which that individual is the data subject,
shall be entitled to compensation from that data user for that
damage.
S66(3):
In any proceedings brought against any person by virtue of this
section it shall be a defence to show that-
(a) he had taken such care as in all the circumstances was
reasonably required to avoid the contravention concerned; or
(b) in any case where the contravention concerned occurred
because the personal data concerned was inaccurate, the data
accurately record data received or obtained by the data user
concerned from the data subject or a third party.
Privacy
Y v The Law Society of Hong Kong [HCAL 39/2016]
Facts
• Y was convicted of an offence in 2006 and was
ordered to perform community service
• Y worked as a solicitor’s clerk, legal assistant or
paralegal in 6 different firms after the convictions. He
did not disclose his convictions to his employers as he
believed that the convictions were spent when he took
up employment
• Y checked with LS:
• (i) whether his spent convictions would be a bar to his
application for admission as a solicitor or registration
as a trainee solicitor; and
Privacy
• Whether he was required to disclose such spent
convictions to the potential employers, when he would
be employed as a clerk, a trainee solicitor or a
solicitor. Y disclosed to LS his convictions
• Without Y’s consent, LS checked with the DPP and
the Court to verify the convictions of Y
• LS published details of Y’s convictions in 2 circulars,
reminding solicitors not to employ staff convicted of an
offence involving dishonesty without written
permission of LS
• Y sought JR that the publication by LS was unlawful
• LS contended that in its role as regulator and pursuant
to the exception under PDPO, LS was entitled to
publish Y’s convictions.
Privacy
• A criminal record could constitute personal data within
the meaning of PDPO
• DPP3 provides that personal data shall not, without
the prescribed consent of the data subject, be used
for a new purpose
• Prescribed consent means the express consent of the
person given voluntarily
• The conviction data was not provided by Y to LS with
a view to communication to 3rd parties
• There is a balance to strike between competing
interests – one to protect personal data, the other to
ensure that the highest integrity and reputation of the
solicitors’ profession is maintained and that the
public’s interest is not harmed
Privacy
• Y was only exploring possibilities of becoming a
solicitor
• While LS is entitled to publish a conviction in the
circulars, in this case Y as an inquirer should be
protected and the publication of Y’s convictions by LS
was not justified.
Other jurisdictions
Australia
• Passed amendments to the Privacy Act 1988 that will
impose a mandatory breach notification requirement.
• Under this scheme, all agencies and businesses
that are regulated by the Privacy Act are required
to provide notice to the Australian Information
Commissioner and affected individuals of certain
data breaches that are likely to result in “serious
harm.”
• This includes most Commonwealth Government
agencies, some private sector organisations,
credit reporting bodies, credit providers and tax file
number recipients.
Other jurisdictions
Singapore
• Changes to the existing Computer Misuse and
Cybersecurity Act (CMCA) passed.
• Under the amended Act, dealing in personal
information obtained via a cybercrime such as trading
in hacked credit card details is deemed illegal, as is
dealing in hacking tools to commit a computer
offence.
• It is also now an offence for someone committing a
criminal act while overseas, against a computer
located overseas, should the act "cause or create a
significant risk of serious harm in Singapore".
Other jurisdictions
China’s new cybersecurity law
• Took effect from 1 June 2017
• The Cyberspace Administration of China
(CAC) released a draft (Draft) Measures for
Security Assessment of Outbound
Transmission of Personal Information and
Important Data (Local Data) to solicit public
comments
Other jurisdictions
Promote 2 key objectives:
• Protect China against cyber attacks
• Protect the rights and interests of
Chinese citizens from cyber attacks
and the misuse of personal
information.
Other jurisdictions
Key provisions:
• Data localization rule: imposed an obligation on
operators of “Critical Information Infrastructure” (CII)
to store personal information and other important data
collected and generated during operations within
China.
• Requires CII operators to undertake security
assessment before transferring such data abroad
• The security assessment shall be conducted by the
CAC and the State Council (unless permission for the
transfer is already provided under another PRC law)
Other jurisdictions
• CII is defined broadly as “infrastructure that,
in the event of damage, loss of function, or
data leak, might seriously endanger national
security, national welfare or the livelihoods of
the people, or the public interest”
• Includes public communications and
information services, energy, transportation,
water conservancy, finance, public services
and e-government
Other jurisdictions
CII covers:
• Operators who operate networks used for
critical public services
• Private sector operators who operate
networks which, if breached, would cause
serious damage to state security, the
Chinese economy or to the public at
large.
Other jurisdictions
Network Operators (NO) – widely defined that
may apply to any business that owns and
operates IT networks in China including a
computer network, website, app or other
electronic platform where information collected
from 3rd party users in China is stored,
transmitted, exchanged or processed.
Other jurisdictions
NOs need to:
• Make public all privacy notices
• Obtain individual consent for collecting and
processing personal information
• Implement technical safeguarding measures
to secure against loss and destruction of
personal information, data minimization,
confidentiality and rights to accuracy and
restriction on processing of personal data.
Other jurisdictions
Personal information is defined as including:
• All kinds of information, recorded electronically or
through other means which is sufficient to identify a
natural person’s identity, including but not limited to:
• Full names
• Birth dates
• Identification numbers
• Personal biometric information
• Addresses
• Telephone numbers
Other jurisdictions
NOs must provide internal security
management systems that include:
• Appointment of dedicated cybersecurity personnel
• Retention of network logs
• Reporting risks on network services and products to
users and authorities
• Having contingency plans for network security
incidents and reporting such incidents to the
authorities
• Providing assistance and cooperation to public
security bodies and state security bodies to safeguard
national security and investigate crimes.
Other jurisdictions
IT Product Suppliers are required to:
• Provide security maintenance for all services
and products for the full term of the contract
– security maintenance cannot be terminated
within the contract term.
• Prior to being sold or produced in the PRC
market, cybersecurity products and services
will be required to obtain a government
certification and/or meet prescribed safety
inspection requirements and national
standards.
Other jurisdictions
Regulatory Penalties for non-compliance
• Violations of the personal data protection provisions
may lead to confiscation of illegal gain and a fine of up
to 10 times the illegal gain or RMB 1M (in case there
is no illegal gain), and in serious cases, suspension of
business or revocation of business license and fines
up to RMB 100,000 for responsible individuals
• May also be criminally liable under article 253 of PRC
Criminal Code
• For CII operators, unauthorized cross-border provision
of data may result in confiscation of illegal gain and a
fine of up to RMB 1M as well as suspension of
business or revocation of business license and a fine
of up to RMB 100,000 for responsible officials
Other jurisdictions
The Draft
• Seems to extend the applicability of the data
localization rule from CII operators to all NOs
• Virtually all entities established in China that access
and use the Internet in the course of business operations
might be caught and could be required to keep a copy
of personal data and other important data collected
and generated in the course of the NO’s operations in
China (Local Data)
Other jurisdictions
• If an NO seeks to transfer the Local Data overseas for business needs, it must undergo a security assessment that abides by the principles of “fairness, objectiveness and effectiveness”
• The aim is to protect the security of the Local Data and promote the lawful, orderly and free flow of network information
• Remote access to data is considered to be a “transfer”
The Draft provides for two types of security assessment:
• Self-assessment
• Government administered assessment (GAA)
• An NO must conduct a security self-assessment before transmitting Local Data overseas (unless a GAA is triggered) and is responsible for the results of the assessment
Other jurisdictions
A GAA is triggered if the intended outbound cross-border data transmission involves any of the following circumstances:
• contains, or cumulatively contains, Personal Information of more than 500,000 individuals
• the amount of data exceeds 1,000 GB
• contains, among others, data regarding sectors such as nuclear facilities, chemical biology, national defense and military and population health, as well as data related to large-scale engineering activities, marine environment and sensitive geographic information
• contains cybersecurity information such as system vulnerabilities or security protection in respect of critical information infrastructure
• provision of personal data and other important data to overseas recipients by operators of CII
• other circumstances that may affect national security or public interests
A GAA should be completed by the relevant industry regulator within 60 working days and be reported to CAC upon completion.
Other jurisdictions
A self-assessment or GAA should focus on:
• The necessity of the outbound data transmission
• The volume, scope, type and sensitivity of the Local Data to be transferred abroad
• The security measures and ability of the data recipient, as well as the cybersecurity situation of the country or region where the data recipient is located
• Possible risks that the outbound data transmission can pose to national security, public interests and the lawful interests of individuals
Other jurisdictions
NOs must, based on their business development and network operation status, conduct a security assessment on outbound data transmission at least once a year and report the assessment results to the relevant industry regulator.
In addition to the annual security assessment, NOs are required to conduct a new security assessment each time:
• There is a change in the data recipient or a significant change in the purpose, scope, volume or type of the outbound data transmission; or
• There is a major security incident involving the data recipient or the data transmission abroad.
Other jurisdictions
• Industry regulators shall be responsible for
organizing and administering GAA.
• If a GAA is triggered but the competent
industry regulator cannot be identified, CAC
shall take charge of the GAA.
Other jurisdictions
Draft – Important Data refers to data that is
closely related to national security, economic
development and public interest.
General – NOs shall inform data subjects of the
purpose, method and scope of collection and
use of personal data and obtain data subjects’
consent.
Other jurisdictions
• Draft – in order to transmit personal data overseas, NOs must inform data subjects of the purpose and scope of the outbound data transmission, the content of the information transmitted and the recipient(s) (countries or regions), and must obtain consent.
• If the data subject is a minor, the consent of the data subject’s guardian must be obtained.
Other jurisdictions
Draft – outbound transmission of Local Data is prohibited if:
• The data subject has not consented, or the transmission could infringe the data subject’s interests
• The intended transmission would create a security risk in terms of national politics, the economy, science and technology, or national defense, etc., and could affect national security or harm the public interest
• A relevant authority such as CAC, the PSB or a national security authority, etc., determines that the data may not be transmitted abroad
Other jurisdictions
• Organizations that conduct business
in China should start to review their
data privacy and cybersecurity policies
to ensure compliance with the
incoming law and measures.
• NOs with a need to transmit personal
data collected within China abroad
should review and amend their
existing privacy policies or statements
in order to ensure compliance.
Trends and challenges
• Emails
• Attack Trends
• Against less mature financial services organizations
• ATM attacks
• Nation-states hunting for PII
• Espionage targets on China’s periphery
• Target Industries
• Construction and engineering
• Financial
• Governments
• High Tech and Electronics
Source: FireEye Cyber Defense Live Hong Kong 2017
Key takeaways
• Be vigilant – err on the side of caution
• Switch off your computers
• Do not share passwords with others
• Never click suspicious links or attachments in an email
• There are probably guidelines and policies available already; read and follow them.
• Professional Conduct Guide 1.07
• A solicitor using information communication technology
should endeavour to ensure within the parameters of
technology, information and knowledge available at the
time of use, that no Principle in the Guide or a provision
in the Practice Directions or applicable law is breached
by such use.
Q&A