Cybersecurity in Hong Kong – lessons from the “2 laptops” and updates on cybersecurity and privacy laws

Upload: phungkhuong
Post on 12-Jul-2019

TRANSCRIPT

Page 1: Cybersecurity in Hong Kong updates on … in Hong Kong – lessons from the “2 laptops” and updates on cybersecurity and privacy laws Dominic Wai, Partner, ONC Lawyers 16 June
Page 2

Cybersecurity in Hong Kong – lessons from the “2 laptops” and updates on cybersecurity and privacy laws

Dominic Wai, Partner, ONC Lawyers, 16 June 2017

Friday Tea Gathering

This presentation is not an exhaustive treatment of the area of law discussed and cannot be relied upon as legal advice. No responsibility for any loss occasioned to any person acting or refraining from acting as a result of the materials and contents of this presentation is accepted by ONC Lawyers.

June 2017 @ ONC Lawyers 2017 All rights reserved

Page 3

Cybersecurity in Hong Kong

• The current situation
• “2 Laptops” – what went wrong and how we can all do better
• What are our neighbours doing – developments in cybersecurity and privacy laws in other jurisdictions
• Trends and Challenges
• Q&A

Page 4

The Current Situation

• Cybersecurity regime
  • No centralised arrangement or policy initiative to tackle cybersecurity and no plan to change the existing arrangement [see response of ITB to LCQ8: Cyber security, 7 Dec 2016]
• Existing arrangement
  • ITB seems to take the lead with support from Security Bureau
  • OGCIO – GovCERT.HK
  • CSTCB – Police [SB]
  • HKCERT – HKPC – Statutory Body
  • PCO – personal data breach

Page 5

The Current Situation

• Cross border transfer of personal data – s.33 of PDPO
  • Still no indication when it will come into force
  • Note PRC Cybersecurity law
• CFI – HKMA – ongoing
  • Cyber Resilience Assessment Framework
  • Professional Development Programme
  • Cyber Intelligence Sharing Platform

Page 6

The Current Situation

• Phishing and Spearphishing
• Email Scam and CEO Scam
• Ransomware
• Unauthorized stock trading

Page 7

The Current Situation

Page 8

The Current Situation

Phishing email reproduced on the slide:

From: Apple Support [email protected]
Subject: Unusual Activity: Please Confirm/Cancel This Payment
Attachment: PDF “ubisoftMS91GOYMHN.pdf”

We found an unusual activity, maybe someone has taken your account and tried to buy the app with your account.

Detail Activity
From Device: iPhone 7s
Item: Mobile Legends: Bang bang, 5,000 Diamonds
Order ID: MS91GOYMHN
Date and Time: 08 June 2017, 12:51 PM GMT
Operating System: iOS 10.3.1
Developer Item: lazada-store.com
Payment Methode : Apple Pay

Apple Team is aware of suspicious activity with your payment method. Is this you?

What to do next?
- Open Invoice in the Attachment (PDF)
- Read your invoice
- Confirm/Cancel Your Order

Thanks
AppleID Support

Page 9

The Current Situation

Scammers often use messages and notifications that are designed to look like they’re from a legitimate company or a person that you know to try to trick you into sharing your password, credit card, or other personal information with them. Phishing scams can come as an email, text, or even a phone call or web page.

These are common signs of a possible phishing attempt:

• The sender’s email address doesn’t match the name of the company that it claims to be from.
• The message was sent to an email address or phone number that's different from the one that you gave that company.

Page 10

The Current Situation

• A link appears to be legitimate but takes you to a website whose URL doesn’t match the address of the company’s website.
• The message starts with a generic greeting, like “Dear valued customer” — most legitimate companies will include your name in their messages to you.
• The message looks significantly different from other messages that you’ve received from the company.
• The message requests personal information, like a credit card number or account password.
• The message is unsolicited and contains an attachment.

Page 11

The Current Situation

• The phone call is unsolicited and the caller claims to be an Apple employee or support representative. Callers might use flattery, threats, or name-dropping to pressure you to give them information or money.
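Most of the signs listed on these slides can be checked mechanically before a message reaches a user's inbox. The block below is an added example, not code from the presentation or from Apple: it scores a message against the sender-domain, link-host, generic-greeting, request-for-credentials and unsolicited-attachment signs. The company domain list and both sample messages are constructed for illustration (the suspicious one mirrors the shape of the email on the earlier slide, with invented addresses under reserved `.example` names); a production filter would also use the public suffix list rather than the two-label domain approximation used here.

```python
"""Added example: flag the phishing signs listed on the slides. The claimed
company's domain list and both sample messages are constructed."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the claimed company legitimately sends from / links to.
# Illustrative list, not an official source.
COMPANY_DOMAINS = {"apple": {"apple.com", "icloud.com"}}

GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
CREDENTIAL_WORDS = ("password", "credit card", "card number", "account number")


@dataclass
class Message:
    sender: str                  # raw From: header value
    claimed_company: str         # brand the message presents itself as
    body: str
    links: list = field(default_factory=list)        # URLs found in the body
    attachments: list = field(default_factory=list)  # attachment file names
    expected: bool = False       # did the recipient expect this message?


def registrable_domain(host: str) -> str:
    """Collapse 'store.apple.com' to 'apple.com'. Two-label approximation;
    a real filter would consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(msg: Message) -> list:
    """Return human-readable signs that fired; an empty list means none did."""
    hits = []
    company = COMPANY_DOMAINS.get(msg.claimed_company.lower(), set())

    # Sign 1: sender address does not match the company it claims to be from.
    _, addr = parseaddr(msg.sender)
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if sender_domain not in company:
        hits.append(f"sender domain '{sender_domain}' does not match {msg.claimed_company}")

    # Sign 2: a link whose host is not the company's own website.
    for url in msg.links:
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in company:
            hits.append(f"link host '{host}' is not a {msg.claimed_company} site")

    # Sign 3: generic greeting instead of the recipient's name.
    lowered = msg.body.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        hits.append("generic greeting")

    # Sign 4: the message asks for personal or account information.
    if any(w in lowered for w in CREDENTIAL_WORDS):
        hits.append("requests personal/account information")

    # Sign 5: an unsolicited message carrying an attachment.
    if msg.attachments and not msg.expected:
        hits.append("unsolicited attachment: " + ", ".join(msg.attachments))
    return hits


# Constructed samples (invented addresses under reserved .example names).
SUSPICIOUS = Message(
    sender="Apple Support <support@appleid-billing.example>",
    claimed_company="Apple",
    body="Dear valued customer, we found an unusual activity on your account. "
         "Open the invoice in the attachment and confirm or cancel your order.",
    links=["http://appleid-verify.example/confirm"],
    attachments=["invoice.pdf"],
)
LEGITIMATE = Message(
    sender="Apple <no_reply@email.apple.com>",
    claimed_company="Apple",
    body="Hello Alice, your receipt for order 1234 is available in your purchase history.",
    links=["https://iforgot.apple.com/"],
    expected=True,
)

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(m) or ["no signs"])
```

Run as a script it prints four signs for the constructed suspicious message and none for the legitimate one. The check is deliberately conservative: a sender domain or link host that is not on the company's list is always reported, which matches the advice on the following slides to go to the company's website directly rather than trust what the message presents.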

How to avoid Phishing scams

Never provide personal account information—including your Apple ID password, credit card info, or other personal information—by email or text message, and use extreme caution when clicking links in messages or sharing information over the phone. Instead, visit the company's website directly or call them yourself.

Page 12

The Current Situation

• Turn on two-factor authentication, so that your password alone is not enough to access your account.
• Don’t click any link in or reply to an email or text without verifying the sender. Instead, go to the company’s website, find their contact information, and contact them directly about the issue.
• Don’t click any link or button on a website without making sure that the address (URL) of the company’s website appears to be correct.
• Don’t open or save attachments from unknown senders. If you receive an attachment that you weren't expecting, contact the company to verify the contents.
• If you’re not sure about the source of a browser pop-up window, avoid clicking any links or buttons in the window.

Page 13

The Current Situation

Email messages that contain attachments or links to non-Apple websites are from sources other than Apple, although they may appear to be from the iTunes Store. Most often, these attachments are malicious and should not be opened. You should never enter your Apple account information on any non-Apple website. Apple websites that require Account information have apple.com, such as http://store.apple.com, or iforgot.apple.com (with the exception being iCloud.com).

Apple Support, April - May 2017

Page 14

The Current Situation

Wannacry

• A Trojan, worm or other form of malicious software takes an environment hostage by making it unavailable to use unless a payment is made. The most common forms totally encrypt the environment and require payment to decrypt. However, there are numerous other tactics being deployed that focus on availability of systems and data.
• Threats
  • DDoS – business disruption
  • Release of stolen data

Page 15

Ransomware

Advice from FBI

• Implement a robust data back-up and recovery plan. Maintain copies of your files, particularly sensitive or proprietary data, in a separate secure location. Back-up copies of sensitive data should not be readily accessible from local networks, i.e. store the back-up offline.
• Never open attachments included in unsolicited emails (though this may not be easy these days, e.g. HR staff receiving CVs). Be very vigilant about links contained in emails, even if the link appears to be from someone you know. Go to the links DIRECTLY.
• Keep your anti-virus software up to date (patch up)
• Switch off your computers!
• Enable automated patches for your operating system and web browser.
• Only download software, especially free software, from sites you know and trust.
• Don’t pay the ransom (HKCERT advice too)

Page 16

Ransomware

• Your company’s computers have been hit by ransomware and the files have been encrypted, and the criminals ask for a ransom to be paid in Bitcoins for decrypting the files
• To have access to the files, Bitcoins were bought and paid and the files were decrypted
• Any issues or risks?
• Any reporting or notification requirement?

Page 17

Ransomware

Bitcoin – is it a “property”?

OSCO – “property” includes both movable and immovable property within the meaning of s3 of the IGCO.

IGCO – “property” includes
• (a) money, goods, choses in action and land; and
• (b) obligations, easements and every description of estate, interest and profit, present or future, vested or contingent, arising out of or incident to property as defined in paragraph (a)

“immovable property” means –
• land, whether covered by water or not;
• any estate, right, interest or easement in or over any land; and
• things attached to land or permanently fastened to anything attached to land

Page 18

Ransomware

• Cryptocurrency
  • US Court in 2016 – for the purpose of a bankruptcy case treats bitcoin as a kind of “intangible personal property”.
  • US IRS treats bitcoin as property for tax purposes.
• Dealing?
• Reporting?

Page 19

Unauthorized stock trading

“Hacking of internet trading accounts is the most serious cybersecurity risk faced by internet brokers in Hong Kong,” said Mr Ashley Alder, the SFC’s Chief Executive Officer.

"If you ask regulators in the industry what is the number one threat, not surprisingly it’s all about cyber attacks. We've seen that happen not only in banking but also at brokers in Hong Kong, in particular recent attacks to do with basically hijacking share trading accounts."

– Ashley Alder, CEO of the SFC and chairman of the International Organization of Securities Commissions, in a speech to the local legislature (Reuters, Feb 2017)

Page 20

Unauthorized stock trading

On 8 May 2017, the SFC launched a 2-month consultation on proposals to reduce and mitigate hacking risks associated with internet trading.

• For the 18 months ended 31 March 2017, 12 licensed corporations (LCs) reported 27 cybersecurity incidents, most of which involved hackers gaining access to customers’ internet-based trading accounts with securities brokers, resulting in unauthorised trades totalling more than $110 million, while some others involved DDoS attacks targeting their websites accompanied by threats of extortion.

Page 21

Unauthorized stock trading

Hacking incidents and potential root causes

The hacking incidents reported by licensed internet brokers remain under Police investigation. However, the Police shared case studies suggesting that hackers used compromised internet trading accounts to carry out a pump-and-dump scheme which could lead to substantial financial losses. Such schemes typically follow these steps:

(a) Hackers first gain control of clients’ internet trading accounts (hacked accounts), which enables them to log into the accounts “legitimately” to effect unauthorised transactions;
(b) Hackers then employ people to open other internet trading accounts to accumulate penny stocks;

Page 22

Unauthorized stock trading

(c) Using the cash in the hacked accounts, or cash raised by selling off existing stock holdings in the hacked accounts, hackers then buy these penny stocks in order to pump up their stock prices; and
(d) After the prices of the penny stocks go up, hackers off-load them and make a profit, leaving the owners of the hacked accounts to suffer significant losses.

Page 23

Unauthorized stock trading

SFC’s proposal in the consultation:

• Propose to incorporate new guidelines which set out baseline cybersecurity requirements for internet brokers to address hacking risks and vulnerabilities and to clarify expected standards of cybersecurity controls.
• Key proposed requirements include 2-factor authentication for clients’ system login and prompt notification to clients of certain activities in their internet trading accounts.

Page 24

Unauthorized stock trading

• In addition, the SFC proposes to expand the scope of cybersecurity-related regulatory principles and requirements which now apply to electronic trading of securities and futures on exchanges to cover the internet trading of securities which are not listed or traded on an exchange. This includes authorised unit trusts and mutual funds because they are subject to the same hacking risks.
• The SFC also proposes to update the definition of “internet trading” to clarify that an internet-based trading facility may be accessed through a computer, mobile phone or other electronic device.

Page 25

Unauthorized stock trading – 2016

• P is a HK company engaged in the trading of securities, options and futures contracts, and investment holding.
• D is a corporation licensed to carry on Type 1 (dealing in securities) regulated activities under the SFO (Cap 571) and also an Exchange Participant of the Stock Exchange of Hong Kong Limited and Hong Kong Futures Exchange Limited.
• P has a securities account with D that can be operated online with the use of a specified user ID and password for online access to the account for the purpose of carrying out transactions for the sale and purchase of securities. According to P, there are only 3 persons in the company who are authorized to access and operate the account with D and conduct online securities transactions with the account.

Source: Webb-site.com

Page 26

Unauthorized stock trading – 2016

• On 23 Sept 2016, between 14:40 and 15:22, unauthorized person(s) logged into P’s account with D with a valid user ID and password from an IP address and, in the space of 18 minutes, bought a total of 49.2m shares in a Listco from a total of 76 selling brokers at a purchase cost of HK$37.69m (including fees and levies), draining almost all of the HK$37.85m cash in the account.
• The 49.2m shares represent 4.92% of the Listco’s shareholding, at an average price of HK$0.7636 per share, 36% above the previous day’s close.
• There was a huge spike in the volume and price of the Listco on 23 Sept 2016: the traded volume was 92.568m shares or 9.26% of the Listco and the price at one point reached HK$0.88, up 57.1% on the previous close of HK$0.56, before closing at HK$0.66, up 17.9%.

Page 27

Unauthorized stock trading – 2016

• On 23 Sept 2016 at around 16:24, P was first alerted by D of the transactions.
• P then carried out some internal investigation and at around 16:47 on the same day informed D that the transactions were unauthorized.
• P’s case was that the transactions were unauthorized and were carried out fraudulently by a “hacker” who somehow gained access to P’s account through D’s online banking system.
• P refers to the fact that the records of D’s online trading system show that the person(s) who logged into the account between 14:40 and 15:22 on 23 September 2016 did so from a device with an internet protocol address (IP address) different from the IP address(es) of the device(s) normally used by P to access the account.
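The facts of the 2016 case (a login from an IP address P never used, then 49.2m shares bought in a burst at a price far above the previous close, draining the cash balance) are exactly the signals a broker's monitoring can act on before the client is alerted hours later. The following is an added example, not the broker's logic or anything from the Police case studies: it walks login records and trades, and raises an alert when a login from an unfamiliar network is followed by buying that either drains most of the account's cash or pays an average price well above the previous close. The per-client known networks, the records, the thresholds and the time window are constructed (the figures are shaped like the slide's but are not the real trades), and the stock tickers are invented.

```python
"""Added example: detect the pattern in the 2016 case (login from an unfamiliar
IP address, then a burst of buying that drains the cash balance at a price far
above the previous close). Records, networks and thresholds are constructed;
this is not the broker's or the Police's logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class Login:
    account: str
    at: datetime
    ip: str


@dataclass
class Trade:
    account: str
    at: datetime
    side: str        # "BUY" or "SELL"
    stock: str
    shares: int
    cost: float      # HK$ paid, including fees and levies


# Assumption: networks each client normally logs in from (constructed TEST-NET ranges).
KNOWN_NETWORKS = {"P": [ip_network("203.0.113.0/24")]}


def ip_is_known(account: str, ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS.get(account, []))


def flag_sessions(logins, trades, cash, prev_close,
                  window=timedelta(minutes=45), drain_fraction=0.9, premium=0.25):
    """One alert per login from an unknown IP whose buys within `window` either
    spend >= drain_fraction of the account's cash or pay an average price more
    than `premium` above the stock's previous close."""
    alerts = []
    for login in logins:
        if ip_is_known(login.account, login.ip):
            continue
        buys = [t for t in trades if t.account == login.account and t.side == "BUY"
                and login.at <= t.at <= login.at + window]
        if not buys:
            continue
        spent = sum(t.cost for t in buys)
        reasons = []
        if spent >= drain_fraction * cash[login.account]:
            reasons.append(f"{spent:,.0f} spent of {cash[login.account]:,.0f} cash")
        by_stock = {}
        for t in buys:
            shares, cost = by_stock.get(t.stock, (0, 0.0))
            by_stock[t.stock] = (shares + t.shares, cost + t.cost)
        for stock, (shares, cost) in by_stock.items():
            avg_premium = cost / shares / prev_close[stock] - 1
            if avg_premium > premium:
                reasons.append(f"{stock} bought {avg_premium:.0%} above previous close")
        if reasons:
            alerts.append({"account": login.account, "ip": login.ip, "login_at": login.at,
                           "spent": round(spent, 2), "reasons": reasons,
                           "action": "notify client now; hold further orders pending confirmation"})
    return alerts


def run_constructed_example():
    """Constructed records shaped like the case on the slides; not the real trades."""
    day = datetime(2016, 9, 23)
    logins = [Login("P", day.replace(hour=9, minute=30), "203.0.113.5"),    # usual office IP
              Login("P", day.replace(hour=14, minute=40), "198.51.100.7")]  # unfamiliar IP
    trades = [Trade("P", day.replace(hour=9, minute=35), "BUY", "BLUECHIP", 1_000, 50_000.0),
              Trade("P", day.replace(hour=14, minute=41), "BUY", "LISTCO", 10_000_000, 7_600_000.0),
              Trade("P", day.replace(hour=14, minute=55), "BUY", "LISTCO", 20_000_000, 15_300_000.0),
              Trade("P", day.replace(hour=15, minute=20), "BUY", "LISTCO", 19_200_000, 14_790_000.0)]
    cash = {"P": 37_850_000.0}
    prev_close = {"LISTCO": 0.56, "BLUECHIP": 50.0}
    return flag_sessions(logins, trades, cash, prev_close)


if __name__ == "__main__":
    for alert in run_constructed_example():
        print(alert)
```

The morning login from the usual network is ignored even though it trades; only the afternoon session fires, with both reasons attached. Two-factor authentication at login and the prompt client notification the SFC proposes (Page 23) sit in front of and behind this check respectively: the first makes the unfamiliar-IP login harder to achieve with a stolen password, the second turns the alert into something the client sees in minutes rather than at 16:24.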

Page 28

2 Laptops case

On 27 March 2017, the Registration and Electoral Office (REO) found that 2 notebook computers stored inside a locked room in the AsiaWorld-Expo in Chek Lap Kok were suspected to be stolen. One of the computers contains the names, addresses and HKID card numbers of about 3.78 million Geographical Constituencies electors in the 2016 Final Register. All the information has been encrypted and protected by multiple encryptions which are extremely difficult to break through.

OGCIO – Government Information Security

Moreover, the OGCIO has taken proactive steps in combating threats related to IT security and cyber attacks by continuously monitoring IT security related vulnerabilities and threats, providing alerts and technical assistance to B/Ds in handling information security incidents and cyber attacks. Up-to-date information about information security is published on the GovCERT.HK and InfoSec portals.

Page 29

2 Laptops case

Page 30

2 Laptops case

Do Not Let Thieves Steal Your Notebook

You have to protect your notebook computer from being stolen. If your notebook is lost, you will lose the data that has not been backed up. Your personal data or information such as your name, bank account, photos of family or friends and your own email address lists will also be disclosed to unauthorised persons or even be uploaded to the Internet.

You shall therefore:

• Always keep your notebook in a safe place, e.g. lock it in a cabinet when not in use.
• Use a computer locking cable to lock your notebook.

Page 31

2 Laptops case

Page 32

2 Laptops case

• Never leave your notebook unattended.
• If possible, install motion sensor products on your notebook. When the sensor is triggered, it will emit a loud alarm.
• Regularly back up your data.
• Set a boot password on your notebook. Most notebooks have the ability to set a password so that an unauthorised person cannot start the computer.
• Do not store personal and sensitive information on the notebook, and in case you have to store sensitive and personal information on the notebook, consider using data encryption.

How about: storing in the Cloud and linking up remotely by VPN?

Page 33

2 Laptops case

Mindset – how do you treat your data: copy or puppy?

Problem: not easy to change certain data.

Encrypted data – still personal data?

Personal data means any data:
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable.

“Practicable” means reasonably practicable.

Page 34

2 Laptops case

PCO Investigation report 12 June 2017

REO contravened DPP4

DPP4 – a data user has to take all practicable steps to ensure the personal data it holds are protected from unauthorized or accidental access.

• The claimed effectiveness of the need for storing personal data of all electors was not proportional to the associated risks.
• The security measures adopted by the REO were not proportional to the degree of sensitivity of the data (copy or puppy?) and the harm that might result from a data security incident either.
• PCO has served an Enforcement Notice on the REO to remedy and prevent any recurrence of the contravention

Page 35

2 Laptops case

• Police classified the case as theft, and their investigation is still ongoing.

Technical security measures

• “the REO replied that the staff who was responsible for sending that email in fact did not do so, but instead printed out the passwords and passed the print-out to another staff of the Information Technology Management Unit”
• “The passwords were sent to one of the 6 staffs [sic] via an encrypted email. That staff then sent the passwords to the other 4 staffs [sic] via an unencrypted email, and saved the passwords in a rearranged sequence on his mobile phone to show them to the remaining staff;”

Page 36

2 Laptops case

Encryption

• Users of the notebook computers were required to go through several programmes before they were allowed to access Electors’ data, which was protected by multiple encryption layers;
• The strongest layer appeared to have met the industrial standard (i.e. satisfying the requirements of strong encryption). Decryption could only be carried out by brute force attacks on the passwords, and using general commercial computers to crack the encryption formula would take hundreds of years;

Page 37

2 Laptops case

• For every unsuccessful login after inputting the wrong passwords, the protection layer would delay the login time so as to strengthen the difficulty of decryption. In other words, the protection layer would respond slowly and the decryption time would be lengthened even when a supercomputer was used to attack the passwords. Consequently, compromising the passwords would be a matter of sheer luck;
  • No automatic deletion even with unsuccessful logins
  • Delay time increased from 2 to a maximum of 20 seconds for each unsuccessful login
• Two-factor authentication was not adopted for accessing the Electors’ data. In other words, one would only need to input several sets of correct passwords to open the System to access the data without using another tool such as an electronic certificate, security token or mobile phone;
• Hong Kong Identity Card numbers were encrypted before being stored in the System, while other personal data was stored in plain text

Page 38

2 Laptops case

• “The Privacy Commissioner therefore accepts that the encryption technology and the system setup adopted by the REO makes it enormously difficult and time-consuming for unauthorised persons to access all Electors’ data.” [para 56 of the Investigation Report]
• Comfortable?
• Copy or puppy?
• “The Privacy Commissioner considers that sharing of passwords would make it impossible for the REO to ascertain who accessed the data. Using unencrypted emails to circulate passwords also increased the risk of leaking the passwords. The Privacy Commissioner also considers that it would have been practicable for the REO to assign different passwords to individual staffs and provide guidelines requiring them to transmit passwords through more reliable means, but the REO did not do so.”
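The Commissioner's findings above (one set of passwords shared among six staff and circulated by unencrypted email; no way to tell who accessed the data; a login delay as the main brake on guessing) map onto a small number of design choices. The block below is an added example and not the REO's system: each staff member gets their own password, a deliberately slow key-derivation function (scrypt from the standard library) turns that password into a key that unwraps a single data-encryption key, failed logins trigger a growing delay, and an access log records who opened the data. One caveat the slides do not spell out: the per-attempt delay only slows someone who has to go through the login program; whoever holds the stolen disk can attack the password-derived key offline at full speed, so in that case it is the cost of the key derivation and the strength of the passwords that carry the protection, not the delay. Staff names, passwords, the 2-to-20 second schedule and the scrypt parameters are assumptions; the XOR key wrap is a demonstration of the idea, and production code would use an authenticated key wrap such as AES-KW.

```python
"""Added example: per-user passwords, a slow key-derivation function, a
growing delay after failed logins and an access log that names who opened the
data. Staff names, passwords, the 2-to-20 second schedule and the scrypt cost
are constructed; this is not the REO's system."""
import hashlib
import hmac
import os
from datetime import datetime, timezone


class ElectorDataVault:
    """One random data-encryption key (DEK) protects the sensitive field (the
    HKID numbers on the slides). Each staff member unwraps the DEK with their
    own password, so nobody shares credentials and every access is attributable."""
    SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost; raise N on faster hardware

    def __init__(self, dek=None):
        self._dek = dek or os.urandom(32)   # in practice from an HSM/KMS, never e-mailed around
        self._users = {}                    # user -> (salt, verifier, wrapped_dek)
        self._failures = {}                 # user -> consecutive failed logins
        self.audit = []                     # (time, user, event)

    def _derive(self, password, salt):
        # 64 bytes of scrypt output: first half verifies the password, second half wraps the DEK.
        out = hashlib.scrypt(password.encode(), salt=salt, n=self.SCRYPT_N,
                             r=self.SCRYPT_R, p=self.SCRYPT_P, dklen=64)
        return out[:32], out[32:]

    def enrol(self, user, password):
        salt = os.urandom(16)
        verifier, wrap_key = self._derive(password, salt)
        # XOR with a derived pad that is used exactly once keeps the DEK confidential
        # for this demo; production code would use an authenticated wrap such as AES-KW.
        wrapped = bytes(a ^ b for a, b in zip(self._dek, wrap_key))
        self._users[user] = (salt, verifier, wrapped)

    def delay_seconds(self, user):
        """Wait to impose before the next attempt: 2 s after one failure, +2 s per
        further failure, capped at 20 s (schedule assumed from the slide)."""
        return min(2 * self._failures.get(user, 0), 20)

    def login(self, user, password, now=None):
        """Return the DEK on success, None on failure; both outcomes are logged."""
        now = now or datetime.now(timezone.utc)
        rec = self._users.get(user)
        # Derive against dummy values for unknown users so timing does not reveal valid names.
        salt, verifier, wrapped = rec if rec else (bytes(16), bytes(32), bytes(32))
        candidate, wrap_key = self._derive(password, salt)
        if rec is None or not hmac.compare_digest(candidate, verifier):
            self._failures[user] = self._failures.get(user, 0) + 1
            self.audit.append((now, user, "login-failed"))
            return None
        self._failures[user] = 0
        self.audit.append((now, user, "login-ok"))
        return bytes(a ^ b for a, b in zip(wrapped, wrap_key))

    def who_accessed(self):
        """Names of staff who successfully opened the data, in order."""
        return [user for _, user, event in self.audit if event == "login-ok"]


if __name__ == "__main__":
    vault = ElectorDataVault()
    vault.enrol("staff-a", "correct horse battery")
    vault.enrol("staff-b", "staple orbit candle")
    vault.login("staff-a", "correct horse battery")
    vault.login("staff-b", "wrong guess")
    print("delay before staff-b's next attempt:", vault.delay_seconds("staff-b"), "s")
    print("data opened by:", vault.who_accessed())
```

Because every user unwraps the same DEK, adding or removing a staff member means enrolling or deleting one record, not re-encrypting 3.78 million rows, which removes the usual excuse for sharing one password. The audit list answers the Commissioner's question of who accessed the data; with a shared credential that list could only ever say "someone who knew the password".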

Page 39

2 Laptops case

Enforcement notice – The REO is directed to:

• prohibit the download or use of Geographical Constituencies electors’ personal data (except their names and addresses) for the purpose of handling enquiries in Chief Executive Elections; and issue notice on this to the relevant staffs (sic) on a regular basis;
• set internal guidelines in respect of the processing of personal data in all election-related activities, including: (a) technical security measures (information system encryption and password management); (b) physical security measures; (c) administrative measures on the use of notebook computers and other portable storage devices; and
• implement effective measures to ensure staffs’ (sic) compliance with the above policies and guidelines.

Page 40

2 Laptops case

s.66(1) of PDPO:

• an individual who suffers damage by reason of a contravention –
(a) of a requirement under PDPO;
(b) by a data user; and
(c) which relates, whether in whole or in part, to personal data of which that individual is the data subject,
shall be entitled to compensation from that data user for that damage.

s.66(3):

In any proceedings brought against any person by virtue of this section it shall be a defence to show that –
(a) he had taken such care as in all the circumstances was reasonably required to avoid the contravention concerned; or
(b) in any case where the contravention concerned occurred because the personal data concerned was inaccurate, the data accurately record data received or obtained by the data user concerned from the data subject or a third party.

Page 41

Privacy

Y v The Law Society of Hong Kong [HCAL 39/2016]

Facts

• Y was convicted of an offence in 2006 and was ordered to perform community service
• Y worked as a solicitor’s clerk, legal assistant or paralegal in 6 different firms after the convictions. He did not disclose his convictions to his employers as he believed that the convictions were spent when he took up employment
• Y checked with LS:
  (i) whether his spent convictions would be a bar to his application for admission as a solicitor or registration as a trainee solicitor; and

Page 42

Privacy

  (ii) whether he was required to disclose such spent convictions to the potential employers, when he would be employed as a clerk, a trainee solicitor or a solicitor. Y disclosed to LS his convictions
• Without Y’s consent, LS checked with the DPP and the Court to verify the convictions of Y
• LS published details of Y’s convictions in 2 circulars, reminding solicitors not to employ staff convicted of an offence involving dishonesty without written permission of LS
• Y sought JR that the publication by LS was unlawful
• LS contended that in its role as regulator and pursuant to the exception under PDPO, LS was entitled to publish Y’s convictions.

Privacy

• A criminal record could constitute personal data within the meaning of PDPO
• DPP3 (Data Protection Principle 3) provides that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose
• Prescribed consent means the express consent of the person, given voluntarily
• The conviction data was not provided by Y to LS with a view to communication to 3rd parties
• There is a balance to strike between competing interests – one to protect personal data, the other to ensure that the highest integrity and reputation of the solicitors’ profession is maintained and that the public interest is not harmed

Privacy

• Y was only exploring the possibility of becoming a solicitor
• While LS is entitled to publish a conviction in the circulars, in this case Y as an inquirer should be protected, and the publication of Y’s convictions by LS was not justified.

Other jurisdictions

Australia

• Passed amendments to the Privacy Act 1988 that will impose a mandatory breach notification requirement.
  • Under this scheme, all agencies and businesses that are regulated by the Privacy Act are required to provide notice to the Australian Information Commissioner and affected individuals of certain data breaches that are likely to result in “serious harm.”
  • This includes most Commonwealth Government agencies, some private sector organisations, credit reporting bodies, credit providers and tax file number recipients.

Other jurisdictions

Singapore

• Changes to the existing Computer Misuse and Cybersecurity Act (CMCA) passed.
• Under the amended Act, dealing in personal information obtained via a cybercrime, such as trading in hacked credit card details, is deemed illegal, as is dealing in hacking tools to commit a computer offence.
• It is also now an offence for someone committing a criminal act while overseas, against a computer located overseas, should the act "cause or create a significant risk of serious harm in Singapore".

Other jurisdictions

China’s new cybersecurity law

• Took effect from 1 June 2017
• The Cyberspace Administration of China (CAC) released a draft (Draft) Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (Local Data) to solicit public comments

Other jurisdictions

Promotes 2 key objectives:

• Protect China against cyber attacks
• Protect the rights and interests of Chinese citizens from cyber attacks and the misuse of personal information.

Other jurisdictions

Key provisions:

• Data localization rule: imposes an obligation on operators of “Critical Information Infrastructure” (CII) to store personal information and other important data collected and generated during operations within China.
• Requires CII operators to undertake a security assessment before transferring such data abroad
• The security assessment shall be conducted by the CAC and the State Council (unless permission for the transfer is already provided under another PRC law)

Other jurisdictions

• CII is defined broadly as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest”
• Includes public communications and information services, energy, transportation, water conservancy, finance, public services and e-government

Other jurisdictions

CII covers:

• Operators who operate networks used for critical public services
• Private sector operators who operate networks which, if breached, would cause serious damage to state security, the Chinese economy or to the public at large.

Other jurisdictions

Network Operators (NO) – widely defined, so the term may apply to any business that owns and operates IT networks in China, including a computer network, website, app or other electronic platform where information collected from 3rd party users in China is stored, transmitted, exchanged or processed.

Other jurisdictions

NOs need to:

• Make public all privacy notices
• Obtain individual consent for collecting and processing personal information
• Implement technical safeguarding measures to secure against loss and destruction of personal information, data minimization, confidentiality and rights to accuracy and restriction on processing of personal data.

Other jurisdictions

Personal information is defined as including:

• All kinds of information, recorded electronically or through other means, which is sufficient to identify a natural person’s identity, including but not limited to:
  • Full names
  • Birth dates
  • Identification numbers
  • Personal biometric information
  • Addresses
  • Telephone numbers

Other jurisdictions

NOs must provide internal security management systems that include:

• Appointment of dedicated cybersecurity personnel
• Retention of network logs
• Reporting risks on network services and products to users and authorities
• Having contingency plans for network security incidents and reporting such incidents to the authorities
• Providing assistance and cooperation to public security bodies and state security bodies to safeguard national security and investigate crimes.

Other jurisdictions

IT Product Suppliers are required to:

• Provide security maintenance for all services and products for the full term of the contract – security maintenance cannot be terminated within the contract term.
• Prior to being sold or produced in the PRC market, cybersecurity products and services will be required to obtain a government certification and/or meet prescribed safety inspection requirements and national standards.

Other jurisdictions

Regulatory penalties for non-compliance

• Violations of the personal data protection provisions may lead to confiscation of illegal gain and a fine of up to 10 times the illegal gain or RMB 1M (in case there is no illegal gain), and in serious cases, suspension of business or revocation of business license and fines of up to RMB 100,000 for responsible individuals
• May also be criminally liable under article 253 of the PRC Criminal Code
• For CII operators, unauthorized cross-border provision of data may result in confiscation of illegal gain and a fine of up to RMB 1M, as well as suspension of business or revocation of business license and a fine of up to RMB 100,000 for responsible officials

Other jurisdictions

The Draft

• Seems to extend the applicability of the data localization rule from CII operators to all NOs
• Virtually all entities established in China that access and use the Internet in the course of business operations might be caught, and could be required to keep a copy of personal data and other important data collected and generated in the course of the NO’s operation in China (Local Data)

Other jurisdictions

• If an NO seeks to transfer the Local Data overseas for business needs, it must undergo a security assessment that shall abide by the principles of “fairness, objectiveness and effectiveness”
  • to protect the security of the Local Data and promote the lawful, orderly and free flow of network information
• Remote access to data is considered to be a “transfer”

The Draft provides 2 types of security assessments:

• Self-assessment
• Government administered assessment (GAA)

• An NO must conduct a security self-assessment before transmitting Local Data overseas (unless a GAA is triggered) and be responsible for the results of the assessment

Other jurisdictions

A GAA is triggered if the intended outbound cross-border data transmission involves any of the following circumstances:

• contains or accumulatively contains Personal Information of more than 500,000 individuals
• the amount of data exceeds 1,000 GB
• contains, among others, data regarding sectors such as nuclear facilities, chemical biology, national defense and military and population health, as well as data related to large-scale engineering activities, marine environment and sensitive geographic information
• contains cybersecurity information such as system vulnerabilities or security protection in respect of critical information infrastructure
• provision of personal data and other important data to overseas recipients by operators of CII
• other circumstances that may affect national security or public interests

A GAA should be completed by the relevant industry regulator within 60 working days and be reported to CAC upon completion.

Other jurisdictions

A self-assessment or GAA should focus on:

• The necessity of the outbound data transmission
• The volume, scope, type and sensitivity of Local Data to be transferred abroad
• The security measures and ability of the data recipient, as well as the cybersecurity situation of the country or region where the data recipient is located
• Possible risks that the outbound data transmission can pose to national security, public interests and lawful interests of individuals.

Other jurisdictions

NOs must, based on their business development and network operation status, conduct a security assessment on outbound data transmission at least once a year and report the assessment results to the relevant industry regulator.

In addition to the annual security assessment, NOs are required to conduct a new security assessment each time:

• There is a change in the data recipient, or a significant change in the purpose, scope, volume or type of the outbound data transmission; or
• There is a major security incident involving the data recipient or the data transmission abroad.
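An added illustration, not the Draft's text nor any regulator's tool, of how a data-governance team could encode the GAA triggers from the earlier slide and the re-assessment triggers from this one as a gate in front of an outbound-transfer pipeline. The class, field names and sector labels are assumptions; the thresholds are those stated on the slides.

```python
from dataclasses import dataclass, field

# Thresholds as summarised on the slides; sector labels are assumed names.
GAA_INDIVIDUALS = 500_000   # cumulative personal information, per recipient
GAA_VOLUME_GB = 1_000
GAA_SECTORS = frozenset({"nuclear", "chemical_biology", "defense",
                         "population_health", "large_scale_engineering",
                         "marine_environment", "sensitive_geographic"})


@dataclass
class Transfer:
    """One intended outbound transmission of Local Data (fields assumed)."""
    recipient: str                  # overseas recipient, e.g. "vendor-eu"
    purpose: str
    individuals: int                # data subjects whose data is included
    size_gb: float
    sectors: frozenset = frozenset()
    cii_security_info: bool = False  # CII vulnerabilities / protection data
    by_cii_operator: bool = False


@dataclass
class OutboundGate:
    """Tracks cumulative volumes per recipient; remote access is a transfer too."""
    sent_individuals: dict = field(default_factory=dict)
    last_profile: dict = field(default_factory=dict)  # recipient -> (purpose, sectors)

    def gaa_reasons(self, t: Transfer) -> list:
        """Triggers a GAA would rest on; an empty list means self-assessment."""
        cumulative = self.sent_individuals.get(t.recipient, 0) + t.individuals
        reasons = []
        if cumulative > GAA_INDIVIDUALS:
            reasons.append(f"cumulative personal information of {cumulative} individuals")
        if t.size_gb > GAA_VOLUME_GB:
            reasons.append(f"volume {t.size_gb} GB")
        hit = t.sectors & GAA_SECTORS
        if hit:
            reasons.append("sensitive sector data: " + ", ".join(sorted(hit)))
        if t.cii_security_info:
            reasons.append("CII cybersecurity information")
        if t.by_cii_operator:
            reasons.append("provision by CII operator")
        return reasons

    def needs_new_assessment(self, t: Transfer, major_incident: bool = False) -> bool:
        """Due on a new recipient, a changed purpose/scope, or a major incident."""
        prev = self.last_profile.get(t.recipient)
        return major_incident or prev is None or prev != (t.purpose, t.sectors)

    def assess(self, t: Transfer, major_incident: bool = False) -> str:
        """Decide the assessment type, then record the transfer for cumulative tracking.
        The cumulative trigger is checked on every batch, so a recipient that crosses
        500,000 individuals over several small transfers is escalated to a GAA even
        when nothing else about the transmission changed."""
        if self.gaa_reasons(t):
            outcome = "GAA"
        elif self.needs_new_assessment(t, major_incident):
            outcome = "self-assessment"
        else:
            outcome = "covered by existing self-assessment"
        self.sent_individuals[t.recipient] = (
            self.sent_individuals.get(t.recipient, 0) + t.individuals)
        self.last_profile[t.recipient] = (t.purpose, t.sectors)
        return outcome
```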

Other jurisdictions

• Industry regulators shall be responsible for organizing and administering GAAs.
• If a GAA is triggered but the competent industry regulator cannot be identified, CAC shall take charge of the GAA.

Other jurisdictions

Draft – Important Data refers to data that is closely related to national security, economic development and public interest.

General – NOs shall inform data subjects of the purpose, method and scope of collection and use of personal data and obtain data subjects’ consent.

Other jurisdictions

• Draft – in order to transmit personal data overseas, NOs must inform data subjects of the purpose and scope of the outbound data transmission, the content and the recipient(s) (countries or regions) of the information transmitted, and need to obtain consent.
• If the data subject is a minor, the consent of the data subject’s guardian must be obtained.

Other jurisdictions

Draft – outbound transmission of Local Data is prohibited if:

• The data subject has not consented, or the transmission could infringe the data subject’s interests
• The intended transmission would create a security risk in terms of national politics, the economy, science and technology, or national defense etc. and could affect national security or harm the public interest
• A relevant authority such as CAC, PSB or a national security authority etc. determines that the data may not be transmitted abroad

Other jurisdictions

• Organizations that conduct business in China should start to review their data privacy and cybersecurity policies to ensure compliance with the incoming law and measures.
• NOs with a need to transmit personal data collected within China abroad should review and amend their existing privacy policies or statements in order to ensure compliance.

Trends and challenges

• Emails
• Attack Trends
  • Against less mature financial services organizations
  • ATM attacks
  • Nation-states hunting for PII
  • Espionage targets on China’s periphery
• Target Industries
  • Construction and engineering
  • Financial
  • Governments
  • High Tech and Electronics

Source: FireEye Cyber Defense Live Hong Kong 2017

Key takeaways

• Be vigilant – err on the side of caution
• Switch off your computers
• Do not share passwords with others
• Never click suspicious links or attachments in an email
• There are probably guidelines and policies available already; read and follow them.
• Professional Conduct Guide 1.07
  • A solicitor using information communication technology should endeavour to ensure, within the parameters of technology, information and knowledge available at the time of use, that no Principle in the Guide or a provision in the Practice Directions or applicable law is breached by such use.

Q&A