Top tips to prevent and handle cyber incidents in Hong Kong
18 November 2021
The past decade has seen a huge increase in the incidence of cyber crime in Hong Kong.
The global pandemic has accelerated this trend by pushing criminal activity online: the number of cases in 2020 was 55% higher than in 2019. Being prepared for cyber incidents (both data breaches and the theft of funds by cyber fraud) is now more important than ever and should be at the top of every company’s agenda. Here are our top tips for directors and senior officers of corporates looking to manage the potential legal risks:
- Companies should ensure that written policies and procedures are in place specifying the manner in which a suspected or actual cyber incident should be escalated and reported internally (eg to directors and other senior officers) and externally (eg to clients, regulators and law enforcement agencies).
- In addition to the general legal requirements concerning the protection of data (most notably in Hong Kong under the Personal Data (Privacy) Ordinance (PDPO)), attention should be paid to any applicable sector-specific requirements, such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading issued by the Hong Kong Securities and Futures Commission, the Cybersecurity Fortification Initiative introduced by the Hong Kong Monetary Authority and the Guidelines on Cybersecurity published by the Hong Kong Insurance Authority.
- On discovering a data breach, companies should immediately gather the essential facts relating to the breach, adopt measures to contain it (including, where necessary, notifying law enforcement agencies, regulators and other interested parties, such as internet companies) and assess the risk of harm. If individuals can be identified from the data and a real risk of harm to them is reasonably foreseeable, companies should consider notifying those individuals.
- If a listed company is subject to a cyber incident, it should assess whether the incident amounts to inside information. If so, it is required to disclose the same to the public under the Securities and Futures Ordinance (Cap. 571).
- Employers may monitor employees’ internet usage in order to prevent or mitigate the impact of cyber attacks, but any monitoring that involves handling personal data must comply with the PDPO and its data protection principles: personal data must be collected by means that are lawful and fair in the circumstances; employees must be informed of the purpose for which the data will be used; and their consent must be sought before the data is used for a new purpose.
- If a company engages a data processor (such as a third-party IT provider) to process personal data of employees or customers, the company must adopt protections to ensure the security of the data in accordance with data protection principle 4 under the PDPO.
- When faced with cyber fraud cases where the misappropriated proceeds are transferred to Hong Kong, reports should be made to the Hong Kong Police Force and civil recovery actions should be commenced before the Hong Kong courts as soon as practicable. Injunctive relief to freeze the funds and disclosure orders seeking further information should also be sought as appropriate. Allen & Overy’s Hong Kong Cyber Fraud Portal is a free, web-based tool that provides guidance on the immediate steps that should be taken following the discovery of a fraud.
For further details, including an overview of: Hong Kong’s legal framework on cybersecurity and cyber crimes; how to protect individuals’ data from attempted breaches; and handling the aftermath of a cyber incident, from a legal perspective, please see A guide to Hong Kong’s cybersecurity laws and practices.