What you must know about cyber criminals in Hong Kong
By Daniel Walker
The Hong Kong Government estimates that between 2009 and 2011, the financial loss to businesses in the SAR from computer crime more than trebled to nearly HK$150 million. Small businesses, increasingly reliant on IT systems, and with generally weaker security measures in place, suffer disproportionately, with approximately 40% of all recent cyber attacks directed at SMEs.
Hong Kong has some of the toughest laws in Asia to both crack down on cyber crime and protect personal data privacy. Cyber criminals can be prosecuted in Hong Kong under a raft of legislation, comprising the Computer Crimes Ordinance, the Crimes Ordinance and the Theft Ordinance.
The protection of personal data, meanwhile, is governed by the Personal Data (Amendment) Ordinance, which makes it a legal requirement in Hong Kong that any personal data collected be held securely, kept up to date, and used only for the purpose for which it was collected.
A Hong Kong company in the unfortunate position of losing data through a cyber attack must therefore contend with any number of legal uncertainties, such as IP infringement, defamation, breaches of the privacy laws, and even the concern that a computer virus may have been inadvertently sent on to customers or clients.
These are high costs to any business, and potentially crippling to a small company. Directors are the most exposed to potential claims and must ensure they understand exactly what information their company holds, where it is stored and the measures taken to protect it.
It is certainly a good idea to periodically reassess both the impact and the likelihood of a breach of these systems. Company officers should be part of any effort to design a program to prevent breaches and, of course, should have a plan in place to respond properly when one occurs.
Ultimately it is they who must be able to answer to their clients, suppliers, shareholders or the authorities.
The Asian insurance industry is increasingly waking up to the growing demand for cover in this area, and it is now possible to obtain insurance to protect against the risks connected with a cyber attack.
Given the global nature of the internet, businesses should ensure that proposed policies, at the very least, offer coverage for loss anywhere in the world and provide cover for legal advice and representation costs in connection with regulatory investigations.
Some policies may go further and cover the professional fees of a forensic cyber risk specialist, or the costs of hiring a PR consultant to advise on how to deal with the inevitable media circus that follows a significant loss of personal data.
Hong Kong SMEs and startups should be aware of the need to stay ahead of the curve. They should ensure that they have in place their own internal data protection policies that are compliant with the Hong Kong legislation and, ideally, additional insurance coverage to meet the significant and growing threat that comes with doing business in an online world.