The current position
It has been difficult to ignore the headlines this year about data breaches. With good reason, individuals - and the media - are taking notice that personal data has value for business, politics, and certainly for criminals. Cybersecurity firm Norton reported that in 2017 hackers stole a total of £170 billion from consumers. Facebook users are wondering whether they were one of 87 million whose data was improperly shared with a UK political consultancy. And Equifax shareholders are still reeling from a 20% drop in share price following a cybersecurity breach.
The GDPR effects a monumental change in EU data security law from May 2018, introducing:
- mandatory reporting of personal data breaches to national regulators and, in some circumstances, affected individuals, depending on the risk to the individuals’ rights and freedoms
- more rights for data subjects, including greater rights to be informed of data processing, to access personal data, and to correct or erase it, and
- increased liability for data controllers and (for the first time) processors, including penalties of €20m or 4% of global turnover for getting GDPR compliance wrong.
While designed to strengthen the protection of personal data, the GDPR is unlikely to deter cyber criminals from creating malware strains and phishing emails to obtain that data - it is simply too difficult for cyber-attacks to be tracked. The value of the GDPR lies in coercing firms to improve their data security controls - thereby reducing the likelihood of a successful cyber-attack. For more on the GDPR, see our microsite.
Meanwhile, in Singapore, the new Cybersecurity Act, which is due to come into force in mid-2018, will create a new regulatory framework for preventing, responding to and reporting on cyber security threats. Under the Act, owners of computer systems that are directly involved in the provision of “essential services” relating to the running of the country will have to report cybersecurity incidents and data breaches related to these systems to the Commissioner of the Cyber Security Agency of Singapore and comply with other statutory requirements. The Act identifies 11 sectors that are likely to fall within the CSA’s remit, including Banking and Finance. For more, see here.
In Hong Kong, there is no over-arching cybersecurity legislation like that introduced in Singapore and China, and regulatory activity in this regard has been limited to date. Hong Kong’s financial regulators, the HKMA and SFC, have been the most active authorities on this topic, and have issued guidelines for intermediaries subject to their regulations. Whilst these guidelines have no force of law, they represent the SFC’s and HKMA’s expectations and have helped to coerce licensed and regulated persons to improve their cybersecurity controls. There is no explicit requirement to notify the Privacy Commissioner, the police, or the SFC or HKMA of a data breach. However, depending on the nature or seriousness of the breach, an obligation to report may be triggered because of its wider implications for the regulated firm’s status as fit and proper.
Key issues to think about
To date, in most jurisdictions worldwide, reporting data breaches (whether accidental loss by an employee or the result of a successful cyber-attack) has been encouraged but not required. The GDPR’s penalties, of up to 2% of global turnover for failing to report personal data breaches, will change this. Firms must be prepared to report to regulators and individuals about data breaches, given the amount of personal data they hold.
We anticipate that greater transparency about personal data breaches will trigger a wave of litigation and enforcement:
- from EU supervisory authorities charged with data protection regulation, testing their new GDPR powers
- from other regulators concerned about weak cybersecurity controls. For regulated firms in the UK, it is worth bearing in mind that the FCA expects to be told about material cyber events
- from data subjects, whom we expect to increasingly take collective legal action, assisted by representation from not-for-profit bodies, litigation funding and contingent fee arrangements. They will be encouraged, in the UK, by the recent successful data leak claim against Morrisons Supermarkets (for more on this, see here), and
- from shareholders, disappointed by the serious effect of data breaches on share price.
Where the data breach is the result of cybercrime, there may often be no recourse for the firm against the perpetrators - who are notoriously difficult to trace, often reside in non-extraditable countries and may (worryingly) be sponsored by nation states. While a firm may notionally be a victim of cybercrime, it will nonetheless bear the huge economic and reputational costs of poor cybersecurity.
While Singapore’s forthcoming Cybersecurity Act is a new development, the Banking and Finance sector already faces regulatory scrutiny in this area. The Monetary Authority of Singapore (MAS) already places an obligation on organisations to notify it of cybersecurity incidents and submit a report. The MAS recently announced that it is planning to update its Technology Risk Management guidelines, including providing specific guidance on cyber security operations, surveillance, assessment and exercises, and outlining risk management principles that are relevant to new technologies. The revised guidelines will likely raise the risk management standards expected of regulated institutions in Singapore.
The MAS’s announcements to asset managers (see here) and banks (see here) are linked.
With the EU being Hong Kong’s second largest trading partner, the GDPR’s extra-territorial effect will have an impact on many Hong Kong businesses, which may face enforcement risks for failing to comply with it.
From 25 May 2018, the GDPR will apply in all EU member states. It has, to date, presented an enormous compliance burden for all firms doing business within or with the EU. It remains to be seen whether enhanced regulation (and the consequent overhaul by firms of their cybersecurity measures) will reduce the threat of cybercrime.
Singapore’s new Cybersecurity Act is currently expected to come into force in mid-2018.
Although we do not see enhanced regulation as imminent in Hong Kong, it will be in many firms’ business interests, especially those with regular dealings with the EU, to evaluate and enhance their cybersecurity controls.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.