Hong Kong has passed a law meant to enhance safeguards for the city’s key infrastructure systems against cyberattacks, imposing fines of up to HK$5 million for cybersecurity lapses.
At the Legislative Council on Wednesday, security minister Chris Tang said that the purpose of the law was to “establish legal requirements for organisations designated as critical infrastructure operators.”
The law will cover computer systems for various sectors, including energy, information technology, banking and financial services, land transport, air transport, maritime, communications and broadcasting, and healthcare services.
Infrastructure for “critical societal or economic activities,” such as sports stadiums, performance venues, and science and tech parks, will also be included within the scope of the law.
It will also empower the government to seek a court warrant to connect to computer systems or install programs onto critical infrastructure systems if operators are unwilling or unable to respond to cybersecurity incidents.
The passing of the Protection of Critical Infrastructures (Computer Systems) Bill came after the Asia Internet Coalition and the American Chamber of Commerce in Hong Kong said, in similarly worded submissions last year, that introducing such powers would likely have a “chilling effect” on tech investment in Hong Kong. HKFP has contacted them for comment.
Article 19, a London-based advocacy group promoting free expression, said in July last year that the law would afford the government “excessive” investigative powers to request any “relevant information” if it suspected an offence.
Both the city’s authorities and opposition-free legislature have dismissed the criticism, saying that other jurisdictions, including the US, the UK, and the European Union, have similar laws.
Personal data outside scope
Tang told lawmakers on Wednesday that the law would only cover computer systems at large organisations, giving assurance that it “absolutely does not target personal data or commercial secrets.”
He added, “Government departments will also fall outside the scope of the law.”
The Fire Services Department, Registration & Electoral Office, Electrical and Mechanical Services Department, Cyberport, the Consumer Council and the Companies Registry are among the governmental and statutory bodies that have recently suffered data leaks.

Tang said that operators of critical infrastructure systems, be they in-house or outsourced, would fall under the scope of the new cybersecurity regulations, adding that the law had no extraterritorial effect, but could extend to overseas servers linked to a Hong Kong operator.
Failing to maintain cybersecurity safeguards will result in a HK$5 million fine. Operators must also submit risk assessments conducted at least once a year to the Security Bureau and report cybersecurity incidents within 12 hours.
Responding to technology and innovation sector lawmaker Duncan Chiu’s question as to whether the list of operators would be disclosed, Tang said the list of companies falling under the remit of the law would not be publicised to prevent them from becoming targets.
Permanent Secretary for Security Patrick Li told NowTV on Wednesday that more than a hundred critical infrastructure operators would be regulated by the law, reiterating that the list would not be publicly available.
The bill was initially introduced last summer amid a spate of cybersecurity incidents that affected universities, NGOs, and hospitals.
The city’s privacy watchdog also said last November that 70 per cent of Hong Kong companies had experienced some form of cyberattack in the past year.