The HKSAR government's proposal to enact new cybersecurity legislation and the Consultation Paper's five new proposed cybercrime offences ("New Cybercrime Offences") signify a shift towards adopting a strategy of enhanced protection from both criminal and regulatory perspectives. Such developments in the cyberspace stem from Hong Kong's duty under Article 9 of the National Security Law to take necessary measures to strengthen regulation over matters concerning national security (including the internet) and the potential criminal exploitation of the rapid developments in information technology, computer and computer data.
The introduction of the New Cybercrime Offences will provide the law enforcement agencies, and hence entities/individuals impacted by cybercrimes, with enhanced tools to pursue the perpetrators. A key takeaway is the possible extra-territorial application of the New Cybercrime Offences. Under the Consultation Paper, the HKLRC suggests that the nature of cybercrime justifies the extra-territorial application of Hong Kong law. It recommends that Hong Kong courts should have jurisdiction where there is a nexus to Hong Kong (e.g., where the victim is from Hong Kong or where damages are incurred in Hong Kong). See further details on this below.
Another key point to note is the government's proposal to enact specific cybersecurity legislation in Hong Kong, given the increasingly important role cybersecurity and data security play in upholding national security. The proposed cybersecurity legislation is expected to introduce new cybersecurity compliance requirements on CIIs.
Five proposed cybercrime offences
On 20 July 2022, the HKLRC released the Consultation Paper proposing the New Cybercrime Offences, which aim to rein in cybercrime with tougher penalties of up to life imprisonment. This is the first of three papers dealing with cybercrimes to be published by the HKLRC, with this paper focusing on cyber-dependent crimes (i.e., crimes that can be committed only through the use of information and communications technology devices, where the devices are both the tool for committing the crime and the target of the crime). The Consultation Paper conducts a comprehensive comparison of the cybercrime laws in seven other jurisdictions, namely Australia, Canada, England and Wales, Mainland China, New Zealand, Singapore and the USA. The New Cybercrime Offences are derived mainly from existing legislation and aim to update the controversial antiquated laws and plug any loopholes.
Currently, Hong Kong does not have any specific offence applicable to cybercrime. Different offences are scattered over various ordinances, including the following:
- s. 25 (a) Telecommunications Ordinance: Any person (not being a telecommunications officer, or a person who, though not a telecommunications officer, has official duties in connection with a telecommunications service) who wilfully secretes, detains or delays a message intended for delivery to some other person.
- s. 27 Telecommunications Ordinance: Damaging, removing or interfering with a telecommunications installation with intent to: (a) prevent or obstruct the transmission or delivery of a message; or (b) intercept or discover the contents of a message (this does not include metadata).
- s. 27A Telecommunications Ordinance: Gaining unauthorized access to a computer by means of telecommunication.
- s. 59 and 60 Crimes Ordinance: Destroying or damaging property, or intending to destroy or damage property, without lawful excuse, including misusing any computer program or data held in a computer.
- s. 161 Crimes Ordinance: Gaining unauthorized access to a computer with: (i) intent to commit an offence; (ii) dishonest intent to deceive; (iii) a view to dishonest gain for himself or another; or (iv) a dishonest intent to cause loss to another.
The New Cybercrime Offences are as follows:
- Illegal access to program or data.
- Illegal interception of computer data.
- Illegal interference of computer data.
- Illegal interference of computer system.
- Making available or possessing a device or data for committing a crime.
The New Cybercrime Offences, except for illegal interception of computer data, come in an aggravated form if further criminal activities or a high degree of severity is involved.
Other recommendations by the HKLRC include the following:
- Possible extra-territorial application of the proposed offences ̶ The HKLRC recommends that Hong Kong courts should have jurisdiction so long as the crime in question has a local connection, including where: (i) the act or omission occurs in Hong Kong; (ii) the victim is a Hong Kong permanent resident, ordinarily resides in Hong Kong, or is a company carrying on business in Hong Kong; (iii) the target program or data is in Hong Kong; or (iv) the perpetrator's act has caused or may cause serious damage to Hong Kong (e.g., its infrastructure) or has threatened or may threaten the security of Hong Kong. For the summary offence of illegal access to programs or data, the HKLRC is of the view that the Hong Kong courts should only have jurisdiction where the act constitutes a crime in the jurisdiction where it was performed.
- Increase in limitation period ̶ The HKLRC is of the view that the current limitation period under s. 26 of the Magistrates Ordinance (Cap. 227) (i.e., six months) is too short in relation to summary proceedings for the New Cybercrime Offences. It recommends that this be extended to two years from the discovery of any act or omission or other events, the proof of which is required for conviction of the offence.
- Increased maximum sentences ̶ The maximum sentence under most of the New Cybercrime Offences is 14 years, as opposed to the present range of two to 10 years' imprisonment for existing offences. Offences of a less serious nature may be dealt with summarily with a jail term of two years or less. However, for the offences of illegal interference of computer data and illegal interference of a computer system, where the act is so grave that it endangers the lives of others, a sentence of life imprisonment may be imposed.
The HKLRC has also requested submissions to a series of questions relating to whether there should be defenses and exemptions to the proposed New Cybercrime Offences and the appropriate scope of such exemptions. Responses are due on 19 October 2022.
Sample cyberattacks: CEO fraud and ransomware
Organizations and companies are facing a rising wave of cyberattacks, with CEO fraud and ransomware attacks being two of the most common types.
CEO fraud is a sophisticated email scam where the attacker sends out phishing/spoofing emails impersonating a company's CEO or some other executive to trick employees into transferring money or providing confidential company information. In a typical CEO fraud scam, the scammer would usually get a good working understanding of the company's hierarchy and its money, trade and logistical movement patterns. The scammer would then gain access to the CEO's or the executive's email account, send emails to employees requesting money, and then slip into the payment flow to intercept payments from the employees. Under the New Cybercrime Offences, such a scam would constitute offences of illegal access to programs or data, illegal interception of computer data, and illegal interference of computer data.
Ransomware is a form of malware designed to deny an organization access to their files by encrypting such files and demanding a ransom payment to regain access. Under the New Cybercrime Offences, ransomware would be considered an offence of making available or possessing a device or data for committing a crime.
The HKSAR government announced in its 2021 Policy Address that it is undertaking preparatory work for the enactment of cybersecurity legislation in Hong Kong to clearly define the cybersecurity responsibilities of CII operators and strengthen the protection of the operation and data of Hong Kong's network systems and CII systems. Examples of CII include water, electricity, coal supply, communication networks, transport services and financial institutions.
The HKSAR government intends to consult the Panel on Security in the Legislative Council on the introduction of cybersecurity legislation and to launch a public consultation exercise on this legislative proposal by the end of 2022.
The details of the legislative proposal are not yet available. In terms of the overall legislative framework, the government has indicated that in preparing for the impending cybersecurity legislation, it will refer to relevant legislation around the world and will focus on seven areas:
- Establishing a preventive management regime for critical infrastructures.
- Devising a cybersecurity plan.
- Regularly conducting security assessments.
- Putting in place a comprehensive incident response plan.
- Conducting frequent drills.
- Prompt notification mechanism.
These broad areas will likely translate into compliance obligations for CII operators under the cybersecurity legislation.
The local cybersecurity legislation may potentially adopt the concept of "critical information infrastructure operators" which is adopted by the PRC's national Cybersecurity Law, who are subject to heightened security measures such as undergoing national security review when purchasing network products and services that may impact national security, and storing personal information and critical data within the territory. If the proposed Hong Kong cybersecurity legislation does mirror the PRC Cybersecurity Law, CII operators will be subject to an additional set of legal requirements, such as the creation, improvement and maintenance of internal cybersecurity systems; self-assessment regarding the sensitivity of data collected; and formal application for data transfers. CII operators may need to undertake a significant exercise to ensure compliance with the new legislation.
We are expecting further updates and guidance around cybersecurity and cybercrime legislation. Responses to the Consultation Paper are due on 19 October 2022. Watch this space for updates to the proposed regimes.