Join Paul Haswell, a partner at Howse Williams in Hong Kong, as he explores the transformative impact of technology on the legal profession in his new column for IHC Magazine. Paul offers insights into the challenges and opportunities for in-house and external counsel, providing thought-provoking perspectives on the future of law in the digital age.
Last month I had the great pleasure of speaking at a seminar in Hong Kong on the jurisdiction’s new cybersecurity law. The Protection of Critical Infrastructures (Computer Systems) Ordinance is a recently enacted law which comes into force at the beginning of next year. It was formulated, and passed, to put into place mechanisms to regulate the operation, management, and critically the security obligations applicable to any organisation responsible for a computer system in Hong Kong which has been specified to be a “critical infrastructure” (namely a system which, if it was to be disrupted or destroyed then that disruption could have a negative impact on life in Hong Kong).
Such systems will be designated by a newly appointed Commissioner of Critical Infrastructure and by appointed Designated Authorities, which initially will comprise the Hong Kong Monetary Authority and the Communications Authority. Organisations will be notified if they are deemed responsible for a critical infrastructure system and therefore subject to the law’s provisions, but the identity of critical infrastructure providers will not be made public in order to protect their security (although it should be possible to guess who at least a few of them are with a bit of common sense and given the identity of the first appointed Designated Authorities).
Fines for non-compliance with the law can be up to HK$5,000,000, which is lower than you might find in comparable jurisdictions but the highest to date in Hong Kong for an IT-focused law.
At the seminar I spoke about how this legal development was much needed in Hong Kong. Whilst we already have a Hong Kong data protection law in the form of the Personal Data (Privacy) Ordinance, it is a long way away from the EU’s GDPR, Mainland China’s Personal Information Protection Law, and many other established data protection laws across Asia. The new Hong Kong law introduces requirements which have not been seen in Hong Kong law before, such as a mandatory legal obligation to conduct security drills and risk assessments, and to notify of a security incident within 12 hours of becoming aware of it.
My tech background means I’m a big supporter of cybersecurity and data protection laws; and in fact, I’ve been advocating that we need updated and revised data protection laws in Hong Kong for as long as I have lived here.
But the impact of the new law is that cybersecurity becomes a major concern in Hong Kong not just for an organisation’s technology department, but also for its staff and in-house lawyers. Failing to properly prepare for and respond to a cyberattack could be a breach of the law. My concern, however, is that many organisations, in Hong Kong and unfortunately worldwide, are woefully ill-equipped to deal with a cyberattack when it takes place.
A cyberattack, even an unsuccessful one, can be an organisation’s worst nightmare. The disruption it may have on business operations is one thing, but when one takes into consideration the possible financial loss, reputational damage, and the potential fines imposed by an applicable regulator if mistakes are made in the response to the attack, then the potential repercussions quickly become daunting.
If a cyberattack is successful, then the ramifications will typically be even worse. By way of an example, a major British retailer recently suffered a severe cyberattack which disrupted its online systems for months, resulted in the loss of customer personal data, left it with empty store shelves and caused estimated losses equivalent to a 30% hit to its profits. This was orchestrated via a social engineering attack on one of the company’s contractors, a threat vector often taken advantage of by cybercriminals. Needless to say, an attack on a clothing and food retailer is significant, but a similar attack on a power station, or airport, or hospital could have a truly catastrophic or potentially fatal result.

Having been personally involved as external counsel responsible for assisting in responding to data breaches and cyberattacks, working with a company’s legal team, IT department, Chief Information Officer and Chief Information Security Officer (if it has one), I’ve noticed that it is often the legal department which bears the brunt of coordinating and responding to an attack. A general counsel can often be required to manage multiple roles in the response, and many businesses, especially smaller enterprises which may not have the resources to invest in major cybersecurity systems, may be woefully unprepared to act when an attack, or heaven forbid a successful data breach, takes place.
This means that in-house counsel often has to take a lead role: not only coordinating the legal response but also overseeing the IT team, managing public relations, possibly dealing with law enforcement bodies, and working with any cybersecurity experts enlisted either within or outside the organisation. In the case of a ransomware attack, counsel might even find themselves negotiating with whoever was behind the cyberattack.
Doing this successfully requires training or experience, and most often both. I remember my first engagement on a suspected data breach. It was exhilarating (especially for a nerdy technology lawyer such as myself!) but it was also intense, taking in not just legal issues but practical ones: identifying threat vectors, determining when to notify affected parties, considering how to manage IT teams, liaising with regulators, dealing with the attackers, managing the public response, and ultimately seeking to ensure it is not repeated. Complying with any cybersecurity law such as Hong Kong’s new Protection of Critical Infrastructures (Computer Systems) Ordinance will involve the same. The issue is that lawyers (whether in private practice or in-house) are not often trained to deal with cybersecurity challenges, and I fear this is especially true in jurisdictions outside of the US and Europe.
So, what to do? Well, it’s not actually that difficult to find technology experts willing to provide advice or give crash courses on breach response and cybersecurity, and there are many tech, data and cybersecurity firms who will provide training on breach response to organisations or run a simulated data breach or cybersecurity incident you can take part in. There are also plenty of lectures, seminars and events that you can attend to learn more about cybersecurity and breach response: your CIO or CISO, if you have one, will likely be able to point you in the right direction, but if not, there are plenty of online resources too.
The thing is, partaking in these won’t just help you comply with data protection and cybersecurity laws and protect your organisation, but it will also make you less likely to fall victim to online scams and data breaches yourself. Given that Microsoft estimated last year that its users face 600 million cyberattacks per day, it would be time well spent.
Paul Haswell
Paul Haswell is a partner at Howse Williams in Hong Kong, specialising in Technology Transactions and Sourcing. With over 20 years of experience, he focuses on TMT matters, including data and cybersecurity, telecommunications, and emerging technologies like AI and blockchain. A tech enthusiast since childhood, Paul has handled major technology disputes and offers a blend of legal expertise and passion for innovation.
Outside of his legal work, Paul is a tech and law podcaster and a DJ. He co-hosts the “Sunday Escape” radio show on RTHK and the podcast “Crimes Against Pop.” A music lover with an extensive vinyl collection, Paul enjoys discovering and sharing new music. He’s also a sci-fi fan, particularly of “Doctor Who.”