In today's interconnected digital world, cybersecurity breaches have become all too common, posing significant legal and ethical challenges. When sensitive information is compromised, the consequences can be severe, both for individuals and organizations. Such was the case with the recent cyber security breach at Cyberport, a leading technology hub in Hong Kong. The incident, and the lacklustre reporting around it, raise significant concerns about data privacy, the legal liabilities of institutions collecting and using personal data, and the rights of affected individuals. In the following sections, we provide an analysis of the incident, its reporting, the legal implications for Cyberport, and the rights of those whose data was accessed illegally.
Author: Anna Lau, Partner
The scene of the crime
Cyberport is a creative digital community in Hong Kong with a cluster of technology and digital content tenants. Owned by the Hong Kong SAR government, it houses over 1,500 startups and technology firms focused on areas like fintech, AI, big data and smart living. Cyberport aims to drive Hong Kong's digital technology development through an ecosystem of collaborators including accelerators, investors, academia and industry partners.
Their self-proclaimed status as a ‘digital technology flagship’ makes their data incursion incident all the more out of place and unexpected.
The Incident and Its Reporting
The breach at Cyberport was discovered in mid-August 2023, but it was not publicly disclosed until September, nearly a month after the incursion. Reports in the media were already circulating a few days before the public disclosure, stating that a hacker group called Trigona was blackmailing Cyberport for the return of more than 400Gb of its data with the threat of publication if payment was not made. In the end, Cyberport did not pay the ransom, upon which the data was shared on the dark web.
According to the statement that was finally released by Cyberport, the data included “names and contact details of individuals, human-resources related data of employees, ex-employees and job applicants, and a small number of credit card records”.
While it is understandable that an organization might want to fully assess the extent of a data breach before making any public announcement, the inordinate delay and the absence of further details and follow-up publications have raised eyebrows, leading to questions about the transparency and timeliness of Cyberport's response.
Legal Implications for Cyberport
The legal implications for Cyberport as a data user are significant. Although Cyberport downplayed the significance of the data breach, stating that only a limited amount of personal data was accessed by the hackers without authorisation, the potential implications are far-reaching. There are two elements to consider: (1) whether Cyberport was negligent in its handling of sensitive data; and, related to that, (2) depending on the nationalities of the individuals whose data was compromised, whether Cyberport violated any of the applicable data protection laws in the relevant jurisdictions of those individuals. Let’s look at these two elements one by one.
Cyberport’s potential violation of data protection laws
This incident constitutes a data breach, as it not only involves an actual breach of the security of personal data held by Cyberport but also exposes the personal data of the employees, ex-employees and even job seekers of the companies in Cyberport to the risk of unauthorised or accidental access, processing, erasure, loss or use. As such, Cyberport, being the data user, is without doubt under a duty to implement good data breach handling policy and practice in order to contain the damage caused by the breach and to show its accountability under the applicable data protection laws.
As of January 2023, over 120 jurisdictions have data privacy laws. These laws vary widely in their coverage and enforcement. Some countries have sectoral coverage with different industries having their own data privacy laws, while others have omnibus coverage with at least one national data protection law in addition to provincial or sectoral regulations.
Although understandably no details have been shared regarding the nationalities of individuals whose data was accessed without consent, it is very likely that there was contravention of the relevant data protection laws in Hong Kong and plausibly in Mainland China and the European Union as well.
Collection and processing of personal data in Hong Kong is governed by the Personal Data (Privacy) Ordinance (PDPO), a principle-based piece of legislation that provides instructions and guidance, in rather broad terms, on the acts or practices that data users should or should not engage in. Although contraventions of the Data Protection Principles stipulated in Schedule 1 of the PDPO do not attract criminal liability, the Privacy Commissioner for Personal Data (“PCPD”) is entitled to issue an enforcement notice against a data user who is liable for the contravention. Additionally, aggrieved individuals may seek legal recourse and compensation for damage suffered through breach of privacy, negligence, and/or other torts, potentially exposing Cyberport to civil liabilities. What’s more, the delay in reporting could also potentially be seen as a contravention of Data Protection Principle 4(1) and (2), and may attract an investigation and an enforcement notice from the PCPD demanding that immediate remedial steps be taken to minimise and contain the impact of the breach.
Compared to the PDPO, the data protection laws in China and the EU take a rule-based approach to regulating the conduct of data users. Under Mainland China's Personal Information Protection Law (PIPL), if any mainland Chinese citizens have their data compromised, PIPL requires informing them and the cyberspace regulator within 72 hours. Serious breaches or violations under PIPL can attract monetary penalties of up to 50 million RMB or 5% of annual revenue. Assessing PIPL obligations and cooperating with Chinese authorities may emerge as a crucial issue given Hong Kong's close ties with China. It is worth noting that, in normal circumstances, if personal information is transferred outside of China, the PIPL requires companies to provide individuals with specific information about the transfers and to obtain separate consent. Companies must also adopt the necessary measures to ensure that the overseas recipients can provide the same level of protection as required under the PIPL. For the purposes of PIPL, Hong Kong is seen as outside of China.
Last but not least, the EU General Data Protection Regulation (GDPR) is the most comprehensive of these laws for personal data and privacy protection, with new provisions and enhanced rights. One of its most prominent features is its extraterritorial jurisdiction, which covers activities that take place outside the EU. Indeed, if the breach involves the personal data of an EU citizen, Cyberport is mandated to produce specific documentation of what data was compromised, how it was processed in the first place, what security measures were in place and how the firm responded once the breach was discovered. Evidence will need to be presented on its data protection impact assessments, policies and training, encryption standards, and controls around access management and the transfer of personal data. Weaknesses in any of these areas could draw harsh penalties under GDPR from EU regulators. Failure to comply with GDPR can result in significant fines, with the maximum penalty being up to 4% of a company's global annual turnover or €20 million, whichever is higher. Additionally, as with PIPL, organizations should be mindful of GDPR’s requirement, under Article 33, for a data controller to report a data breach within 72 hours of becoming aware of it.
Has there been negligence on the side of Cyberport?
The delayed public reporting, the perception of minimal intrusion, and the potential violations of data privacy laws cast a shadow of doubt on Cyberport's management and compliance efforts. At the time of writing, however, no updates have been published by the PCPD, which initiated an investigation into this incident, so there is no conclusion yet. Nonetheless, as stated by a Board Director of Cyberport, “the leaked data was stored in a shared drive, in which the data was not supposed to carry sensitive information”, which is far from optimal or good practice in personal data handling. Nor, at the time of writing, have any updates been published by the Hong Kong Police Force, which is also investigating the criminal elements of the incident.
Steps Individuals Can Take Against Cyberport
The loss of confidential personal data could lead to identity theft, financial fraud, reputational damage, and other adverse consequences for affected individuals. Individuals who feel that Cyberport’s management was insufficient in this case, and who believe their personal data have been unlawfully processed, have several options under data protection laws.
For aggrieved customers and employees, it is advisable to directly demand full disclosure from Cyberport on what specific personal data elements were exposed or accessed, whether without authorisation or by accident. If those details are not provided satisfactorily, complaints can be filed with Hong Kong’s PCPD, which is empowered to investigate and issue an enforcement notice as mentioned above.
Impacted individuals also have the right to access their personal data, and request rectification or erasure of inaccurate or outdated information under GDPR. They can also claim compensation for damage caused by the data controller or processor if they have contravened or are liable for the contravention of the applicable data protection law, including any distress they may have suffered.
To pursue legal action, individuals can seek advice from legal professionals well-versed in data protection and cyber security matters and file a lawsuit against the data controller or processor (e.g. Cyberport in this incident) in the appropriate court. The court will consider the specific circumstances of the breach, the nature and extent of the damages suffered by the individual, and the applicable legal framework to determine liability and award appropriate remedies, such as compensation or injunctive relief.
Priorities for data custodians: security & legal awareness
In summary, while portrayed as a minor incident, Cyberport's data breach has hallmarks of improper disclosure and carries significant legal risks and highlights the criticality of proactive measures, immediate reporting, and robust data protection protocols in today's digital landscape. A full and prompt accounting of compromised information is needed, along with evidence showing that its security protocols have met adequate standards and an urgent audit of their data breach response plans and public communications strategy. Adopting a posture of voluntary disclosure and cooperation will help contain the damages and mitigate penalties. Anything short can exacerbate mistrust and result in substantial penalties under relevant data protection laws, as well as potential tortious liability to other users of the Cyberport community.
For impacted individuals, lodging regulatory complaints and seeking legal counsel about litigation are advisable steps.
As we navigate through an increasingly digital world, organizations must prioritize data protection and adhere to international regulations to maintain user trust and avoid legal repercussions. As if to drive the point of urgency around cyber security home, within a timespan of two weeks, the Hong Kong Consumer Council reported a data breach and ransom situation, in quite a similar fashion as Cyberport.
There certainly is much work to do as we venture further with our ever more digital lives.
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.