New cybersecurity bill, with HK$5M penalties for infrastructure operators, to be discussed by lawmakers
Hong Kong Free Press
A bill to regulate operators of Hong Kong’s infrastructure and monitor the security of their computer systems will be discussed by lawmakers next Wednesday, with up to HK$5 million proposed as a penalty.
The Protection of Critical Infrastructures (Computer Systems) Bill was gazetted on Friday. It will be submitted to the Legislative Council (LegCo) for a first and second reading next Wednesday.
The bill stipulates the legal obligations of critical infrastructure operators (CIOs) in the realm of cybersecurity, such as requiring them to conduct regular security audits, provide contingency plans in the event of cybersecurity incidents and report such incidents to the authorities.
It also empowers the government to collect critical computer system designs and operational details from CIOs, to investigate cybersecurity incidents, and to enter the premises of CIOs if court warrants are granted.
The government proposed that any CIOs that violate the bill will be fined up to HK$5 million, and if the offence continues, a further fine of HK$100,000 per day will be imposed.
According to the bill, critical infrastructure refers to facilities providing services in the sectors of energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunication and television services.
Any other infrastructure for which damage or data leakage will hinder the provision of “critical societal or economic activities in Hong Kong” is also regulated by the bill.
For any other cases where the offenders are not CIOs, a fine of up to HK$500,000 will be imposed. The bill does not propose imprisonment as a penalty.
A government spokesperson said on Wednesday that the bill aims to regulate large organisations.
“Small and medium enterprises and the general public will not be regulated,” the spokesperson said. “[The bill] is to safeguard the security of the computer systems that are critical to the core functions of the critical infrastructure, and in no way target personal data and trade secrets.”
Gov’t departments excluded
However, the bill will not hold accountable the critical infrastructure operated by government departments, such as water supply, immigration control and tax services.
When asked by legislators in July why the bill does not regulate government departments, security chief Chris Tang said there have been internal cybersecurity guidelines for the government to follow.
Tang said that it will not make sense for the government to fine itself, and that the civil servants follow a code of conduct which imposes stricter ethical standards than those required of employees in the private sector, Ming Pao reported.
Tang added that the government will not release the list of CIOs regulated by the bill in order to prevent those organisations from becoming targets of potential attacks.
Help safeguard press freedom & keep HKFP free for all readers by supporting our team
HKFP has an impartial stance, transparent funding, and balanced coverage guided by an Ethics Code and Corrections Policy.
Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit.