Key computer system operators to be kept confidential under proposed cybersecurity law, security chief says

The names of companies behind critical computer systems to be covered under proposed cybersecurity legislation will not be publicised to prevent them from being targeted, Hong Kong’s security minister has said.

Secretary for Security Chris Tang speaks in Hong Kong’s Legislative Council Chamber before lawmakers vote to pass new security legislation, on March 19, 2024. Photo: Kyle Lam/HKFP.

Authorities last week proposed a bill to fine critical computer system operators up to HK$5 million for lapses in cybersecurity.

The Protection of Critical Infrastructure (Computer System) Bill is expected to cover eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, communications and broadcasting, and healthcare services.


Essential services provided by the government, meanwhile, are regulated by a separate set of existing guidelines.

The Security Bureau will launch a month-long public consultation this month, and aims to introduce the bill to the legislature by the end of the year.

Targets

Speaking at the Legislative Council on Tuesday, Secretary for Security Chris Tang said that the industries to be covered under the legislation have, in principle, supported enacting legislation, and unanimously agreed that safeguarding the security of computer systems was a common responsibility.


But the names of companies to be covered by the legislation could not be disclosed, he said. “If we name them, there is a concern that those organisations could become targets of terror attacks.”

“This is an international standard,” he said, adding that the bureau had referred to other jurisdictions’ legislative directions to formulate a model suitable for the city.

Only large-scale organisations would be covered under the legislation, while small and medium-sized enterprises and individuals would not be affected, he added.

Tang also added that the law aimed to urge operators to enhance the security of their computer systems rather than penalise them, hence the fine, which could range from HK$500,000 to HK$5 million.


“However, if an individual is involved in an offence under the existing Criminal Ordinance, such as making false statements or exercising false documents, the person concerned may be held liable for criminal offences,” he said.

Several official bodies, including government departments, have seen potential data breaches in recent months. Last month, personal data of over 20,000 staff and students at the Chinese University of Hong Kong (CUHK) was stolen after a server at one of the institution’s schools was hacked.

Tang said he expected a commissioner’s office in charge of the legislation to be made up of 40 to 50 people from government bodies including the Office of the Government Chief Information Officer and the police force’s Cyber Security and Technology Crime Bureau.


© Hong Kong Free Press