Asia IP

Hong Kong businesses, no matter big or small, often do not take cyber protection seriously because of a lack of awareness as to the risks to their data, says Paul Haswell, a partner in the Hong Kong office of Pinsent Masons. Haswell spoke recently to Asia IP to share his views on the value of cyber protection.

Haswell says that the lack of awareness may derive from the lack of sophistication in terms of how valuable personal data is to others; the cost of adequate data security may also prevent sufficient spending to be well prepared. As a result, Hong Kong companies often do not realize they are targets.

“On the street in Hong Kong, it is not uncommon to see people accepting free gifts in return for Facebook ‘likes’ or their personal data,” Haswell said. “Essentially, people are willing to give away their personal data without realizing its value. They should be questioning what they are sharing, what are the data will be used for and how to stop the data being used.”

One of Hong Kong’s most notorious usages of personal data came to light in 2010, when the issuer of the Octopus Card, which is widely used in Hong Kong to pay for public transportation and small purchases at convenience stores and supermarkets, acknowledged that it had made HK$44 million (US$5.68 million) over 41/2 years by selling the data. Octopus sold the data of 1.97 million customers to six partners in the Octopus Rewards scheme.

“China remains a key originator of cyberattacks,” Haswell says, “and Hong Kong is as likely to be a target as the US or Europe. So far, Hong Kong has not had any high profile public data breaches, but it must only be a matter of time. Singapore, on the other hand, is more savvy when it comes to data protection. Singapore is more aware of the risks, and currently benefits from a more protective data protection law.”

Although laws vary from country to country, and some countries have more restrictive or protectionist laws, Haswell says when talking about how companies are affected, there is no country that is completely safe.

For companies with less money to spend on data protection, Haswell suggests they rearrange their budget in order to invest in security to make themselves a much more difficult target.

In terms of enforcement, Haswell believes there are very limited options for companies do. “If I were a bank, and you as an individual stole $35 million worth of customer contacts, what can I do? Enforcement is hard because, firstly, can you identify the perpetrator? Even if the hacker is identified, what can you do? It will be too late to recover the data, so the only other option it to start legal action. But can the attacker really compensate your loss, assuming you can even sue them?”

In this area, Haswell says, the law is not necessarily helpful. “It protects the person whose data was lost to a limited extent, and is not necessarily on your company’s side if it lost that data. Thus, preparation is the best defense.”