Does Hong Kong need a cybersecurity law?

By Dr Tianjian Zhang
Assistant Professor
Department of Information Systems

Dr Tianjian Zhang is an Assistant Professor in the Department of Information Systems. His research interests are in cybersecurity, fintech, and technology diffusion.

Cybersecurity and data privacy are clearly on the minds of many, from ordinary citizens who think twice before sharing their personal information on the LeaveHomeSafe app, to government officials who have been calling for a comprehensive cybersecurity law in the city. Currently, there is no stand-alone cybersecurity law in Hong Kong. What we do have is the Personal Data (Privacy) Ordinance, first introduced in 1996, but it does not cover all circumstances in which personal data is compromised online. Given the legislative vacuum, the wealth of personal data held in Hong Kong's financial sectors, and the city's ambition to become Asia's data hub, a cybersecurity law seems long overdue. However, before rushing to pass a Hong Kong version of the General Data Protection Regulation (GDPR), there are several aspects that legislators need to consider.

What would a cybersecurity law look like?

First, what would a cybersecurity law in Hong Kong look like? If it is anything like the General Data Protection Regulation (GDPR) enacted by the EU in 2016, it would require companies to be transparent about the collection and processing of personal data, to minimise both the amount of data collected and the time for which the data are stored by the company, to ensure the security of the data, and to be legally accountable in case of a data breach. California has recently adopted a law similar to the GDPR (the California Consumer Privacy Act), but there is no comparable federal-level law in the US. The most comprehensive cybersecurity law in the US addresses the accountability of data controllers: from 2002 to 2018, all 50 states passed a security breach notification law (SBNL), which requires companies to notify consumers in the event of a data breach. Even so, there has so far been no success in turning the state-level SBNL into a federal-level law.

Security breach notification law or comprehensive cybersecurity law?

If Hong Kong were to embark on a cybersecurity law, some version of an SBNL would appear to face fewer legislative roadblocks than a comprehensive law like the GDPR. Also, with the new National Security Law recently passed in the city, legislators would want to get a feel for public opinion before pursuing another broad legislative agenda. Given Hong Kong citizens' concern over personal privacy and their lack of trust in the government, a comprehensive cybersecurity law could be mistakenly viewed as an effort to monitor citizens, and look like an overreach by the local or even the central government. In contrast, a clear-cut SBNL that punishes companies in case of data breaches is much more straightforward and would likely be better received by the general public. More importantly, it would more quickly achieve the intended goal of protecting ordinary citizens.

How does an SBNL work?

Second, we need to understand whether and how a cybersecurity law can be effective in Hong Kong. Past studies have shown that SBNLs can indeed reduce identity theft (Romanosky et al. 2011). These mandatory data breach disclosure laws place a potential legal and financial burden on companies if they fail to protect consumers' private data. Apart from a dip in the stock price after publicly disclosing a data breach, companies' reputations also suffer, along with losses in sales growth (Kamiya et al. 2021). With data breaches becoming more costly under the law, an SBNL pushes companies to strengthen their cybersecurity infrastructure and related practices in order to minimise such incidents. For an SBNL to be effective in a city like Hong Kong, it needs to clearly stipulate the scope of the law. If a local company loses overseas consumers' data, or a foreign company loses data locally, should both incidents be reported in Hong Kong? Given the limited geographic scope of the city compared to a vast US state or the countries of the EU, it is perhaps all the more important to clarify these details early on in a Hong Kong version of the SBNL.

What is the downside?

Third, legislators should also consider the unintended consequences of cybersecurity laws. Given the stringent nature of such laws, well-intentioned legislation could slow down the digital transformation of the city. Past studies have shown that privacy laws aiming to protect patients' personal data ended up reducing the adoption rate of electronic medical records, which subsequently increased the infant mortality rate (Miller and Tucker 2011). Recent studies suggest that cybersecurity laws decrease the level of IT adoption in firms (Wang et al. 2019). There are two possible reasons for this. First, companies that wish to invest in digital infrastructure will need to invest more in cybersecurity under the new regulation. If the cost-benefit analysis shows that a digital project has become less profitable, companies may choose to abandon it. Second, given the severe shortage of cybersecurity talent, companies may not be able to gather enough cybersecurity expertise for a digital project, even if it makes economic sense. If either of these two disincentives emerges, cybersecurity laws could dampen the growth of digital transformation. Given the potential negative effect on IT adoption rates, IT service providers would enjoy fewer business opportunities, which would in turn take a toll on their employment. A study by my co-authors and me finds that the SBNL has a (short-term) negative effect on employment in large IT service providers (Zhang et al. 2019). While we are hopeful that cybersecurity laws will bring long-term benefits to the digital economy, it is crucial to quantify the economic cost of the legislation.

Final thought

In a way, cybersecurity laws are like environmental protection laws — they protect the digital environment just as environmental laws protect the natural environment. In developing our economy, it is vital to ensure the quality of our air and water through mandatory protective legislation. In digital transformation, cybersecurity is ultimately necessary to ensure the healthy growth of the digital economy. It is worth noting that just as a Clean Air Act can diminish employment (Greenstone 2002), cybersecurity laws have been shown to have a similar downside. Given the clear trend in digitisation and data demand in Hong Kong, a cybersecurity law seems to be only a matter of time. We hope that by considering the type of cybersecurity law, along with its upsides and downsides, legislators in Hong Kong can form a comprehensive picture when drawing up a blueprint for the city's cybersecurity law.