News //
Submitted by // K Bowers, Partner / Solicitor Advocate
29 June 2017


Cybersecurity update: SFC to set minimum standards

Introduction

The Securities and Futures Commission ("SFC") recently announced a Consultation Paper on Proposals to Reduce and Mitigate Hacking Risks Associated with Internet Trading ("Consultation"). Announced on 9 May 2017, the Consultation will run until 7 July 2017. The SFC aims to conclude the Consultation and publish the finalised proposals in September/October 2017. The finalised proposals will become effective 6 months after publication.

Proposed measures in the Consultation

The SFC introduced two main proposals in the Consultation. Firstly, the SFC has proposed to amend the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission ("Code of Conduct"). Secondly, it has proposed to issue a new cybersecurity guideline ("Guideline") under s. 399(1) of the Securities and Futures Ordinance ("SFO").

Changes to the Code of Conduct

Paragraph 18 and Schedule 7 are the main provisions in the Code of Conduct which apply to licensed or registered persons who conduct electronic trading of securities and futures contracts ("Internet Brokers"). Currently, Paragraph 18 and Schedule 7 only apply to securities and futures contracts that are listed or traded on an exchange. The SFC is proposing to widen the definition in Paragraph 18 and Schedule 7 to include securities that are not listed or traded on an exchange. For example, this would include electronically traded authorised unit trusts and mutual funds.

Additionally, the SFC is also proposing to change Paragraph 18.2(f) of the Code of Conduct. Paragraph 18.2(f) currently defines "internet trading" as "an arrangement where order instructions are sent to a licensed or registered person through its internet-based trading facility". The SFC wants to amend this paragraph by adding the line "an internet-based trading facility may be accessed through a computer, mobile device or other electronic device", which will mean that any internet brokering service accessible from any of these devices should fall within the scope of Paragraph 18 and Schedule 7.

Proposed Guideline

In the Consultation, the SFC has proposed to issue a new Guideline under s. 399(1) of the SFO. The Guideline will set out a list of cybersecurity measures which will act as baseline requirements that Internet Brokers will be expected to comply with, including the following:-

1. Using two-factor authentication ("2FA") to identify clients

Schedule 7 of the Code of Conduct currently requires Internet Brokers to implement reliable methods of authenticating or validating the identity and authority of its users. Whilst the use of a password at login is sufficient under the current rules, the proposed Guideline will impose a tougher standard by recommending 2FA as a baseline for identifying and authenticating clients. In essence, 2FA means using any combination of a password, a hardware or software token, or biometric data to authenticate the identity of a user accessing the system.

2. Using security controls to help prevent unauthorised intrusion and cyber-attacks

In the Consultation, the SFC has noted that most Internet Brokers already have some security controls to prevent hacking or cyber-attacks. The SFC wants to codify these security control practices through the Guideline by recommending Internet Brokers to:-

• deploy a secure network infrastructure through proper network segmentation;

• implement and update anti-virus and anti-malware solutions in a timely manner to detect malicious applications and malware on critical servers and workstations;

• implement monitoring and surveillance mechanisms such as IP logging; and

• establish physical security policies and procedures to prevent unauthorised physical access to the facilities hosting the internet trading system.

3. Limiting remote access to internal networks on a need-to-have basis

The Guideline recommends restricting remote access to internal networks to a need-to-have basis, as remote access exposes internal networks to the risk of cyber-attacks. Security controls should also be implemented over remote access from external networks.

4. Data encryption

Under the Guideline, the SFC specifies that client login passwords stored on systems should be encrypted using a strong encryption algorithm. In addition, Internet Brokers should use end-to-end encryption for transmitting sensitive data, such as client login credentials and trade data, during transmission between internal networks and client devices.

5. Roles and responsibilities of cybersecurity management

Under the Guideline, Internet Brokers will be required to establish an appropriate cybersecurity risk management framework at the board or senior management level. Responsible officer(s) or executive officer(s) responsible for the overall management and supervision of the internet trading system should define a cybersecurity risk management framework and set out key roles and responsibilities. These responsibilities may be delegated to a designated committee or operational unit, but the overall accountability remains with the responsible officer(s) or executive officer(s).

6. Backup and contingency planning

The Guideline will require Internet Brokers to make all reasonable efforts to ensure that their business continuity plan and crisis management procedures cover possible cyber-attack scenarios, such as DDoS [1] and total loss of business records and client data resulting from cyber-attacks (e.g. ransomware).

7. Third-party service providers

The Guideline also recommends Internet Brokers with outsourced internet trading activities to enter into a formal service-level agreement with their service providers. The agreement should specify the terms of service and the responsibilities of the providers. Internet Brokers should ensure the services provided by the third-party service provider comply with all the relevant requirements.

Effect of the proposed measures

The Consultation proposals are expected to be finalised in a few months' time. Whilst changes are expected, the majority of the proposals are uncontroversial and it is expected that most of the proposals will be included in the final Guideline.

In anticipation of the upcoming changes, Internet Brokers should review their cybersecurity policies and ensure they will be able to comply with the new requirements. Internet Brokers using cloud or outsourced services should also consider whether their existing service providers will be able to meet the new requirements.

As highlighted in our Financial Services Law Alert - May 2017, cyber-attacks are becoming more prevalent, and recent headlines have shown that cyber-attacks can cause major losses and disruption. The SFC Consultation presents a good opportunity for organisations to evaluate their cybersecurity measures and patch up any existing vulnerabilities.

[1] Distributed Denial of Service ("DDoS") is the intentional paralysing of a computer network by flooding it with data sent simultaneously from many individual computers.


About Us

Howse Williams Bowers is an independent law firm which combines the in-depth experience of its lawyers with a forward thinking approach.

Our key practice areas are corporate/commercial and corporate finance; commercial and maritime dispute resolution; clinical negligence and healthcare; insurance, personal injury and professional indemnity insurance; employment; family and matrimonial; property and building management; banking; financial services/corporate regulatory and compliance.

As an independent law firm we are able to minimise legal and commercial conflicts of interest and act for clients in every industry sector. The partners have spent the majority of their careers in Hong Kong and have a detailed understanding of international business and business in Asia.

Disclaimer: The information contained in this article is intended to be a general guide only and is not intended to provide legal advice.  Please contact pr@hwbhk.com if you have any questions about the article.

Events //
Submitted by // H Rogers, COO
29 June 2017


Kevin Bowers and Charles Lankester speak at PR360 Asia 2017 on public relations, litigation and the new social media reality.

When crisis strikes, who are you going to call? Exploring the synergy (and tension) between maximizing public relations and protecting legal interest.

HWB Partner Kevin Bowers was recently invited as a guest speaker at the PR360 Asia conference, an event which brought together leaders in the global communications industry to discuss strategies for crisis and disaster management.

Kevin was invited to share his experience advising clients during emergencies and disasters along with guest speaker Charles Lankester, EVP of Ruder Finn's Global Reputation & Risk Management Practice. The panel, moderated by Peter Shadbolt, Editor of "The Corporate Treasurer" (Haymarket Media Group), discussed the role of communications in today's litigious world, and ways of balancing public relations with protecting legal interest.

Speaking on the panel, Kevin and Charles offered insight into crisis management from both a legal and public relations perspective. They talked about best practice in crisis management, and highlighted recent examples where initial public responses by companies in crisis were too legalistic and robotic. The responses consequently failed to sway deteriorating public opinion.

Recent headlines such as the United Airlines incident went viral on social media, showing just how quickly public opinion can form. Recognising this, Kevin and Charles emphasised the need for an even-handed approach when resolving issues with a high degree of public attention. They also emphasised the importance of simultaneously protecting both the client's legal position and public image.

During the discussion, Charles and Kevin also talked about their experience in dealing with unexpected situations. They talked about the "unknown unknown", an event so unpredictable that it cannot be anticipated based on past experience. In relation to this, Charles also talked about the "Barbra Streisand Effect", where attempts to suppress information can have the unexpected (and undesired) effect of publicizing the information more widely. Finally, the panel also spoke about ways of using an emergency to come out ahead, and methods of using past experiences to help mitigate future disasters.


News //
Submitted by // K Bowers, Partner / Solicitor Advocate; P Yeung, Senior Associate
28 June 2017


Complying with data access requests: Is it permissible to charge employees for access to their personal data?

Pursuant to the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), an employee (or former employee) can ask that his/her employer provide him/her with copies of any personal data which relates (directly or indirectly) to them. This is known as a "data access request" ("DAR").

DARs can be made in respect of any personal data where it would be practicable for the employee's identity to be directly or indirectly ascertained. This may include personnel files, disciplinary records, interview notes, appraisals and performance reports, etc. An employer who receives a DAR from an employee must comply with the request (or inform the employee in writing the reasons for its refusal or inability to comply with the request) within 40 calendar days of receiving the DAR.

In complying with the DAR, an employer can impose a fee for supplying the requested personal data or decline to supply such data unless and until the employee has paid the imposed fee. This does not mean, however, that the employer has an unrestricted discretion to impose DAR fees. Any imposed fee must not be "excessive" and should be "directly related to and necessary" for compliance with the DAR.

Direct and necessary costs

According to the Privacy Commissioner for Personal Data, "direct and necessary costs" does not bear the same meaning as "reasonable costs". Furthermore, not all costs which are actually incurred by an employer in complying with the DAR will constitute direct and necessary costs. For instance, administrative overheads should not fall under the umbrella of direct and necessary costs. The question for the employer is whether it is possible to comply with each item requested under the employee's DAR without incurring costs for that particular item. If the employer can supply an item without incurring costs, it should not charge a fee for any costs incurred for providing that particular item.

If an employer decides to seek legal advice on its obligations to comply with a DAR, it is arguable that the costs of seeking such legal advice were reasonable. However, such costs should not be imposed as a fee on the employee as the legal advice was not a necessary cost for complying with the DAR. Rather, the legal advice was obtained for the benefit of the employer only. Similarly, although redaction costs are generally allowed, the employer should not charge a fee for any redactions made to the requested personal data, which are exempted from disclosure under any relevant legislation. This is because such costs are incurred for the protection of the employer's interests and are not directly related to and necessary for compliance with the DAR.

Excessive costs

The costs of complying with DARs should be minimal unless the DARs are wide-ranging or complicated (i.e. covering an extensive time period, involving a massive trove of documents, requiring convoluted searches, etc.). Where costs are incurred beyond what should have been incurred as a result of an extraordinary situation created by the employer, such costs are deemed to be excessive and should not be borne by the employee. In a 2011 case, an employer incurred exorbitant costs in order to recover personal data from a laptop which it had caused to crash. Since the recovery costs would not have been incurred under normal circumstances, it was held that a corresponding fee based on such costs would be excessive.

What fees are permissible?

The employer may take into account the direct labour necessary for complying with a DAR, including costs such as time spent by its employees to find, retrieve and reproduce the requested personal data. The chargeable labour costs should be calculated at the employees' hourly rate (including fringe benefits and salary) multiplied by the number of hours spent on the matter. As a general rule, an employer should not assign managerial level employees to perform administrative tasks for the purposes of handling DARs as this task allocation will unnecessarily raise labour costs. However, an employer may charge for the costs of technical assistance which is essential for complying with the DARs (e.g. technical assistance for duplicating video footage). Alternatively, an employer may wish to charge a "flat-rate fee" for complying with all DARs. This is permissible to the extent that the flat-rate fee imposed is lower than the direct and necessary costs for compliance with the DAR.

The costs of photocopying the documents containing the requested data are also direct and necessary costs. Generally speaking, the photocopying charge imposed at HK$1 per page will not be considered excessive.

It is important for an employer to bear in mind that the right to impose a DAR fee should not be exercised for the purpose of deterring employees from making DARs. An employer who fails to comply with a DAR without a reasonable explanation commits an offence which could result in a fine of up to HK$10,000. Where an employee believes that they have been charged excessively for compliance with their DARs, he/she may lodge a complaint with the Privacy Commissioner's Office. Ultimately, the burden rests on the employer to justify the imposed fee and how it relates to the costs incurred.


News //
Submitted by // K Bowers, Partner / Solicitor Advocate
28 June 2017


USE IT OR LOSE IT!

Not so easy to claim possession over rooftops that are not reasonably useful to anyone

Introduction

This case concerned an application for judgment in default of the Defendant giving notice of an intention to defend a Court action. The relief claimed by the Plaintiff was that it had acquired the "possessory title" of the rooftop ("Rooftop") of a factory building ("Building") by way of adverse possession. The Plaintiff was the registered owner of several units on the top floor of the Building. The Defendant was the registered owner of the Rooftop (among other parts) of the Building, who could not be found in the course of the proceedings.

Plaintiff's Application

The Rooftop in question was essentially a "concrete slab" with no proper fencing or other means of protection to prevent people or objects from falling off its edges. The Court held that there was no sound basis for suggesting that the Rooftop was reasonably safe for ordinary daily activities usually associated with properly fenced-off rooftops, such as parties, or other gatherings.

There were also pipes on the surface of the Rooftop, and the Plaintiff did not dispute that they were for the common use of the occupiers of the Building.

In support of its application, the Plaintiff relied upon the following as its conduct of excluding others from the Rooftop and in support of its claim for adverse possession:-
(1) hanging a plastic chain along the edges of the Rooftop with notices stating "Danger Do Not Come Close";
(2) installing air-conditioner units on the Rooftop;
(3) spending a substantial amount of money to replace the water-proofing layer ("Water-Proofing Layer") on the surface of the Rooftop; and
(4) locking the only entrance to the Rooftop.

Previous Authority

The Court cited the previous Court of Final Appeal (''CFA'') decision in Incorporated Owners of San Po Kong Mansion v Shine Empire Ltd (2007), a case in which the appellant also sought adverse possession of the rooftop of a building. The appellant's alleged acts of possession in this CFA case included holding gatherings for residents, allowing other residents to use the roof for drying clothes, and installing a central antenna for television aerials. The appellant was unsuccessful in the lower courts, and the CFA also dismissed the appellant's appeal.

The main reason for the dismissal of the appeal was that the alleged acts of possession "…plainly do not constitute or demonstrate the necessary factual possession or requisite intention to possess". The CFA also added that the rooftop in question must have been reasonably safe for carrying out the alleged acts of possession, and that the erection of a central antenna by the appellant was "…no more than an individual act of minor trespass to the parapet walls" which did not amount to an act of possession.

Decision

The Court ruled that the Plaintiff's alleged acts of possession in this case were even more "obscure" than those of the appellant in Incorporated Owners of San Po Kong Mansion v Shine Empire Ltd, in circumstances where the physical condition of the Rooftop was not designed or built in a way which would render it reasonably useful to anyone, except for the building manager, who could visit the Rooftop from time to time for the repair and maintenance of common facilities (such as the pipes and the Water-Proofing Layer). Consequently, the Plaintiff failed to persuade the Court that its alleged acts of possession of the Rooftop should amount to adverse possession.

Identification of the part of the property subject to a claim for adverse possession

The Court also observed another flaw in the Plaintiff's submission in relation to the Water-Proofing Layer on the Rooftop. The Plaintiff submitted that:-
(1) it had spent a substantial amount of money to repair the Water-Proofing Layer; and
(2) the building manager was "permitted" to access the Rooftop to perform repair and maintenance.

The Court questioned whether the conduct at (1) and (2) above concerned the same part of the Rooftop, as the obligation of a building manager to repair is usually limited to the common parts of a building. Therefore, the Court doubted whether the Water-Proofing Layer was a common part, or a part of the Building which was actually owned by an individual co-owner. If the two types of conduct concerned different parts, then the Plaintiff's claim for adverse possession (even if successfully established) did not extend beyond the part not owned by the Defendant. In this regard, the Court held that the Plaintiff had failed to properly identify the property it claimed to adversely possess, which in itself was a good ground for refusing the relief sought.

Comment

This case demonstrates that the physical condition of a building is important to the Court's decision in a case in which adverse possession is claimed. If the physical condition of a rooftop (in this case) suggests that it is not built or designed in a way which would make it reasonably useful to anyone, it will be difficult to persuade the Court to accept acts sufficient to establish actual possession, or the requisite intention to possess. The case also demonstrates that it is important to precisely identify the property allegedly adversely possessed, and that failure to do so should be a good ground for refusing an application for adverse possession.
