Hong Kong’s security chief has sought to reassure US businesses that a bill seeking to improve cybersecurity around critical infrastructures will not infringe on their privacy, arguing authorities “were not interested” in such companies’ operational or personal data.
Secretary for Security Chris Tang Ping-keung said that all but one of the 53 submissions received for the Protection of Critical Infrastructure (Computer System) Bill’s one-month consultation period, which wrapped up earlier this week, had been in support of the proposed legislation.
The one submission that had opposed the bill came from a UK-based human rights organisation, he told a radio programme on Saturday.
Under the proposal, operators of essential infrastructures spanning eight sectors face a HK$5 million (US$640,200) fine if they fail to keep the security of their critical computer systems up to date.
The eight sectors are energy, information technology, banking, communications, maritime, healthcare services, and land and air transport.
Operators in those industries must formulate a computer system security management plan and submit it to a commissioner’s office that will be created under the Security Bureau.
Tang on Saturday touched on a submission from the American Chamber of Commerce in Hong Kong, which urged the government to ensure the new office’s investigative powers were “specific and narrowly scoped”.
“Firstly, we only target critical essential infrastructures, which are large-scale, and it has no impact on American small and medium-sized enterprises or individuals,” he said.
“We are not interested in the personal information and the operational details of the operators of such infrastructures. Our interest is only in keeping your system secure … If anyone tells you that the aim of our bill is to monitor your information or obtain your personal information, they are trying to deceive or scare you.”
The US commerce chamber submitted its paper to the bureau near the end of the consultation period, calling on authorities to consider removing information technology from the list of sectors since it differed greatly from the other seven.
“By using a broad and vague term such as ‘information technology’, it may inadvertently capture a large array of technology companies and lose the focus on regulating organisations who control critical infrastructures and computer systems and should be the ones responsible for implementing the cybersecurity requirements under the proposed legislation,” it said.
The business group also urged the government to make it clear that the proposed legislation should only apply to critical infrastructures and vital computer systems located in Hong Kong.
Any extraterritorial effect would be “disproportionate” and could lead to high compliance costs that would deter multinational companies from operating and investing in the city, it said.
But Tang said the information technology sector was covered under similar regulations in countries such as the United States, Australia and Singapore.
Information technology was essential in daily life and authorities could be left unable to achieve the legislative intent of the bill if the industry was not covered, he added.
Tang also dismissed the business group’s suggestion that authorities further consult the public about the proposed legislation.
In the event of very serious security issues, the bill will require operators to notify the new office within two hours of the former becoming aware of an incident. In less serious cases, a report should be made within 24 hours.
Organisations that fail to do so or have not conducted a risk assessment as required are set to be fined up to HK$5 million.
Tang earlier said the government would not make public a list of companies set to fall under the bill, in a bid to shield them from becoming potential terrorist targets.
The government aims to forward the proposal to lawmakers by the end of the year.
