Background

Following a massive hacker attack at the end of the year 2015, VTech, a popular Hong Kong based manufacturer of children's toys, has suffered from a significant data breach which exposed 5 million customer records. As a result, parents as well as children's personal information, including names, ID and phone numbers, residential and email addresses were all released to the public. Data subjects other than Hong Kong residents were also affected. It was reported that the attorneys-general in the U.S. states of Connecticut and Illinois have announced plans to conduct their own investigation into this security breach, which implied that VTech's liability may be unprecedented.

Cyber attacks against all kinds of business are increasing and security experts have suggested that many companies in Hong Kong are ill-prepared against such attacks. According to a research conducted by PricewaterhouseCoopers Hong Kong in March 2016, the average number of detected cyber security breaches for China/Hong Kong companies from the year of 2014 to 2015 has increased by more than fivefold. Average total financial losses as a result of all security breaches detected by each China/Hong Kong company rose by more than 10%. Both breaches and financial losses are reported to be much higher than that of other countries in the world.

The Law on Cyber Security in Hong Kong

Under Hong Kong law, failure to properly secure personal data may result in the data user liable to a breach of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). The Privacy Commissioner may serve a notice of enforcement to direct the data user to remedy the breach and avoid re-occurrence of the same. Contravention of the enforcement notice is a criminal offence which would attract a maximum fine of HK$50,000.00 and imprisonment for 2 years. If the breach continues after the conviction, the data user is liable to a further daily fine of HK$1,000.00. As for civil liability, a data subject may start civil proceedings in Court for damages (including injury to feelings) suffered as a result of a contravention of the PDPO. The Privacy Commissioner has wide powers under the PDPO to assist any person entitled to bring a tortious claim by providing advice or assistance, arranging for representation, or providing any other assistance the Commissioner considers appropriate.

Benefits of Cyber Insurance

The recent surge of cyber security breaches would therefore foreseeably stimulate the demand for cyber insurance in Hong Kong. Cyber insurance may provide coverage not only for the legal costs of defending both criminal and civil litigations caused by the breach, but also the costs for engaging IT experts to determine the scope of breach, business interruption losses, cyber extortion losses, credit monitoring expenses and the costs of remedying reputational damage. Cyber insurance may also improve cyber security of the data user, since a certain level of security may be required by insurers as a precondition of coverage.

Conclusion

The increase in cyber attacks demonstrates the expanding market of cyber insurance. If insurers are slow in reacting, they run a risk of missing the rare market opportunity to secure high margins in a soft market. However, insurers should also be cautious about the potential liability they are taking when insuring such risks. Bearing in mind that cyber insurance is still evolving and that the pace and sophistication of cyber attacks are growing rapidly, in order to better protect their interests, it would be beneficial for insurers to partner with technology companies to develop an effective risk evaluation and pricing process and to seek proper legal advice, particularly in the area of policy-drafting and compliance with the PDPO. Of course, insurers should also pay extra attention to their own cyber security, since companies which cannot protect themselves cannot expect their clients to put their trust in them.