Businesses in Hong Kong may soon need to account for cybercrimes laws when establishing their ICT security frameworks.

The Law Reform Commission has published a consultation on Cyber-Dependent Crimes and Jurisdictional Issues. In the consultation paper published, they have proposed that a new law focusing on cybercrime be created. Aspects of this proposed new law include:

(a) introducing a new offence of unauthorised access to program or data, subject to a statutory defence of reasonable excuse. This would be broader than the existing offence under the Telecommunications Ordinance of unauthorised access to a computer by "telecommunications";

(b) introducing a new offence of unauthorised interception, disclosure or use of computer data carried out for a dishonest or criminal purpose. This offence would apply generally to all forms of data, including metadata, data in transit and data momentarily at rest during transmission. This would be broader than the offence under the Telecommunications Ordinance of intercepting or discovering the contents of a message by any person who damages, removes or interferes with a "telecommunications installation";

(c) transposing existing provisions regarding "misuse of a computer" under the Crimes Ordinance to provide for two offences relating to illegal interference of computer data or system. In relation to illegal interference of system specifically, the Law Reform Commission proposes to clarify the scope of "misuse of computer" to amongst others, incorporate notions such as impairing the operation of any computer (in line with the offence in other jurisdictions);

(d) introducing a provision which corresponds to existing cybercrime provisions under the Crimes Ordinance relating to possessing anything with intent to destroy or damage property. The Law Reform Commission has proposed that the relevant elements of this offence will be made out so long as the primary use of the device or data is for committing an offence. This is regardless whether or not the device can be used for any legitimate purpose;

(e) providing for aggravated offences in the new law. An example of an aggravated offence includes one where a perpetrator intends to use the device or data to commit an offence;

(f) providing for statutory defences of reasonable excuse in the new law, as there can be various legitimate reasons for a person or entity to require devices or data that can be used to commit a crime;

(g) providing for extra-territorial application of the new law, as Hong Kong courts should have jurisdiction where there is a Hong Kong connection; and

(h) providing a wide range of penalties due to the severity of harm caused by cybercrime. In particular, the Law Reform Commission has proposed that each of the five proposed cyber-dependent offences has two maximum sentences, one applicable to summary convictions (two years' imprisonment) and the other to convictions on indictment (14 years' imprisonment).

The consultation period on this proposed law will end on 19 October 2022. Businesses are welcomed to provide their views, comments, and suggestions on the proposed law, including

(a) whether there should be any specific defence or exemption for unauthorised access for cybersecurity purposes;

(b) whether there should be exemptions from criminal liability for interception and use of data (including metadata) in favour of any professions and businesses;

(c) whether the proposed offence of illegal interference of computer system should provide for lawful excuses for both cybersecurity professionals and non-security professionals; and

(d) whether there should be a defence or exemption for the offence of knowingly making available or possessing computer data that can only be used to perform a cyber-attack.