Source: Hong Kong 01

01 Review Editor Room

The government attaches great importance to security. The National Security Law is strictly implemented, and social security and even online public opinion are closely monitored. However, many Hong Kong people have recently felt unsafe.

—What is meant here is network (in)security.

In August, hackers stole more than 400GB of information from Digital Port. The personal information of a large number of staff and former employees was made public on the dark web, including ID numbers, resumes, salary, etc.

In September, the computer system of the Consumer Council was attacked. The personal information leaked may include the ID numbers, addresses, dates of birth, and resumes of employees, former employees, and job seekers, etc.

It is not difficult to imagine that the affected persons will naturally worry that personal data such as ID numbers will be misused, for example for borrowing. Calling them "affected persons" actually dilutes the problem. Innocent people must face risks and live in anxiety; calling them "victims" is the correct term.

Who is the victim?

Although Digital Port has indicated that it will provide those who "may be affected" with a free monitoring service run by professional security consultants, a person whose personal information has been made public told Hong Kong 01 that he questioned how Digital Port can monitor or help the victims. The former employee left seven years ago, and it is also questionable why Digital Port has kept his personal information for so many years.

As for the Consumer Council, although it has said that it will contact potentially affected people as soon as possible, some citizens who have contacted the Consumer Council criticize the information provided as a generic question-and-answer. Advice on account passwords, checking for any suspicious activities, requesting credit cards, etc., cannot relieve worries about personal information such as ID card numbers and addresses.

Employees, former employees, and job seekers are the victims, and hackers are the perpetrators. So what is the nature of the data leakage? Some institutions only retain the personal information of job seekers for 12 months, but some retain it for 24 months. Is that necessary? Some institutions adopt a high-level network security system, but others may not. Once they are attacked by hackers, do they bear no responsibility? After the information is leaked, in addition to notifying the people concerned, are they responsible for providing more effective technical and legal support?

In terms of information security and network security, the industry generally views ISO/IEC 27001 as the basic standard, but as of last year, only 243 certifications had been obtained in Hong Kong, not only far less10 % less than Singapore. ISO/IEC 27001 was updated to the 2022 edition last year. How many institutions and enterprises in Hong Kong have improved their security levels is even more doubtful.

Legal requirements are lagging behind

In terms of law, Hong Kong currently relies on the Personal Data (Privacy) Regulations and on the crime of "dishonesty using computers" in Article 161 of the Criminal Crime Regulations to ensure personal data and network security. Although the former was revised in 2021 and listed the "starting" behavior as a criminal offence, there is generally no strict legal responsibility for data management, and it is not easy to bring civil lawsuits and claims after data is leaked. The latter is even less effective. It is aimed at the use of other people's computers rather than network intrusion itself, and it does not apply to the use of personal computers.

In contrast, the Mainland implemented the Personal Information Protection Law in the previous year, which requires personal information processors to adopt necessary measures to ensure the security of the data. The retention period should be the shortest time necessary to achieve the purpose of the processing. The Data Protection Act revised in the United Kingdom in 2018 includes a number of criminal responsibilities. The EU, after the GMA regulations, drafted the Cyber Resilience Act last year.

The previous government mentioned that it planned to establish the network security responsibilities of key infrastructure operators, and to conduct a public consultation on legislative proposals at the end of last year. However, in July of this year, Sun Dong, the director of the Innovation Technology and Industry Bureau, still only stated that the government was planning the legislative framework and would later consult the public on preliminary legislative proposals.

Public transportation, power, finance and other key infrastructure are of course important, but in addition, universities, medical management bureaus, accumulation bureaus, and even companies such as Octopus also hold a lot of personal information. In the age of big data, personal data is illegal, and the protection provided by institutions and enterprises must reach a higher level, and greater support responsibilities must be fulfilled afterwards. The two hacking incidents at Digital Port and the Consumer Council have proven that legislative protection of personal data and network security is urgent.

Employees, former employees and job seekers of the two institutions are uneasy. They are worried about having their personal identities stolen, and it is not impossible for some institutions to be invaded by hackers and to leak data. In other words, the next to fall victim may be anyone in Hong Kong.