Looking at jurisdictions with both longstanding and emerging cyber crime and data privacy laws, we see why arriving late to the party can sometimes be an advantage.
By Chris Thomson
When technology enabled the downloading of music, and more recently 3D printing, IP legislation had to catch up with innovation. Technology has struck again – a ‘Usual Suspect’ if you will – this time forcing the law to accommodate modernisation in relation to cyber crime and data privacy.
The topic has already been tackled in both the EU and the US, as well as in numerous jurisdictions throughout Asia. Though starting late may be seen as a disadvantage, jurisdictions like Myanmar can treat those whose technological status already demands legislation as case studies, while their own laws and cyber industry progress simultaneously.
On the approaches already taken in both the EU and the US, as well as that of developing Asia, Jonathan Fairtlough, Managing Director at Kroll, noted that “In the US, piracy violations are punished by lawsuit, either regulatory action or private class action. Breach notification laws provide the impetus for protection, as the costs of failure to protect data can be substantial. Privacy is enforced by lawsuit, punished by cost. The US approach requires notice, which has raised the security level of US companies and US data, but also raised their costs.
“In the EU, regulation and fines are the primary protectors, with individual actions rare. Regulatory actions such as the ‘right to be forgotten’ are examples of this approach to privacy – a desire by the government to shape the way in which the data can be collected and used. This type of approach can blur the lines between the company and the regulator. Take an example: Google. Since the right to be forgotten has been implemented, Google has become a de facto privacy arbiter – its process to remove data is used to decide hundreds of thousands of mini privacy claims.
“Asia is still developing its response to privacy. Regulatory action is common, with limited individual rights of action. In Singapore and Hong Kong, regulators must be notified early. This can have a significant effect in Asia because of the reputation effect. The benefit Asia has is that it can learn from other jurisdictions’ approaches. As this issue will grow over the next 10 years, though, a more robust legal framework regarding it is inevitable. I expect that an almost global notification requirement will slowly come in, driven by US, EU and Australia.”
Giving his overall thoughts, Yang Xun, Of Counsel in Simmons & Simmons’ Shanghai office remarked “Obviously, the EU leads the data protection legislations. The well accepted data protection principles, being information, consent, necessity and security, arise from the EU Data Protection Directive. The newly promulgated EU Data Protection Regulation, which harmonises data protection legislations in European countries and further strengthens the protection especially in the area of implementing data protection policies, created a model for other jurisdictions to learn from.”
On this, he noted that Hong Kong and Singapore follow the EU model closely, which “pays more attention to personal privacy, whilst the US pays more attention to national security and federal power, of which the US Patriot Act is a good example”.
“Similar to the US, China has a strong central government and historically, China pays less attention to privacy but much more to ‘social order’. As a result, even in the data protection law, we can see a strong ‘footprint’ of government interference. For example, telecommunications service providers are required to verify users’ real identity before providing the relevant services so that if the user misuses the telecoms service to infringe others’ privacy, the government (or court) can step in (proactively or upon initiation of litigations) to stop the infringement. For another example, telecoms business operators have the duty to report to the government of significant data leakage, which is still a controversial issue in the EU”, Xun said.
Speaking on perhaps Asia’s least developed jurisdiction in terms of privacy law, Myanmar, Kowit Somwaiya, Managing Partner at LawPlus, noted that at this time it is impossible to say when Myanmar’s technology and legislation will catch up with that of the rest of the world.
Somwaiya also stated that Myanmar’s recent regime change will lead to growth in the country’s IT sector, and that “In the five decades of military rule that Myanmar endured, there was no right of privacy and data protection in the country”. He continued “The 2008 Constitution of Myanmar provides certain privacy protection to be in line with political reform. Section 357 of the Constitution of the Republic of the Union of Myanmar reads: “The Union shall protect the privacy and security of home, property, correspondence and other communications of citizens under the law subject to the provisions of this Constitution”.”
Conversely, “South Korea maintains some of the strictest data privacy and protection regulations in the world”, as was pointed out by Nicholas Park, Co-managing Partner at Lee International IP & Law Group, who continued “I believe this stems from the fact that there are many high-tech Korean companies including Samsung, LG, Naver, SK and Daum-Kakao that are actively involved in industries involving data privacy such as Internet of Things (IoT), the Internet, social media, video games and entertainment”.
Giving further background on South Korea’s approach to this topic, Wonil Kim, Partner at Yoon & Yang remarked “The primary source of the law governing personal information protection in South Korea is the Personal Information Protection Act (PIPA) which has been implemented since 2011. The PIPA sets out the ground rules which apply generally to personal information protection. In addition to the PIPA, there also exist specific laws that govern personal information protection in certain sectors and industries. For instance, the Promotion of Information and Communications Network Utilisation and Information Protection Act (Communications Network Act) includes personal information protection provisions applicable in relation to telecommunications services; the Use and Protection of Credit Information Act contains provisions to protect personal information in the context of financial services; and the Medical Services Act governs personal information protection in healthcare sectors.”
Speaking from a different perspective, Ronald Yu, GC at Gilkron (and Lecturer, Faculty of Law, The University of Hong Kong) said “All companies should work to prevent hacks and it is a modern GC’s duty to be knowledgeable about the basic principles of data security; doing otherwise in the Internet age is tantamount to sticking your head in the sand.
“But in doing so, one must not become too mired in the technical details – not only because technical worries are often ephemeral in that today’s technical headache is often soon replaced by newer threats – but because IT hacks can occur without technological wizardry through ‘social engineering’ and because one must keep the bigger picture in mind.
“Obviously one solution to preventing Internet-based hacks is to take one’s systems completely offline, but that is impractical in today’s world. And one could try to build an absolutely bulletproof system by spending extraordinary sums. The solution is to find a happy middle ground – a system that offers effective protection without bankrupting the company.”
A jurisdiction that has notably succeeded recently with regards to cyber security is Vietnam, where a bank recently foiled a US$1 million cyber heist. Months prior, in February, hackers successfully stole US$81 million from Bangladesh Bank at the New York Federal Reserve using fraudulent messages – the same method that failed in this case. Most of the money that was stolen from Bangladesh Bank is still missing.
Giving his thoughts, Sesto E. Vecchi, Vietnam-based Partner at Russin & Vecchi noted “Data privacy…requires awareness and visible commitment up and down the management chain so that staff realise that care is important. It may mean: electronically mandated change of individual passwords, say, every three months; outside review of electronic security; or presentations in-house on how to protect data, recognise scams etc.”
The difference between the two cases, as Vecchi pointed out, was the ability of staff to recognise scams. But even big companies in established jurisdictions are by no means immune to hacks, as was reported on May 12, 2016, when TalkTalk – a telecommunications provider in England – saw its profits halve when compared to those of the previous year thanks mainly to a cyber attack which cost the company £42 million.
Myanmar’s telecommunications sector too recently experienced something similar: “There have been a few recent examples of hacks in Myanmar which have resulted in reputation risk. A recent high profile case (now dismissed) involved an employee of a mobile phone operator company giving unauthorised access to communications data to a friend who then accessed a customer’s call log. The employee was fired and the company pressed charges against him with the regional police,” said Somwaiya.
Giving his advice, Xun agreed with Benjamin Franklin’s view that “An ounce of prevention is worth a pound of cure”, stating that “With the increasingly wide use of and the increasing reliance on information technology in business, cyber security becomes more and more important. In my view, having a well-developed plan in advance is more important than actions after a cyber security accident occurs.”
Deliberating more specifically, and demonstrating similarities between the Chinese approach and that of South Korea, Xun went on to say “In the finance sector, under the laws of major Asia jurisdictions such as mainland China, Hong Kong and Singapore, banks and other financial institutions are required to adopt and implement an information security policy and contingency policy.
“In other business sectors, although it is not a statutory requirement to have a prevention plan, a well-prepared and strictly observed prevention plan is still highly advisable. This is because a company which plans in advance and plans well will unlikely suffer from cyber security accidents and even if a cyber security accident happens, it is more ready to stop and remedy the losses from the accident.
“Moreover, it is important to note that a prevention plan or a cyber security policy needs to be localised and adapted to fit the business. For example, the policy may need to reflect the proper use of WeChat in China and reflect the necessity to use proxy servers to visit overseas websites. We have come across a number of policies prepared by the headquarters in a foreign country and in a foreign language. These policies are not helpful for protecting cyber security and for preventing accidents because employees may have difficulties understanding the policies and these policies are difficult to implement in practice.”
Also discussing prevention plans, Kroll’s Managing Director Richard Dailly stressed that “There is no question that having preventative systems in place is almost certainly going to be many, many times less expensive than waiting for a crisis to emerge. The damage caused by an attack, even if it is not directly linked to actual theft or fraud, could have a devastating effect on a company’s reputation, and of course, reputation is directly linked to the value of the company. The cost of an attack is going to include investigators, lawyers, PR consultants, potentially engineers and security advisers, just as an initial crisis response. Ensuring that all a company’s confidential material is secure, and handled properly, therefore is critical. This may not just be a question of systems and software, but given that many attacks are socially engineered, staff need to be aware that how they behave and what they put in the public domain, for instance on social media, may inadvertently give an attacker a helping hand.”
Giving similar thoughts, Yu explained “With regards to compliance issues, if a company has a good policy of IT governance, then it is less likely to have data privacy issues if good data privacy policies are integrated into its overall framework of IT governance and it studiously adheres to as well as periodically reviews and improves on these policies”.
On privacy, Dailly’s colleague Fairtlough concluded that “Privacy is an essential part of a modern digital economy. Privacy is not a luxury, nor a selfish right to keep secrets. Rather, it is a protection that allows for free choice. Freedom to choose is what drives modern markets and economies. The freedom to browse, to read, to try something new has created the modern digital economy. The ability of the market to innovate can be disrupted when people are afraid to use technology for fear of being monitored, of having what they privately share and view being used against them.
“Yet the act of using the Internet gives up much of what was traditionally private. Much of what we get ‘for free’ is paid for with data about our use habits. We exchange data about our reading choices, browsing history, our interests in exchange for access to free applications and content. We have become accustomed to entertainment on demand from multiple sources. We pay for this with some of our privacy. We give up privacy by using technology.”
Xun too weighed in on the issue of privacy: “Privacy issues involving employee personal data often appear when the company is investigating a breach of information security policy or investigating a possible compliance breach. Especially, we have been instructed to assist in investigations when the company requested for inspection of employees’ personal device and the employee declined the request on a personal privacy ground.”
He went on to later state “it is important to prepare and adapt a company’s policies to fit for the local business. From a substantive aspect, the company policy must be prepared by taking into account specific local issues. From a procedural aspect, the company should consider consulting employees during the preparation and adaptation of company policy because employees who work on the frontier have the first-hand information about the issues they expect the company policy to address.”
Xun also believes “it is advisable to give employees some training about the company policies. Training is not just reading the policies to the employees. Life examples are more effective to facilitate employees to understand the policies and to bring the policies into life. It is also advisable to encourage employees to speak out their questions and concerns about the implementation policy, for example, how to manage customers’ requests on transferring business information on WeChat platform and how to distinguish reasonable hospitality from bribery. Employees are more willing to accept and follow the policies when their questions and concerns are adequately addressed.”
All of this advice should be noted not just by those currently overcoming these hurdles, but also by those in jurisdictions like Myanmar where “currently there are no separate privacy laws”. Somwaiya nonetheless advises that “In practice, the private sector and the government are transitioning from storing information in filing cabinets to electronic databases, Myanmar companies may be finding that data protection requirements are now necessary if they are involved in the cross-border exchange of commerce and data.
“Although the constitution declares that privacy will be protected under the law, currently there are no separate privacy laws in Myanmar. There is no legal framework on data protection or data privacy.
“A new company entering the Myanmar market should invest time and money to: understand contextual risks in the context of Myanmar’s history and the government practice; use the company procedures to plug gaps in the Myanmar legal framework; develop and implement appropriate policies and procedures to safeguard data privacy; and ensure that its terms and conditions or privacy policies are publicly available.”
On data privacy in China, Xun explained “The public privacy awareness is improving. In response to such improvement, China has published and begun to implement a series of data protection legislations since 2013. Now, generally speaking, personal data is protected in both commercial and employment scenarios.
“However, implementation is a big problem in China…historically, China does not have a tradition of respecting privacy. There are a lot of data leakages and, although the government penalised a lot of companies for non-compliance of data protection rules, at this stage, it focusses on enforcing the data protection requirements against serious breaches, such as wilful disclosure of personal data and careless management of data risks (especially during the process of data transfer or commissioned collection or processing of personal data).
“China’s government has brought the data protection issue onto a national security level. This, on one hand, reflects the government’s attention on protecting personal data; and on the other, suggests that the government shift the focus more onto public interest in terms of data protection. We speculate that the government will impose restrictions on cross-border data transfer and issue rules on processing personal data, especially in the finance business sector.”
Not only does teaching about compliance help avoid problems arising, but, as Park noted, “Generally, companies that have established and implemented up-to-date and effective data privacy and protection programmes are much better positioned not only to prevent possible incidents, but to recover from any accidents that may occur. In the event of an incident, based on our experience, courts also generally tend to show leniency on companies that can prove that they have proactively established and maintained compliance programmes.”
Park went on to say “We generally recommend that companies handling sensitive data including personal information or financial information designate a person or team of persons as a data privacy and protection manager or team. By working with a law firm, the manager or team can keep up-to-date on the relevant regulations and implement the best programme for their organisation including education for relevant staff and security.”
As a result, companies should heed Kim’s warning that “With the introduction and advancement of new technologies, personal information will be collected, provided or otherwise processed more extensively. Accordingly, infringement of personal information will also likely increase and grow in scale.” However, he also points out that “Taking into account the market potential of big data, over-regulation should be avoided lest it should bring chilling effects and impede growth in relevant industries”.
In Dailly’s mind, “Tone from the top is the most important issue. Companies need to take a zero tolerance attitude towards compliance and anti-corruption issues. Online training is invaluable for companies, who are spread around the globe, but it is also important that compliance and risk executives, and GCs, are on hand, in businesses operating in emerging markets. They need to be seen. But to get local cooperation and compliance, it is equally important that a local voice believes in, and buys in to educating local and non-legal staff with the tone from the top mantra. So, for instance, an effective compliance regime in an emerging market has to partially rely on the buy in from trusted local staff on the ground.”
According to Yu, “Companies must regularly back up their data and stay abreast of the latest threats and not just on their servers but also mobile and other devices that connect to their systems. Investments in good data security are good investments because good IT safety not only protects users but also a company’s valuable IP – or to put it another way, if you think data security is expensive, consider the cost of a loss of trade secrets and pending patent applications.”