Operators of essential infrastructure could face a HK$5 million (US$640,450) fine for failing to keep the security of their critical computer systems up to date under legislation proposed by Hong Kong authorities.
The Protection of Critical Infrastructure (Computer System) Bill covers critical infrastructures in eight sectors deemed crucial to the normal functioning of society – including energy, information technology, banking, communications, maritime, healthcare services, and land and air transport.
Operators of the infrastructure in these areas must formulate and carry out a computer system security management plan and submit it to a commissioner’s office to be created under the Security Bureau.
In the event of very serious security issues, the operators must notify the commissioner within two hours after they are made aware of the incident. In less serious cases, a report should be made within 24 hours, according to the bureau’s proposals.
Organisations that fail to do so or have not conducted a risk assessment as required could be fined up to HK$5 million, according to a document to be presented for discussion at next Tuesday’s Legislative Council security panel meeting.
But essential services provided by the government, such as water supply and drainage relief, are not covered by the proposed legislation and will be regulated in accordance with “the existing administrative approach without incorporating them into the proposed legislation”.
A month-long public consultation will be launched next month and the bureau hoped to put forward a bill by the end of this year.
In a Facebook post on Tuesday, security minister Chris Tang Ping-keung stressed that the bill aimed to regulate large-scale organisations.
“It involves no personal data and will have no impact on members of the public’s internet freedoms,” Tang wrote.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said the proposal was a step in the right direction.
“But the government needs to carefully define which companies operating critical infrastructure should be under regulation and define how bad is very bad in the event of an incident,” Fong said.
Citing the chaos at the airport on Sunday after a computer system glitch wiped flight information from digital screens, Fong said: “The Airport Authority could not fix it in a short time. Should they be fined HK$5 million then?”
The authority maintained the glitch did not affect airport operations, with arrivals and departures remaining largely normal.