IT firms involved in computer security obliged to provide information

Stacy Shi

The government is empowered to request information from critical infrastructure operators involved in computer security incidents or crime investigations under the Protection of Critical Infrastructures (Computer Systems) Bill, said Permanent Secretary for Security Patrick Li Pak-chuen.

During a Bills Committee meeting yesterday, Li said authorities would develop relevant codes of practice to outline instances involving "reasonable grounds to suspect."

His comments came in response to concerns raised by Democratic Alliance for the Betterment and Progress of Hong Kong lawmaker Elizabeth Quat Pei-fan regarding the scope of requested information.

She questioned whether this would encompass sensitive details, such as personal data or commercial confidentiality, as well as the handling of cross-border data.

In response, Li clarified that the government possesses the authority to require information from operators and may exercise that power under a magistrate's warrant.

"The legislation is not targeting commercial confidentiality or personal data and the authorities will adhere to this principle during enforcement," Li said.

Quat also expressed concerns about the obligations of outsourced service providers to supply the necessary information in cases related to national security. She worried about potential loopholes if these providers refused to comply due to geopolitical factors.

Li assured that, while operators may outsource their work, they cannot outsource their responsibilities.

To address these concerns, authorities proposed monitoring outsourced service providers through contractual means and will outline these requirements in the forthcoming code of practice.

The code will mandate that operators establish a physical office to facilitate follow-up, Li said.

stacy.shi@singtaonewscorp.com