Bring Home the Data? New Hong Kong Data Privacy Guidelines for BYOD Policies

On Aug. 31, the Hong Kong Privacy Commissioner (PC) issued a new Information Leaflet to highlight the personal data privacy risks that employers need to address when developing a Bring-Your-Own-Device (BYOD) practice. This new Information Leaflet has been issued against the backdrop of increasing cybersecurity concerns, particularly in the financial industry.

Cybersecurity Risks

BYOD practices are not new. They are now almost commonplace, to the point where they are taken for granted. It is at such times that risks are overlooked in the rush to “be like everyone else” and have a BYOD practice in place. BYOD practices introduce new vulnerabilities to a company’s cybersecurity. As BYOD policies allow employees to use their own personal devices (e.g. tablets, laptops, smart phones, etc.) for employment-related activities, companies have less control over how their employees access and use personal data belonging to the company (e.g. customer data). Unlike organisation-owned devices, personal devices are generally more vulnerable to cyberattacks or to accidental data leaks.

It is no surprise that the financial industry, which has been the most active with regard to cybersecurity, has also taken the lead in relation to BYOD practices, due to the sensitive nature of personal data handled by banks and the significant consequences that may be suffered if data is stolen, lost or misused. Since at least 2014, the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC) have been actively requiring financial institutions to step up their risk management and cybersecurity measures. In October 2014, the HKMA issued a revised Circular on Customer Data Protection, which removed restrictions on BYOD policies for financial institutions, but required them to comply with the Recommended Standards of Bring Your Own Devices for Work by Bank Staff in Hong Kong issued by the Hong Kong Association of Banks. In parallel, on Oct. 6, 2014, the PC also issued a Guidance Note on the Proper Handling of Customers’ Personal Data for the Banking Industry. (See Gabriela Kennedy, Sara Or and Karen Lee, Banking On Your Personal Data: Recent Guidance Issued to Banks, Mayer Brown JSM (Dec. 23, 2014).)

One of the more recent developments in the financial industry was HKMA’s announcement on May 18 of the launch of a new cybersecurity fortification initiative (CFI). The CFI aims to enhance the cybersecurity of Hong Kong’s financial industry through:

(a) the introduction of a cybersecurity risk assessment framework;

(b) making appropriate training available to ensure a steady supply of qualified cybersecurity professionals; and

(c) setting up a cybersecurity intelligence platform for financial institutions to share information to enhance collaboration.
