On 25 June 2024, the Government proposed to enact a new piece of cybersecurity legislation, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill, to enhance the protection of computer systems of critical infrastructures (CIs). On 2 July 2024, the proposed legislative framework was tabled to the Legislative Council Panel on Security for consultation. The proposed legislation would require CI operators to fulfill certain statutory obligations and take appropriate measures to strengthen the security of their critical computer systems and minimize the chance of essential services being disrupted or compromised due to cyberattacks.

On 25 June 2024, the Government proposed to enact a new piece of cybersecurity legislation, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill, to enhance the protection of computer systems of critical infrastructures (CIs). On 2 July 2024, the proposed legislative framework was tabled to the Legislative Council Panel on Security for consultation. The proposed legislation would require CI operators to fulfill certain statutory obligations and take appropriate measures to strengthen the security of their critical computer systems and minimize the chance of essential services being disrupted or compromised due to cyberattacks. It is proposed that a new Commissioner’s Office is to be established under the Government’s Security Bureau for the implementation of the proposed legislation.

On 10 April 2024, the Hong Kong Court of Final Appeal (CFA), Hong Kong’s highest court, delivered its judgment in Tam Sze Leung & Ors v Commissioner of Police [2024] HKCFA 8, affirming the validity of the ‘No Consent Regime’ (“Regime”) of the Hong Kong Police (“Police”). The Regime encompassed a practice of issuing “Letters of No Consent” (LNCs) to financial institutions for customer accounts that contain suspected proceeds of crime, thereby triggering informal freezes on these accounts.

On 10 April 2024, the Hong Kong Court of Final Appeal (CFA), Hong Kong’s highest court, delivered its judgment in Tam Sze Leung & Ors v Commissioner of Police [2024] HKCFA 8, affirming the validity of the ‘No Consent Regime’ (“Regime”) of the Hong Kong Police. The Regime encompassed a practice of issuing “Letters of No Consent” to financial institutions for customer accounts that contain suspected proceeds of crime, thereby triggering informal freezes on these accounts.

Cyber fraud continues to pose a significant threat to businesses and individuals in Hong Kong and elsewhere around the world. According to the official statistics for Hong Kong, 2022 saw a significant increase of deception cases of over 8,000 cases, over 70% of which were Internet-related. The Hong Kong Police has developed a ‘No Consent Regime’, which encompassed a practice of issuing so-called ‘Letters of No Consent’ to banks for accounts which contain suspected proceeds of crime, thereby triggering informal bank freezes on these accounts.

While Hong Kong has yet to enact specific legislation on cybercrime or cybersecurity, this will soon change with the announcement of the proposal to enact a new cybersecurity law during the Chief Executive’s 2021 Policy Address and the issuance of a consultation paper on “Cyber-dependent crimes and jurisdictional issues” by the Hong Kong Law Reform Commission.

Since finding that the Police’s use of a “No Consent Regime” (“Regime”) in freezing accounts that contain suspected proceeds of crime was unlawful and unconstitutional, the Hong Kong Court of First Instance has now handed down its decision on relief and costs in Tam Sze Leung & Ors v. Commissioner of Police [2022] HKCFI 772.
The Court declared that the Letters of No Consent (LNCs) in issue and the Regime “as operated” by the Police are: (i) ultra vires Sections 25 and 25A of the Organized and Serious Crimes Ordinance (OSCO) (Cap. 455); and (ii) incompatible with Articles 6 and 105 of the Basic Law, as the Regime as operated by the Police is not prescribed by law and is disproportionate

Cyber fraud remains a significant risk to businesses and individuals. In the 11 months to November 2021, over 500 phishing scams, worth more than HKD 1.4 billion in losses, were reported to the Hong Kong Police. The Police have been developing and will soon launch a free software to assist businesses in identifying phishing scams.

Cybersecurity from compliance to crisis – With the ever-increasing threat of ransomware and other cybercrime, we offer a bird’s eye view of cybersecurity strategy focused on addressing risks, keeping up with regulatory and compliance issues, and managing a cyber crisis.
In our Deciphering Data Webinar Series, we provide a global perspective of what’s keeping executives awake at night with the world’s threat actors becoming seemingly more sophisticated every day, and give practical guidance on how to address these risks and concerns and prepare companies for challenges ahead.

We have seen a noticeable increase in the prevalence and sophistication of cyber fraud incidents in recent years. This has led to a substantial rise in civil recovery actions, and as a result, we now have the benefit of key learnings from recent decisions by the Hong Kong Courts and other jurisdictions. This alert discusses some of the common themes and challenges victims of fraud may face in civil recovery actions, particularly in cases involving allegedly “innocent” recipients of tainted funds and competing victims pursuing recovery from the same finite pool of funds.