SFC Disciplinary Action – Customer/Personal Data
On 20 September 2018, the Securities and Futures Commission (“SFC”) banned an individual named Ngo Wing Chun from re-entering the industry for 12 months (the “Decision”) for having taken the personal data of approximately 995 customers from his employer and emailed it to his personal email account. The evidence showed that none of the information had been disclosed to any third parties.
The incident was originally reported by Mr Ngo’s employer to the Hong Kong Monetary Authority (“HKMA”), which then referred the case to the SFC for further investigation. The SFC found that Mr Ngo was in breach of his employer’s internal policies, the Personal Data (Privacy) Ordinance (Cap. 486) (“PD(P)O”), and the Code of Conduct for Persons Licensed by or Registered with the SFC (“Code of Conduct”).
In the wake of several large-scale scandals such as the Facebook-Cambridge Analytica data scandal, there has been a growing global focus on the need for stronger data protection regimes, most notably with the 2018 implementation of the General Data Protection Regulation (“GDPR”) in the European Union.
While the GDPR's sanctions regime is far harsher than that available under the PD(P)O, industry regulators in Hong Kong, such as the HKMA and the SFC, have recently shown a growing interest in data protection. In 2010, the SFC issued a circular to licensed corporations on “Compliance with the PD(P)O”, recommending that corporations have internal controls in place to ensure compliance. In 2014, the HKMA revised its circular on “Customer Data Protection”. In 2016, the SFC issued a further circular on “Cybersecurity”.
The SFC has wide powers to take disciplinary action against licensed persons and registered institutions (ss.194-197, Securities and Futures Ordinance (Cap. 571) (“SFO”)); it has shown no hesitation in exercising these powers to enforce Hong Kong’s data protection laws, as demonstrated by this Decision, which follows other similar Decisions made in January 2018 and May 2016. A key factor in each of these Decisions is that the SFC is keen to send a deterrent message to the market, in each case banning the offending individual from re-entering the industry for between 6 and 12 months.
While no enforcement action has so far been taken by the SFC against regulated institutions for data breaches or other cybersecurity failings, such institutions should take heed of the SFC's clear readiness to use its powers to enforce the PD(P)O. As seen from the 2010 Circular, the SFC expects institutions to have adequate internal policies, controls and practices to ensure compliance. A serious breach of the PD(P)O could lead to an institution being de-registered under the SFO for a lack of internal controls. Institutions should therefore carefully review and test their existing policies and practices to minimise the risk of serious consequences.