
Security aspects of e-business (Hong Kong law)

This guide is based on Hong Kong law. There is an equivalent UK guide.

Overview

The perceived lack of security on the internet is seen as the major obstacle to the uptake of e-business. Various applications have been developed to provide consumers and businesses with the comfort they require. Legislation is being introduced with a similar aim. This guide gives a brief overview of the subject.

Security products and services

There are three main security issues relevant to doing business on-line:

  • Verifying the identity of the person you are doing business with.
  • Ensuring that messages you send and receive have not been tampered with.
  • Obtaining evidence of the date, time and place at which a contract was made.

These three issues are addressed by a variety of means including:

Encryption

The process of encryption underpins most of the security products that are on the market. The encryption process encodes a message using an encryption algorithm so that only the sender and intended recipients can access it. The encryption algorithm uses a key. At the receiving end, the key is used to decode the message to the original data.

Traditionally, encryption uses a single secret key that both the sender and the receiver hold. However, the secret key itself then has to be transmitted to the recipient, and that transmission is not secure. Instead, public key cryptography is now used in secure internet communication. Each recipient has a secret private key and a published public key. The sender looks up the recipient's public key and uses it to encrypt the message, and the recipient uses the matching private key to decrypt it. You can find out more about encryption by reading our Encryption and Digital Signatures guide.

Encryption not only protects the content of the message; the use of an encrypted digital signature also provides evidence of the sender and of the integrity of the message.

Digital signatures

These are primarily intended to serve the same purpose as ink-on-paper signatures - to allow the recipient of a document to confirm the sender's identity (although they also serve to show that a document has not been tampered with). They are authenticated by means of digital certificates. A digital certificate is simply the owner's public key, which a certificate authority has digitally signed.

Certification authorities

Certification authorities (CAs) are independent third parties which issue a digital certificate to an individual after verifying that a public key belongs to that individual. The process of certification varies depending on the certification authority and the level of certification. The more rigorous the CA's identity-checking procedures, the more reliable the certificates which it issues.
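The three mechanisms described above (public key encryption of the message, a digital signature over it, and a certificate in which a CA signs the sender's public key) fit together as shown in the following example. It is an added illustration written for this page in Go using only its standard library; it is not code from the original guide, from the ETO scheme or from any product the guide mentions. The `Certificate` type, the party names, the order text and the CA itself are constructed for illustration, and the certificate format is a deliberate simplification of X.509.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Certificate is a simplified stand-in for an X.509 certificate (constructed for this
// example): a subject name bound to a public key, signed by the CA. Real certificates
// also carry serial numbers, validity dates, key-usage limits and revocation pointers.
type Certificate struct {
	Subject string
	PubKey  *rsa.PublicKey
	CASig   []byte
}

// certBody is the exact byte string the CA signs: the subject name bound to the DER
// encoding of the public key, so neither can be swapped without detection.
func certBody(subject string, pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed RSA key
	return append([]byte(subject+"\x00"), der...)
}

// Issue plays the certification authority: after its out-of-band identity checks,
// the CA signs the subject's public key so that others can rely on the binding.
func Issue(caKey *rsa.PrivateKey, subject string, pub *rsa.PublicKey) (Certificate, error) {
	h := sha256.Sum256(certBody(subject, pub))
	sig, err := rsa.SignPSS(rand.Reader, caKey, crypto.SHA256, h[:], nil)
	return Certificate{Subject: subject, PubKey: pub, CASig: sig}, err
}

// Seal encrypts for the recipient's public key and signs the plaintext with the sender's private key.
func Seal(senderKey *rsa.PrivateKey, recipientPub *rsa.PublicKey, plaintext string) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, []byte(plaintext), nil); err != nil {
		return
	}
	h := sha256.Sum256([]byte(plaintext))
	sig, err = rsa.SignPSS(rand.Reader, senderKey, crypto.SHA256, h[:], nil)
	return
}

// Open checks the sender's certificate against the CA, decrypts with the recipient's
// private key, then verifies the signature over the recovered plaintext.
func Open(recipientKey *rsa.PrivateKey, caPub *rsa.PublicKey, senderCert Certificate, ct, sig []byte) (string, string, error) {
	// Trust the sender's public key only if the recognised CA has signed the binding.
	ch := sha256.Sum256(certBody(senderCert.Subject, senderCert.PubKey))
	if err := rsa.VerifyPSS(caPub, crypto.SHA256, ch[:], senderCert.CASig, nil); err != nil {
		return "", "", fmt.Errorf("certificate for %q was not issued by the trusted CA", senderCert.Subject)
	}
	// Only the holder of the recipient's private key can recover the plaintext.
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientKey, ct, nil)
	if err != nil {
		return "", "", fmt.Errorf("ciphertext corrupted or not encrypted for this recipient: %w", err)
	}
	// The signature ties this exact plaintext to the certified sender.
	h := sha256.Sum256(pt)
	if err := rsa.VerifyPSS(senderCert.PubKey, crypto.SHA256, h[:], sig, nil); err != nil {
		return "", "", fmt.Errorf("signature mismatch: content altered or not from %q", senderCert.Subject)
	}
	return senderCert.Subject, string(pt), nil
}

// RunScenario: a recognised CA certifies a buyer, who sends a sealed order to a seller; two
// tampered messages then arrive on the same channel and the seller's checks must reject both.
func RunScenario() (sender, plaintext string, swapRejected, impostorRejected bool, err error) {
	keys := make([]*rsa.PrivateKey, 4) // CA, buyer, seller, impostor
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	caKey, buyerKey, sellerKey, impostorKey := keys[0], keys[1], keys[2], keys[3]
	caPub, sellerPub := &caKey.PublicKey, &sellerKey.PublicKey
	buyerCert, err := Issue(caKey, "buyer", &buyerKey.PublicKey)
	if err != nil {
		return
	}
	ct, sig, err := Seal(buyerKey, sellerPub, "order 4711: 10 units, HKD 2,500")
	if err != nil {
		return
	}
	if sender, plaintext, err = Open(sellerKey, caPub, buyerCert, ct, sig); err != nil {
		return
	}
	// Check 1: anyone with the seller's public key can encrypt, so a substituted order decrypts cleanly yet fails the buyer's signature.
	swapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, sellerPub, []byte("order 4711: 1000 units"), nil)
	_, _, swapErr := Open(sellerKey, caPub, buyerCert, swapped, sig)
	// Check 2: a self-issued certificate claiming to be the buyer is rejected; only the CA's signature counts.
	fakeCert, _ := Issue(impostorKey, "buyer", &impostorKey.PublicKey)
	fakeCT, fakeSig, _ := Seal(impostorKey, sellerPub, "refund to a new account")
	_, _, impErr := Open(sellerKey, caPub, fakeCert, fakeCT, fakeSig)
	return sender, plaintext, swapErr != nil, impErr != nil, nil
}

func main() { fmt.Println(RunScenario()) }
```

Running it with `go run` prints the accepted sender and order followed by `true true`, meaning both checks rejected the tampered traffic. The two checks map onto the first two concerns listed at the start of this guide: the signature check catches a message whose content was altered (integrity), and the certificate check stops a party whose public key the recognised CA has not vouched for (identity). The third concern, evidence of when and where a contract was made, is not provided by these primitives on their own.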

Other security products

There are various products on the market which attempt to address security concerns. Some offer a greater level of security than others. By way of example, the SET (secure electronic transactions) Protocol offers a form of guarantee against credit card fraud. The system consists of a cardholder interface resident on the customer's PC, an electronic till at the retail level, and a payment mechanism located on the bank's server which processes the encrypted transaction messages.

In contrast, SSL (secure sockets layer) technology merely enables two devices to communicate privately; it does not offer a guarantee against credit card fraud. However, many consider that the cost benefits of this technology outweigh any security risks, and it is widely used in e-commerce projects.

Legislation on electronic signatures

The Electronic Transactions Ordinance ("ETO"), which was enacted in January 2000, provides for the legal recognition of digital signatures (where a rule of law requires signatures), provided that a recognised digital certificate supports the digital signature. A recognised certificate is one that is issued by a recognised certification authority ("CA") registered with the Government. CAs are independent trusted third parties who verify the identity of users of digital signatures. CAs are not required by the ETO to register, but there is a voluntary scheme of registration with the Government, administered by the Director of Information Technology Services ("Director").

Recognised CAs are governed by the ETO and the Code of Practice ("Code") issued by the Director. The ETO provides rules relating to the licensing of CAs, and to the revocation, suspension and renewal of licences. The Code specifies the standards and procedures that recognised CAs have to comply with in carrying out their functions. Further, recognised CAs are required to publish a certification practice statement, which is a document setting out the practices, policies and procedures that the CA adopts in issuing, withdrawing, renewing and publishing its certificates.

Provided that a recognised CA has complied with the Code and the provisions of the ETO, it is entitled to the statutory exclusions and limitations of liability that the ETO provides in certain prescribed circumstances. Recognised certificates are also given the benefit of certain evidential presumptions under the ETO.

Other laws and guidelines relevant to security

Data protection

The Personal Data (Privacy) Ordinance sets out six principles which data users must follow in relation to the data which they hold. You can find these and more information about the Ordinance in our Data Protection guide. In terms of security, the 4th data protection principle is the most relevant.

Pursuant to the 4th data protection principle, a data user must take all practicable steps to ensure that all personal data it holds (including data in a form in which access to or processing of the data is not practicable) is protected against unauthorised or accidental access, processing, erasure or other use, having particular regard to certain considerations, such as the harm that might result from unauthorised processing and the nature of the data to be protected.

BS 7799 - Code of Practice for Information Security Management

This code of practice, issued by the British Standards Institution, lays down recommendations and guidance for identifying the range of controls needed for most situations where information systems are used in industry and commerce. A number of controls are highlighted as guiding principles, providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice.

Controls considered to be essential to an organisation from a legislative point of view include:

  • intellectual property rights;
  • safeguarding of organisational records;
  • data protection and privacy of personal information.

Controls considered to be common best practice for information security include:

  • information security policy document;
  • allocation of information security responsibilities;
  • information security education and training;
  • reporting security incidents;
  • business continuity management.

Any questions? Please contact peter.bullock@pinsentmasons.com / +852 2521 5621 or one of our other contacts.

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.