The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity. At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers.
75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011). Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (e.g., property loss, liability to third parties, business interruption), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies.
In order to simplify the situation, the Asia Pacific Privacy Authorities (APPA), the principal forum for privacy in the Asia-Pacific region, has expressed a desire to unify local privacy laws. APPA convenes twice a year and discusses permanent agenda items such as privacy and security, cross-jurisdictional law enforcement in the Pacific Rim, privacy legislation amendments, cryptography, and personal data privacy. Local delegations include members from Australia, New Zealand, Hong Kong, and Korea, among others. Nevertheless, until a consistent approach to privacy law is adopted, conflicts in laws and governing regimes will combine to frustrate both policyholders and their insurers in light of the confusion created by the current divergence in governing approaches. We discuss herein the laws and information privacy regulations of three specific Asia-Pacific jurisdictions: Australia, Hong Kong, and Singapore, which exemplify the inconsistency of Asia-Pacific privacy laws.
To read the remainder of this paper, please contact me at firstname.lastname@example.org. I will be traveling out of the country until 8 October, so please excuse any delay in my responding. A special thank you to my colleague Matt Klebanoff, who was instrumental in helping with the research and preparation of this paper. It would not have been written without his tremendous support.
Next to come: Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).