Hong Kong should accelerate its data protection reforms in view of the increasing number of data breaches

Hong Kong should speed up reforms to its data protection law aimed at punishing companies for data breaches, a cybersecurity expert and a politician said, after a spate of data leaks exposed the personal information of hundreds of thousands of residents.

The calls came on Thursday, a day after the city’s data protection authority launched an investigation into a possible data theft at the local branch of the international aid organization Oxfam, potentially affecting more than 470,000 people.

“I believe the data protection law is currently being amended. I hope it can be implemented as soon as possible,” Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said in a radio broadcast.

“Without punishment, companies will only suffer reputational damage. … If the fines are very high, companies will invest more in cybersecurity.”

Data Protection Commissioner Ada Chung Lai-ling said in February that she was discussing with the government an amendment to the Personal Information Protection (Data Protection) Ordinance, which would also include the power of authorities to impose administrative penalties.

Data Protection Commissioner Ada Chung said changes to the Data Protection Act are currently being discussed. Photo: Jelly Tse

She added that the Office of the Personal Data Commissioner is considering making reporting of data leaks mandatory and requiring data users to develop a data retention policy.

Fong said the change to the city’s data protection law is modelled on the EU’s General Data Protection Regulation, which provides a clear framework based on a company’s global turnover and can have a chilling effect.

According to the regulation, “particularly serious violations” can be punished with a fine of up to 20 million euros (22 million US dollars) or up to four percent of the total worldwide turnover of the previous financial year.

The IT expert said the recent increase in data breaches has made it clear that companies need to view cybersecurity as a recurring expense and intensify training for their employees.

Oxfam Hong Kong, the latest organization to be included in the list, was the victim of a cyberattack last month that potentially compromised the personal information of over 470,000 people, including names, addresses, email addresses, mobile phone numbers, ID numbers and payment information.

Fong, who also sits on the charity’s council, said the regulator’s investigation was ongoing but the charity had put in place normal digital security measures such as firewalls.

In the same radio program, MP Elizabeth Quat called the change in the law “necessary” and agreed that an administrative penalty could raise companies’ awareness of personal data protection.

The Data Protection Authority has launched an investigation into a data leak at Oxfam Hong Kong. Photo: Jelly Tse

She added that it was important that the change regulate companies’ policies on storing personal data.

“We should work to establish rules on how long the data can be kept and when it must be deleted, as well as the standard procedures to follow when deleting the data,” Quat said. “If we don’t enshrine them in law, organizations will never do it.”

In a response to the Washington Post, the office said it was conducting a comprehensive review of the regulation and was developing concrete proposals for legislative changes that would be in line with international developments in the area of data protection.

“(We) study in detail the relevant laws of other jurisdictions, taking into account the actual situation in Hong Kong, to put forward workable proposals for legislative changes,” a spokesman said.

“(We) will consult the government and the Legislative Council on the proposed way forward.”

Several large public bodies and private organizations have been the target of large-scale cyberattacks in recent years, in which hackers stole personal information and demanded large sums of money.

Earlier this month, the Data Protection Authority announced that the personal data of 37,840 people had been compromised in a data breach at the Hong Kong Ballet last year.

The regulator also investigated an incident at the Hong Kong Laureate Forum Council in which the names, email addresses and other information of more than 8,000 people were affected.

ImagineX Management Co Limited, a brand management and distribution company, was also the target of a cyberattack in May that compromised the data of over 127,000 members and employees.
