Hong Kong should accelerate its data protection reforms in view of the increasing number of data breaches

Hong Kong should speed up reforms to its data protection law aimed at punishing companies for data breaches, a cybersecurity expert and a politician said, after a spate of data leaks exposed the personal information of hundreds of thousands of residents.

The calls came on Thursday, a day after the city’s data protection authority launched an investigation into a possible data theft at the local branch of the international aid organization Oxfam, potentially affecting more than 470,000 people.

“I believe the data protection law is currently being amended. I hope it can be implemented as soon as possible,” Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said in a radio broadcast.

“Without punishment, companies will only suffer reputational damage. … If the fines are very high, companies will invest more in cybersecurity.”

Data protection commissioner Ada Chung Lai-ling said in February that she was discussing with the government an amendment to the Personal Information Protection (Data Protection) Ordinance, which would include empowering authorities to impose administrative penalties.

Data Protection Commissioner Ada Chung said changes to the Data Protection Act are currently being discussed. Photo: Jelly Tse

She added that the Office of the Personal Data Commissioner is considering making reporting of data leaks mandatory and requiring data users to develop a data retention policy.

Fong said the change to the city’s data protection law is aligned with the EU’s General Data Protection Regulation.

He pointed out that the European regulation provides a good framework based on a company’s worldwide turnover and can have a deterrent effect.

According to the regulation, “particularly serious violations” can be punished with a fine of up to 20 million euros (22 million US dollars) or up to four percent of the total worldwide turnover of the previous financial year.

The IT expert said the recent increase in data breaches has made it clear that companies should view cybersecurity as a recurring expense and increase training for their employees.

Oxfam Hong Kong, the latest organization to be added to the list, was the victim of a cyberattack last month that potentially compromised the personal information of more than 470,000 people. The compromised personal information could include names, addresses, email addresses, mobile phone numbers, Hong Kong ID card numbers and payment information.

Fong, who also sits on the charity’s council, said the regulator’s investigation was ongoing but the charity had put in place normal digital security measures such as firewalls.

In the same radio program, MP Elizabeth Quat called the change in the law “necessary” and agreed that an administrative penalty could raise companies’ awareness of personal data protection.

The Data Protection Authority has launched an investigation into a data leak at Oxfam Hong Kong. Photo: Jelly Tse

She added that it was important that the change regulate companies’ policies on storing personal data.

“We should work to establish rules on how long the data can be kept and when it must be deleted, as well as the standard procedures to be followed when deleting the data,” Quat said.

“If we don’t include them in the law, the organizations never will.”

Several large public bodies and private organizations have been the target of large-scale cyberattacks in recent years, in which hackers stole personal information and demanded large sums of money.

Earlier this month, the Data Protection Authority announced that the personal data of 37,840 people had been compromised in a data breach at the Hong Kong Ballet last year.

The regulator also investigated an incident at the Hong Kong Laureate Forum Council in which the names, email addresses and other information of more than 8,000 people were affected.

ImagineX Management Co. Limited, a brand management and distribution company, was also the target of a cyberattack in May that compromised the data of over 127,000 members and employees.
