Written by Paulo Rowett
Macau’s reputation as a region with a high safety index and low incidence of violent crime plays a vital role in attracting investments, businesses, and tourism, thereby promoting the development and vitality of the local economy.
Despite this traditionally safe environment, the region faces a growing challenge in the digital domain, with a continuous increase in cyberattacks and online fraud attempts—such as phishing threats, ransomware, or data breaches.
According to the balance report presented by the Secretary for Security in February 2024, local authorities initiated 992 criminal investigations related to cybercrimes in 2024. Data from the same office reveals that cyberattacks on critical infrastructure operators (“OICs”) have tripled since 2020, reaching an average of 6,400 attacks per day during 2024.
With the Cybersecurity Law (Law No. 13/2019) coming into effect in December 2019, lawmakers focused on protecting critical infrastructures through a structured and preventive approach. Here are included entities such as gaming concessionaires responsible for operating casinos, as well as organizations managing and maintaining essential services and infrastructures for society’s and the local economy’s functioning—namely health, energy, financial institutions, communications, and governmental departments—whose disruption could threaten social well-being, security, and public order.
The requirements outlined in Law No. 13/2019 include adherence to strategic guidelines and mandatory technical standards issued by the Cybersecurity Incident Alert and Response Center (“CARIC”), the implementation of specific measures in response to severe incidents, and data monitoring to prevent and combat cyber threats. The purpose of the law is to establish robust security processes and mechanisms for networks, systems, and data, ensuring these critical infrastructures’ resilience against cyberattacks. In this context, OICs are required to implement an effective normative and operational framework capable of ensuring cybersecurity in their activities through close collaboration between regulators and respective operators.
To ensure compliance with these legal provisions, the law provides for regular inspections and sanctions, which can include fines ranging from 50,000 MOP to 5,000,000 MOP, as well as additional penalties such as deprivation of the right to participate in public procurement processes or direct acquisitions of goods or services, and deprivation of the right to subsidies or governmental benefits.
On the other hand, small and medium-sized enterprises (“SMEs”) are particularly vulnerable to cyber threats, as they often lack security policies that match the sophistication of attacks designed by hackers. Due to a widespread lack of knowledge about current cybercrime practices and the new tools used by hackers (using advanced generative artificial intelligence tools and software—GenerativeAI—to deceive consumers), combined with insufficient investment in cybersecurity policies and lack of specific training for employees, SMEs lack effective tools and measures to protect their businesses. This weakness can result in data breaches, compensation payments, and loss of clientele.
In this regard, it is important to recall the regulations in force in Macau concerning personal data protection. The Personal Data Protection Act (“PDPA”), published in Official Bulletin No. 8/2005, governs the protection of personal data, meaning information of any nature that allows someone to be identified. Within a business context, such data can include personally identifiable information (name, date of birth, residence, or phone contact), financial data (bank details, salary, and payment history), health data (information on medical absences and leaves), or customer data (purchase and transaction history; product and service preferences; feedback and complaints).
The PDPA does not foresee an automatic statutory duty to report security incidents to an authority or those affected. However, data controllers have implicit obligations and responsibilities that arise from the general principles of the law, namely:
1. Data Security Guarantee (Article 15)
The data controller must implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration. In the event of a breach, the controller must assess and mitigate damages, ensuring ongoing compliance with this duty.
2. Transparency and Good Faith (Article 5)
The PDPA requires that data processing is carried out transparently and in accordance with the principle of good faith. If a breach compromises data subjects’ rights, the controller has an ethical (and potentially legal) responsibility to inform the affected individuals, particularly if their rights, freedoms, or guarantees are impacted.
3. Notification to the GPDP in Certain Cases
Although there is no general obligation to report breaches, the data controller must notify the Office for Personal Data Protection (“GPDP”) beforehand about personal data processing (Article 21) and, in specific situations (such as data interconnection or sensitive processing), seek its authorization (Article 22). If a breach reveals deficiencies in previously declared security measures, the GPDP may investigate and require corrections under penalty of administrative sanctions.
4. Sanctions for Non-Compliance
Failure to comply with security obligations can result in administrative fines ranging from 2,000 MOP$ to 100,000 MOP$ (depending on whether the responsible party is an individual or a corporate entity) or, in serious cases involving unauthorized access or data destruction, criminal penalties (Articles 33 and following).
In cases of cyberattacks, SMEs that lack effective cybersecurity policies are particularly exposed, facing impacts and consequences that can severely compromise their operational continuity and sustainability. These risks manifest notably in the following dimensions:
1. Financial Consequences
The absence of robust cybersecurity measures exposes SMEs to direct financial losses from attacks such as ransomware, phishing, or unauthorized system access. Such incidents may involve ransom payments, data and system recovery costs, as well as expenses for hiring incident response specialists. Additionally, administrative fines (ranging between 2,000 MOP$ and 100,000 MOP$, as per Article 33) may be imposed for breaches of security duties (Article 15) if the GPDP determines negligence in protecting personal data.
2. Economic Consequences
From an economic standpoint, interruptions caused by cyberattacks can result in halted commercial activities, loss of contracts, or delays in delivering goods and services, affecting the SME’s competitiveness in the market. In Macau, where economic vitality largely depends on the trust of investors and tourists, failure to maintain operational continuity can lead to a significant reduction in revenue and, in extreme cases, bankruptcy.
3. Reputational Consequences
The reputation of an SME can be affected by a data breach exposing sensitive customer information. Loss of trust from consumers, business partners, and suppliers can lead to an erosion of the client base and exclusion from business opportunities. In a market like Macau, characterized by a close-knit economy and high interdependence among local players, the reputational damage can be particularly harmful and often difficult to reverse.
4. Social Consequences
The exposure of personal data of customers or employees due to the absence of cybersecurity policies can generate widespread distrust within the community, affecting interpersonal and commercial relationships that sustain the local business fabric. Furthermore, individuals victimized by data breaches may file lawsuits or complaints with the GPDP, amplifying the negative social impact and creating a perception of insecurity associated with the SME.
5. Legal and Operational Consequences
In addition to administrative sanctions under the PDPA, negligence in implementing security measures can constitute an administrative offence or crime, leading to criminal liability in cases of unauthorized access or data destruction (Articles 34 and following). Operationally, a lack of preparedness for incident response can prolong downtime, increase remediation costs, and hinder compliance with contractual obligations, especially in highly regulated sectors or those with specific compliance requirements.
Although the PDPA does not establish a general obligation to notify third parties or the GPDP of data breaches, Article 14 grants data subjects the right to compensation for damages suffered as a result of unlawful processing or any act that violates legal provisions on data protection. Thus, aggrieved third parties (such as customers, business partners, or others) whose confidential information (e.g., personal, financial, or contractual data) was exposed due to a cybersecurity failure, for instance the lack of appropriate technical and organizational measures to protect personal data against loss, destruction, alteration, or unauthorized access as required by Article 15, may seek redress by taking legal action against the SME under Article 14 of the PDPA.
Additionally, Macau’s Civil Code (Articles 477 and following) establishes non-contractual liability for culpable acts or omissions, enabling the reparation of direct damages (e.g., financial losses) or indirect damages (e.g., moral damages) caused by failure to exercise due diligence in protecting sensitive data. In cases where a data breach results from the absence of cybersecurity policies, third parties may claim that the SME acted negligently by failing to adopt necessary measures to protect confidential information, especially if such measures were reasonably expected in an increasingly digitalized context.
In sum, protection against digital threats requires companies to adopt structured, preventive, and proactive measures, starting with the continuous monitoring of the company’s overall activity, with real-time notifications and alerts to quickly detect incidents in cyberspace. This vigilance should be complemented by employee training and the development of cybersecurity policies, as well as the acquisition of defence tools—such as specific technologies to prevent and mitigate cyber risks.
This protection can be enhanced by hiring a Cybersecurity Desk Service, which ensures permanent access to a specialized response team capable of intervening quickly and effectively to contain the damage from an incident. This minimizes operational and financial impacts, prevents the loss of customers and revenue, and ensures compliance with the applicable regulatory framework.
In the face of emerging challenges and continuous threats in the digital domain, the lack of effective cybersecurity policies places SMEs and OICs in a position of extreme vulnerability, subjecting them to consequences that resonate across multiple dimensions. Considering the growing sophistication of cyberattacks, the proactive adoption of preventive measures goes beyond mere prudence—it becomes an urgent requirement to safeguard business interests, ensure compliance with legal obligations, and maintain the trust of clients and partners.
In a context of increasing exposure of information and the digitization of business models, cybersecurity stands as a fundamental pillar to guarantee the resilience and sustainability of organizations in the contemporary era.
Paulo Rowett, Legal Counsel
rowett@ccadvog.com