INTRODUCTION
Hong Kong has witnessed a recent surge in cyber security breaches, with both the private and public sectors falling prey to cyber attacks. According to the Office of the Privacy Commissioner for Personal Data (“PCPD”) in Hong Kong, reported data breaches in the first half of 2023 rose by more than 20% compared with the second half of 2022. These breaches have had a profound impact on businesses and individuals, from disrupting business operations to compromising sensitive personal data such as credit card details and login credentials and, more seriously, medical records. The consequences extend beyond financial losses, eroding trust and reputation in the long run.
Acknowledging the magnitude and impact of these breaches, the PCPD has taken a more proactive approach to combating the issue. The PCPD is actively investigating and reporting on breaches of data privacy and issuing comprehensive guidelines to help organisations improve their data management and security practices. This article aims to shed light on the cyber security risks, recent enforcement action taken by the PCPD, and the recommended measures for preventing data breaches.
PCPD INVESTIGATION – RANSOMWARE ATTACK
The Hong Kong Institute of Bankers (“HKIB”) experienced a data breach incident when six servers containing personal data (“Servers”) were attacked by ransomware and maliciously encrypted. The attacker threatened to publish the files on the Servers to the internet and demanded a ransom to unlock the encrypted files. Over 13,000 members and about 100,000 non-members were affected, with personal data including names, identity card numbers and credit card numbers being compromised.
The PCPD initiated an investigation into the incident, reviewing the security measures implemented by HKIB and the actions taken following the breach. The PCPD’s investigation report found three apparent deficiencies in HKIB’s risk awareness about data security and in its personal data security measures:
- Inadequacies in Management of Data Security – HKIB had not stipulated any risk management mechanism for data security and had not required its service providers to act in accordance with such a mechanism. This reflected a lack of effective monitoring of the data security measures of its service providers, which allowed the attacker to intrude into the system and encrypt the Servers.
- Deficiencies in Information System Management – The PCPD examined the security measures of HKIB’s information system, such as regular penetration testing, antivirus software and the data loss prevention system, and considered its personal data security management unsatisfactory. HKIB lacked stringent measures to regulate staff behaviour and to review system settings in a timely manner, so the security of the information system was ineffective in addressing risks and threats.
- Prolonged Implementation of Multi-factor Authentication – HKIB’s firewall manufacturer had identified a potential risk that attackers could bypass security restrictions and had recommended that HKIB enable multi-factor authentication. HKIB did not act on that recommendation, which contributed to the eventual ransomware attack.
For the reasons above, the PCPD concluded that HKIB had not taken all practicable steps to ensure that the personal data was properly protected, thereby contravening Data Protection Principle 4(1) (“DPP 4(1)”) under the Personal Data (Privacy) Ordinance, which concerns the security of personal data.
HKIB was served an Enforcement Notice requiring it to take remedial action and prevent recurrence of the contravention, including engaging an independent data security expert to conduct a thorough review of HKIB’s system security, and revising its system security policy to require regular vulnerability scans and to specify patch management requirements. HKIB was also required to provide documentary proof of compliance with the Enforcement Notice within two months.
The PCPD has further provided recommendations to organisations that handle personal data using information and communication technology. These include staying vigilant against hacker attacks, establishing a personal data privacy management programme, appointing a dedicated data protection officer, enhancing information system management, conducting data backups conscientiously, and properly monitoring service providers.
The investigation emphasises that a robust data security system is crucial to good data governance, and highlights the importance of timely patch management and the need for organisations to comply with data security requirements.
GUIDANCE ON DATA BREACH HANDLING
In response to the rising tide of cyber security breaches, the Commissioner revised the “Guidance on Data Breach Handling and Data Breach Notifications” (“Guidance”) in June 2023. It provides organisations with a thorough understanding of what constitutes a data breach and lays out a clear action plan to follow when one occurs.
The Guidance recommends that a comprehensive data breach response plan should set out the procedures to be followed when a data breach occurs and formulate strategies for handling the incident. The plan is recommended to cover a description of what constitutes a data breach, an internal incident notification procedure, the roles and responsibilities of members of the breach response team and their contact details, a risk assessment workflow, a containment strategy, a communication plan, an investigation procedure, a record-keeping policy, a post-incident review mechanism, and a training or drill plan.
Upon the occurrence of a data breach, data users are recommended to take the following key steps: (1) identifying and verifying the breach; (2) containing the breach and taking steps to minimize damage; (3) assessing the risks associated with the breach; (4) reporting the breach to the PCPD and the affected individuals, if necessary; and (5) reviewing the incident and implementing measures to prevent future breaches.
While data breach notification is not mandatory in Hong Kong under the current legislative regime, the PCPD strongly encourages data users to notify the affected data subjects, the PCPD, law enforcement agencies and other relevant parties promptly when a data breach has occurred. This allows appropriate measures to be taken to mitigate potential harm or damage, and demonstrates the data user’s commitment to data privacy.
Previously, a data user wishing to make a data breach notification had to submit a paper form to the PCPD. To facilitate the reporting and handling of data breaches, the PCPD has launched an e-Data Breach Notification Form. This digital tool helps organisations capture the details of a data breach incident more comprehensively and report it to the Commissioner more conveniently. The key information required to complete the form includes basic information about the data user, particulars of the breach, and an assessment of the breach and the remedial actions taken. Pinsent Masons Hong Kong can help with notifications to the PCPD.
CONCLUSION AND TAKEAWAYS
As cyber threats continue to evolve and grow, it is more crucial than ever for organisations to stay ahead of potential security breaches. The PCPD’s proactive stance – investigating breaches, issuing enforcement notices and providing practical guidance – goes towards fostering a safer data environment in Hong Kong.
To protect themselves from cyber threats, organisations should regularly review their processes, stay alert to potential data breaches, invest in robust data security infrastructure, and follow the PCPD’s guidance on data breach handling and notification. Care needs to be taken in assessing whether, and how promptly, to report an incident to the regulator and to affected individuals. Handled appropriately, this allows companies to minimise the risks and impact of data breaches and maintain the trust and confidence of their customers.
Article provided by INPLP member: Jennifer Wu (Pinsent Masons LLP, Hong Kong)
Dr. Tobias Höllwarth (Managing Director INPLP)