Hong Kong - Preparing for a Data Breach Incident

Hong Kong has seen a drastic surge in cyberattacks in recent years. In order to help organisations better prepare to respond to these attacks and manage the ensuing harm, the Office of the Privacy Commissioner for Personal Data (the “Privacy Commissioner”) revised its Guidance on Data Breach Handling and Data Breach Notifications (the “Guidance”) providing enhanced practical guidelines for managing personal data breaches.

When compared to the previous 2019 updates, the current revision puts heavier emphasis on data breach management, particularly, on considerations organisations should take into account when making a data breach notification. 

Making Sense of the Revised Guidance

The Guidance has been revised for the purpose of providing a more comprehensive framework for data breach prevention, response, and remedy, and it features a step-by-step guide.

The Guidance provides the definition of “data breach”, which is a term that is not defined in the Personal Data (Privacy) Ordinance (Cap. 486). “Data breach” means “a suspected or actual breach of the security of personal data held by a data user, which exposes the personal data subject(s) to the risk of unauthorised or accidental access, processing, erasure, loss or use”. The Privacy Commissioner also gives illustrative examples of data breaches, such as access by an unauthorised third party to personal data as a result of hacking and leakage of data caused by file-sharing software installed on a computer. 

Date Breach Response Plan

Recognising the importance of having a robust response plan in place, the Privacy Commissioner sets out a list of recommended aspects to be addressed in a response plan to ensure there are strategies to identify, contain, assess, and manage the breach. These measures include, but are not limited to, an internal incident notification procedure, a dedicated breach response team, a risk assessment workflow, a containment strategy, and an investigation procedure.

Handling Data Breaches

More importantly, the Guidance focuses on the proper management of data breaches. A five-step approach is recommended, with detailed expectations set out for data breach notification and documentation:

1. Immediate gathering of essential information: The Privacy Commissioner expects prompt gathering of all relevant information of the data breach for assessment of impacts on data subjects and the identification of mitigation measures. Relevant information includes when, where, and why the breach occurred, how the breach was detected, what and how much personal data was impacted, as well as what harm was caused to the affected individuals.

2. Containing data breach: While gathering information about the data breach, organisations should at the same time take steps to contain the breach. Containment measures recommended by the Privacy Commissioner include, but are not limited to, isolating the compromised system, and applying patches to fix security vulnerabilities.

3. Assessing the risk of harm: Organisations are required to understand whether real risk of harm will be caused to the impacted individuals. Threats to personal safety, identity theft, financial loss, damage to reputation or relationships, and loss of business or employment opportunities are the possible harm organisations should consider when conducting risk profile assessment. 

4. Considering giving data breach notifications: The Privacy Commissioner expects organisations to notify the relevant regulator(s), other law enforcement agencies and the impacted individuals “as soon as practicable after becoming aware of the data breach”. Immediacy of notifications is very much emphasised, such that notifications should be carried out “regardless of the progress of any internal investigation”. Organisations should provide as much information as they can in the initial notification and submit relevant details when further developments come to light. Essentially, all information should be submitted to the regulator and law enforcement agencies “without delay”, and this covers any notification to overseas regulatory authorities being made within the statutory time limit, in accordance with the relevant requirements.

Alongside traditional notification channels (such as post, email and fax), the Privacy Commissioner suggests that public announcements (through newspapers, websites, or social media platforms) can be a reasonable approach when direct data breach notification is not practicable and when a large number of individuals are impacted. The Privacy Commissioner also introduces an online notification channel on its website. The online form provides organisations with a fill-in-the-blanks format and options.

These make reporting data breaches easier and more convenient for organisations while allowing the Privacy Commissioner to have an understanding of the data breach incident with sufficient details of the incident so as to effectively provide recommendations to impacted individuals and organisations before completing its investigation into the incident.

5. Documenting the breach: Organisations are required to have a comprehensive record of the data breach. This is to facilitate a post-breach review, to improve personal data handling practices, and to identify strategies to prevent future recurrence. Essentially, the Privacy Commissioner expects organisations to address their cybersecurity insufficiencies or inadequacies by also learning from their mistakes.

Comment

At present, the formulation of a data breach response plan and the notification of a data breach remain voluntary measures that business in Hong Kong may opt to undertake. Nonetheless, this revised Guidance emphasises the importance of prevention, preparation for, and handling of data breach incidents. The Guidance will no doubt be a valuable tool to assist organisations prepare more thoroughly their response to a data breach incident and get ready for the proposed forthcoming statutory notification obligations.