
The Office of the Privacy Commissioner for Personal Data (PCPD) announced on 1 December 2015 that it has commenced an investigation into a data breach incident at VTech Holdings Limited (VTech), a Hong Kong-based supplier of children’s learning products listed on the Hong Kong stock exchange. The scope of the data breach is unclear, but it is likely that data subjects other than Hong Kong residents are affected. It was reported that the attorneys-general of the US states of Connecticut and Illinois have also announced plans to conduct their own investigations into the security breach.
About five million customer accounts, including the profiles of more than 200,000 children, were hacked from VTech’s Learning Lodge app store database on 14 November 2015. The personal data breached includes customers’ names, email addresses, passwords and download history, as well as the names, gender and birth dates of children who use the Learning Lodge site to download apps, games and electronic books. VTech discovered the breach on 24 November 2015.
The PCPD reiterates in its announcement that data users should notify the PCPD of such incidents as a matter of good practice, which is consistent with the recommendation in its Guidance Note “Data Breach Handling and the Giving of Breach Notifications”, published in 2010. The Guidance Note sets out policies and practices to assist data users in handling data breaches and in mitigating the loss and damage that may be caused to the data subjects concerned. The PCPD has commenced its investigation against VTech.
Under Hong Kong law, where there is non-compliance with the data protection principles in the Personal Data (Privacy) Ordinance (PDPO), potentially including a failure to properly secure personal data, the PCPD may serve an enforcement notice directing the data user to remedy the contravention and prevent a recurrence of the data breach. Contravention of an enforcement notice is an offence carrying a maximum fine of HKD50,000 (approximately USD6,500) and imprisonment for 2 years. If the offence continues after conviction, the data user is liable to a daily penalty of HKD1,000 (approximately USD130).
In the wake of this incident, there have been calls from the public to amend the law to impose stiffer penalties on those who fail to comply.