As data breaches and cyber-attacks continue to surge and attackers become more sophisticated, a comprehensive data breach response plan and robust data security measures are becoming increasingly important.
In Hong Kong, the Office of the Privacy Commissioner for Personal Data (the PCPD) recently published a revised Guidance on Breach Handling and Data Breach Notifications (the Guidance). The Guidance contains practical guidance and recommendations for complying with the Personal Data (Privacy) Ordinance (PDPO), to help data users prepare for and handle data breaches, prevent their recurrence and mitigate the loss and damage caused to the data subjects involved.
While failure to follow the Guidance does not in itself constitute a breach of the PDPO, organisations are generally advised to follow the Guidance and ensure that their breach notification mechanism is up to date. In the event of an investigation or complaint, the PCPD may assess compliance with the PDPO based on the recommendations set out in the Guidance, and organisations that do not follow them may find it more difficult to demonstrate compliance.
Breach notification in Hong Kong is currently not required by law, although the Guidance should be taken into consideration when determining whether to notify the PCPD or individuals of a data breach. However, the occurrence of a data breach may lead to a finding that an organisation has contravened the PDPO, in particular the Data Protection Principles (DPPs). The relevant DPPs are 4(1) and/or 4(2).
- DPP 4(1) requires a data user to take “all practicable steps” to ensure that any personal data held by it is protected against unauthorised or accidental access, processing, erasure, loss or use, having regard to a number of factors such as data type, potential harm, data storage location and measures taken to secure data transmission.
- DPP 4(2) requires a data user, when engaging a data processor, to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor.
Revised trigger for data breach notifications
The revised Guidance provides that data users should, in general, notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach:
- particularly if the data breach is likely to result in a real risk of harm to the affected data subjects; and
- regardless of the progress of any internal investigation.
The trigger for data breach notifications is slightly different from that in the previous version, under which data users were required to consider notifications where data subjects could be identified and a real risk of harm was reasonably foreseeable.
Data breach response plan
The Guidance sets out recommendations for preparing a data breach response plan to respond to and manage a data breach. It recommends that the plan cover at least the following aspects (the list is non-exhaustive):
- a description of what constitutes a data breach;
- an initial notification procedure with a standard reporting form for escalation;
- the roles, responsibilities and contact details of the members of a breach response team;
- a risk assessment workflow to assess the likelihood and severity of the harm caused to the affected data subjects;
- a containment strategy to contain and remedy the breach;
- a communication plan that includes the criteria and threshold for, as well as the content and methods of the notifications to the regulators, affected data subjects and other parties;
- an investigative procedure with results reported to the senior management;
- a record-keeping policy to properly document the records of the breach;
- a post-incident review mechanism to identify areas of improvement; and
- a training plan to ensure all relevant staff can properly follow the procedures.
Additional measures when containing a data breach
The revised Guidance also contains more measures for data users to consider when containing the data breach. These include:
- shutting down or isolating the compromised/breached system/server;
- checking whether other systems containing personal data are affected;
- disabling system functions that may be relevant to the breach;
- fixing any bugs or errors that may have caused the breach;
- alerting banks or credit card companies; and
- requesting internet companies to remove any relevant cached links.
Documenting a data breach
The previous version of the Guidance recommended a data breach handling process which included the steps of (1) immediate gathering of essential information; (2) containing the data breach; (3) assessing the risk of harm; and (4) considering giving data breach notifications.
There is now a further step: (5) documenting the breach. This new step requires a comprehensive record of the data breach incident covering all facts of the breach, to facilitate a post-breach review and improvements to personal data handling practices. This indicates that such documentation will be an expectation of the PCPD and that the records may be requested in the course of an investigation.
Conclusion
The PCPD also launched an online data breach notification form, which contains guided questions for the comprehensive and effective reporting of data breach incidents, together with an annexure of recommended immediate remedial measures and preventive measures for each type of data breach incident.
The revisions to the Guidance and the notification form reflect a heavier focus by the PCPD on (a) the preparation for and management of a data breach; (b) data users’ understanding of the risks to the affected data subjects; and (c) the remedial actions that an organisation can take. These changes are another example of the continuing expansion of the scope of data breach response into internal controls, communications and technical measures. As data breaches have become even more frequent and more likely to pose a direct and serious risk to both organisations and individuals, there is a need for organisations to implement the measures in a coordinated manner to comply with the existing requirements under the PDPO.
The PCPD is also working with the Hong Kong government to amend the PDPO. The proposed amendments, which were outlined in a briefing to the legislature, include the establishment of a mandatory data breach notification regime and the introduction of administrative fines. We will continue to monitor the discussions and proposals for legislative amendments and provide further updates.
To be in the best position when a data breach incident occurs or when the legal and regulatory requirements develop further, organisations should critically review their existing breach response protocol, consider whether the existing measures are adequate and keep pace with the latest technological and regulatory developments, and consider how those measures can continue to be improved.