A Growing Trend and a Call to Action
JENNIFER WU
Hong Kong has witnessed a recent surge in cyber security breaches, with both private and public sectors falling prey to cyberattacks. According to the Office of the Privacy Commissioner for Personal Data (“PCPD”) in Hong Kong, there was a more than 20% increase in reported data breaches in the first half of 2023 compared to the second half of 2022. These breaches have had a profound impact on businesses and individuals, from disrupting business operations to compromising sensitive personal data including credit card details, login credentials and, more severely, medical records. The consequences of these breaches extend beyond financial losses, affecting trust and reputation in the long run.
Acknowledging the magnitude and impact of these breaches, the PCPD has taken a more proactive approach to combat the issue. The PCPD is actively investigating and reporting breaches of data privacy and issuing comprehensive guidelines to help organisations improve their data management and security practices. This article aims to shed light on the cyber security risks, recent enforcement actions taken by the PCPD, and the recommended measures to prevent data breaches.
An Insight Into A Recent Investigation
The PCPD’s investigation into the unauthorised access to credit data in the TE Credit Reference System (“System”) is one example of the impact of data breaches and the remedial measures that could have helped prevent the incident.
The complainant discovered that their credit records in the System had been accessed without their knowledge and consent by several other money lending companies. The System was developed and operated by Softmedia Technology Company Limited (“Softmedia”). Around 680 money lending companies used the TE Credit Reference System, which contained the credit data of about 180,000 borrowers.
The PCPD’s investigation report found that Softmedia had failed to put in place adequate security measures to protect the personal data of its customers in three particular aspects:
1. Unauthorised Access to the Credit Data – Softmedia allowed participating money lending companies unlimited access to borrowers’ credit data without limiting the number of times they could access it or regularly monitoring their use. Additionally, Softmedia relied on money lending companies to declare whether they had obtained borrowers’ consent and authorisation to access their credit data, and this allowed some companies to gain unrestrained access. This is in contravention of Data Protection Principle (“DPP”) 4(1) in Schedule 1 to the Personal Data (Privacy) Ordinance, which requires a data user to take all practicable steps to ensure that any personal data it holds is protected against unauthorised or accidental access, processing, erasure, loss or use.
2. Weak password management – The System had weak password requirements and no restrictions on password changes, which could potentially lead to unauthorised access to the system by employees and render the security function of the password useless. This is likewise a contravention of DPP 4(1).
3. Prolonged retention of the credit records of borrowers who had completed their repayments more than five years earlier – The System retained credit data indefinitely, including account repayment data showing material default, in violation of the Code of Practice on Consumer Credit Data and DPP 2(2), which provides that all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used.
Softmedia was served an Enforcement Notice to take remedial actions, including: deleting all credit data in the System in respect of which five years or more have lapsed from the date of the final settlement of the loan; imposing restrictions on the number of times money lending companies can access the System; formulating and implementing a strong password management policy; and imposing other security measures.
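The three findings and the remedial actions in the Enforcement Notice map onto a small set of technical controls: a per-lender access quota with an audit trail, a consent record held by the operator rather than a self-declaration by the lender, and a retention purge keyed to the final settlement date. The following is an added illustration of those controls written for this article; it is not code from Softmedia, the System or the PCPD, and the class names, quota value and sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Retention ceiling from the Enforcement Notice: five years from final settlement (approximated in days here).
FIVE_YEARS = timedelta(days=5 * 365)

@dataclass
class CreditRecord:
    borrower_id: str
    final_settlement: Optional[date]  # None while the loan is still outstanding

@dataclass
class ReferenceSystem:
    """Toy credit reference database; names and data are constructed for this example."""
    records: dict
    consents: set                      # (lender_id, borrower_id) pairs recorded by the operator, not self-declared
    daily_quota: int = 50
    usage: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def purge_expired(self, today: date) -> list:
        """Delete records five years or more after final settlement (DPP 2(2))."""
        expired = [b for b, r in self.records.items()
                   if r.final_settlement is not None and today - r.final_settlement >= FIVE_YEARS]
        for b in expired:
            del self.records[b]
        return expired

    def lookup(self, lender_id: str, borrower_id: str) -> Optional[CreditRecord]:
        """Serve an enquiry only if consent is on file and the lender's quota is not exhausted (DPP 4(1))."""
        if (lender_id, borrower_id) not in self.consents:
            self.audit_log.append((lender_id, borrower_id, "denied:no-consent"))
            return None
        used = self.usage.get(lender_id, 0)
        if used >= self.daily_quota:
            self.audit_log.append((lender_id, borrower_id, "denied:quota"))
            return None
        self.usage[lender_id] = used + 1
        self.audit_log.append((lender_id, borrower_id, "served"))
        return self.records.get(borrower_id)

def build_sample() -> ReferenceSystem:
    """Constructed sample data: one loan settled in 2017, one open, one settled in 2022."""
    records = {b: CreditRecord(b, d) for b, d in
               [("B1", date(2017, 1, 1)), ("B2", None), ("B3", date(2022, 6, 1))]}
    return ReferenceSystem(records=records, consents={("L1", "B2"), ("L1", "B3")}, daily_quota=2)
```

The audit log is what makes the "regular monitoring" part of the finding possible: every denied or served enquiry is recorded against the lender, so anomalous access volumes can be reviewed rather than discovered by a complainant.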
The PCPD has further provided some recommendations to operators of credit reference databases, for example to: implement a personal data privacy management programme; appoint data protection officer(s) and an independent compliance auditor; and adopt strict penalties for contravention.
This investigation highlights the importance of ensuring that personal data is protected and that companies take effective measures to prevent unauthorised access to sensitive information. Companies must stay alert to potential risks and take steps to prevent data breaches, or risk facing enforcement action.
Guidance On Data Breach Handling
In response to the rising tide of cyber security breaches, the Commissioner recently revised the “Guidance on Data Breach Handling and Data Breach Notifications” (“Guidance”) in June 2023. It provides organisations with a thorough understanding of what constitutes a data breach and lays out a clear action plan to follow when one occurs.
The Guidance recommends that a comprehensive data breach response plan should outline the procedures to be followed when a data breach occurs and formulate strategies to handle the incident. The plan is recommended to cover a description of what constitutes a data breach, an internal incident notification procedure, designation of the roles and responsibilities of members of the breach response team and their contact details, a risk assessment workflow, a containment strategy, a communication plan, an investigation procedure, a record-keeping policy, a post-incident review mechanism, and a training or drill plan.
Upon the occurrence of a data breach, data users are recommended to take the following key steps: (1) identifying and verifying the breach; (2) containing the breach and taking steps to minimise damage; (3) assessing the risks associated with the breach; (4) reporting the breach to the PCPD and the affected individuals, if necessary; and (5) reviewing the incident and implementing measures to prevent future breaches.
While data breach notifications in Hong Kong are not mandatory under the current legislative regime, the PCPD strongly encourages data users to give such notifications in a timely manner to the affected data subjects, the PCPD, law enforcement agencies and other relevant parties when a data breach has occurred. This allows appropriate measures to be taken to mitigate any potential harm or damage and demonstrates the data user’s commitment to data privacy.
Previously, a data user wishing to make a data breach notification would need to submit a paper form to the PCPD. To facilitate reporting and handling of data breaches, the PCPD has launched an e-Data Breach Notification Form, which can be accessed at their website. This digital tool enables organisations to grasp the details of data breach incidents more comprehensively and effectively and report data breach incidents to the Commissioner in a more convenient manner. The key information required to complete the form includes basic information about the data user, particulars of the breach, and an assessment of the breach and remedial actions taken.
Conclusion And Takeaways
As cyber threats continue to evolve and grow, it is more crucial than ever for organisations to stay ahead of potential security breaches. The PCPD’s proactive stance (investigating breaches, issuing enforcement actions and providing practical guidance) goes toward fostering a safer data environment in Hong Kong.
To protect themselves from cyber threats, corporations should regularly review their processes, stay alert to potential data breaches, invest in robust data security infrastructure, and follow the PCPD’s guidance on data breach handling and notifications. Care needs to be taken in assessing whether to report an incident promptly to the regulator or to affected individuals, and companies should involve their legal advisers in making these decisions. Handled appropriately, companies can minimise the risks and impact of data breaches and maintain the trust and confidence of their customers.
Jennifer Wu, TMT Partner, Pinsent Masons
Jennifer is a partner at Pinsent Masons and a senior technology and data specialist working in the technology, media and telecommunications (TMT) team in Hong Kong. She leads the commercial and TMT disputes practice and also manages the Hong Kong TMT and data team.