Is Your Organisation Ready to Respond to a Data Breach?
Every organisation is likely to be processing personal data from their customers or their employees, and privacy concerns are becoming a high priority for consumers and businesses – maintaining customer and employee confidence in data management and privacy is critical. Regularly revisiting data privacy procedures and policies should be an important part of your organisation’s practices, especially if your business has experienced a lot of changes since your initial privacy policy was implemented.
The Office of the Privacy Commissioner for Personal Data (“PCPD”) issued an updated “Guidance on Data Breach Handling and Data Breach Notifications” (the “Guidance”) in June 2023. The revised Guidance offers more comprehensive and practical insights to organisations on how to effectively handle data breaches and mitigate the harm that may be caused to affected data subjects – a year on, how prepared is your organisation?
Q1: What should be done before a data breach?
Having a Data Breach Response Plan
The Guidance recommends that organisations and businesses formulate a comprehensive data breach response plan. The plan should specify the procedures to adopt in the event of a data breach and the strategies for mitigating its impact. The plan should cover and include:
- A description of what amounts to a data breach and the criteria that trigger the response plan;
- An internal incident notification and escalation mechanism for reporting breaches;
- Allocation of roles and responsibilities of the breach response team; the team may consist of the data protection officer, members of the IT department, customer service department, risk management department, and HR department;
- A contact list of all members of the breach response team;
- A risk assessment workflow, an investigation procedure, and a containment strategy;
- Communication plans for notifying affected data subjects, regulatory authorities, and relevant stakeholders;
- Training or a drill plan to ensure relevant employees follow proper procedures when handling breaches;
- A record-keeping policy as records may be required by regulatory or law enforcement authorities; and
- A post-incident review procedure.
Such a plan may be referenced or summarised in the employee handbook – this informs employees how the organisation / business handles data breaches and reassures them of how data privacy is protected.
Q2: A data breach occurs, what steps are recommended?
The Guidance recommends five steps that organisations should take in the event of a data breach:
- Immediately gather essential data breach information
This includes “when, where, how and why” the breach occurred, the personal data involved (whether relating to customers and/or employees), and its likely impact, so that mitigation and escalation measures can be considered.
- Contain the data breach through remedial measures
Containment measures should be put in place immediately after detecting the breach and conducting an initial assessment. The IT department (if applicable) should immediately inform senior management. The appropriate measures to be taken would depend on what categories of personal data are involved and how severe the breach was.
- Assess the risk of harm to affected individuals
Non-exhaustive factors for organisations to consider include:
a. the category and sensitivity of the leaked personal data;
b. the risk of identity theft or fraud;
c. the duration and extent of the breach; and
d. the effectiveness of mitigation measures by the organisation/business or affected individuals.
An internal investigation should be conducted to ascertain the above.
- Consider issuing data breach notifications
Depending on the severity of the data breach, organisations are recommended to notify affected data subjects (customers or employees), the PCPD and other relevant law enforcement agencies or regulators of a suspected or actual data breach as soon as practicable after becoming aware of the breach, especially if there is a likelihood of harm resulting from the breach. Organisations should also consider other local and foreign regulatory reporting obligations that may apply.
- Document the breach
A detailed record of the breach helps organisations/businesses learn from the incident and supports post-breach reviews that improve data handling, so as to minimise the risk of recurrence.
Q3: Is there any new cybersecurity legislation to be implemented in the near future?
Yes – new cybersecurity legislation to enhance the protection of computer systems of critical infrastructures (known as “CIs”) was proposed by the Hong Kong Government on 25 June 2024. The legislation is titled “The Protection of Critical Infrastructure (Computer System) Bill” (the “Bill”):
- The proposed legislation will seek to regulate large organisations and businesses responsible for critical services, requiring them to secure their critical computer systems, but does not extend to personal data and business information in these systems.
- A new Commissioner’s Office will be created under the Security Bureau of Hong Kong.
- The Commissioner’s Office will designate critical infrastructure operators (“CIOs”) and the legislation will only apply to them.
- New short incident reporting timelines will be imposed on CIOs:
  - (i) within two hours after becoming aware of a serious computer system security incident (including incidents that lead to a large-scale leakage of personal data and other data); and
  - (ii) within 24 hours after becoming aware of other computer system security incidents.
- The Commissioner’s Office will have extensive powers to investigate computer system security incidents and offences.
- Financial penalties will be imposed on organisations only (not individuals) in the range of HK$500,000 to HK$5 million and daily fines of HK$50,000 or HK$100,000 for persistent offences.
- CIOs will be held responsible for non-compliance caused by their third-party service providers, further emphasising the importance of vendor oversight.
- The Bill will likely be introduced to the Legislative Council of Hong Kong by the end of 2024.
Q4: Is there a checklist for organisations to adopt whilst reviewing their data privacy policies?
Certainly – the following questions should give organisations/businesses guidance on the areas to review when considering their data privacy procedures and policies:
- What types of personal data does your organisation hold?
  - Categorise the data subjects – is this employee data or customer data?
  - Consider the type of personal data that the organisation collects – names and addresses, phone numbers, purchasing history, online browsing history, video or audio recordings.
  - Does the organisation collect sensitive personal data such as ID cards, date of birth, credit card information, or information on racial or ethnic background, political opinions or sexual orientation?
- Why does your organisation hold this personal data?
  - Why does it collect and retain this data? Is it for human resources, marketing, product development or improvement of operations?
- What does the organisation do with the personal data?
  - Does it really need each type of information collected?
  - Does the organisation use all of the personal data it collects, and is this collection fully justified?
- How does your organisation collect the personal data?
  - Does the organisation collect directly from individuals or from third parties?
  - What methods does it use to collect personal data?
  - Are the data subjects aware of its privacy policy?
  - Does the organisation document the consent or opt-in given by individuals?
- How does your organisation store personal data?
  - Where does the organisation store the personal data?
  - Can it track how and when it collected the data?
  - How secure is the personal data?
  - Does it use encryption or passwords to protect such personal data?
- What does the organisation do with the personal data?
  - How does the organisation process it? Does it share the personal data with any third parties and, if so, why is this the case?
  - Does the organisation transfer personal data outside of Hong Kong and, if so, where is it transferred to? It is very common for multinational organisations to share employee or customer data with global headquarters or other parts of the business outside of Hong Kong. Some organisations may share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China. Such activities could be subject to China’s cross-border data transfer requirements.
- Who controls the personal data?
  - Is the organisation the controller or the processor of the personal data?
  - Who can access the personal data?
  - What safeguarding mechanisms does the organisation have in place with its external processors?
- How long do you keep the personal data for?
  - Organisations should check their retention periods. What is their process or policy for deleting personal data?
  - Can the organisation justify the length of time it retains the personal data?
Q5: How do you see the way forward?
With the increasing cybersecurity risks, it is of paramount importance for organisations to prepare for the contingencies of data breaches by implementing comprehensive data breach response plans, and planning for the steps to be adopted when handling data breach incidents. To mitigate harm and formulate more effective prevention strategies, organisations are also highly recommended to notify the PCPD and affected parties upon being aware of a data breach, and to review the incident and relevant data handling practices within their organisation.
For information purposes only. Its contents do not constitute legal advice and readers should not regard this as a substitute for detailed advice in individual instances.
