The Privacy Commissioner for Personal Data reminds organisations to review and implement appropriate data security measures amidst more data breaches.

On 13 February 2023, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) published an article titled “Guidance on Data Security – Heightened Importance of Data Security Amid Increased Cyberthreats”. The article discusses the increasing trend of cyberattack incidents, identifies common vulnerabilities based on data incidents the PCPD has investigated, and sets out practical guidance for data security measures.

Trends in Data Breach Incidents

The article explores recent trends in cyberattacks and data breach incidents, as well as some common causes of data breaches. The PCPD identified that:

• cyberattack incidents, including ransomware attacks, comprised almost 30% of the reported data breaches in Hong Kong in 2021 and 2022;
• phishing and unpatched vulnerabilities most commonly cause data breaches in Hong Kong; and
• in three out of four PCPD investigation reports, one of the major causes of data breaches was the data user’s failure to identify a known unpatched security vulnerability and take reasonably practicable steps to safeguard its server or database, which left a loophole for unauthorised access. The fourth investigation report found that passwords leaked to hackers through phishing attacks was a possible cause.

As the above trends result from data breach incidents and investigations that the PCPD has handled, the PCPD will likely increasingly scrutinise such security risks when monitoring and assessing organisations’ data security practices and compliance with the PDPO.

Data Security Requirements Under the PDPO

The article reminds companies and other organisations of the general data security requirements under the Data Protection Principle (DPP) 4(1) of Schedule 1 of to the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), which requires data users to take all practicable steps to protect any personal data it holds, against unauthorised or accidental access, processing, erasure, loss, or use, having particular regard to a range of factors including the type of data involved, the physical location of the data stored, implemented access controls, and implemented security measures in storage equipment and during transmission.

Whilst DPP 4(1) explicitly mandates the security of personal data, the PDPO’s other provisions also focus on data security, for example:

• DPP 1 (which sets out the principle of data minimisation): The lesser the volume of data a data user processes, the lower the exposure to security risks.
• DPP 2(2) (which requires data users not to keep personal data any longer than necessary to fulfil the purpose): Timely deletion of personal data that is no longer needed can help reduce the risk of data breaches.
• DPP 2(3) and 4(2) (which requires data users to adopt contractual or other means when engaging data processors): Adopting contractual (or other) means ensures that contractors are subject to appropriate data security and data retention obligations.

Recommendations for Data Security Measures

In light of these trends, the PCPD draws attention to its guidance note from August 2022, titled “Guidance Note on Data Security Measures for Information and Communications Technology” (Guidance Note). The Guidance Note provides practical recommendations for complying with the data security requirements under the PDPO by highlighting some specific data security measures that organisations can adopt.

The recommendations cover the following six key areas for data users in Hong Kong to facilitate compliance with the relevant requirements under the PDPO:

1. Data governance and organisational measures: Organisations should devise clear policies and procedures on data governance and data security. They should optimise deployment of manpower responsible for data governance (such as appointing suitable leaders to bear responsibility for personal data security).
2. Risk assessments: Organisations should conduct riskassessments on data security for new systems and applications before launch and periodically thereafter. They should regularly report their assessment results to senior management and promptly address identified security risks.
3. Technical and operational security measures: Organisations should implement adequate and effective security measures to safeguard information and communication systems and personal data. The PCPD provides a list of non-exhaustive recommendations, based on eight broad categories of measures.
4. Data processor management: Before organisations engage contractors as data processors (such as cloud services and data analytics services), they should implement contractual or other means, and conduct assessments, to safeguard the security of personal data they transfer to such contractors.
5. Remedial actions in the event of data security incidents: After the occurrence of a data security incident, organisations may take several types of remedial actions to reduce any harm to the affected data subject (e.g., immediately stopping the affected ICT systems, ceasing access rights, and notifying the affected individuals and/or the PCPD).
6. Monitoring, evaluation and improvement: Organisations may commission an independent task force (such as an audit team) to monitor compliance with the data security policy and ensure improvement from non-compliance.

Please also refer to this Latham blog post for more details on the Guidance Note and the PCPD’s specific practical recommendations in the seven areas.

Conclusion

The increased data security incidents in Hong Kong and the PCPD’s continued guidance on this front mean that the PCPD will remain committed in monitoring and supervising compliance with the PDPO’s data security requirements. As the PCPD cautions that data security will take centre stage in the years to come, the article reminds organisations to implement and review their data governance and security policies, procedures, and practices.