Case Study and Best Practices for Avoiding Data Breaches under Hong Kong Personal Data Laws

Online data breaches are the current and future enforcement priority for Hong Kong’s regulator of personal data laws as an April 2020 report confirms.  This report echoes previously proposed amendments to Hong Kong main personal data legislation published earlier in 2020 which also target better security of personal data from online breaches.  This article summarises the key aspects of the regulator’s enforcement priorities and provides an overview of best practices for companies to keep personal data secure and minimise the risk of data breaches and hence regulatory enforcement.

  1. The Report and Proposed Legislative Amendments

In April 2020, Hong Kong’s main data privacy regulator, the Office of the Privacy Commissioner for Personal Data (the “Commissioner”), issued a report on the Commissioner’s work in 2019 (the “Report”). The Report provides a broad overview of the work and activities of the Commissioner and highlights a few areas of particular focus for 2019 and the enforcement going forward.  One of these areas is online data breaches such as the hacking of servers resulting in the loss of large volume of personal data or the unauthorised access of personal data stored online.  The Report reinforces the proposed amendments to the Personal Data (Privacy) Ordinance ("PDPO") published in a review paper (20 January 2020) for discussion in the Legislative Council (“LegCo”) (the “Paper”).  This Paper specifically names the heightened risks to personal data due to online data breaches which form the basis of some of the suggested changes to the PDPO (see below section “Proposed Amendments”).

  1. Enforcement Focus

The enforcement actions from 2019 that the Commissioner highlights in the Report deal mainly with large-scale data breaches.  The Commissioner noted that the number of data breach incidents increased by 8% to 139 cases in 2019 compared to 2018 (129 cases).  The Report further suggests that this relatively low number of reported cases and the relevant increase in cases could be much higher.  That is because the PDPO in its current form does not require a company to report a data breach which means there is likely a large number of unreported cases that escaped the Commissioner’s scrutiny. 

The proposed amendments to the PDPO as communicated by the Hong Kong government in early 2020 already identified the absence of mandatory breach notifications as a loophole that affects the Commissioner’s ability to properly police the safeguarding of personal data and the effective remediation of data breaches.  The proposed amendments to the PDPO therefore include the introduction of a mandatory reporting requirement for data breaches. 

Airline Case

One of the enforcement actions highlighted in the Report cases concerns a large-scale data breach that received considerable media attention and involves a well-known Hong Kong-based airline (see Data Breach Incident Investigation Report R19 – 15281 (6 June 2019) of the Office of the Privacy Commissioner for Personal Data (“PCPD”)).  The case dealt with a number of aspects all of which play a crucial role in the proposed amendments to the PDPO:  data security, data retention and mandatory reporting requirements (see below section on “Proposed Amendments”).

In this case, a data breach led to the leakage of personal data belonging to 9.4 million of the airline’s passengers, including details such as the passengers’ names, flight numbers, email addresses, airline membership numbers, addresses, phone numbers, passport and ID numbers, and a small number of credit card numbers.  According to the Commissioner’s investigations, this incident happened due to perpetrators being able to exploit a vulnerability in the airline’s internet facing server which enabled hackers to bypass authentication and gain administrative access to install malware. This malware then harvested user account credentials which were eventually used to access IT systems and the passengers’ personal data stored with the airline.  Despite the severity of the incident and the volume of affected personal data, the airline only notified the Commissioner of the incident after completing a 7-month internal investigation.

This case raised three issues: 1) what are the appropriate standards to safeguard personal data under the PDPO’s Data Protection Principle 4 (DPP 4); 2) did the airline contravene data retention requirements under DPP 2; and 3) did the airline properly report and remedy the data breach.

In its investigation into the incident, the Commissioner assessed whether the airline had undertaken reasonable and practicable steps as required under DPP 4 to safeguard the personal data of its passengers as stored on its computer systems.   For the particular case, the Commissioner noted that the particular server vulnerability that enabled the perpetrators’ initial access to the airline’s computer systems had already been widely published and should therefore have been known to the airline.  The Commissioner also noted that the airline had been involved in a previous case of data breaches only a couple of years before the most recent incident.  On that basis the Commissioner found that the airline had not undertaken all reasonable steps to reduce risks of further data breaches.  The Commissioner also found that the software used to safeguard the airline’s computer systems was outdated and scans to detect malware or intrusions were conducted not frequently enough (apparently only once a year) to be effective. In addition, the Commissioner found that the airline failed to consistently apply multi-factor authentication to remote access of its IT system and failed to encrypt database backup files, thus exposing personal data contained in such backup files to attackers.

In its assessment of whether a contravention of the PDPO occurred, the Commissioner confirmed that such evaluation requires a case-by-case analysis.  DPP 4 does not impose an absolute duty on companies to secure personal data.  Rather, the steps to secure personal data depend (inter alia) on “the volume, kind and sensitivity of data, the harm and damage that could result from the data breach, corporate governance and organisational measures, and technical policies, operations, controls and other security measures of the reasonable quality and standard expected of an organisation”.  For this case, the Commissioner found that the airline did not take all reasonably practical steps to protect personal data against unauthorised access and therefore contravened DDP 4 (1) of the PDPO.

As part of its investigation, the Commissioner found that the airline had retained various passengers’ ID card numbers for a period of up to 13 years.  These ID numbers which were collected for identity verification purposes did in fact no longer serve any purpose as the airline had revised its application forms.  Currently the PDPO does not set out fixed requirements for data retention, but it nevertheless requires under DPP 2 that personal data should not be kept longer than necessary for the fulfillment of the purpose that the data is to be used for.  The Commissioner found no justifiable reasons for the ID numbers being retained after they no longer served a purpose, which was considered a contravention of DPP 2 (2) of the PDPO.

The Commissioner found that the airline did not timely notify the affected passengers of the breach once detected (as it only did so after completing a 7-month internal investigation).  Such notification would have enabled the passengers to minimise the negative impact or risks arising from the data breach. Given the absence of a reporting requirement under the PDPO in its current form, the airline’s failure to timely notify the affected passengers did not constitute a contravention of the PDPO.

For the same data breach, the airline was fined £500,000 in the U.K. by the Information Commissioner’s Office.  The Commissioner in Hong Kong noted that, unlike the U.K. authority, it has no power to fine a party in breach under the PDPO in its current form.  Instead, the Commissioner i) carried out investigations and published a report; and ii) took actions to follow up on any remedial and corrective measures taken and reviewed the extent to which instructions set out in the enforcement notice were followed and implemented. The Commissioner further noted that the proposed amendments to the PDPO included a series of changes to enhance the deterrent effect of the Hong Kong legal regime, including vesting in the Commissioner the power to impose administrative fines and raising the existing level of the relevant fines prescribed by the PDPO.

Telecommunication Company Case

Another prominent 2019 case summarised in the Report turned on the issues of data retention and data security, and highlighted how these two issues are closely connected in a data breach:  A well- known Hong Kong-based telecommunication company reported a data breach incident which led to unauthorised access to the personal data of 380,000 customers (see PCPD Investigation Report R19 – 5759 (21 February 2019)). More specifically, perpetrators were able to access the company’s IT systems and the personal data of the company’s former customers.  This data had been retained in the IT systems after a data migration despite it no longer being needed as it pertained to former customers.  Had this data been deleted in a timely manner, the company’s exposure in the data breach would likely have been minimised.  Further factors giving rise to the data breach included the lack of encryption for the personal data stored on the IT systems and insufficient application of a multi-factor authentication procedure for remote system access.

Similar to its findings for the airline case, the Commissioner concluded that 1) the telecommunication company had failed to take “all practicable steps” under DPP 4 (1) to secure the personal data it stored and keep proper control over its IT systems; and 2) that personal data stored in its systems was kept for an excessive period of time in contravention of DPP 2 (2).

Credit Agency case

Finally, the Commissioner highlighted another data breach case from 2019 (see PCPD Data Breach Incident Investigation Report R19 – 17497 (9 December 2019) in the Report in which third parties were able to get through the online access procedures of a credit agency and obtain credit reports for public figures.  When assessing the measures taken by the credit agency to secure personal data, the Commissioner found that the level of security ought to be commensurate with the volume and sensitivity of the stored data, and the negative impact of unauthorised or accidental access to such data.  This confirms the principles set out by the Commissioner in the airline case, namely that an evaluation of data security usually is a case-by-case analysis, and depends on the particular setup and risk profile of each organisation.  In this case, a two-factor authentication for online access was not properly implemented. As such, third parties were able to circumvent password input by (inter alia) relying on answers to security questions which could easily be guessed.  The Commissioner assessed that the credit agency therefore did not take all practicable steps to secure personal data from unauthorised access and contravened DPP 4 (1) PDPO.

The three example cases that the Commissioner referred to in its Report demonstrate various similarities and common risks, many of which can be found in other cases of large-scale online data breaches:

  • Companies store large quantities of sensitive personal data on their systems that is attractive to potential perpetrators;
  • The systems and, in particular, remote access to such systems may not be properly secured;
  • The complexity of IT systems and various places where personal data is stored may make monitoring more difficult and impact on the ability to timely detect and remedy data breaches;
  • Personal data that may no longer be required is kept for longer than is necessary; and
  • No proper protocol for data breach notifications is in place.

The proposed amendments to the PDPO target some of these risks with specific changes to the existing legislation.

  1. Proposed Amendments to the PDPO

The proposed amendments communicated by the Hong Kong government in early 2020 aim to address several loopholes in the PDPO, including mandatory breach notifications, data retention periods and the application of the PDPO to third-party service providers (such as data hosting or processing providers).

Mandatory Breach Notification

The proposed amendments suggest that the PDPO include a mandatory reporting requirement to inform the persons from whom personal data was collected as well as the Commissioner of any data breach affecting the relevant personal data (see paragraphs 4 and 5 of the Paper). If a certain notification threshold is reached, likely to be based on the amount and sensitivity of the data affected by the breach, then a notification would have to be made upon the company that collected the data becoming aware of the breach.  The notification then would have to be made within a yet to be determined time frame (likely to be as soon as practicable and, under all circumstances, in not more than five business days).

This amendment would enable the Commissioner to track data breaches and monitor companies’ responses to such breaches.  Under the proposed amendments, such notification requirement would also apply to third-party providers of data hosting and processing, if a breach occurred at their end.

Data Retention Period

The proposed amendments also include a requirement for companies to specify a data retention period for the personal data they collect (see paragraph 8 of the Paper).  At present, the requirement under the PDPO to refrain from keeping personal data for longer than required is vague. This makes it difficult for the Commissioner to assess whether a company may have in fact contravened this requirement in any but the clearest cases, such as the above-mentioned airline case and the telecommunication company case.  If companies are required to formulate clear data retention periods, the Commissioner will be able to assess and review data retention practices adopted by companies against such defined periods and policies. Such changes would also affect a company's engagement of third-party providers for online storage etc., as they would have to ensure that their defined data retention periods are also applied by the third parties they engage to handle or store personal data (see DPP 2(3)).

Third-Party Providers

In relation to third-party providers which are increasingly used by companies for hosting or processing personal data, the proposed amendments would extend the PDPO’s current coverage to such service providers for hosting and processing of (personal) data.  Presently, the PDPO only covers those companies that collect personal data for their own use.  Such companies are required to safeguard personal data they collect and put in place contractual safeguards if they outsource the hosting and processing of such data to third-party service providers.  In the event of a data breach, the liability then rests with the companies, not the service provider, and the Commissioner currently has limited power to review conduct of such service providers under the PDPO.  The proposed amendments to the PDPO include requirements for service providers to independently ensure that personal data stored or processed by them is kept secure and data retention policies are followed (see paragraph 15 of the Paper).  In addition, under the proposed amendments, service providers would also have to report data breaches to the Commissioner, thereby further enhancing the Commissioner’s ability to track data breaches and monitor companies’ responses to such breaches.

The Lack of the Commissioner’s Power to Fine

As mentioned in the discussion on the airline case, the Commissioner is not empowered to impose fines under the PDPO as it currently stands. Therefore, as part of the proposed amendments to the PDPO in order to enhance the deterrent effect of enforcement action taken by the Commissioner, two changes are proposed in this regard: i) to empower the Commissioner to impose administrative fines; and ii) to increase the level of the relevant criminal fines under the PDPO.  There currently is no specific suggestions what amounts for administrative or criminal fines should be included in an amendment to the PDPO.  The proposed amendments did, however, provide reference to the substantive administrative fines available in the EU under the GDPR and the possible link between such fines and the annual revenue of the company that failed to safeguard the personal data.   As such, any update to the fines available under the PDPO could therefore be significant.

  1. Best Practices

The cases set out in the Report and the proposed amendments to the PDPO demonstrate that the Commissioner’s enforcement focus for 2020 and beyond will be on data breaches.  In order to minimise not only the risks of data breaches but also potential enforcement, companies have to assess how they comply with the relevant rules set out in the PDPO and guidance provided by the past enforcement cases.

The cases highlighted by the Commissioner for 2019 have made clear that, in assessing a company’s compliance with the applicable laws, the Commissioner adopts a case-by-case approach.  As such, no template exists for what a company has to implement, in terms of server settings, firewalls etc., to avoid regulatory scrutiny.  That being said, the Commissioner has confirmed that its case-by-case analysis is based on whether the measures taken to secure personal data are “commensurate with the risks to the organisation as well as the harm to the individual” (see paragraph 93 of the Data Breach Incident Investigation Report R19 – 17497 (9 December 2019)).

As such, when assessing the sufficiency of safety measures in place to secure personal data, a company should conduct a general risk assessment including, inter alia, the following factors:

  • Intake of personal data: how is personal data collected and for what purpose;
  • Place for storage of personal data:  in which places of the system is personal data stored, how many places within the system store personal data, and how are these systems separated;
  • Data inventory: which kind of personal data is kept on the systems, what volume does such personal data amount to and for how long is it stored;
  • Sensitivity: how sensitive is the personal data that is stored, and should different standards apply for securing sensitive data;
  • Third-party providers: which (if any) third-party providers are used to host and process the company’s (personal) data;
  • Access:  who has access to personal data, whether to have different levels of access, and how is such access secured;
  • Deletion: what is the process for deletion of personal data after it is no longer required.

In terms of specific measures, the cases highlighted by the Commissioner offer some guidance on what would constitute reasonable steps to secure personal data under the PDPO:

  • Follow news updates and publications about virus, malware and system vulnerabilities closely to conduct timely updates of relevant systems and software, and run targeted scans to check for such vulnerabilities – in the airline case, one cause of the data breach was a vulnerability that was known since 2007 but not properly picked up and remedied by IT staff, and therefore enabled the data breach at the airline almost a decade later.
  • Conduct robust and regular controls and scans of relevant systems and personal data kept – in the airline case, scans conducted annually were found to be both too infrequent and potentially not sufficiently thorough as they failed to detect a known vulnerability;  in the telecommunication company case, an unencrypted database of customer personal data that was inactive was still kept on the company’s systems due to an oversight when such database could have been deleted;
  • Implement sufficiently secure authentication requirements such as two/multi-factor authentication for all system access and make sure that such authentication cannot be easily circumvented – in the airline case, it was found that not all remote access to the IT systems required multi-factor authentication; in the credit agency case, while two-factor authentication was implemented, it could be circumvented as users could proceed  despite a wrong entry and rectify such entry by knowledge-based authentication questions which were easy to solve; in the case of the telecommunication company, two-factor authentication was not required and passwords for administrative access to relevant IT systems had not been changed for over three months.
  • Encrypt data to provide for added security – in the airline case, some personal data was included in backup files without encryption which enabled unauthorised access to such data.
  • Learn from prior incidents and keep adequate risk awareness – in the airline case, vulnerabilities in the system were present and scans were run infrequently despite a prior data breach having occurred just a couple of years before.
  • Ensure an adequate data retention policy with defined retention periods is in place to avoid personal data being kept for longer than necessary – in the airline case, data that was no longer used was kept in the system for over a decade; similarly, the telecommunication company kept data of former users after they had terminated their relationship with the company – in light of the proposed amendments to the PDPO which would require a defined document retention period, companies should make sure that such policies exist and are properly implemented.
  • Adequate and timely breach notifications – while currently voluntary, breach notification may become mandatory once the proposed amendments to the PDPO are enacted; as such, companies can plan ahead to implement a requirement for timely notification to both the Commissioner and the affected customers to prepare for such change in the legislation – in the airline case, affected passengers were only informed of the breach months after it was first detected, which was found not timely enough for minimising potential risks of the data breach.

Counsel, Fangda Partners Hong Kong

Counsel, Fangda Partners Hong Kong

Associate, Fangda Partners Hong Kong