Hong Kong’s personal data regulator confirmed in an April 2020 report that online data breaches are its current and future enforcement priority. The report followed proposed amendments to the relevant law that likewise target personal data risks arising from online data breaches. Companies should therefore pay closer attention to how they collect, handle and store personal data: the changes to the law and to enforcement practice show that the regulator and the legislature intend to keep pace with rapid technological development and to meet public expectations of data privacy protection.
The recent shift in legislative and enforcement focus was first announced in a review paper dated 20 January 2020 setting out proposed amendments to the Personal Data (Privacy) Ordinance (“PDPO”). Among the proposed changes, those with the greatest impact on businesses are a mandatory data breach notification regime; a requirement to set clear data retention periods; direct regulation of providers of online data hosting and processing services (so-called “data processors”); and increased penalties, with the potential introduction of administrative fines for contraventions of the PDPO. These proposals bear directly on online data storage as commonly used by companies that routinely handle large volumes of personal data relating to their clients, suppliers, customers and employees.
Following the proposed amendments, the Office of the Privacy Commissioner for Personal Data (the “Commissioner”) issued the April 2020 report, which identified as a major enforcement focus online data breaches such as the hacking of servers or unauthorised access to personal data stored online, resulting in the loss of large volumes of such data. The report reviewed a number of 2019 enforcement actions; the main data-management shortcomings found in those cases correspond closely to the focus of the proposed amendments to the PDPO.
One of these enforcement actions concerned an online data breach at a local airline that led to the leakage of personal data of 9.4 million of the airline’s passengers, including names, email addresses, airline membership numbers, identity document details and some credit card data. The perpetrators were able to bypass security controls, install malware and ultimately access personal data because of several shortcomings in the airline’s data security: its systems were inadequately secured against a known vulnerability; security scans were conducted infrequently (annually) and were insufficient to detect breaches and vulnerabilities; remote logins were not properly secured; and obsolete personal data was still being kept instead of being deleted. The Commissioner confirmed that, while the PDPO imposes no absolute duty to secure personal data, the adequacy of the measures taken has to be assessed case by case, taking into account (inter alia) the volume, nature and sensitivity of the data and the damage that would follow a breach. Finally, the airline reported the breach only seven months after first learning of it. This was not a contravention of the current law, which contains no mandatory notification requirement, but the Commissioner assessed that the potential harm to affected passengers could have been reduced by more timely notification.
Another case highlighted in the report involved a local telecommunications company where a data breach resulted in the leakage of personal data of 380,000 customers. The Commissioner again identified a number of shortcomings: the lack of data encryption, which enabled the breach; the absence of multi-factor authentication for remote system access (as in the airline case); and the unnecessary retention of obsolete personal data relating to former customers.
The proposed changes to the PDPO and the enforcement actions highlighted in the report show that the Commissioner and the legislature are currently focused on strengthening Hong Kong’s personal data regime and on enforcement against data breaches, with a view to enhancing protection for personal data, particularly data stored online. In anticipation of the amendments taking effect in the near future, companies should critically assess what types of personal data they collect, how that data is stored and the risks an online breach would pose.
To help with that assessment, the proposed amendments to the PDPO and the recent enforcement actions provide the following guidance:
- software and hardware should be kept up to date and known vulnerabilities eliminated;
- effective, periodic checks of computer and server systems should be conducted so that data breaches and vulnerabilities are detected promptly;
- personal data should be encrypted where possible;
- remote access has to be properly secured, including multi-factor authentication for remote system access;
- personal data should be deleted promptly once it is no longer required; and
- a procedure for timely breach notification should be implemented.
– Howard Chan, Counsel,
– Fabian Roday, Counsel,
– Jeffrey Tong, Associate,
Fangda Partners Hong Kong
Editorial Note: This is a summary of the article “Case Study and Best Practices for Avoiding Data Breaches under Hong Kong Personal Data Laws” which was circulated via Hong Kong Lawyer eNewsletter and posted on Hong Kong Lawyer website in July 2020.