What to do if you suffer a data leakage incident?
Background
With the surge in cyberattacks around the world and in Hong Kong, the number of data breach incidents reported to the Office of the Privacy Commissioner for Personal Data (“PCPD”) in the first half of 2023 (as of 29 June) has increased by more than 20% to 55 cases when compared to the second half of 2022. Against this background, the PCPD issued a new “Guidance on Data Breach Handling and Data Breach Notifications” (the “Guidance”) to assist organisations in preparing themselves in the event a data breach occurs. This article sets out the PCPD’s practical recommendations to help organisations handle data breaches so as to contain the damage and harm that follows from such incidents.
Overview of the Guidance
The PCPD reminds all that a data breach might infringe Data Protection Principle 4 of the Personal Data (Privacy) Ordinance (Cap 486) in relation to data security.
It sets out some common causes of data breaches in Hong Kong:
1. Cyberattacks
2. System misconfigurations
3. Loss of physical documents or portable devices
4. Improper/wrongful disposal of personal data
5. Inadvertent disclosure by email or by post
The PCPD recommends that companies should have a data breach response plan such that if there is a data breach, companies could follow the plan and make prompt responses to minimize and contain the impact of the breach:
Practical recommendations provided by the PCPD
Data breach response plan
The PCPD recommends that organizations should have a comprehensive data breach response plan to ensure quick response to and effective management of a data breach.
The PCPD recommends that the plan should cover the following non-exhaustive aspects:
1. A description of what constitutes a data breach – with examples and the criteria that trigger the implementation of the plan.
2. Internal incident notification procedure – who to contact and escalate the breach incident and devise a standard form to facilitate the reporting of the required information.
3. Clear definition of the roles and responsibilities of members of the dedicated breach response team – who would do what e.g. the IT department for identifying the location of potentially compromised data and taking remedial measures; customer service department can deal with issues of affected individuals and for providing updates to customers and stakeholders.
4. A contact list – with contact details of all breach response team members for easy contact and communication.
5. A risk assessment workflow to assess the likelihood and severity of the harm caused to the affected data subjects as a result of the breach.
6. A containment strategy for containing and remedying the breach.
7. A communication plan covering:
a. the criteria and threshold for determining whether the affected data subjects, regulatory authorities and other relevant parties should be notified;
b. the kind of information that must be provided;
c. the point of contact in the organisation responsible for liaising with the stakeholders; and
d. the methods of notification.
8. An investigation procedure for investigating the breach and reporting the results to the senior management.
9. A record-keeping policy to ensure that the incident is properly documented as the relevant records may be required by regulatory authorities or law enforcement agencies.
10. A post-incident review mechanism for identifying areas that require improvement to prevent future recurrence.
11. A training or drill plan to ensure that all relevant staff can follow the procedures properly when dealing with a data breach.
Handling a data breach
The PCPD recommends the following steps when handling a data breach:
1. Immediate gathering of essential information – as a starting point, the company (data user) shall promptly gather all relevant information of the data breach to assess the impact on data subjects and to identify appropriate mitigation measures.
2. Containing the data breach - After detecting the breach and conducting an initial assessment, the data user should immediately take steps to contain the breach as effectively as possible. Remedial actions to lessen the harm or damage that may be caused to the affected data subjects should be taken.
3. Assessing the risk of harm – once all essential information has been gathered, the company should then ensure that it understands the risks of harm that may be caused to the affected individuals, so that they can take steps to limit the impact.
4. Considering giving data breach notifications - When deciding whether to report a breach to the affected data subjects, the PCPD and other law enforcement agencies, the company should take into account the potential consequences of a breach for the affected individuals, how serious or substantial these are, and how likely they are to happen. The consequences of failing to give notification should also be duly considered.
5. Documenting the breach – The company should keep a comprehensive record of the incident, which should include all facts relating to the breach, ranging from details of the breach and its effects to the containment and remedial actions taken by the data user. Organisations that are required to comply with the laws and regulations of other jurisdictions should also consider whether there are any mandatory documentation requirements under those laws and regulations.
Best practices for organisations
Data breaches could have a devastating effect on a company’s operations and also affect others including the company’s customers and stakeholders. It is therefore important for a company to have prompt and effective responses to data breaches.
To achieve this objective, the company needs to establish a robust data breach response plan as recommended by the PCPD.
In order to have the appropriate response measures, including the consideration of involving law enforcement agencies, it is important for a company to assess the severity and potential risks associated with a data breach, including but not limited legal risks given that there could be subsequent claims by affected customers or individuals and possible investigations by law enforcement agencies or regulators.
If a company is regulated (e.g. Banks, insurance companies, licenced intermediaries regulated by the Securities and Futures Commission, etc.), even though there might not be any legal requirements on notification of a data breach incident, under the respective guidelines or code of conduct issued by the regulators, the regulators might have imposed a requirement for the regulated company to notify the regulator and/or the affected customers or stakeholders about the data breach incident within a certain timeframe from the time when the incident happened.
If a company chooses to notify affected individuals about the data breach incident, the notifications should be clear, concise, and provide relevant details about the breach, such as the types of data involved and the potential consequences. Additionally, companies should offer guidance on the steps individuals can take to mitigate risks, such as changing passwords or monitoring financial accounts.
Overall when a company considers assessing or investigating a data breach incident, particularly when involving any 3rd party service providers, the company should consider if lawyers should be instructed to give legal advice on the issues and for legal professional privilege protection on the results and reports of such investigation. Given that there might be complaints or claims from affected parties after a data breach incident with possible further probes by outsiders or law suits, it is important to seek legal advice under the protection of privilege before the company makes any important decisions or take any remedial actions.
For enquiries, please feel free to contact us at: |
|
E: technology@onc.hk T: (852) 2810 1212 19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong |
|
Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors. |
|
Published by ONC Lawyers © 2023 |
