In today's digital landscape, we have seen a significant increase in the number of organisations being targeted by threat actors over the years. In 2024 alone, the Privacy Commissioner for Personal Data of Hong Kong ("PCPD") received 203 data breach notifications from organisations, marking a rise of nearly 30% compared to 157 notifications made in 2023.
Given the voluntary notification regime in Hong Kong, these figures are limited to the notifications made voluntarily by organisations to the PCPD, and there may be other unreported data breach incidents which are not known to the public. The PCPD has proposed a reform to make the notification regime mandatory in Hong Kong by amending the Personal Data (Privacy) Ordinance (Cap. 486 of the laws of Hong Kong) ("PDPO") – while discussions are underway, we see that the PCPD has been adopting a stricter enforcement approach, launching investigations against organisations which have reported their data breach incidents to ensure that they have taken adequate measures to protect their data security in compliance with their obligations under the PDPO.
We have advised a range of organisations on data compliance health checks from a preventative perspective, and also on navigating data breach incidents from a containment and remedial perspective, including assisting them with responding to the PCPD's inquiries and investigations. Organisations should be reminded to regularly review their data compliance framework and ensure compliance with the best practices set out under the PCPD's Guidance on Data Breach Handling and Data Breach Notifications (the "PCPD Guidance").
Pre-breach: Develop a robust data breach response plan
As good practice, organisations should proactively put in place a comprehensive response plan to ensure that they can quickly respond to and effectively manage a data breach in the event of such occurrence – this is particularly important as prompt response in the event of a breach may allow for better containment of its impact. The PCPD Guidance provides for several measures which organisations are recommended to adopt in order to stay prepared – we have included some key points below:
1. Providing a description of what constitutes a data breach: Ensuring that employees are familiar with the description of a data breach and common examples tailored to the nature and industry of the organisation, and the specific threshold that triggers actioning of the data breach response plan.
2. Forming a response team: Assembling a designated response team with members including its data protection officer, IT experts, public relations advisors and other key professionals, while ensuring a clear designation of the roles and responsibilities of different team members.
3. Developing an internal notification procedure: Developing a process to internally report and escalate data breach incidents to senior management and the response team. In doing so, organisations can also consider developing a standard escalation form to ensure that key details are reported and properly documented.
4. Developing a risk assessment workflow: Developing a risk assessment workflow to evaluate the potential harm to affected data subjects to guide mitigation efforts.
5. Setting out a clear communication plan: Setting out clear criteria for notifying and responding to enquiries from affected data subjects and regulatory authorities (including the PCPD, the police and other relevant industry regulatory authorities such as the Securities and Futures Commission and the Hong Kong Monetary Authority), detailing the information to be shared and the methods of communication.
6. Carrying out internal investigations and reporting: Establishing procedures to look into and investigate data breach incidents, and report such findings internally to senior management.
7. Providing training and drills: Regularly training employees to ensure that they can effectively adopt the practices as part of the procedures in the event of a data breach.
Please note that these steps are by no means exhaustive, and organisations should tailor their response plans to address specific industry risks and operational needs.
Notification obligations: Whether to report and if so, when?
As mentioned, unlike other jurisdictions such as the UK, the EU or the PRC, there are currently no mandatory notification obligations to the PCPD or to data subjects under Hong Kong law. As a matter of good practice, however, organisations which are considered data users under the PDPO should notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the breach is likely to result in a real risk of harm to those affected.
As to the timing of notification, whilst the PCPD Guidance does not define what constitutes "as soon as practicable", in previous data breach incidents the PCPD has commented that a regulatory notification made within 12 days is considered timely. Organisations should, however, keep a close eye on potential legal developments in this space, given the PCPD's indication of potential reforms to the notification regime in Hong Kong. In particular, we note that in the Constitutional and Mainland Affairs Bureau's discussion paper dated January 2020, the proposed notification timeframe was for notification to be made "as soon as practicable, under all circumstances, in not more than five business days" from "when the data user becomes aware of a data breach".
Post-breach: Critical steps when handling a data breach incident
In the event of a data breach, data users should act swiftly in managing and mitigating the impact of the breach. The PCPD Guidance outlines some of the key steps organisations should consider when handling a data breach, including the following:
1. Immediate gathering of essential information: Promptly collecting all relevant information on the breach to assess its impact on data subjects and identify appropriate mitigation measures. Organisations should consider key questions including when the breach occurred, how the breach was detected, the cause of the breach, the kinds of personal data involved and an estimate of the number of affected data subjects.
2. Containment measures: Taking immediate steps to contain the breach and minimise harm. This may include, among other things, shutting down or isolating the compromised systems and servers, disabling system functions relevant to the breach, alerting banks or credit card companies to reduce the risk of financial losses (where applicable) and notifying the relevant law enforcement agencies if the breach is likely to involve criminal activity.
3. Risk assessment: Evaluating the risk of harm to affected data subjects, such as identity theft or financial loss, taking into account the sensitivity and amount of personal data involved, circumstances of the breach and the nature of harm.
4. Considering giving data breach notifications: Deciding whether to notify affected data subjects and relevant authorities, taking into account all relevant factors, including the potential consequences and seriousness of the breach.
5. Documentation of the breach: Maintaining comprehensive records of the breach (including details of the incident, containment actions and remedial measures taken) to facilitate a post-breach review of the organisation's existing personal data handling practices, and to ensure proper compliance with the relevant regulatory requirements.
Organisations are encouraged to adopt these steps to effectively manage the aftermath of a data breach and mitigate potential harm caused to the affected data subjects.
Other practical considerations when multiple jurisdictions are involved
Where a data breach affects data subjects in multiple jurisdictions, in addition to the above considerations from a Hong Kong law perspective, organisations also need to take into account the following factors when formulating and implementing an overall response strategy:
1. Differences in legal obligations: Different jurisdictions are likely to have different threshold, formality and timeframe requirements for notifying and reporting data breaches. Organisations should understand these differences and adopt a practically balanced approach to coordinate the notification and reporting efforts across the jurisdictions involved. It is also advisable to keep the information disclosed in any notification or report as consistent as possible across all jurisdictions.
2. Preparation for the chain effect: If, after assessment, the organisation decides to notify / report the breach in selected jurisdictions and not others, it should prepare for the potential reactions from the media and interested individuals in other jurisdictions once the breach is made public. Standard communication protocols, media announcements and Q&As should be ready to be distributed, so as to address potentially numerous enquiries from data subjects and regulators. Again, planning ahead and keeping communications consistent is the key to smoothing the potential impact.
Key takeaways
Organisations should closely review their existing data breach management practices and consider adopting the best practices set out above to ensure that they have a robust compliance framework in place.
We will be keeping a close eye on any potential legal developments in this space, and we are here to support you in safeguarding your organisation's data security.