Skip to content

Something urgent? Call us now! (852) 3416 1711

Data breaches and how to handle them

By Claire Chow

Hong Kong, 8 August 2023: While you are reading this, someone may know you are doing so. Paranoid? Perhaps, but it is a fact that cyberattacks are increasing worldwide, leaving individuals and organisations exposed not only to immense inconvenience but also reputational damage, financial loss and potential legal consequences.

Statistics and analysis from global software security company Check Point make for sobering reading: the firm says cyberattacks on corporate networks shot up 38% last year; Asia Pacific was second only to Africa as the region with the highest proportion of attacks per organisation; and the top three most attacked industries were Education/Research, Government and Healthcare. It also notes hackers are widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive – all rich sources of sensitive data given that many people in our post-pandemic world continue to work remotely.

The global trend is mirrored here in Hong Kong where the number of data breach incidents reported to the Office of the Privacy Commissioner for Personal Data (PCPD) in the first half of 2023 increased by more than 20% compared to the second half of 2022.

How do data breaches occur? There are a variety of causes: cyberattacks by hackers, thieves and other bad actors; system faults and administration errors; loss of physical documents or portable devices; improper or wrongful disposal of personal data; inadvertent disclosure, typically by sending an email to the wrong recipient; and staff negligence or misconduct.

Against this background, the PCPD has this past June issued a new “Guidance on Data Breach Handling and Data Breach Notifications” (the Guidance) to assist organisations in preparing themselves for the worst. It also contains practical recommendations for handling breaches in order to contain the resulting damage. Specifically, the Guidance recommends organisations should follow five steps when handling a data breach:

Collate essential information: As a starting point, the data user should promptly gather all relevant information about the breach to assess its impact and identify mitigation measures.

Contain the data breach: Take urgent action to shut down the problem as effectively as possible and ensure it cannot happen again.

Assess the risk of harm: Fallout from a breach can include threats to personal safety, identity theft, financial loss, humiliation or loss of dignity, damage to reputation or relationships; and loss of business or employment opportunities.

Consider notifications: When deciding whether to report a breach to those affected, the PCPD and other law enforcement agencies, the extent and seriousness of the breach should be considered, as should the consequences of failing to give notification.

Document the breach: Record each step of the investigation and recovery process, undertake a post-incident review and improve protocols as a result. Thus, a comprehensive record of what has taken place is secured for future reference.

Aside from the Guidance, the PCPD has launched an e-Data Breach Notification Form, an online service with guided questions and multiple-choice answers which enables organisations to grasp the details of data breach incidents more effectively and report them to the PCPD in a timely manner.

In summary, it should be noted that an effective data breach handling policy is essential for any organisation. Not only does it demonstrate proactive management and accountability, it helps maintain sound business relationships and in some cases, public confidence. Last, and by no means least, showing such foresight and precaution can help reduce the risk of litigation.

Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Civil and Commercial Litigation, and Judicial Review. She can be contacted at Claire@boasecohencollins.com.

39+ years of legal experience is just a click away.

Friendly and approachable, we are ready to answer your questions and offer you sound advice.

Contact us now

BC&C-contact-us

News & Knowledge

Learn more about what we do and what we say. Subscribe to our newsletter to ensure you receive our updates.

  • This field is for validation purposes and should be left unchanged.

Focus on enforcing foreign judgments

Hong Kong, 17 December 2024: Our Consultant John Zhou was pleased to attend a high-powered legal seminar in Hong Kong examining the broad topic of recognition and enforcement of foreign judgments. The five-day course, jointly organised by the Hague Academy of International Law and the Asian Academy of International Law, and held at the latter’s […]

Read more

Carry on camping – and consuming

Hong Kong, 11 December 2024: Step aside, Tarzan, a pop singer called Danny Jones is the real king of the jungle. He has just been crowned winner of reality TV show I’m a Celebrity…Get Me Out of Here! – a feat that is headline news in the UK. The annual series sees a group of […]

Read more

GBA ‘has vast potential’ for HK legal sector

Hong Kong, 9 December 2024: Colin Cohen has hailed the Greater Bay Area as hugely important to the future of Hong Kong’s legal profession after being part of a high-powered delegation from the city that visited Guangdong Province. The group, comprising more than 30 lawyers, held talks with government, administrative and regulatory officials in the […]

Read more

Cross-border talks enhance legal ties

Hong Kong, 6 December 2024: Our Senior Partner Colin Cohen is part of a delegation of Hong Kong legal professionals currently visiting Guangdong Province for talks aimed at furthering cross-border co-operation in legal and business matters. The group, comprising more than 30 individuals, includes office bearers of the Law Society of Hong Kong and the […]

Read more

Bill brings choice to end-of-life care

By Alex Liu Hong Kong, 3 December 2024: A new law that formally recognises a terminally-ill patient’s right, under certain circumstances, to refuse life-sustaining treatments has been passed by the Legislative Council, thus giving Hong Kong a much-needed legal framework for end-of-life care. It is expected to be implemented in around 18 months’ time. The […]

Read more