Skip to content

Something urgent? Call us now! (852) 3416 1711

Data breaches and how to handle them

By Claire Chow

Hong Kong, 8 August 2023: While you are reading this, someone may know you are doing so. Paranoid? Perhaps, but it is a fact that cyberattacks are increasing worldwide, leaving individuals and organisations exposed not only to immense inconvenience but also reputational damage, financial loss and potential legal consequences.

Statistics and analysis from global software security company Check Point make for sobering reading: the firm says cyberattacks on corporate networks shot up 38% last year; Asia Pacific was second only to Africa as the region with the highest proportion of attacks per organisation; and the top three most attacked industries were Education/Research, Government and Healthcare. It also notes hackers are widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive – all rich sources of sensitive data given that many people in our post-pandemic world continue to work remotely.

The global trend is mirrored here in Hong Kong where the number of data breach incidents reported to the Office of the Privacy Commissioner for Personal Data (PCPD) in the first half of 2023 increased by more than 20% compared to the second half of 2022.

How do data breaches occur? There are a variety of causes: cyberattacks by hackers, thieves and other bad actors; system faults and administration errors; loss of physical documents or portable devices; improper or wrongful disposal of personal data; inadvertent disclosure, typically by sending an email to the wrong recipient; and staff negligence or misconduct.

Against this background, the PCPD has this past June issued a new “Guidance on Data Breach Handling and Data Breach Notifications” (the Guidance) to assist organisations in preparing themselves for the worst. It also contains practical recommendations for handling breaches in order to contain the resulting damage. Specifically, the Guidance recommends organisations should follow five steps when handling a data breach:

Collate essential information: As a starting point, the data user should promptly gather all relevant information about the breach to assess its impact and identify mitigation measures.

Contain the data breach: Take urgent action to shut down the problem as effectively as possible and ensure it cannot happen again.

Assess the risk of harm: Fallout from a breach can include threats to personal safety, identity theft, financial loss, humiliation or loss of dignity, damage to reputation or relationships; and loss of business or employment opportunities.

Consider notifications: When deciding whether to report a breach to those affected, the PCPD and other law enforcement agencies, the extent and seriousness of the breach should be considered, as should the consequences of failing to give notification.

Document the breach: Record each step of the investigation and recovery process, undertake a post-incident review and improve protocols as a result. Thus, a comprehensive record of what has taken place is secured for future reference.

Aside from the Guidance, the PCPD has launched an e-Data Breach Notification Form, an online service with guided questions and multiple-choice answers which enables organisations to grasp the details of data breach incidents more effectively and report them to the PCPD in a timely manner.

In summary, it should be noted that an effective data breach handling policy is essential for any organisation. Not only does it demonstrate proactive management and accountability, it helps maintain sound business relationships and in some cases, public confidence. Last, and by no means least, showing such foresight and precaution can help reduce the risk of litigation.

Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Civil and Commercial Litigation, and Judicial Review. She can be contacted at Claire@boasecohencollins.com.

39+ years of legal experience is just a click away.

Friendly and approachable, we are ready to answer your questions and offer you sound advice.

Contact us now

BC&C-contact-us

News & Knowledge

Learn more about what we do and what we say. Subscribe to our newsletter to ensure you receive our updates.

  • This field is for validation purposes and should be left unchanged.

The tipples that take their toll

Hong Kong, 16 October 2024: “Getting your head down, sweetie? Jolly good idea!” So says Leonard Rossiter after causing Joan Collins to spill a drink on herself aboard a flight. It was one of a series of classic TV ads starring the pair promoting Cinzano vermouth, with Rossiter’s social-climbing buffoonery always ensuring the icily elegant […]

Read more

Law & More: Episode 45 – Anoop Gidwani

Hong Kong, 14 October 2024: In the latest episode, we welcome forensic accountant and tenacious investigator of white collar crime Anoop Gidwani, who has recently left the Independent Commission Against Corruption after 37 years of distinguished service. As well, Anoop’s unwavering commitment to integrity extends to cricket, a sport he continues to serve with distinction […]

Read more

Updating copyright for the AI landscape

By Susan Cheung and Nicole Chin Hong Kong, 7 October 2024: The Commerce and Economic Development Bureau and the Intellectual Property Department have jointly published a consultation paper, taking a significant step towards modernising Hong Kong’s copyright regime in response to the rapid advancements in artificial intelligence (AI). The paper addresses key issues regarding copyright […]

Read more

Ian McWalters delivers compelling talk

Hong Kong, 2 October 2024: A large audience gathered at the University of Hong Kong to hear former Justice of Appeal Ian McWalters deliver the sixth annual HKU-Boase Cohen & Collins Criminal Law Lecture. His talk, “The Exercise of Discretion in the Criminal Justice System”, examined discretionary decision making by law enforcement, prosecutors and judicial […]

Read more

The blurred lines of ‘medical beauty’

By Teresa Leung Hong Kong, 25 September 2024: Our city’s largely unregulated “medical beauty” industry is back in the news following the jailing of a beautician over a botched botox injection. It is the latest in a string of cases featuring unlicensed medical practices – some of them leading to permanent physical damage or even […]

Read more