By Claire Chow

Hong Kong, 8 August 2023: While you are reading this, someone may know you are doing so. Paranoid? Perhaps, but it is a fact that cyberattacks are increasing worldwide, leaving individuals and organisations exposed not only to immense inconvenience but also reputational damage, financial loss and potential legal consequences.

Statistics and analysis from global software security company Check Point make for sobering reading: the firm says cyberattacks on corporate networks shot up 38% last year; Asia Pacific was second only to Africa as the region with the highest proportion of attacks per organisation; and the top three most attacked industries were Education/Research, Government and Healthcare. It also notes hackers are widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive – all rich sources of sensitive data given that many people in our post-pandemic world continue to work remotely.

The global trend is mirrored here in Hong Kong where the number of data breach incidents reported to the Office of the Privacy Commissioner for Personal Data (PCPD) in the first half of 2023 increased by more than 20% compared to the second half of 2022.

How do data breaches occur? There are a variety of causes: cyberattacks by hackers, thieves and other bad actors; system faults and administration errors; loss of physical documents or portable devices; improper or wrongful disposal of personal data; inadvertent disclosure, typically by sending an email to the wrong recipient; and staff negligence or misconduct.

Against this background, the PCPD has this past June issued a new “Guidance on Data Breach Handling and Data Breach Notifications” (the Guidance) to assist organisations in preparing themselves for the worst. It also contains practical recommendations for handling breaches in order to contain the resulting damage. Specifically, the Guidance recommends organisations should follow five steps when handling a data breach:

Collate essential information: As a starting point, the data user should promptly gather all relevant information about the breach to assess its impact and identify mitigation measures.

Contain the data breach: Take urgent action to shut down the problem as effectively as possible and ensure it cannot happen again.

Assess the risk of harm: Fallout from a breach can include threats to personal safety, identity theft, financial loss, humiliation or loss of dignity, damage to reputation or relationships; and loss of business or employment opportunities.

Consider notifications: When deciding whether to report a breach to those affected, the PCPD and other law enforcement agencies, the extent and seriousness of the breach should be considered, as should the consequences of failing to give notification.

Document the breach: Record each step of the investigation and recovery process, undertake a post-incident review and improve protocols as a result. Thus, a comprehensive record of what has taken place is secured for future reference.

Aside from the Guidance, the PCPD has launched an e-Data Breach Notification Form, an online service with guided questions and multiple-choice answers which enables organisations to grasp the details of data breach incidents more effectively and report them to the PCPD in a timely manner.

In summary, it should be noted that an effective data breach handling policy is essential for any organisation. Not only does it demonstrate proactive management and accountability, it helps maintain sound business relationships and in some cases, public confidence. Last, and by no means least, showing such foresight and precaution can help reduce the risk of litigation.

Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Civil and Commercial Litigation, and Judicial Review. She can be contacted at Claire@boasecohencollins.com.