Eugene Low. Data breach notification in Hong Kong: Why is it important for companies?



Similar documents
Procedure for Managing a Privacy Breach

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

(a) the kind of data and the harm that could result if any of those things should occur;

A Best Practice Guide

Cloud Computing. Introduction

005ASubmission to the Serious Data Breach Notification Consultation

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

CORPORATE TRAVEL MANAGEMENT PRIVACY POLICY

Cyber and data Policy wording

Helpful Tips. Privacy Breach Guidelines. September 2010

Applying the legislation

Personal Information Protection Act Information Sheet 11

IT OUTSOURCING SECURITY

Personal data privacy protection: what mobile apps developers and their clients should know

Data Breach Notifications. Submission by the Australian Communications Consumer Action Network to the Attorney General s Department

Cyber Risks October

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

PRIVACY BREACH MANAGEMENT POLICY

2. Open and transparent management of personal information

Protection of Privacy

Anatomy of a Hotel Breach

Issue #5 July 9, 2015

Data Protection Breach Reporting Procedure

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

PROFESSIONAL INDEMNITY CLAIM FORM

Cyber Threats: Exposures and Breach Costs

Data Security Breach Management Procedure

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Corporate Policy and Strategy Committee

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1

Managing your data processors: legal requirements and practical solutions

The potential legal consequences of a personal data breach

Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud

MEDJOBBERS.COM & JOBBERS INC TERMS AND CONDITIONS

Regulatory Policy. Unsolicited Electronic Communications

Information security due diligence

Boys and Girls Clubs of Kawartha Lakes B: Administration B4: Information Management & Policy: Privacy & Consent Technology

Frequently Asked Questions About Recruitment Advertisements

Reducing Cyber Risk in Your Organization

What's Up with Apps in Hong Kong July 2013


Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014

Data Protection Breach Management Policy

Privacy, the Cloud and Data Breaches

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

All travel must be booked in the applicable class of service for discounts to apply.

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Cyber Exposure for Credit Unions

Supplementary Policy on Data Breach Notification Legislation

Acceptable Use Policy

BUSINESS ASSOCIATE AGREEMENT

Dealing with data breaches in Europe and beyond

Personal Data & Privacy Policy Statement

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

Data Management Session: Privacy, the Cloud and Data Breaches

Direct Recruitment Privacy Policy

FISHER & PAYKEL PRIVACY POLICY

ADP Ambassador /Referral Rewards Program. Terms and Conditions of Use

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Information Handling Policy

Privacy Policy documents for

Acceptable Use Policy

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

Terms and Conditions for Online Services of BOC Credit Card (International) Limited

Making Sense of Cyber Insurance: A Guide for SMEs

Program: Master s of Intellectual Property Law (Comprehensive) Syllabus

Privacy Policy 1. GENERAL

BLUE BADGE INSURANCE PTY LTD BLUE BADGE COMMUNITY AUSTRALIA PTY LTD PRIVACY POLICY

BOC Credit Card (International) Limited - Terms and Conditions for Online Services

Cross-Sound Cable Company, LLC Procedure for Disclosure of Critical Energy Infrastructure Information

Disclaimer: Template Business Associate Agreement (45 C.F.R )

CENTRAL SAVINGS BANK BUSINESS INTERNET BANKING AGREEMENT

Incident Response. Six Best Practices for Managing Cyber Breaches.

GymSports NZ Incorporated. Membership Data Regulation. Commencement Date 23 January Issued 23 January 2009

region16.net Acceptable Use Policy ( AUP )

UK Data Risks Incident RoadMap

ROHIT GROUP OF COMPANIES PRIVACY POLICY This privacy policy is subject to change without notice. It was last updated on July 23, 2014.

ADP Ambassador / Referral Rewards Program Terms and Conditions of Use

Inject Design General Terms & Conditions

Reseller Agreement. Domain Central Australia Pty Ltd (ACN ) Level 27, 101 Collins Street, Melbourne VIC 3000 AUSTRALIA

PUBLIC/PERSONAL LIABILITY CLAIM FORM

Quorum Privacy Policy

ISO27001 Controls and Objectives

Credit Reporting Agencies and the Privacy Act - A Summary

any Service that involves gambling, betting, adult, sex or over 18 services or information;

University Healthcare Physicians Compliance and Privacy Policy

CSR Breach Reporting Service Frequently Asked Questions

Code of Practice on Data Protection for the Insurance Sector

Guidance on Personal Data Protection in Cross-border Data Transfer 1

PRIVACY POLICY. Mil y Un Consejos Network. Mil y Un Consejos Network ( Company or we or us or our ) respects the privacy of

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Overview of the Impact of the Privacy Reforms on Credit Reporting

The Association of Professional Compliance Consultants Professional Standards for Member Firms

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Professor Dorothy J. Glancy, - Santa Clara University School of Law

Who s next after TalkTalk?

Privacy and Security Incident Management Protocol

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Transcription:

P a g e 1 Privacy Interviews with Experts September 2015 Eugene Low Partner Hogan Lovells Hong Kong Data breach notification in Hong Kong: Why is it important for companies? The number of data breaches is rapidly increasing not only in Hong Kong but around the world, so it is critical for companies to be prepared to prevent and handle these situations. In this interview, Mr. Low provides great insight on best practices for responding to a data breach, including immediate notification to affected individuals and to the Privacy Commissioner among others, what needs to be included in a data breach notification and how it should be communicated. Eugene Low is a well-rounded practitioner handling all areas of contentious and advisory IP, TMT and data privacy work in Hong Kong and China. Eugene advises extensively on data privacy compliance, data breaches and is experienced in advising clients in handling customer complaints and investigations by regulatory authorities. Mr. Low is an accredited mediator and a member of the INTA Bulletins Committee. He also serves as a panellist for the Hong Kong International Arbitration Centre, the Asian Domain Name Dispute Resolution Centre and the Kuala Lumpur Regional Centre for Arbitration. Eugene is also a regular contributor for various publications and also a frequent speaker on data privacy issues. Nymity: What are the most common causes of data breaches in Hong Kong? Eugene: As in other jurisdictions, data breaches in Hong Kong can happen for many reasons. In recent years, however, the most common causes appear to be poor IT security and the lack of employee awareness. As examples, in its latest annual report, the Privacy Commissioner of Hong Kong highlighted two data breach incidents in 2014, both of which were attributed to one or both of these causes:

P a g e 2 Case #1: A university reported that its network-attached servers had been hacked and files containing personal data of more than 15,000 individuals had been accessed by a hacker. The university responded to the Privacy Commissioner's enquiries that the incident was caused by lack of proper security patches on the servers, hence allowing hackers to use ransomware to exploit the security loophole. Case #2: A university reported that a staff member had mistakenly sent an invitation email for admission activities to over 3,000 former students. The mistake was due to human error in conducting a mail merge, resulting in a mismatch in the recipients' data. Nymity: Is it mandatory for a company to provide notification in the event of a data breach? Eugene: No. The Privacy Commissioner however encourages companies to consider notifying the individuals concerned and other relevant parties (e.g. the Privacy Commissioner, law enforcement agencies, etc.) when a real risk of harm is reasonably foreseeable. Nymity: What legal provisions or advisory guidelines apply to the notification of data breaches in Hong Kong? Eugene: There are no legal provisions which apply to data breach notifications in Hong Kong. A number of advisory guidelines are applicable, notably the Guidance Note on "Data Breach Handling and the Giving of Breach Notifications" published by the Privacy Commissioner as well as various circulars and guidance notes issued by the Hong Kong Monetary Authority applicable primarily to the banking sector. Nymity: In the event of a data breach: How can the risk of harm be assessed? Who must assume the responsibility of handling the incident within the company? To whom should this person notify the data breach? Is there any difference between the notification to the regulator and the one to customers? What is the time framework to make a notification? How can a notification be done? What should be included in the notification? Eugene: As mentioned, there are no legal provisions on data breach notifications in Hong Kong. However, as a matter of good practice: How can the risk of harm be assessed? Risk-assessment and fact-finding is a crucial first step. Ideally, all the relevant stakeholders (both internal and external) should be involved as soon as possible. However, given the prevalence of data breaches happening in the cyberworld, in terms of priority, it is almost inevitable that the company's IT personnel would have to be involved to identify the cause of the breach and to implement remedial measures. It is still relatively uncommon for companies in Hong Kong to have a designated personal data officer (or very often they wear multiple hats) so marketing and legal teams will also play a crucial role in identifying the data/individuals concerned and the associated risks. Who must assume the responsibility of handling the incident within the company?

P a g e 3 The company should have an incident-response team consisting of the various stakeholders, e.g. IT, legal, marketing, public relations, human resources. The team should have a co-ordinator but in reality the team members do have to work very closely together because a data breach very often involves a matrix of issues to be assessed and dealt with. To whom should this person notify the data breach? Is there any difference between the notification to the regulator and the one to customers? In most cases, the primary classes of persons to be notified would be the affected individuals and the Privacy Commissioner. In appropriate cases, notifications may also be made (or have to be made) to law enforcement agencies (for example where criminal activities are suspected) or to industry associations or regulators (for example, the financial industry regulators). Notifications may also be made to the public at large, for example by posting a data breach notification on the data user's website (this would be appropriate if, for instance, the data user wants to notify the data subjects affected but cannot identify them or their contact information), or to Internet service providers/search engines if assistance is required for removing caches. Some data users may opt to make a notification to enhance transparency and to convey a message that they have taken and will take steps to safeguard their customers' personal data. What is the time framework for notification? If the company decides to make a notification, this should be done as soon as possible. Data breaches are usually time-sensitive. Delay in making notification may result in further damage to the individuals (e.g. further misuse of their data) and to the company (e.g. loss of credibility). How should notification be done? This depends. As mentioned above, companies who want to be more transparent may choose to make the notification by posting a message on their official website. There have been recent examples in Hong Kong where a company notified its loyalty scheme members of a suspected hacking by way of a newspaper notice, and where a bank wrote to the affected customers individually of a suspected leak of credit card details. In the latter case, it would not have been appropriate for the bank to make a public notification as this might lead to further loss to its customers. What should be included in the notification? Usually a notification will include: Cause and extent of the breach Immediate remedies that the company has taken Long-term remedial measures In appropriate cases, companies may offer an apology or a sweetener (e.g. in the form of a coupon) The key message to send out is that the company has taken the right steps which will minimise the chances of a repeat incident.

Nymity: Are there any exemptions to notification e.g. breaches involving encrypted data? w w w. N y m i t y. c o m P a g e 4 Eugene: As notifications are not mandatory in Hong Kong, there are not really any exemptions. However, for example for breaches involving encrypted data, the company, after having assessed the risk, may come to the conclusion that the chances of real loss are low and therefore may opt not to make a notification at all. Nymity: What are the consequences for failing to provide notification? What powers does the regulator have in respect of enforcement in the event of non- disclosure? Eugene: Generally speaking, there are no legal consequences as such for failing to give notification for a data breach in Hong Kong (but there can be legal risks where the company's non-disclosure may arguably lead to further loss suffered by the individuals, e.g. stolen credit card details), and the Privacy Commissioner does not have any power of enforcement in the event of non-disclosure. One potential downside of non-disclosure is that if the breach does come to light, negative publicity may follow and the company may be perceived as trying to conceal its fault both in the eyes of its customers and the Privacy Commissioner. Nymity: What lessons can a company learn from a data breach to prevent recurrence? Eugene: I would suggest that companies take a step back to conduct a complete review of their data privacy practice and policy. The whole concept of data security relates back to the fundamentals of data privacy. For instance, before collecting personal data, companies should critically ask themselves how much personal data do they really need to collect? How long do they need to keep those data for? Where are those data kept? It is notable that a lot of data breach cases involve the leak of irrelevant or obsolete personal data which arguably add to the damage rather unnecessarily. Nymity: What are the top five data breach notification best practices that companies operating in Hong Kong should implement? Eugene: While there is no "one-size-fits-all' solution, generally speaking I would recommend companies in Hong Kong to pay attention to the following: - Develop a data breach response policy. Having an established policy (as opposed to handling a data breach on an ad-hoc basis) would help companies in pulling together the relevant stakeholders (both internal and external), and assessing the steps that ought to be taken, much more efficiently and consistently. - Take a wholesale review of the company's data privacy practice and policy. Avoid keeping obsolete, unnecessary personal data this will in turn reduce the company's exposure to data breaches. - Make sure the IT infrastructure (in particular security measures) is reasonably up-to-date. - Provide regular data privacy training and guidance to employees, contractors and data processors. Develop appropriate data security-related manual, e.g. BYOD and social media policies. - Consider taking out cyber liability insurance.

P a g e 5 These interviews are provided by Nymity as a resource to benefit the broader privacy community. The interviews represent the points of view of the interview subjects and Nymity makes no guarantee as to the accuracy of the information. Errors or inconsistencies may exist or may be introduced over time as material becomes dated. None of the foregoing is legal advice. If you suspect a serious error, please contact research@nymity.com. Copyright 2014 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use, or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc. Requests may be sent to research@nymity.com.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information