Authored by: Kelley Loo
Did you know?
According to statistics released by Hong Kong’s Privacy Commissioner (PC), the number of data breach notifications received by the privacy watchdog in 2023 increased by nearly 50% compared with 2022.
In the first quarter of 2024, data breach incidents have dominated the headlines. We have already seen the PC investigating a number of high-profile data breach incidents, stemming from a variety of causes including cyberattacks, accidental disclosures, and insufficient security measures.
Why does this matter to you?
Data breaches can happen to anyone regardless of how secure you think your data is. Under data protection principles set out in Hong Kong’s Personal Data (Protection) Ordinance (PDPO), data users should take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. Even if a data user has outsourced the processing of personal data to a third party, it remains liable under the law for its data processor’s acts or omissions.
A data breach may amount to a contravention of the PDPO. This could result in an investigation, possible publication of the investigation report, and issuance of an enforcement notice. In addition, affected data subjects can also seek damages directly from a data user through a civil action. Combined with reputational damage and the loss of customer trust, it is clearly critical that data users have effective procedures in place for preventing, responding to, and handling data breaches.
Organisations should not wait until a data breach has occurred to try to salvage the aftermath. One recent case identified infrequent security audits and unnecessary retention of personal data as two of the deficiencies that allowed the data user’s servers to be attacked by malicious ransomware. Another recent case, where hackers stole personal data during a system migration process, resulted in an enforcement notice. The PC found that the company had made several errors leading to the hacking, including failing to:
It is also important to be aware that long-proposed reforms to the PDPO are back on the table. The proposals include the introduction of a mandatory data breach notification mechanism in situations where there is “a real risk of significant harm”. Relevant breaches should be notified to the Privacy Commissioner within 5 business days. Last year, it was already reported that the Privacy Commissioner is working with the Government to formulate concrete legislative amendments. These are expected soon, so businesses should review their practices now.
Our data privacy team has successfully advised companies from various industries on cybersecurity, handling data breaches, and investigations by the Privacy Commissioner and the Hong Kong Police. Please reach out to us for more information.