News & Insights

Data breaches: how ready are you?

View PDF

Authored by: Kelley Loo

Did you know?

According to statistics released by Hong Kong’s Privacy Commissioner (PC), the number of data breach notifications received by the privacy watchdog in 2023, increased by nearly 50% compared with 2022.

In the first quarter of 2024, data breach incidents have dominated the headlines. We have already seen the PC investigating a number of high profile data breach incidents, stemming from a variety of causes including cyberattacks, accidental disclosures, and insufficient security measures.

Why does this matter to you?

Data breaches can happen to anyone regardless of how secure you think your data is. Under data protection principles set out in Hong Kong’s Personal Data (Protection) Ordinance (PDPO), data users should take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. Even if a data user has outsourced the processing of personal data to a third party, it remains liable under the law for its data processor’s acts or omissions.

A data breach may amount to a contravention of the PDPO. This could result in an investigation, possible publication of the investigation report, and issuance of an enforcement notice. In addition, affected data subjects can also seek damages directly from a data user through a civil action. Combined with reputational damage and the loss of customer trust, it is clearly critical that data users have effective procedures in place for preventing, responding to, and handling data breaches.

Organisations should not wait until a data breach has occurred to try and salvage the aftermath. One recent case identified infrequent security audits and unnecessary retention of personal data as two of the deficiencies that allowed the data user’s servers to be attacked by malicious ransomware. Another recent case, where hackers stole personal data during a system migration process, resulted in an enforcement notice. The PC found that the company had made several errors leading to the hacking, including failing to:

  • conduct a privacy impact assessment prior to migration
  • carry out a comprehensive code review process
  • ensure a thorough security assessment
  • have an effective mechanism in place to detect unusual activities such as the extraction of users’ personal data from the system.

It is also important to be aware that long-proposed reforms to the PDPO are back on the table. The proposals include the introduction of a mandatory data breach notification mechanism in situations where there is “a real risk of significant harm”. Relevant breaches should be notified to the Privacy Commissioner within 5 business days. Last year, it was already reported that the Privacy Commissioner is working with the Government to formulate concrete legislative amendments. These are expected soon so businesses should review their practices now.

Our data privacy team has successfully advised companies from various industries on cybersecurity, handling data breaches, and investigations by the Privacy Commissioner and the Hong Kong Police. Please reach out to us for more information.

Key Contacts

Kelley Loo

Partner | Intellectual Property

Email or call +852 2825 9575

Related Services and Sectors:

Data Protection and Privacy, Intellectual Property

Portfolio Builder

Select the legal services that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)