Safeguarding Data Security Amid Increasing Cyberattacks

The document discusses data privacy and security. It provides an overview of Hong Kong's data protection principles and recent increases in cyberattacks and data breaches globally and locally. It also discusses the PCPD's resources to help enhance data security compliance.


Office of the Privacy Commissioner for Personal Data (個人資料私隱專員公署)

Safeguarding Data Security Amid Increasing Cyberattacks
The American Chamber of Commerce
21 March 2024

Ada CHUNG Lai-ling
Privacy Commissioner for Personal Data

1
Content
This presentation covers…

1. Overview of the Data Protection Principles as specified in the Personal Data (Privacy) Ordinance (PDPO)
2. Cyberattacks and data breaches
3. PCPD’s resources for enhancing data security

2
Definition
Personal data means any data – (Section 2(1) of the PDPO)

• relating directly or indirectly to a living individual;
• from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
• in a form in which access to or processing of the data is practicable.

3
6 Data Protection Principles
(Schedule 1 to the PDPO)

• Represent the core requirements of the Personal Data (Privacy) Ordinance (PDPO)
• Cover the entire lifecycle of the handling of personal data, from collection, holding, processing, use to deletion
• Data users must comply with the DPPs

4
DPP1
Purpose and Manner of Collection of Personal Data

• Must be collected for a lawful purpose directly related to a function or activity of the data user
• The data is necessary, adequate but not excessive in relation to the purpose of collection
• The means of collection must be lawful and fair
• All practicable steps shall be taken to inform the data subject whether it is obligatory to supply the personal data, the purpose of data collection, and the classes of persons to whom the data may be transferred, etc.

5
DPP3
Use of personal data

• Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.
• Under certain circumstances (e.g. minors), a relevant person in relation to a data subject may, on his or her behalf, give the prescribed consent required for using the data subject’s personal data for a new purpose.

“Prescribed consent” means express consent given voluntarily which has not been withdrawn in writing

“New purpose” means any purpose which is unrelated to the original purpose or its directly related purpose when the data is collected

6
DPP4
Security of personal data

• Data users should take all practicable steps to ensure the personal data that they hold is protected against unauthorised or accidental access, processing, erasure, loss or use
• If a data processor is engaged, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing

7
Content
We now turn to…

1. Overview of the Data Protection Principles as specified in the Personal Data (Privacy) Ordinance (PDPO)
2. Cyberattacks and data breaches
3. PCPD’s resources for enhancing data security

8
Global Situation
The bad news is that cyberattacks are rising

Cyberattacks around the world
[Chart: ransomware victims by quarter, Q1 2021 – Q3 2023; quarterly counts range from 535 to 1,278. Source: Corvus]

State of play in 2023
• 94% of organisations experienced cyberattacks in a global survey
• 57% of IT professionals lose sleep worrying about the organisation being hit by a cyberattack
Source: Sophos

9
Global Examples
The Medibank and social media cases – why we need to be worried

Medibank (2022)
• Hackers used the credential stolen from an employee account with preferential access to the internal system of the insurer
• Health data of over 9 million customers breached
Source: Reuters (2022)

Global Data Breach Involving Social Media Platforms (2024)
• Reports that researchers uncovered global data breach incidents affecting various online platforms involving 26 billion records of personal data
Source: PCPD (2024)

10
Local Cyber Security Attacks
Cyberattacks are also increasing in Hong Kong
PCPD’s survey with HKCERT shows nearly ¾ of enterprises faced cyberattacks in 2023, the highest in five years

[Chart: % of enterprises that encountered cyberattacks in the past 12 months, Hong Kong, 2019 – 2023. Record high of 73% in 2023; SMEs: 10%-pt YoY increase; corporates: 71%, a 7%-pt YoY decrease. Source: Hong Kong Enterprise Cyber Security Readiness Index]

11
Local Data Breaches
Data breach notifications surged in 2023; hacking was a major contributor

Compared with 2022, DBNs in 2023 rose substantially by 50%; DBNs involving hacking rose both absolutely and relatively.

Data breach notifications to PCPD (absolute numbers)
• 2022: 105
• 2023: 157 (+50%)

Data breach notifications involving hacking (absolute numbers)
• 2022: 29
• 2023: 64 (+120%)

Data breach notifications involving hacking, as a percentage of total
• 2022: hacking 28%, involvement of other factors 72%
• 2023: hacking 41%, involvement of other factors 59% (+13%-pt)
Source: PCPD

12
Legal Liability
A data breach may amount to contravention of DPP4(1) and (2)

DPP4(1)
A data user shall take all reasonably practicable steps to ensure that the personal data it holds is protected against unauthorised or accidental access, processing, erasure, loss or use.

DPP4(2)
If a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means, to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

13
Inspections and Compliance Checks
PCPD takes proactive actions

Inspections by PCPD in the past three years (report date – companies inspected)
• 9 Oct 23 – ZA Bank Limited
• 20 Sep 23 – The Registration and Electoral Office
• 20 Dec 22 – TransUnion Limited
• 18 Aug 21 – (1) CLP Power Hong Kong Limited and (2) The Hongkong Electric Company, Limited

Compliance checks initiated by PCPD
[Chart: compliance checks initiated by PCPD per year, 2020 – 2023; annual counts of 344, 377, 392 and 393]

Selected compliance checks launched in 2023
• All credit reference agencies
• Use of AI by 28 local organisations

14
Investigation against Carousell Limited
Unauthorised scraping of personal data of Carousell users

Background
• The investigation arose from a data breach notification lodged by Carousell Limited
• The company reported that a listing posted on an online forum offered the sale of the personal data of 2.6 million Carousell users, including the personal data of 324,232 users in Hong Kong

Carousell’s Explanation
• The data breach incident was caused by a security vulnerability relating to a system migration

Data User’s Obligation
• Although Carousell Limited was at all material times using the information systems and database under the centralised model of the Carousell Group, Carousell Limited as a data user under the PDPO has a positive duty to safeguard the security of the personal data under its control

15
Investigation against Carousell Limited
Decision

DPP4(1) contravention
Carousell Limited had not taken all practicable steps in relation to the system migration to ensure that the personal data held by Carousell were protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP4(1) concerning the security of personal data

Enforcement Notice
The Privacy Commissioner served an Enforcement Notice on Carousell Limited, directing it to remedy and prevent recurrence of the contravention

16
Content
We now turn to…

1. Overview of the Data Protection Principles as specified in the Personal Data (Privacy) Ordinance (PDPO)
2. Cyberattacks and data breaches
3. PCPD’s resources for enhancing data security

17
PCPD’s Resources for Enhancing Data Security
PCPD is helping data users enhance data security and prevent data breaches

Data Security Thematic Webpage
• One-stop access to resources on data security

Data Security Scanner
• Self-assessment toolkit for enterprises to assess adequacy of data security measures of ICT systems

Data Security Hotline
• Provide SMEs with a channel to make enquiries about compliance with the PDPO

Guidance Materials
• Data Breach Response Plan
• Guidance Note on Data Security Measures for ICT
• Privacy Management Programme (PMP)

18
Data Breach Response Plan
Putting a plan in place can help minimise impact of a data breach

What?
A document setting out how an organisation should respond in a data breach. The plan should outline:
• a set of procedures to be followed in a data breach
• strategy for identifying, containing, assessing and managing the impact brought about by the incident from start to finish

Why?
Help ensure a quick response to and effective management of a data breach

Elements
• Description of what makes a data breach
• Internal incident notification procedure
• Contact details of response team members
• Risk assessment workflow
• Containment strategy
• Communication plan
• Investigation procedure
• Record keeping policy
• Post-incident review mechanism
• Training or drill plan

19
Handling Data Breaches
Handling a data breach requires 5 steps, with a preparatory plan in place

1. Gathering essential information immediately
2. Containing the data breach
3. Assessing the risk of harm
4. Considering giving data breach notifications
5. Documenting the breach

20
Guidance Note on Data Security Measures for ICT
We recommend best practices in strengthening data security

Background
• We have witnessed an increasing number of data breaches over the years
• Data users should step up their data security measures to prevent malicious attacks on their information systems
• A robust data security system is a core element of good data governance

21
7 Recommended Measures
Taking the below measures enhances data security of organisations

1. Data Governance & Organisational Measures
2. Risk Assessments
3. Technical and Operational Security Measures
4. Data Processor Management
5. Remedial Actions in the event of Data Security Accidents
6. Monitoring, Evaluation and Improvement
7. Other Considerations

22
Privacy Management Programme (PMP)
Definition and benefits of adoption

What’s PMP?
A management framework
• For the responsible collection, holding, processing & use of personal data by the organisation
• To ensure compliance with the Personal Data (Privacy) Ordinance (PDPO)

Why PMP?
• Minimise risk of data security incidents
• Handle data breaches effectively to minimise damage
• Ensure compliance with PDPO
• Build trust with employees and customers, and enhance corporate reputation and competitiveness

“Guide for Independent Non-Executive Directors” published by HKIoD recommends use of PMP as part of ESG management!

23
3 Components of PMP
Apply PMP as a business imperative throughout the organisation

1. Organisational Commitment
• Get buy-in from the top
• Appoint Data Protection Officer
• Set up a reporting mechanism

2. Programme Controls
• Personal data inventory
• Internal policies
• Risk assessment tools
• Training, education & promotion
• Handling of data breach incidents
• Data processor management
• Communication

3. Ongoing Assessment and Revision
• Develop an oversight & review plan
• Assess and revise programme controls

24
1. Privacy Management Programme: A Best Practice Guide (revised in Mar 2019)
2. Guidance Note on Data Security Measures for Information and Communications Technology (Aug 2022)
3. Guidance on Data Breach Handling and Data Breach Notifications (revised in Jun 2023)

25
Thank you
2827 2827

www.pcpd.org.hk

[email protected]

26