With the exponential growth of digitalisation, cyberattacks have become one of the major risks for most businesses, especially those which provide online services and products. Such attacks may lead to financial losses, reputational damage, regulatory penalties and other harm. Regardless of their sizes, organisations may come under attack from threat actors at any time.
To cite an example, we would all remember the Cathay Pacific Airways Limited (“Cathay Pacific”) data breach incident that happened in October 2018, as it involved unauthorised access by external parties to Cathay Pacific’s servers, affecting around 9.4 million passengers worldwide. Apparently, the damage arising from the incident not only tarnished the goodwill and reputation of the carrier gained over the years, but also led to substantial financial losses. Other than subject to an investigation into the incident undertaken by my Office, which concluded that Cathay Pacific had contravened the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”), the carrier was also fined GBP$500,000 by the UK Information Commissioner’s Office in 2020 and had to pay CAD$1,550,000 in 2021 to settle a class action brought in Canada.
The Increasing Trend of Cyberattack Incidents
Indeed, the siren went off when the Cathay Pacific incident was in the limelight. In recent years, leakage of personal data on the Internet has become an unprecedented risk to users and surfers, with the number of data breaches on a steady rise. An annual global study by Sophos Labs which surveyed 5,600 IT professionals in mid-sized organisations across 31 countries or regions showed that ransomware attacks had been surging and getting more sophisticated than ever before. The study also revealed that 66% of organisations worldwide were hit with ransomware in 2021, an increase of 29% as compared with 2020.
A similar trend is observed from the data breach incidents handled by my Office. In 2019 and 2020, cyberattack incidents including ransomware attacks comprised around a quarter of the reported data breaches. The percentage increased to 29% last year and over 600,000 Hong Kong citizens were affected in various cybersecurity incidents.
Common Causes of Data Breaches
Data breaches can be caused by technical vulnerabilities or human blunders. In this article, I would like to focus on the technical risks, among which weak user passwords, phishing, unpatched vulnerabilities, outdated operating systems and software applications, and the implantation of malicious software represent some of the more common causes of data breach incidents.
From the incidents handled by my Office, we note that phishing and unpatched vulnerabilities are the two most common causes of data breaches. Our observation in this regard is in line with the statistics recently published by Hong Kong Computer Emergency Response Team Coordination Centre (“the Centre”) in its Annual Report 2021. According to the report, phishing (48% of the cases) was the prime cause of security incidents handled by the Centre in 2021.
Two investigations conducted by my Office in recent years reflected the same phenomenon. In the Cathay Pacific case, we concluded that one of the factors attributing to the data breach incident was the carrier’s failure to identify a commonly known unpatched information security vulnerability and take reasonably practicable steps to safeguard the security of its server, which left a loophole for unauthorised access. In another case relating to the intrusion into the email system of the media company Nikkei China (Hong Kong) Limited, it was found that one of the possible causes of attacks to the email system was that the relevant user passwords had been leaked to hackers through phishing attacks.
Relevant Requirements under the Ordinance
Data Protection Principle (“DPP”) 4(1) of Schedule 1 to the Ordinance requires a data user to take all practicable steps to ensure that any personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss or use having particular regard to:
(a) the kind of data and the harm that could result if any of those things should occur;
(b) the physical location where the data is stored;
(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
(e) any measures taken for ensuring the secure transmission of the data.
It is noteworthy that DPP 4(1) imposes a positive duty on a data user to safeguard the security of personal data by taking all practicable steps. Whether a data user would be considered to have taken all reasonably practicable steps would be assessed on a case-by-case basis.
PCPD’s Guidance on Data Security Measures
Against this background, and as concerns on data security have reached an all-time high, it is desirable that some practicable recommendations on data security measures be provided for data users in Hong Kong to facilitate their understanding as well as compliance with the relevant requirements under the Ordinance. It is in this light that my Office has recently published the Guidance Note on Data Security Measures for Information and Communications Technology (“the Guidance”).
The Guidance provides recommendations on six key areas as follows:
Data governance and organisational measures
The Guidance recommends data users to establish clear policies and procedures on data governance and data security about such aspects as staff’s respective roles and responsibilities in maintaining the information and communications technology (“ICT”) systems, data security risk assessments, and the outsourcing of data processing and data security work. When it comes to manpower deployment, the Guidance recommends that suitable personnel in a leadership role, such as a Chief Information Officer, a Chief Privacy Officer or an equivalent person, should be appointed to bear responsibilities for personal data security. Sufficient training should be provided for staff members at induction and regularly thereafter to ensure their familiarity with the requirements under the Ordinance and the data user’s data security policies and procedures.
Risk assessments
Data users are recommended to conduct risk assessments on data security for new systems and applications before launch, as well as periodically thereafter pursuant to established policy and procedures. For small- and medium-sized enterprises that may not have the relevant expertise, they should consider engaging third-party specialists to conduct security risk assessments. Results of risk assessments should be reported to senior management, and security risks identified in risk assessments should be addressed promptly.
Technical and operational security measures
The Guidance recommends that a data user should put in place adequate and effective security measures to safeguard the information and communications systems and personal data in its control or possession based on the nature, scale and complexity of the ICT and data processing activities, as well as the results of risk assessments. A list of recommended technical and operational measures, ranging from securing computer networks, database management and access control to encryption and anonymisation of data, is provided in the Guidance for the reference of data users.
Data processor management
It is an increasingly common practice to engage contractors as data processors for processing personal data. A case in point includes service providers for cloud and data analytics services. Given that the Ordinance imposes a positive duty on data users to ensure that contractual or other means be adopted to safeguard the security of person data transferred to data processors, the Guidance recommends a list of actions which data users may take before and when engaging a data processor.
Remedial actions in the event of data security incidents
Timely and effective remedial actions taken by a data user after the occurrence of a data security incident will help reduce the risks of unauthorised or accidental access, processing or use of the personal data affected, thereby reducing the harm that may do to the organisation or affected data subjects. The Guidance offers examples on common remedial actions that a data user may take in the event of a data security incident.
Monitoring, evaluation and improvement
A data user may commission an independent task force (e.g. an internal or external audit team) to monitor the compliance with the data security policy and periodically evaluate the effectiveness of the data security measures. It is recommended that improvement actions should be taken for non-compliant practices and ineffective measures.
In the light of the rapid evolution of the means, forms and complexity of cyberattacks, and the heightened expectation of the society as regards individuals’ personal data privacy, data security will likely take centre stage in the years to come. Indeed, a robust data security system is a core element of good data governance. I hope that the Guidance will help organisations and businesses, especially small and medium-sized enterprises, in Hong Kong strengthen their data security systems, thereby minimising their exposure to data security risks and enhancing their competitive edge in the digital era.
The Guidance, supplemented by case studies and infographic illustrations, is available in hard copy and can be downloaded at https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_datasecurity_e.pdf. 
