Ada Chung Lai-ling FCG HKFCG, Privacy Commissioner for Personal Data, Hong Kong, discusses the increasing trend of cyberattack incidents, and explains the guidance published by her Office on recommended data security measures for information and communications technology.
As we leap towards the fourth industrial revolution, digitisation is fast gaining ground and has revolutionised the way we hold and use data. Nonetheless, easier and faster means of processing and holding data come with increased data security risks, which can be detrimental to organisations of all sizes. Cyberattacks that target personal data for malicious purposes have been on the rise and have become one of the leading concerns for most businesses, especially those that provide online services and products. Such attacks may lead to financial losses, reputational damage, regulatory penalties and other harm. Regardless of their size, organisations may come under attack from threat actors at any time.
A notable example is the data breach incident of a major airline carrier in Hong Kong that happened in October 2018. The incident involved unauthorised access by external parties to the carrier’s servers, affecting around 9.4 million passengers worldwide. The damage arising from the incident not only tarnished the goodwill and reputation that the carrier had built up over the years, but also led to substantial financial losses. Besides being the subject of an investigation by my Office – the Office of the Privacy Commissioner for Personal Data (PCPD) – which concluded that the carrier had contravened the requirements of the Personal Data (Privacy) Ordinance (Cap 486) (the PDPO), the carrier was also fined £500,000 (about HK$4.8 million) by the UK Information Commissioner’s Office in 2020, and in 2021 paid Can$1,550,000 (about HK$9 million) to settle a class action brought against it in Canada.
The increasing trend of cyberattack incidents
Indeed, in recent years the leakage of personal data on the internet has become an unprecedented risk to internet users, with the number of data breaches rising steadily. According to the Mid-Year Update of the 2022 SonicWall Cyber Threat Report, compared with the first half of 2021, Asia and Europe experienced increases of 4% and 63%, respectively, in ransomware attacks in the first half of 2022. In particular, ransomware attacks targeting the financial and healthcare sectors showed triple-digit increases of 243% and 328%, respectively.
As for the data breach incidents handled by my Office, cyberattack incidents, including ransomware attacks, comprised almost 30% of the reported data breaches in both 2021 and 2022.
Common causes of data breaches
Data breaches can be caused by technical vulnerabilities or human error. In this article, I would like to focus on the technical risks, among which weak user passwords, phishing, unpatched vulnerabilities, outdated operating systems and software applications, and the installation of malicious software are some of the more common causes of data breach incidents.
From the incidents handled by my Office, we note that phishing and unpatched vulnerabilities are the two most common causes of data breaches. Our observation is in line with the statistics recently published by the Hong Kong Computer Emergency Response Team Coordination Centre (the Centre) in its Hong Kong Security Watch Report (Q3 2022). According to the report, phishing was the prime cause of the security incidents handled by the Centre in the third quarter of 2022, accounting for 65.3% of the cases.
At least four investigation reports published by my Office in recent years reflect the same phenomenon. In three reports (including the one relating to the airline carrier mentioned above), we concluded that the major factor, or one of the major factors, contributing to the data breach was the data user’s failure to identify a known, unpatched information security vulnerability and to take reasonably practicable steps to safeguard the security of its server or database, which left a loophole for unauthorised access. In another case, relating to an intrusion into the email system of a media company, it was found that one of the possible causes of the attack was that the relevant user passwords had been leaked to hackers through phishing.
Relevant requirements under the PDPO
Data Protection Principle (DPP) 4(1) of Schedule 1 to the PDPO requires a data user to take all practicable steps to ensure that any personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to:
- the kind of data and the harm that could result if any of those things should occur
- the physical location where the data is stored
- any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored
- any measures taken for ensuring the integrity, prudence and competence of persons having access to the data, and
- any measures taken for ensuring the secure transmission of the data.
It is noteworthy that DPP 4(1) imposes a positive duty on a data user to safeguard the security of personal data by taking all practicable steps. Whether a data user has taken all reasonably practicable steps is assessed on a case-by-case basis.
PCPD’s guidance on data security measures
Against this background, and as concerns about data security have reached an all-time high, it is desirable that some practical recommendations on data security measures be provided for data users in Hong Kong to facilitate their understanding of, and compliance with, the relevant requirements under the PDPO. It is in this light that my Office published the Guidance Note on Data Security Measures for Information and Communications Technology (the Guidance).
The Guidance provides recommendations on the six key areas outlined below.
1. Data governance and organisational measures
The Guidance recommends that data users devise clear policies and procedures on data governance and data security, covering the following aspects:
- the respective roles and responsibilities of staff in maintaining the information and communications technology (ICT) systems
- data security risk assessments
- access to data in, and export of data from, ICT systems
- the outsourcing of data processing and data security work
- the handling of data security incidents, including an incident response plan and reporting mechanism, and
- the destruction of data that is no longer necessary for the original purposes of collection or related purposes.
Aside from devising the above policies and procedures, it is also important to deploy appropriate manpower for data governance. In this regard, the Guidance recommends that suitable personnel in a leadership role, such as a Chief Information Officer, a Chief Privacy Officer or an equivalent person, be appointed to bear responsibility for personal data security. The number, seniority and technical competence of the staff members allocated to data security should also be proportionate to the nature, scale, complexity and data security risk of the data processing activities.
Furthermore, sufficient training should be provided for staff members at induction and regularly thereafter to ensure their familiarity with the requirements under the PDPO and the data user’s data security policies and procedures.
2. Risk assessments
Data users are recommended to conduct risk assessments on data security for new systems and applications before launch, as well as periodically thereafter pursuant to established policy and procedures.
Small and medium-sized enterprises that may not have the relevant expertise should consider engaging third-party specialists to conduct security risk assessments.
The results of risk assessments should be regularly reported to senior management and any security risks identified in risk assessments should be addressed promptly.
3. Technical and operational security measures
The Guidance recommends that, based on the nature, scale and complexity of the ICT and data processing activities, as well as the results of risk assessments, a data user should put in place adequate and effective security measures to safeguard the information and communications systems and personal data in its control or possession.
A list of recommended technical and operational measures is provided in the Guidance for data users’ reference. The measures fall under eight major categories:
- security of computer networks
- database management
- access control
- firewalls and anti-malware software
- protection of online applications
- encryption of data
- prevention of unauthorised disclosure of data through emails or during file transfers, and
- backup of data and timely destruction or anonymisation of unnecessary data.
4. Data processor management
It is increasingly common for data users to engage contractors as data processors to process personal data; providers of cloud and data analytics services are cases in point.
Given that the PDPO imposes a positive duty on data users to ensure that contractual or other means are adopted to safeguard the security of personal data transferred to data processors, the Guidance recommends a list of actions which data users may take before and when engaging a data processor. These actions include:
- implementing policies and procedures to ensure that only competent and reliable data processors will be engaged
- conducting assessment to ensure that only necessary personal data is transferred to the data processor
- clearly stipulating in the data processing contract the security measures that must be taken by the data processor
- requiring the data processor to notify the data user immediately of any data security incident, and
- conducting field audits to ensure compliance with the data processing contract by the data processor and imposing consequences for breach of contract.
5. Remedial actions in the event of data security incidents
Timely and effective remedial actions taken by a data user after the occurrence of a data security incident will help reduce the risks of unauthorised or accidental access, processing or use of the personal data affected, thereby reducing the harm that may be caused to the affected organisations or individuals.
The Guidance offers examples of common remedial actions that a data user may take in the event of a data security incident. These actions include:
- where practicable, immediately stopping the affected ICT systems and disconnecting them from the internet and from the data user’s other systems
- immediately changing the passwords, or revoking the access rights, of users suspected to have caused or contributed to the data security incident
- immediately changing system configurations in order to control access to the affected ICT systems
- notifying the affected individuals without undue delay and providing them with suggestions on possible actions for self-protection
- notifying my Office and, where applicable, law enforcement agencies or other regulators without undue delay
- fixing the security weaknesses in a timely manner, and
- where practicable and to the extent that it does not affect future forensic analysis, scanning the ICT systems for any other unknown security vulnerabilities.
Furthermore, a data user should take into consideration lessons learnt from a data security incident to review and strengthen its overall data governance and data security measures.
6. Monitoring, evaluation and improvement
A data user may commission an independent task force (for example, an internal or external audit team) to monitor compliance with the data security policy and periodically evaluate the effectiveness of the data security measures. Improvement actions should be taken in respect of non-compliant practices and ineffective measures.
Role of governance professionals
Given the rapid evolution in the means, forms and complexity of cyberattacks, and society’s heightened expectations regarding individuals’ personal data privacy, data security will likely take centre stage in the years to come. Indeed, governance professionals will increasingly need to grapple with data security issues in their daily work and provide pertinent advice to the board on data governance and security issues. Governance professionals are also very well placed to supervise, and advise on, organisations’ handling of data breach incidents. I hope that the Guidance and the information pamphlet will serve as a ready reference for governance professionals in the performance of their roles in this regard.
Ada Chung Lai-ling FCG HKFCG
Privacy Commissioner for Personal Data, Hong Kong
The Guidance, supplemented by case studies and infographic illustrations, is available in hard copy and can be downloaded from the Resources Centre/Publications section of the PCPD website: www.pcpd.org.hk.