Out-Law Analysis
06 Jan 2021, 9:38 am
It is a business imperative to be able to act quickly in the event of a data breach.
A speedy response can enable businesses to minimise any economic loss and business interruption they might experience, and it can also help them to limit the extent of that breach and meet reporting requirements they may be subject to.
In Hong Kong, recent data shows that security incidents remain highly prevalent: there were 6,312 security incidents in the first three quarters of 2020, more than the total figure of 6,058 recorded for the whole of 2016, and compared with a total figure of 9,458 reported for 2019, according to the Hong Kong Computer Emergency Response Team Coordination Centre.
These incidents are arising at a time when there is growth in organisations' data footprint in light of an increase in remote working and adoption of new communication services during the ongoing coronavirus crisis.
While many businesses now have to spread their net wider to address cyber risk, cyber criminals continue to step up their pursuit of valuable datasets. There was an explosion in 2020 in the number of Covid-19-related lures being used by cyber criminals to seek to inject malware and gain access to infrastructure, and ultimately access businesses' data.
Taken together, these factors highlight the heightened risk environment businesses are operating in. Any business can be impacted by a data breach, and where a breach of data security involves personal data, it is likely to constitute a breach of data protection principle four under the Personal Data Privacy Ordinance in Hong Kong. A 2019 report by Chubb Insurance found that the most commonly breached data files among SMEs in Hong Kong were customer records and employee records.
As previously highlighted, to best address the data risks they face, and be in the best position possible to innovate with data, businesses need to get the 'data basics' right first – to know what data they collect, where it is stored and whether data subjects are aware of the data being collected about them and how it is being used. A data mapping exercise can help organisations understand the volume and type of information they collect, including whether the data constitutes personal data and falls subject to data protection law.
A study by Pinsent Masons last year found that the way businesses organise the data they hold and address security weaknesses identified in the aftermath of cyber incidents has come into sharp focus from regulators across the globe. Having a thorough and tested data breach incident response plan that can be implemented in the immediate aftermath of a breach is vital in this respect, and will further help businesses resume operations faster than they might otherwise in the event that a data breach leads to disruption to services.
There is important information that businesses should seek to decipher in the immediate aftermath of a data breach:
After the incident, the company would also need to consider:
Involving legal advisers at the outset can help businesses meet their duties around legal compliance and help them preserve their position in respect of any potential regulatory investigations or litigation that may arise.