Why acting quickly is vital when a data breach occurs

Out-Law Analysis | 06 Jan 2021 | 9:38 am | 3 min. read

It is a business imperative to be able to act quickly in the event of a data breach.

A speedy response can enable businesses to minimise any economic loss and business interruption they might experience, and it can also help them to limit the extent of that breach and meet reporting requirements they may be subject to.

In Hong Kong, recent data shows that security incidents remain highly prevalent – there were 6,312 security incidents in the first three quarters of 2020, more than the total of 6,058 recorded for the whole of 2016, and compared with a total of 9,458 reported for 2019, according to the Hong Kong Computer Emergency Response Team Coordination Centre.

These incidents are arising at a time when there is growth in organisations' data footprint in light of an increase in remote working and adoption of new communication services during the ongoing coronavirus crisis.

While many businesses now have to spread their net wider to address cyber risk, cyber criminals continue to step up their pursuit of valuable datasets. There was an explosion in 2020 in the number of Covid-19-related lures used by cyber criminals to inject malware, gain access to infrastructure and, ultimately, reach businesses' data.

Taken together, these factors highlight the heightened risk environment businesses are operating in. Any business can be impacted by a data breach, and where a breach of data security involves personal data, it is likely to constitute a breach of data protection principle four under the Personal Data (Privacy) Ordinance in Hong Kong. A 2019 report by Chubb Insurance found that the most commonly breached data files among SMEs in Hong Kong were customer records and employee records.

As previously highlighted, to best address the data risks they face, and be in the best position possible to innovate with data, businesses need to get the 'data basics' right first – to know what data they collect, where it is stored and whether data subjects are aware of the data being collected about them and how it is being used. A data mapping exercise can help organisations understand the volume and type of information they collect, including whether the data constitutes personal data and falls subject to data protection law.

A study by Pinsent Masons last year found that the way businesses organise the data they hold and address security weaknesses identified in the aftermath of cyber incidents has come into sharp focus from regulators across the globe. Having a thorough and tested data breach incident response plan that can be implemented in the immediate aftermath of a breach is vital in this respect, and will further help businesses resume operations faster than they might otherwise in the event that a data breach leads to disruption to services.

There is important information that businesses should seek to decipher in the immediate aftermath of a data breach:

  • what happened and/or when did it happen? The timing of incidents and the first knowledge of them by internal staff or, as relevant, any external third party data processors, is a vital consideration in the context of mandatory data breach notifications businesses are subject to in many jurisdictions – a discussion paper published by the Hong Kong government in January 2020 suggests similar reporting obligations could be written into the law in Hong Kong in due course too.
  • what is the root cause and/or what data has been taken and in which jurisdiction? If personal data has been compromised, you should understand the significance – for example, the number of data subjects affected and the type of personal data involved.
  • are there any remedial actions that could be taken or have been taken? Hong Kong's privacy commissioner and other data protection authorities around the world would expect a company to be able to identify the deficiencies revealed by a breach and set out the remedial actions it has taken, and will take, to prevent a recurrence of the incident. By acting quickly in this regard, businesses are more likely to avoid an enforcement notice from the privacy commissioner.

After the incident, the company would also need to consider:

  • revising personal data-related policies and practices to prevent similar breaches in future, including in respect of data retention;
  • providing proper guidance and training to staff to require compliance with relevant policies and practices;
  • dealing with complaints from customers and data access requests; and
  • defending civil claims from customers.

Involving legal advisers at the outset can help businesses meet their duties around legal compliance and help them preserve their position in respect of any potential regulatory investigations or litigation that may arise.