With digitization advancing at breakneck speed, cyberattacks have emerged as a significant threat for most businesses, especially those that deliver services and products online. According to Check Point, an international provider of cybersecurity solutions, the average weekly cyberattacks per organization worldwide increased by 38 percent in 2022 when compared with 2021. Organizations of any size could be vulnerable to cyberattacks and suffer financial losses, reputational damage, regulatory penalties and other harm as a result.
The upward trend in cyberattacks has also led to a corresponding increase in data breaches, which stem not only from human blunders but also from technical weaknesses, including phishing, unpatched vulnerabilities, weak user passwords and the implantation of malicious software. Over the past five years, on average, about 26 percent of data breaches reported to the PCPD were caused by cyberattacks. In three of our recently published investigation reports, we concluded that the major factor, or one of the major factors, contributing to the data breach was the data user’s failure to identify a known unpatched security vulnerability and take reasonably practicable steps to safeguard the security of its server(s) or database(s), which left a loophole for unauthorized access.
Relevant requirements under the PDPO
The Personal Data (Privacy) Ordinance (PDPO) imposes a positive duty on data users to safeguard the security of personal data. Data Protection Principle 4(1) requires a data user to take all practicable steps to ensure that any personal data held by the data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to: the kind of data and the harm that could result if any of those things should occur; the physical location where the data is stored; any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored; any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and any measures taken for ensuring the secure transmission of the data.
PCPD’s guidance on data security measures
As concerns about data security have reached an all-time high, the PCPD published the Guidance Note on Data Security Measures for Information and Communications Technology, which provides recommendations on the following six key areas:
Data governance and organizational measures: First and foremost, data users are recommended to establish clear policies and procedures on data governance and data security, covering aspects such as staff’s respective roles and responsibilities in maintaining the information and communications technology (ICT) systems, data security risk assessments, and the outsourcing of data processing and data security work. Regarding manpower deployment, suitable personnel in a leadership role, such as a chief information officer or a chief privacy officer, should be appointed to bear responsibilities for personal data security. Sufficient training should be provided for staff members at induction and regularly thereafter to ensure their familiarity with the requirements under the PDPO and the organization’s data security policies and procedures.
Risk assessments: The guidance also recommends that data users conduct risk assessments on data security for new systems and applications before launch, as well as periodically thereafter pursuant to established policies and procedures. Small- and medium-sized enterprises (SMEs), which may not have the relevant expertise, should consider engaging third-party specialists to conduct security risk assessments. Results of risk assessments should be reported to senior management, and security risks identified should be addressed promptly.
Technical and operational security measures: A data user should put in place adequate and effective security measures to safeguard the information and communications systems and personal data in its control or possession based on the nature, scale and complexity of the ICT and data processing activities, as well as the results of risk assessments.
Data processor management: If data users engage contractors as data processors for processing personal data, they should ensure that contractual or other means are adopted to safeguard the security of personal data transferred to data processors. The guidance recommends actions for data users to take before and when engaging a data processor.
Remedial actions in the event of data security incidents: Timely and effective remedial actions taken by a data user after the occurrence of a data security incident will help reduce the risks of unauthorized or accidental access, processing or use of the personal data affected. The guidance offers examples on remedial actions that a data user may take following a data security incident.
Monitoring, evaluation and improvement: Nowadays, it is increasingly common for a data user to commission an independent contractor to monitor compliance with the data security policy and to periodically evaluate the effectiveness of the data security measures. We recommend that improvement actions be taken for non-compliant practices and ineffective measures.
As many accountants and chief financial officers (CFOs) are also responsible for overseeing and ensuring the proper operation of the information systems of their respective organizations, they are recommended to keep themselves abreast of the latest developments and measures in safeguarding data security. I believe that the guidance will help organizations and businesses in Hong Kong, especially SMEs, strengthen their data security systems and mitigate data security threats, thereby enabling them to gain a competitive edge in today’s digital economy.