Skip to content

Newspaper Column

PCPD in Media

"Safeguarding Data Security in Hong Kong: A Call to Action" – Privacy Commissioner’s article contribution at Hong Kong Lawyer (Dec 2023)

The age of digital transformation has revolutionised the ways in which businesses and organisations operate. Through harnessing the power of data and emerging technologies, such as generative artificial intelligence (AI), the Internet of things, cloud computing, and blockchain, enterprises benefit from an abundance of opportunities for enhanced efficiency, connectivity, and productivity. From online shopping to creating a centralised health-care database, or from e-learning to instant transportation data, the far-reaching impact of digitalisation has been instrumental in driving innovation, redefining customer engagement, and streamlining operations in different sectors of the economy and society.

However, this digital boom is not without its challenges. As the world becomes increasingly digitalised, the accompanying cybersecurity threats such as ransomware, phishing, and malware attacks are growing. With cybersecurity and the protection of personal data privacy being complementary in nature, the increasing prevalence of cybersecurity attacks means that the risk of personal data breaches is also rising.

The rising tide of cybersecurity threats
Data security threats have been brewing for some time, with recent signs of escalation. At the international level, there has been a significant surge in the frequency and sophistication of cybersecurity attacks. According to the 2023 Mid-Year Cyber Security Report published in August 2023 by Check Point, a global cybersecurity firm, there has been an 8% increase in the number of weekly attacks during the second quarter of 2023, making it the most significant increase in two years. Data breaches resulting from cybersecurity attacks have become a more frequent occurrence, with multinational companies, foreign governments, and even a cybersecurity firm all falling prey to cybersecurity attacks in 2023, leading to the mass leakage of sensitive personal data, including health and employment data and online account credentials.

On the local front, over 110 cases of data breach incidents had been reported to my Office as of October 2023. In the latter part of 2023, several public organisations suffered back-to-back ransomware attacks, raising public concerns over the security of data held by public organisations. According to a study conducted by Green Radar (Hong Kong) Limited, a local cybersecurity firm, there has been a concerning 86% increase in phishing email attacks in 2023; and it is suggested that AI technologies such as ChatGPT have an increasingly significant part to play in creating phishing content.

The dire consequences of cybersecurity attacks
Cybersecurity attacks come in many forms, each of which has the potential to cause severe consequences to both enterprises (as data users) and individuals (as data subjects). Amongst them, phishing attacks that trick individuals into revealing account information through fraudulent links or websites, and malware (malicious software) or ransomware attacks (that involve hackers encrypting a victim’s data and then demanding a ransom payment in exchange for the decryption key) are three of the most common forms of cybersecurity attacks.

The fallout from cybersecurity attacks can be catastrophic. For enterprises, the disruptions to their operations caused by cybersecurity attacks may lead to financial losses and damage to their reputation and goodwill, which in turn may result in the loss of business opportunities and even a decline in the market value of the business. As an illustration, the major data breach that affected Australia’s Medibank in 2022 led to a significant plunge in the company’s share price, with its market capitalisation falling by 1.8 billion Australian dollars in just one day.

In addition, cybersecurity attacks may result in personal data theft and exploitation where personal data may be sold on the dark web, thereby exposing individuals to the danger of targeted cybersecurity attacks, identity theft, and unwanted direct marketing or spam messages, all of which can lead to losses or damages suffered by the concerned individuals.

With the threats and damaging consequences of cybersecurity attacks rising, data security is a pressing concern to us all.

A closer look at the Hong Kong scenario
In Hong Kong, Data Protection Principle (“DPP”) 4(1) of Schedule 1 to the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”) requires a data user to take all practicable steps to ensure that any personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to:

  1. the kind of data and the harm that could result if any of those things should occur;
  2. the physical location where the data is stored;
  3. any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
  4. any measures taken for ensuring the integrity, prudence, and competence of persons having access to the data; and
  5. any measures taken for ensuring the secure transmission of the data.

A data user, being the person who either alone or jointly or in common with other persons, controls the collection, holding, processing, or use of personal data, is therefore under a positive duty to safeguard the security of personal data by taking all reasonably practicable steps.

With a view to obtaining a better understanding of the cybersecurity readiness and privacy awareness of enterprises, my Office has commissioned the Hong Kong Productivity Council to conduct the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness Survey 2023” this year.

A total of 378 enterprises were surveyed in September 2023, including both corporates and small and medium-sized enterprises (SMEs) from six business categories, namely, (i) financial services; (ii) retail and tourism related; (iii) manufacturing, trading and logistics; (iv) information and communications technology (ICT); (v) professional services; and (vi) NGOs, schools, and others.

The results of the survey indicate that there is an overall decrease in cybersecurity readiness amongst enterprises, from 53.3 points out of 100 in 2022, to 47.0 points in 2023, which is the largest drop since the launch of the Cyber Security Readiness Index in 2018. Alarmingly, a staggering 73% of the surveyed enterprises have encountered cybersecurity attacks in 2023, which is a record high. The attacks included phishing, malware, ransomware, and other forms of attacks.

Regarding the thematic survey on privacy awareness, enterprises were surveyed on, inter alia, their awareness and current practices of privacy protection, their perceived level of difficulty in complying with the Ordinance, and their usage of and perceived level of risk in relation to emerging technologies, such as generative AI, data analytics, work process automation, and blockchain-related technologies.

Notably, although 64% of the surveyed corporates plan to implement, are in the course of implementing, or have fully implemented the Personal Data Privacy Management Programme (PMP) – a programme advocated by my Office to incorporate personal data protection as part and parcel of an enterprise’s data governance responsibilities – only 45% of SMEs are following suit.

Unsettlingly, the survey revealed that 21% of the surveyed corporates and 46% of SMEs have not implemented any privacy or data security protection measures, such as establishing internal policies in handling personal data, putting in place data breach notification mechanisms, or providing staff training on data privacy and compliance with the Ordinance.

There is clearly a gap to be closed.

The imperative to undertake proactive privacy and data security measures
The findings from the survey indicate that there is a gap in the level of preparedness and awareness regarding cybersecurity and data privacy amongst enterprises in Hong Kong. As the idiom “an ounce of prevention is worth a pound of cure” suggests, in the wake of recent cybersecurity incidents, it is imperative for enterprises to take proactive steps to safeguard data security to ensure that they can fend off future attacks.

As an organisational measure to enhance data governance, enterprises are encouraged to implement their own PMPs to ensure the responsible collection, holding, processing, and use of personal data.

Regarding data security, in addition to employing strong information technology security measures, enterprises are advised to conduct routine system risk assessments and penetration tests to identify existing or emerging threats, and to promptly address the vulnerabilities identified through patch management. Furthermore, enterprises should ensure that their privacy policies and practices are in continuous compliance with the Ordinance, as well as conduct privacy impact assessments before launching a new project, product, or service to discover and rectify any potential privacy risks at an early stage.

It is worth noting that human error is a frequent cause of data breaches. Therefore, ongoing staff training on data security best practices and drills are essential to reduce the risk of data breaches. Furthermore, a data protection officer should be appointed to ensure compliance with all legal requirements and internal risk control mandates.

Last but not least, to prepare for the unfortunate event of a data breach, a comprehensive data breach incident handling protocol or contingency plan, which includes aspects such as a designated internal and external reporting mechanism, as well as risk assessment and investigation procedures, is crucial to minimise damage, recover compromised data, and prevent future occurrences of similar types of breaches.

Supporting enterprises in safeguarding data security
To assist enterprises in safeguarding data security, my Office has dedicated its efforts over several years to produce a wide variety of resources on data security, including the safe and responsible use of AI technology.

To name a few, my Office issued the “Guidance on Ethical Development and Use of AI” in 2021 on the responsible use and development of AI technology. We also issued the “Guidance Note on Data Security Measures for Information and Communications Technology” in 2022 on the recommended measures to enhance data security and mitigate emerging threats, and the “Guidance Note on Data Breach Handling and Data Breach Notifications” in 2023 on the proper handling of data breach incidents.

With data security being one of my Office’s top working priorities, we recently launched the Data Security thematic webpage, a data security hotline, and the “Data Security Scanner” self-assessment toolkit for enterprises.

The Data Security thematic webpage offers one-stop access to vast amounts of resources on data security, including security alerts, the latest updates on data security, statistics and information concerning data breaches, as well as relevant legal and educational information, all with the tap of a finger.

In addition, a “Data Security Scanner” is accessible from the Data Security thematic webpage. This is a self-assessment toolkit developed by my Office to provide enterprises with a hassle-free means to assess the adequacy of their data security measures for their ICT systems, and to obtain advice or recommendations to enhance their data security in compliance with the requirements of the Ordinance. I firmly believe that these practical and convenient resources can assist enterprises to strengthen their capabilities in forestalling any possible cybersecurity attacks.

A call to action
As we reap the benefits of the digital age, we must stay vigilant to the escalating cybersecurity threats that come hand in hand with the benefits. It is opportune for enterprises, irrespective of their size or the sector in which they operate, to take action to enhance data security. This will not only serve to safeguard individuals’ data privacy rights but also foster the development of a relationship of trust between enterprises and their customers or stakeholders, thereby contributing to the success and sustainability of the enterprises in the long run.

In closing, enterprises are under a positive duty under the law to safeguard the security of personal data by taking all reasonably practicable steps. To cite Benjamin Franklin, “By failing to prepare, you are preparing to fail”. Let’s work together to create a safe and secure technological ecosystem in the era of Web 3.0 while leveraging the benefits brought by a digital economy and digital Hong Kong.

The “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness Survey” report, the guidance notes mentioned above, and the “Data Security Scanner” are accessible on the website of the Office of the Privacy Commissioner for Personal Data (