Blog Post

What the PCPD’s Data Breach Guidance Means for Impacted Organizations

Eva Kwok

Eva Kwok
Senior Managing Director,
FTI Cybersecurity

Frances Chen

Frances Chen
Managing Director,
FTI Technology

  • LinkedIn icon
  • Twitter icon
  • Print icon

Due to the frequency, sophistication, and severity of cyber attacks, coupled with data privacy concerns, proper cybersecurity protections and programs, including a data breach response plan, are critical to mitigate cyber and privacy risks and maintain business operations.

To help organizations maintain high standards for facing these challenges, Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) released updated “Guidance on Data Breach Handling and Data Breach Notifications.”1 The revisions offer guidance regarding how to comply with the Personal Data (Privacy) Ordinance (PDPO), and recommendations on adapting written data breach response plans. These are aimed at helping organizations to better identify, mitigate, assess, and contain damages caused by the data breach incident.2

It is important to note that the updated document serves as guidance and is not mandatory for organizations to follow. However, if an investigation or complaint occurs because of a cybersecurity or privacy related incident, the PCPD can take steps to determine if the organization met PDPO compliance requirements. 3 It is imperative that organizations align with the new guidance. Engaging proactively with the PCPD's recommendations not only shields entities from potential penalties but also fortifies its cybersecurity and privacy defenses, ensuring a robust response to any breach while safeguarding its reputation and stakeholder trust.

Doing so can help to avoid potential penalties, and in turn, mitigate cybersecurity and privacy risks through following data breach handling and notification actions outlined in the guidance.

What Has Changed

New and tightening disclosure notification requirements set by regulators are making waves across the globe, and the PCPD’s guidance follows suit.4 The PCPD states that “the data user should notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the data breach is likely to result in a real risk of harm to those affected data subjects.”5

There is a global push for governing bodies to become aware of incidents in a timelier fashion, which suggests that protecting user information and their privacy is a priority for the PCPD, similar to its worldwide counterparts. The revised guidance emphasizes the importance of implementing protections against a data breach to avoid causing damage to data subjects, especially if the breach involves sensitive information.

If an incident does occur, the guidance also recommends preparations to effectively manage the incident, from the immediate response to documenting and disclosing the aftermath. Further, the PCPD also uses this guidance to discuss the importance of learning from data breaches through post-incident assessments, which can identify root causes and remediation measures that need to be implemented, with the goal of preventing or reducing the impact of future breaches.

Next Steps

The PCPD recommends developing and/or updating a data breach response plan, which includes a “strategy for identifying, containing, assessing and managing the impact.”6 This development and updating phase should also include considering the unique cyber and privacy threats facing the organization, and how the data breach response plan can be tailored to mitigate these risks. The goal of this plan is to create a process that allows for a quick and effective response and recovery. In other words, creating a resilient foundation.

Effective incident response, whether to a data breach, cybersecurity incident, or privacy issue, is critical in mitigating financial and reputational damages, avoiding legal and regulatory repercussions, and restoring the trust of data subjects, something the PCPD’s guidance recognizes.

Containment measures are also included in the guidance document, providing steps to help reduce damage caused to data subjects. These recommendations include technical measures, such as disabling certain systems impacted by the breach, and non-technical actions, such as alerting law enforcement or associated financial institutions. 

More specifically, organizations are encouraged to follow these general, but key, steps when responding to a data breach: 

  • Immediate gathering of essential information
  • Containing the data breach
  •  Assessing the risk of harm
  • Considering giving data breach notifications
  • Documenting the breach

The Importance of the Guidance

Despite the PCPD releasing this document as guidance versus required action, its announcement stresses how seriously data breaches are viewed in Hong Kong. It reiterates the significance of taking a proactive approach to combatting threats to data protection and privacy, both to organizations and individuals.

In addition to shining light on the issue of protecting data and maintaining privacy, the guidance is designed to help organizations face the challenges of protecting against and responding to data breaches. The practical advice offered should help raise the collective bar regarding cybersecurity and privacy protections, helping secure personal and sensitive information. It is also worth noting that there is a possibility of amending the PDPD to include mandatory notification requirements for data breach incidents. An organization is a licensed corporation under the Securities and Futures Commission or an authorized institution under the Hong Kong Monetary Authority, the organization (e.g., financial institutions, financial intermediaries, or insurance companies) may be subject to additional data breach requirements.

[1] “Guidance on Data Breach Handling and Data Breach Notifications,” Office of the Privacy Commissioner for Personal Data, Hong Kong (updated June 2023), https://www.pcpd.org.hk/english/resources_centre/publications /files/guidance_note_dbn_e.pdf.
[2] Id
[3] Id
[4] Jordan Rae Kelly and Adriana Villasenor, “SEC’s New Cybersecurity Rules Have Global Reach,” Corporate Compliance Insights (August 22, 2023), https://www.corporatecomplianceinsights.com/sec-cybersecurity-rules-global-reach/.
[5] “Guidance on Data Breach Handling and Data Breach Notifications,” Office of the Privacy Commissioner for Personal Data, Hong Kong (updated June 2023), https://www.pcpd.org.hk/english/resources_centre/publications /files/guidance_note_dbn_e.pdf.
[6] Id

FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.

FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2023 FTI Consulting, Inc.

All rights reserved. fticonsulting.com
 

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.