According to the report on the work of the Office of the Privacy Commissioner for Personal Data (PCPD) in 2015, 98 data breach incidents were reported to the PCPD in 2015, affecting 871 000 Hong Kong individuals and representing an increase of 40 per cent and 17.5 times respectively when compared with the 70 incidents and 47 000 individuals affected in 2014. The PCPD pointed out that some of these data breach incidents involved hacking and malware invasion, inadvertent disclosure of personal data by email, security vulnerability found on websites and computer networks of organisations, etc. Under the Personal Data (Privacy) Ordinance (Cap. 486), an individual who believes that he or she suffers damage due to infringement of his or her personal data privacy may seek compensation from the data user concerned under the Ordinance. In view of this, some foreign and Hong Kong insurance companies have offered in recent years insurance products concerning cyber-attacks, which cover areas including claims for compensation arising from leakage of personal data, leakage of data in breach of data protection obligations, defence costs in criminal and civil proceedings, etc. In this connection, will the Government inform this Council:
(1) whether it knows the details of the personal data involved in the data breach incidents reported to the PCPD in the past three years (including the nature of the data, and whether they involved credit card data), and whether the data users concerned had to make any compensation to the data subjects for such incidents; if so, of the relevant figures;
(2) given that data users report data breach incidents to the PCPD only on a voluntary basis, whether the authorities have considered making such reporting a mandatory legal obligation; if they have, of the details; if not, the reasons for that;
(3) given that with the development of technology, the volume of personal data handled by the organisations and enterprises in various sectors and industries will be on the increase, whether the authorities know if the PCPD has launched publicity and promotional activities with a view to boosting the importance attached to the protection of personal data by various organisations and enterprises; if the PCPD has, of the details; if not, the reasons for that; given that some members in the business sector have pointed out that some small and medium enterprises (SMEs) are vulnerable to cyber-attacks, whether the authorities have specific measures to assist SMEs in resisting cyber-attacks, so as to prevent the leakage of personal data from their systems; if they do, of the details; if not, the reasons for that; and
(4) given that while some members in the insurance industry have predicted that the demand for the aforesaid insurance products will be on the increase, and the underwriters and loss adjusters concerned need to possess professional expertise in related fields such as computer system, network security protection and insurance, in order to investigate network security vulnerabilities, assess the amount of losses, put forward suggestions for improvement, etc., whether the authorities have assessed if the insurance industry has enough talents possessing the relevant professional expertise at present; if they have assessed and the outcome is in the affirmative, of the details; if the outcome is in the negative, the measures the authorities will take to help the insurance industry upgrade the relevant human resources?
On the Hon Chan Kin-por’s enquiry, after consulting the Office of the Privacy Commissioner for Personal Data (PCPD), the Innovation and Technology Bureau and the Financial Services and Treasury Bureau (FSTB), we would like to provide a consolidated reply as follows:
(1) During the period from June 2013 to May 2016, the PCPD received a total of 253 notifications of data breach incidents. The personal data involved mainly included names, personal identification numbers (e.g., identity document number, student number, staff number) and contact information. Other types of personal data which were relatively common in these breach notifications included gender, nationality, date of birth, past payment amounts, etc. Credit card data were involved in seven cases. The PCPD does not have information on whether any data user in the 253 cases provided compensation to data subjects as a result of the breaches.
(2) It is the Government’s understanding that the arrangements for reporting incidents of personal data breach vary across jurisdictions. At present, only a small number of jurisdictions have put in place mandatory requirements for the data users concerned to report data breaches to the authorities responsible for privacy or data protection; in some jurisdictions, the reporting requirements apply only to individual specified industries or sectors.
During our review of the Personal Data (Privacy) Ordinance in 2009, views of the public were sought on the reporting mechanism for data breach incidents. Of the views received, the majority considered a voluntary reporting mechanism more preferable. The PCPD subsequently issued the Guidance on Data Breach Handling and the Giving of Breach Notifications in June 2010, and updated the Guidance in October 2015. We will continue to monitor developments in this respect.
(3) The PCPD is committed to promoting the culture of “protecting and respecting personal data”. Since 2014, the PCPD has been proactive in advocating the implementation of Privacy Management Programmes (PMPs) in organisations and enterprises, encouraging them to embrace personal data privacy protection as part of their corporate governance responsibilities, and promoting the concept, design, implementation and benefits of PMPs through various channels like promotion fora and workshops.
Regular corporate training activities organised by PCPD for different trades and industries include courses, talks and industry-specific campaigns, with the aim of promoting best practices in matters relating to the collection and management of personal data, information security, etc., and encouraging organisations to formulate corporate-wide strategies for privacy protection. In the past three years, the trades and industries covered by these activities included banking/financial services, insurance, legal services, mobile applications development, telecommunications, property management, retail, hotel, medical and health services, etc.
Last year, the PCPD launched an Online Training Platform together with the on-line study kit “Self-training Module on Protection of Personal Data for Small and Medium Enterprises (SMEs)”, which provides practical tips to SMEs for the day-to-day operation of business functions. Upon completion of the module, the SMEs may draw up their own privacy programmes and will receive a report analysing how personal data are being handled by their organisations, with suggestions and recommendations provided. The PCPD has partnered with the Trade and Industry Department, “SME One” of the Hong Kong Productivity Council, the SME Centre of Hong Kong Trade Development Council, etc. in organising talks to promote the above online study kit to SMEs.
Furthermore, the Government is committed to promoting information security awareness and data protection, including personal data protection, among local businesses especially SMEs and providing appropriate support. Through the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), the Office of the Government Chief Information Officer (OGCIO) co-ordinates computer security incident response, monitor and disseminate security alerts, and promote information security awareness to local enterprises and the public. The “SME Free Web Security Health Check Pilot Scheme” of the HKCERT provides free website vulnerability scanning service for participating SMEs and advises on information security improvements. In addition, the OGCIO works with the HKCERT to promote the “Check-Act-Verify” approach to SMEs, helping them identify potential cyber threats, take improvement measures and verify the effectiveness of the measures. To raise awareness of enterprises and the public on data protection and cyber security, the Government has resorted to channels including public seminars, contests, websites, radio broadcasting, social media, etc. (for example, the public seminars under the SME management workshop on “Cyber Security & Safety Measures for Businesses” and the “Protecting Data from Ransomware Attacks” held in March and May this year) to strengthen education and promotion.
(4) According to the Office of the Commissioner of Insurance, cyber insurance products are currently offered by several insurers in Hong Kong. We understand that generally these products may cover economic loss and legal liabilities arising from personal data breach. As cyber insurance calls for a wide range of specialist expertise and skills, particularly in the field of information technology, the demand for these talents is relatively high.
To enhance the training of talents in the sectors of insurance and asset and wealth management, the Government has allocated $100 million to launch a three-year pilot programme. The initiatives to be implemented include providing subsidies for organising high-quality and highly technical training courses. The Steering Committee of the pilot programme has discussed the need for providing specialised training courses on cyber insurance. The FSTB will liaise with the industry on the details of the relevant training courses at a later stage.