Investigation reports from the Privacy Commissioner can serve as salutary reminders to the #privacy advocates on how to handle certain situations.
This came to the fore in the investigation report published by the Office of the Privacy Commissioner in Hong Kong on 17 February 2022 in respect of a hacker’s intrusion into the email system of an international company with a subsidiary in Hong Kong.
The company took some positive action; such as changing the passwords on the affected accounts and disabling the forwarding function on the same day the incident was discovered, plus the company decided to notify the Privacy Commissioner about the data breach (even if this is not mandatory in Hong Kong).
Additionally, the company also migrated the email system to a cloud-based service email provider, which offered strong password security and multi-factor authentication. Other technical improvements were made to information security systems. For example, the company has updated its Information Management Regulations, requiring signed acknowledgment from its employees of having read and understood its provisions and engaging external professionals to conduct training sessions on information security, and committed to undertake training on an annual basis.
However, the data breach was followed by an investigation report highlighting some common features and failings of data breach incidents:
- The intrusion lasted for at least four months before it was discovered
- It takes an eventual odd occurrence to trigger an action such as, in this case, a delivery failure message on an email and an alert employee who escalated the report for further investigation
- 24 out of the 41 emails account of the company belonged to former staff members and were no longer in use
- The hacked email accounts all used the same password, that was the default password.
- The web-based email service in use did not support multi-factor authentication.
Following this, the Privacy Commissioner issued an enforcement notice for certain prescribed steps to be taken. These steps, inevitably focus on concrete remedies to be taken to correct a data breach. Such notice certainly indicates the policy steps the Privacy Commissioner hopes businesses will adopt. These are some of the recommendations proposed by the Privacy Commissioner in the investigation report:
- establish a privacy management program;
- appoint a data protection officer;
- adopt a policy on email communications; and
- instill a privacy-friendly culture in the workplace.