In Part I , we discussed the first two lessons learnt from the recent cyberattacks. We will share the final three lessons learnt from recent cyberattacks in Part II. 

Lesson 3: Avoid Collecting Children’s Data As Much As Possible 

In response to recent incidents involving children’s data, the Hong Kong Privacy Commissioner issued a Guidance Note in December 2015 (Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children) which recommends data users avoid, not just limit, collecting personal data of children.“[C]hildren may not fully understand all the privacy risks and may not know whether they should or how to refuse providing personal data. This is particularly relevant in relation to personal data that is more sensitive in nature, such as that related to health, biometrics, etc.” the Guidance says. 

Where collection of personal data of children is essential, companies should consider the vulnerability of children and adopt “age-appropriate” practices. These include: clearly separating “mandatory” and “voluntary” data provision requirements; avoiding open response questions (where children may share more data than is necessary); including warning messages where too much data is being supplied; and stating when they need to obtain the consent of a parent or guardian before supplying their data. It should also be made easy for a child to irrevocably delete any accounts created which contain their personal data.

Recommendation: Consider whether collecting children’s data is necessary and avoid doing so where possible. Follow official guidance when handling children’s data. 

Lesson 4: Review Security Measures – Are They Appropriate? 

Around the world, organisations that collect, or control the collection of, personal data are subject to broad security requirements which must be tailored to the organisation. For example, under Hong Kong law, “[a]ll practicable steps shall be taken to ensure that personal data […] are protected against unauthorised or accidental access, processing, erasure, loss or use…” According to guidance issued by the Hong Kong Privacy Commissioner in 2010 (DPPs in the PDPO - from the Privacy Commissioner’s Perspective), the security measures in place must be proportionate to the degree of sensitivity of the data and potential harm from loss. Therefore, the implementation of security measures requires a thorough assessment of various factors.  In case of a data breach, existing security measures will be a focus of the investigation and play a crucial role in the outcome of the investigation. 

Recommendation: Ensure that your IT and security teams implement and update security controls and procedures tailored to your organisation’s data processing activities.  This should include robust controls for access to customer databases, particularly those containing children’s data. 

Lesson 5: Implement A Data Breach Incident Response Plan

Mandatory data breach notification schemes are being increasingly introduced around the world.  In countries where data breach reporting is not yet mandatory, voluntary data breach notification regimes might exist (such as in Hong Kong).  With the ramifications of data breaches rarely confined to a single jurisdiction, the message to multinationals is that data breach reporting is becoming a key compliance obligation.  

The best way to comply with data breach notification requirements is the implementation of a data breach incident response plan (at country, regional or global level).  Such plan needs to clearly assign responsibilities and prescribe consistent incident response processes and protocols. A clear escalation process should also be incorporated to provide legal and compliance teams with the relevant information to assess whether or not a notification is required. 

Recommendation: Formulate a data breach incident response plan that is capable of effective implementation within your organisation. Speed and consistency in a time of crisis can make a difference to corporate credibility, customer confidence and the risk of sanction by the authorities.