29 July 2016
A recent possible hack of the Hong Kong Department of Health's (DH) record system may affect 17,000 patients.
On 19 July 2016, the DH discovered suspicious files on the computer server hosting its Immunisation Record System. The suspicious files were believed to have been saved on the server after a breach of the security system, which took place on 10 and 11 July 2016. The DH immediately suspended its computer server and reported the matter to the Privacy Commissioner and the Police. Enquiries and investigations into the incident are on-going.
The affected server was used by the DH to receive information from primary schools prior to visits by the DH School Immunisation Team to such schools in order to carry out vaccinations. The information transmitted included a database containing student names and was not stored on the server, but merely transmitted through it.
Potential breach of the PDPO?
Data protection principle 4 (DPP 4) of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) stipulates that data users are required to take all practicable steps to ensure that personal data held by them is protected against unauthorised or accidental access, processing, erasure or use.
However, the mere fact that a system has been hacked does not automatically mean that a data user is in breach of DPP 4. No security measure is foolproof. Whether or not a data user is in breach of DPP 4 will depend on the level of security and safeguarding measures the data user had in place and whether or not they were reasonably sufficient, taking into account the type of personal data concerned and the harm that could occur if there were a data breach. If such measures are considered by the Privacy Commissioner to be sufficient, then the relevant data user will most likely not be found to be in breach of DPP 4.
Cyber attacks and cyber security
The latest attack against the DH is just one of many. On 11 November 2015, VTech Holdings Limited was the victim of a hack, resulting in the largest ever cyber attack affecting children's data worldwide. On 23 December 2015, the Privacy Commissioner announced that it had commenced investigations into the SanrioTown website due to a security vulnerability which meant that the personal data of 3.3 million individuals could have been publicly accessible.
No organisation is immune to the risk of cyber attacks. Every organisation needs to take measures to tighten security by taking a proactive and preventative approach. It is no surprise that the cyber security spotlight has been shining on the financial industry in the last couple of years, given the volume and nature of the data it handles. On 18 May 2016, the Hong Kong Monetary Authority announced yet another measure, the commencement of its Cybersecurity Fortification Initiative. Its aim is to enhance the cyber security of financial institutions by: (i) introducing a cyber risk assessment framework; (ii) rolling out a new training programme to ensure that there is a steady supply of qualified cyber security professionals; and (iii) setting up a cyber intelligence platform to allow banks to share information regarding cyber threats.
Other organisations should perhaps heed the almost daily cyber warnings and actively fortify their cyber security measures, especially if they deal in high volumes of data and/or data that can be regarded as sensitive, such as medical data, children's data or credit card information, the loss of which could cause serious harm to an individual. It is not enough to have a simple "one-size-fits-all" approach. Given the shifting nature of today's technology landscape, in which new threats to data emerge at a dizzying rate, it is good business to conduct regular reviews to test for vulnerabilities. Any vulnerabilities that are exposed should be promptly and effectively rectified or, if not rectified, should be documented with a clear explanation as to why they have been left open. Such documentation will come in handy if there is a cyber attack and an investigation is conducted by the Privacy Commissioner or other regulators to determine whether the organisation has breached the PDPO or other relevant regulations.
Would you leave the door to your house wide open? Cyber attackers target any company, so why make yourself vulnerable to a possible hack and suffer eventual legal liability and reputational damage when you can invest now in putting the right procedures in place and taking steps to ring-fence your most valuable asset: your data. Damage to reputation may take a long time to fix. Taking proactive steps now to minimise the risk of cyber attacks, and having procedures in place in the event that an attack happens, may go a long way towards safeguarding a hard-earned reputation.