How should employers protect personal data? A review of the Nikkei data breach
The recent investigation report on the hacking of the email systems of Nikkei China (Hong Kong) Limited ("Nikkei") published by the Privacy Commissioner for Personal Data ("PCPD") on 17 February 2022 is a helpful reminder to employers to protect against cyberattacks and ensure compliance with the Personal Data (Privacy) Ordinance (Cap. 486) (the "Ordinance").
Hong Kong's Data Privacy Laws
The Ordinance provides that data users, such as employers, must comply with Data Protection Principles ("DPP") when collecting, handling and using personal data of data subjects (i.e. the individual who is the subject of the personal data). Typically for employers, this would include its employees' and clients' personal data (such as the individual's identity card number, address, contact number and banking account records). If that personal data is collected, handle and or used, the employer will need to comply with the following DPPs:-
i. DPP1: Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the employer. All practicable steps must be taken to notify the data subjects of the purpose of data collection, and the classes of persons to whom the data may be transferred. Employers can comply with these notification requirements by preparing a Personal Information Collection Statement.
ii. DPP2: Personal data must be accurate and up-to-date, and kept no longer than necessary. Employers should ensure that they practice prompt erasure of personal data that is no longer required for which the data is collected and used. For example, employers should erase personal data belonging to unsuccessful job applicants.
iii. DPP3: Personal data must only be used for the purposes for which they were collected or a directly related purpose, unless with the data subject's express and voluntary consent.
iv. DPP4: Employers must have security measures in place to ensure the security of personal data and protect against unauthorized or accidental access, processing, erasure, or use by other people without authority.
v. DPP5: Employers must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.
vi. DPP6: Data subjects must be given rights of access to their personal data and the right to correct any inaccurate record. Employers should be aware of the manner and timeframe for compliance with such requests.
The Nikkei Data Breach
On 17 March 2021, Nikkei lodged a data breach notification with the PCPD that a hacker had hacked into six staff email accounts and forwarded emails to two unknown email addresses. The incident led to the leakage of personal data of over 1,600 customers, including names, email addresses, addresses, company names, telephone numbers and credit card information. As a result, Nikkei was held to have contravened DPP4 by failing to take all reasonable measures to ensure that the personal data held by it is protected against unauthorised or accidental access, processing, erasure, loss or use.
The PCPD found that, Nikkei, at the time of the investigation, had in place a set of "Information Management Regulations" which set out the overall security management framework with respect to all company-owned information. Staff were verbally instructed to thoroughly study the content of this policy, which was held in a shared folder accessible to all staff members. In May 2018, Nikkei Inc. issued the “Table of Requirements for Security Management Measures” (Security Policy of the Parent Company) providing practical guidance on the security management measures applicable to the entire group of companies which Nikkei belonged to (including Nikkei). These included a password policy setting out the minimum length and complexity that a password should have.
Whilst most corporations are likely to have internal IT policies similar to Nikkei's to govern the handling of personal data, nonetheless, the PCPD still found four deficiencies in the security of Nikkei's email system at all material times:
i. Weak password management;
ii. Retention of obsolete email accounts;
iii. Lack of security controls for remote access to the email system; and
iv. Inadequate security controls on information system.
In light of these findings and notwithstanding its existing IT polices in place, the PCPD found that Nikkei failed to take all practicable steps to ensure that its customers' personal data was protected against unauthorized or accidental access, processing or use, thereby, contravening DPP4(1) of the Ordinance. The PCPD issued an enforcement notice to Nikkei directing it to remedy and prevent recurrence of the contravention.
Recommendations for employers
Employers are encouraged to consider the following good practices to ensure compliance with the DPPs. For example:
i. Establish detailed personal data management policies and practices and ensure that its employees are fully informed and understand these policies;
ii. Ensure that the Personal Information Collection Statement are updated and cater to the purpose each time personal data is collected;
iii. When data processors are engaged to process the personal data collected, ensure that there are proper contractual means to ensure that the data processor is compliant with the data security requirements;
v. Have in place a detailed response mechanism in the event of data breaches;
vi. Have in place a proper information security policy to incorporate a strong password management policy, a mechanism for regular deletion of expired or obsolete email accounts, and a mechanism for regular monitoring and auditing the use of email accounts;
vii. Formulate effective measures to ensure staff awareness and compliance with the information security policy;
viii. Engage independent data security experts to conduct routine reviews and audits of the security of information systems, including email systems, such as security monitoring, alerting functions to alert system administrators to any access or login to the system from unusual or unknown IP addresses;
ix. Provide up-to-date training and education to employees on information security with proper records of training processes and measurements of participation and effectiveness.
It is important that employers understand and comply with the Ordinance, as breach of statutory provisions may lead to significant fines, civil and criminal liability, and loss in employee and/or customer confidence and reputational damage.
RPC regularly assist and advise employers on compliance with the Ordinance and our work includes:-
- drafting data policies and personal information collection statements;
- reviewing data processing and transfer agreements;
- assisting with and responding to data access requests;
- advising on data breaches; and
- defending enforcement actions by regulatory agencies.
Please do not hesitate to contact us if you have any queries on this article or require advice and assistance on data protection in the workplace.
Our team at RPC are widely recognized as leading employment lawyers in Hong Kong. We are of the few specialist employment law practices in Hong Kong and we act for both employers and employees on contentious and non-contentious matters.
Please do not hesitate to contact our Partner and Head of the Employment Practice in Hong Kong, Andrea Randall (email@example.com / +852 2216 7208) for any queries regarding the issues raised in this article or any employment law related queries you may have.
All material contained in this article is provided for general information purposes only and should not be construed as legal, accounting, financial or tax advice, or as opinion to any person or specific case. RPC accepts no responsibility for any loss or damage arising directly or indirectly from action taken, or not taken, which may arise from reliance on information contained in this article. You are urged to seek legal advice concerning your own situation and any specific legal question that you may have.