To reduce the spread of coronavirus, businesses ranging from MNCs to local SMEs have implemented work-from-home (“WFH”) arrangements; in some cases, remote working is a necessity due to social distancing regulations. Heavy reliance is placed on the internet for remote access and online communication, causing an unprecedented surge in internet traffic. This has increased data privacy risks, among other issues such as significant reductions in internet speed. Employers should ensure that the IT infrastructure of the business is secure and aim to mitigate the risk of a data breach.
Typically, office networks are better protected against data loss or privacy risks as they will have installed institutional protections such as virtual private networks (“VPN”), firewalls, stringent anti-virus software, and whitelisted IP addresses; a typical home network is unlikely to have such protections. Employers may consider the following points for the most effective safeguards of data privacy.
Legal Implications of Personal Data or Confidential Information Breach
Under the Personal Data (Privacy) Ordinance (“PDPO”), Data Protection Principle (“DPP”) 4 concerns the security of personal data. We have discussed DPP4 in a previous article “Data Privacy Focus Monday: Data Protection Principles (4) and (5) – Data Security and Openness”.
DPP4 requires data users to take all practicable steps to ensure that any personal data held is protected against unauthorised or accidental access, processing, erasure, loss or use, having regard to: the kind of data and the harm that could result; the physical location where the data is stored; any security measures incorporated; any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and any measures taken for ensuring secure transmission. Under DPP4, data users must also adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of data transferred to a data processor for processing.
Contravention of the PDPO or an enforcement notice issued by the Privacy Commissioner for Personal Data of Hong Kong (“Privacy Commissioner”) could result in criminal liability, with a maximum fine of HK$50,000 (with a daily penalty of HK$1,000) and imprisonment for 2 years, with subsequent convictions resulting in a maximum fine of HK$100,000 (with a daily penalty of HK$2,000) and imprisonment for 2 years. In addition, data subjects may seek compensation by civil action where the data user has contravened the PDPO.
Measures to Minimise Data Privacy Risks
1: Reviewing IT service contracts
Businesses should consider the contractual rights they may have and the obligations held by their IT service provider (whether it be for cloud storage, communications, or otherwise). Will non-performance [by the IT service provider] caused by COVID-19 be subject to a force majeure provision? We have discussed the importance of the force majeure clause in our previous article, “Commercial Contracts and the Importance of the Force Majeure Clause”. The current COVID-19 pandemic has highlighted the need for catch-all provisions, and for referencing specific possible events as well as unforeseeable events, when drafting commercial contracts. Unfortunately, many businesses may find themselves tied into a contract that is very difficult and expensive to complete; the drafting of future contracts, and of the force majeure clauses within them, therefore becomes a crucial element.
Additionally, most contracts contain exclusion of liability clauses that may limit the remedies your business can claim in the event of a data loss or breach. Possible exclusions include time bars and the exclusion of consequential or indirect losses.
A data processor is not directly liable to a data subject for infringement of his personal data privacy. Aggrieved data subjects may seek recourse from the data user who engaged the data processor. To comply with DPP2 and DPP4, businesses, as data users, must ensure that contractual means with processors are in place so that personal data is protected from unauthorised or accidental access, processing, loss or use, and is not retained for longer than necessary for the purpose of processing the data. The Privacy Commissioner also issued in 2012 a non-binding information leaflet on Outsourcing the Processing of Personal Data to Processors. The methods of compliance through contractual means it suggests include an “absolute prohibition or qualified prohibition (e.g. unless with the consent of the data users) on the data processor against sub-contracting the service that it is engaged to provide” and the “data user’s right to audit and inspect how the data processor handles and stores personal data; and consequences for violation of the contract”.
2: Reviewing contractual protection with clients
Businesses may consider including indemnification or limitation of liability clauses to allocate risk, or including disclaimers in contracts and on company websites to disclaim the risks associated with IT security.
3: Internal privacy policies
Internal privacy policies should cover:
- guidance on compliance with the PDPO, including the six DPPs;
- preliminary solutions to IT-related difficulties; and
- a data breach incident response plan (see below).
Businesses may also consider their existing insurance policies and whether they include sufficient coverage on disruptions or data loss due to IT service failures. Where they may be insufficient, additional cover for specific IT disruption exposure may be required.
4: Data breach incident-response management and monitoring
Businesses should develop response frameworks and containment measures to be followed by employees where data loss has occurred, in addition to plans for monitoring IT disruptions. It is best practice to keep a comprehensive record for future reference or relaying relevant information to relevant parties (such as law enforcement, the Privacy Commissioner, clients, IT service providers, etc.).
Data breach incident response plans should cover four broad aspects: communication, analysis, containment and post-incident review. Our data protection team is more than happy to work with you on building a response plan for your business and guiding you through the implementation stage.
5: Measures to prevent data loss or hacking
Businesses should consider measures such as the following to mitigate the risk of data loss or hacking:
- Enhancing secure remote access, including properly configured firewalls, encrypting sensitive client data, and limiting the means of data transmission. Installing ad-blockers can also reduce the risk of malware.
- Where possible, employees should use managed devices provided by the company, which offer a baseline level of protection.
- Employees should regularly update the operating system on their devices to minimise risks, including those associated with cloud-based storage systems.
- Preventing and controlling user access (authorised or otherwise) through methods such as multi-factor authentication, or restricting risky user access, may prevent the cloud system from being hacked. Cloud services may also be restricted to browser-only access.
- Employees should take extra care in the event of payment requests or changes in bank account particulars. Where there is any doubt, it is recommended to contact the client or colleague by phone to confirm the payment request.
- Email attacks are increasing in volume, and attackers can now mimic genuine email addresses.
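The last two points above (spoofed sender addresses and fraudulent payment requests) can be screened for before a message reaches a person. The following script is an added illustration and is not code from the article or from Hugill & Ip; the trusted domains (`firm.example`, `client.example`), the payment keyword list and the two sample messages are all constructed for the example. It reads a raw email and returns warnings for a display name that carries a different address from the real sender, a sender domain that is a near-miss of a trusted one, a Reply-To that diverts replies elsewhere, failed SPF/DKIM/DMARC results recorded by the receiving mail server, and payment-related wording that should be confirmed by phone as the article advises.

```python
"""Flag inbound emails that show common signs of sender impersonation.

Added example for the 'email attacks' and 'payment requests' points;
not code from the original article. Trusted domains, keyword list and
sample messages below are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumption: the organisation's own domain and a known client domain.
TRUSTED_DOMAINS = {"firm.example", "client.example"}

# Wording that should trigger confirmation by phone before any payment is made.
PAYMENT_KEYWORDS = ("bank account", "account details", "wire transfer",
                    "urgent payment", "new beneficiary")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` closely imitates, if any."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyse_message(raw: str) -> List[str]:
    """Return warning strings for a raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    warnings = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. An email-looking address in the display name that differs from the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if embedded and embedded.group(0).lower() != address.lower():
        warnings.append(f"display name shows {embedded.group(0)} but message is from {address}")

    # 2. Sender domain is a near-miss of a domain we trust.
    imitated = lookalike_of(domain)
    if imitated:
        warnings.append(f"sender domain {domain} resembles trusted domain {imitated}")

    # 3. Reply-To pointing somewhere other than the sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"replies would go to {reply_to}, not the sender")

    # 4. Authentication results, where the receiving mail server recorded them.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            warnings.append(f"{check} failed for this message")

    # 5. Payment-related wording: confirm by phone before acting.
    body_parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                body_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = " ".join(body_parts).lower()
    hits = [k for k in PAYMENT_KEYWORDS if k in body]
    if hits:
        warnings.append("payment-related request (" + ", ".join(hits) + "): confirm by phone")
    return warnings


# Constructed sample: look-alike domain (rn for m), mismatched display name, diverted replies.
SUSPICIOUS_MAIL = """\
From: "Jane Partner <jane@firm.example>" <jane@firrn.example>
Reply-To: finance-desk@mailbox.example
To: accounts@firm.example
Subject: Urgent payment
Authentication-Results: mx.firm.example; spf=fail smtp.mailfrom=firrn.example; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Please note our new bank account details and process the urgent payment today.
"""

# Constructed sample: genuine internal message.
GENUINE_MAIL = """\
From: "Jane Partner" <jane@firm.example>
To: accounts@firm.example
Subject: Lunch
Authentication-Results: mx.firm.example; spf=pass smtp.mailfrom=firm.example; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_MAIL), ("genuine", GENUINE_MAIL)):
        print(label, analyse_message(mail) or ["no warnings"])
```

The checks are deliberately conservative: a warning means "verify before acting", not "this is fraud". In practice the trusted-domain set would come from the firm's own directory and client list, and the script would sit in a mail filter rather than be run by hand.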
The Privacy Commissioner in Hong Kong together with Singapore’s Personal Data Protection Commission have released a jointly-developed Guide to Data Protection by Design (“DPbD”) for IT Systems. Companies may gain practical assistance in applying DPbD principles for all phases of software development and good practices for data protection for IT systems.
Although ensuring the safety of employees and visitors/clients is the top priority during the coronavirus pandemic, employers should keep in mind the data privacy risks and the avenues for mitigating them. Flexibility, together with a response management procedure in place to deal with a data privacy breach, enables businesses to operate more smoothly remotely. Businesses (employers and employees alike) should be fully aware of their existing rights and obligations with IT service providers and clients, to ensure that they do not run into legal issues that may have severe impacts on business operations.
If you would like to understand more on the business and legal implications for your organization and as individuals related to the COVID-19 pandemic, you can contact Hugill & Ip’s Data Privacy team of solicitors.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.