Practical Tips for Handling Data Breach Incident

Data Breach Incident: Accidental Disposal / Loss of Physical Document or Electronic Storage Device
Immediate Remedial Measures
  • Try to locate the lost document / portable storage device as soon as possible
  • If the lost document / portable storage device cannot be recovered, contact the data subjects immediately
Measures for Preventing Future Recurrence
  • Use designated bags with a secured zip / lock to transport documents containing personal data
  • Store documents / devices in a locked cabinet / drawer
  • Maintain a record to keep track of document movements
  • Print less and digitise documents as far as practicable
  • Arrange centralised destruction exercises regularly
  • Seek management’s approval before using a portable storage device
  • Install Mobile Device Management software which can remotely wipe the data from a portable storage device if it is lost
  • Purge the personal data once the original collection purpose has been fulfilled
Data Breach Incident: Cyberattack (e.g. Hacking / Brute Force Attack / Ransomware Attack etc.)
Immediate Remedial Measures
  • Disconnect the compromised device from the Internet and any network to which it is linked
  • Perform a complete offline scan of the computer network using anti-virus software. Ignore any pop-ups telling you to connect to the Internet. If any malware is found, follow the software’s instructions on how to quarantine or remove the malicious files
  • Change the login details for the compromised device / software / database / system
  • Notify the relevant law enforcement agencies if identity theft or other criminal activities have been, or are suspected to have been, committed
Measures for Preventing Future Recurrence
  • Install a two-tier firewall and enable endpoint protection
  • Use the latest versions of operating systems and anti-virus programs
  • Apply the latest security patches and virus signatures to all devices, including offline virtual machines
  • Set a limit on the number of requests per minute to the user login page from a single IP address
  • Set up a CAPTCHA¹ on the login page to guard against brute force attacks
  • Back up data on a regular basis
  • Carry out network segmentation by dividing the corporate network into subnets and dedicating each subnet to specific needs and functions. Only those with “a need-to-know” can access the specified domains

1. A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text but computer programs cannot.
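
The per-IP request limit on the login page, shown as an added example that is not part of the guidance above: a sliding-window limiter keyed on source IP, with the threshold, the IP addresses and the request timeline all constructed for illustration.

```python
# Added example (not from the guidance page): a per-IP sliding-window limiter for
# a login endpoint, implementing the tip "set a limit on the number of requests
# per minute to the user login page from a single IP address". The threshold,
# the IP addresses and the request timeline below are constructed.
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, max_requests: int = 10, window_seconds: float = 60.0):
        self.max_requests = max_requests      # attempts allowed per IP per window
        self.window_seconds = window_seconds  # "per minute" -> 60 seconds
        self._hits = defaultdict(deque)       # ip -> timestamps of allowed requests

    def allow(self, ip: str, now: float) -> bool:
        """Decide whether a login request from `ip` at time `now` may proceed.

        Timestamps older than the window are evicted first, so this is a true
        sliding window rather than a counter that resets on the minute boundary.
        Denied requests are not recorded, so the window reflects accepted
        traffic only."""
        hits = self._hits[ip]
        cutoff = now - self.window_seconds
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False   # caller should answer HTTP 429 and log the source IP
        hits.append(now)
        return True


def replay(limiter: LoginRateLimiter, events: list) -> list:
    """Feed (timestamp, ip) events in order and return the allow/deny decisions,
    e.g. to check a limiter configuration against a recorded access log."""
    return [limiter.allow(ip, ts) for ts, ip in events]


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_requests=5)
    burst = [(float(t), "203.0.113.7") for t in range(8)]  # 8 attempts in 8 seconds
    print(replay(limiter, burst))  # first 5 allowed, last 3 denied
```

A per-source-IP limit is one layer only: clients behind a shared NAT share a budget while distributed sources each get their own, which is why the guidance pairs it with a CAPTCHA and endpoint protection.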

Data Breach Incident: Email or Postal Leakage
Immediate Remedial Measures
  • Try to recall the email / retrieve the letter if possible
  • If recalling / retrieving is unsuccessful, contact the unintended recipients and request them to delete the email / destroy the letter immediately
Measures for Preventing Future Recurrence
  • Adopt the four-eyes principle (i.e. have the document counter-checked by a different member of staff) to ensure that all recipients’ names, contact information, content and / or attachments are correct
  • Use open-window envelopes for posting if possible
  • Minimise the kinds of personal data contained in an email
  • Disable the autocomplete function of the email system to prevent sending an email to a similar but incorrect email address
  • Name files properly in the first place so that the file name truly reflects the content, minimising the chance of attaching the wrong document to an email
  • Use a shared drive for the internal transfer of files containing personal data
  • Use a strong password to protect email attachments containing personal data, and provide the recipient with the password by another means
Data Breach Incident: Staff Misconduct
Immediate Remedial Measures
  • Disable the account / access rights of the staff concerned
  • Notify the relevant law enforcement agencies if criminal activities have been or are likely to be committed
Measures for Preventing Future Recurrence
  • Install a Data Loss Prevention system / tool to scan external outgoing emails and quarantine those containing sensitive information, such as HKID numbers and credit card details. Management’s approval is required before a quarantined email is released
  • Allow authorised access to personal data only on a case-by-case basis, a need-to-use basis or a role-based approach
  • Lock up restricted and confidential documents at all times
  • Review the system log records proactively to detect any irregularity at an early stage
  • Perform a full IT audit on departing staff upon their cessation of employment
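
The Data Loss Prevention check above, shown as an added example rather than any product's own logic: it scans outgoing email text for HKID numbers and payment card numbers, validates their check digits to avoid quarantining random digit strings, and reports only masked values. The pattern widths and the sample messages are constructed assumptions.

```python
# Added example (not the guidance page's own tool): a minimal Data Loss Prevention
# check for outgoing email text. It flags HKID numbers and payment card numbers,
# the two data types the guidance names, and validates check digits so that
# random digit strings do not trigger quarantine. Sample text is constructed.
import re

HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\(?([0-9A])\)?")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def hkid_is_valid(prefix: str, digits: str, check: str) -> bool:
    """HKID check digit rule: letters count A=10..Z=35, a one-letter prefix is
    padded with a space valued 36, weights run 9..2 over the eight characters,
    and the sum plus the check digit (A = 10) must be divisible by 11."""
    chars = prefix.rjust(2)
    values = [36 if c == " " else ord(c) - ord("A") + 10 for c in chars]
    values += [int(d) for d in digits]
    total = sum(v * w for v, w in zip(values, range(9, 1, -1)))
    total += 10 if check == "A" else int(check)
    return total % 11 == 0


def luhn_is_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers (digits only)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_outgoing_email(body: str) -> dict:
    """Return masked findings and a quarantine decision for one outgoing email.
    Only masked values are reported so that the DLP log itself does not leak."""
    findings = {"hkid": [], "card": []}
    for m in HKID_RE.finditer(body):
        prefix, digits, check = m.groups()
        if hkid_is_valid(prefix, digits, check):
            findings["hkid"].append(f"{prefix}{'*' * len(digits)}({check})")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_is_valid(digits):
            findings["card"].append("****" + digits[-4:])
    # Hold the message for management approval, as the guidance requires, if anything matched
    findings["quarantine"] = bool(findings["hkid"] or findings["card"])
    return findings
```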
Data Breach Incident: Phishing
Immediate Remedial Measures
  • Disconnect the compromised device from the Internet and any network to which it is linked
  • Perform a complete offline scan of the computer network using anti-virus software. Ignore any pop-ups telling you to connect to the Internet. If any malware is found, follow the software’s instructions on how to quarantine or remove the malicious files
  • Change the login details for the compromised device / software / database / system
Measures for Preventing Future Recurrence
  • Do not respond to any email that requests you to provide login details or sensitive information (e.g. bank account details)
  • Avoid opening any suspicious email attachment
  • Carefully check the domain name of the sender’s email address for any suspicious email
  • Hover over a URL in an email to see its true destination before clicking, to check that it is legitimate
  • Install anti-phishing and anti-spam software
  • Arrange personal data security awareness training for staff
Data Breach Incident: Program Bug or System Misconfiguration
Immediate Remedial Measures
  • Disable access to the concerned program / system / platform
  • Contact the responsible vendor immediately if the concerned program / system / platform is developed / maintained by a third party
Measures for Preventing Future Recurrence
  • Perform tests (including integration tests and user acceptance tests) to verify the program / system before moving it to the production environment
  • Carry out vulnerability scanning and penetration testing of the system regularly and after any significant change
  • Check on a regular basis that proper permissions have been set for files and folders
  • Enter into a contract / agreement with a vendor that has a good reputation and track record in the industry. The contract / agreement must incorporate robust privacy protection requirements