Data Breach Incident: Accidental Disposal / Loss of Physical Document or Electronic Storage Device

Immediate Remedial Measures

- Try to locate the lost document / portable storage device as soon as possible
- If recovering the lost document / portable storage device is unsuccessful, contact the data subjects immediately

Measures for Preventing Future Recurrence

- Use designated bags with a secured zip / lock to transport documents containing personal data
- Store documents / devices in a locked cabinet / drawer
- Maintain a record that keeps track of document movement
- Use fewer printouts and adopt digitalisation of documents as far as practicable
- Arrange a centralised destruction exercise regularly
- Seek management’s approval before the use of any portable storage device
- Install Mobile Device Management software which can wipe the data from a portable storage device remotely if it is lost
- Purge the personal data upon fulfilment of the original collection purpose

Data Breach Incident: Cyberattack (e.g. Hacking / Brute Force Attack / Ransomware Attack etc.)

Immediate Remedial Measures

- Disconnect the compromised device from the Internet and any network to which it is linked
- Perform an offline complete scan of the computer network using anti-virus software. Ignore any pop-ups telling you to connect to the Internet. If any malware is found, follow the software’s instructions on how to quarantine or remove the malicious files
- Change login details for the compromised device / software / database / system
- Notify the relevant law enforcement agencies if identity theft or other criminal activities have been committed or are suspected

Measures for Preventing Future Recurrence

- Install a two-tier firewall and enable end-point protection
- Use the most up-to-date versions of operating systems and anti-virus programs
- Apply the latest security patches and virus signatures to all devices, including offline virtual machines
- Set a limit on the number of requests per minute to a user login page from a single IP address
- Set up a CAPTCHA (1) on the login page to guard against brute force attacks
- Back up data on a regular basis
- Carry out network segmentation by dividing the corporate network into subnets and dedicating each subnet to specific needs and functions. Only those with “a need-to-know” can access specified domains

(1) A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text but computer programs cannot.

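The per-IP request limit on the login page, implemented as a sliding-window counter (an added illustration, not code from this guidance; the threshold of 10 requests per minute and the clock injection are assumptions made here so the behaviour can be tested deterministically):

```python
import time
from collections import deque

WINDOW_SECONDS = 60   # the "per minute" window named in the guidance
MAX_REQUESTS = 10     # assumed threshold; tune to the real traffic of the site


class LoginRateLimiter:
    """Sliding-window counter of login-page requests per source IP.

    Hypothetical helper for this page. `clock` is injectable so that the
    window behaviour can be exercised without waiting real seconds.
    """

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock
        self._hits = {}  # ip -> deque of request timestamps still inside the window

    def allow(self, ip):
        """Return True if this request from `ip` may reach the login handler,
        False if it must be throttled (e.g. answered with HTTP 429)."""
        now = self.clock()
        q = self._hits.setdefault(ip, deque())
        # Expire timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over the limit: reject before any credential check
        q.append(now)
        return True


def simulate_burst(ip, attempts, limit=MAX_REQUESTS):
    """Constructed scenario: one IP sends `attempts` requests 50 ms apart,
    all inside a single window. Returns the allow/deny decision per request."""
    fake_now = [1000.0]
    limiter = LoginRateLimiter(max_requests=limit, clock=lambda: fake_now[0])
    results = []
    for _ in range(attempts):
        results.append(limiter.allow(ip))
        fake_now[0] += 0.05
    return results


if __name__ == "__main__":
    outcome = simulate_burst("203.0.113.7", 12)
    print("allowed:", outcome.count(True), "throttled:", outcome.count(False))
```

The limiter only counts requests it lets through, so a throttled client cannot extend its own lock-out; once the window has passed, its quota is restored.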
Data Breach Incident: Email or Postal Leakage

Immediate Remedial Measures

- Try to recall the email / retrieve the letter if possible
- If recalling / retrieving is unsuccessful, contact the unintended recipients and request them to delete the email / destroy the letter immediately

Measures for Preventing Future Recurrence

- Adopt the four-eyes principle (i.e. have the document counter-checked by a different member of staff) to ensure that all recipients’ names, contact information, content and / or attachments are correct
- Use open-window envelopes for posting if possible
- Minimise the kinds of personal data contained in an email
- Disable the autocomplete function of the email system to prevent sending an email to a similar but incorrect email address
- Name files properly in the first place so that the file name truly reflects the content, with the aim of minimising the chance of attaching the wrong document to an email
- Use a shared drive for internal transfer of files containing personal data
- Use a strong password to protect email attachments containing personal data. Provide the recipient with the password of the attachment by another means

Data Breach Incident: Staff Misconduct

Immediate Remedial Measures

- Disable the account / access rights of the staff concerned
- Notify the relevant law enforcement agencies if criminal activities have been or are likely to be committed

Measures for Preventing Future Recurrence

- Install a Data Loss Prevention system / tool to scan external outgoing emails and quarantine those with sensitive information, such as HKID numbers and credit card details. Management’s approval is required before the release of a quarantined email
- Allow authorised access to personal data only on a case-by-case basis, need-to-use basis or role-based approach
- Lock up restricted and confidential documents at all times
- Review the system log records proactively to detect any irregularity at an early stage
- Perform a full IT audit on departing staff upon their cessation of employment

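The outgoing-email check a Data Loss Prevention tool performs for the two data types named above, written here as an added example rather than any product’s code: candidate HKID numbers are confirmed with the HKID check-digit rule and candidate card numbers with the Luhn check, so that a random digit string does not trigger quarantine. The email text and the `dlp_decision` / `scan_outgoing` names are constructed for this illustration.

```python
import re

# HKID as commonly written: one or two letters, six digits, check digit in brackets.
HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\(([0-9A])\)")
# 13-19 digits, optionally separated by single spaces or dashes (card number candidates).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def hkid_is_valid(prefix, digits, check):
    """HKID check-digit rule: letters map A=10..Z=35, a single-letter prefix is
    padded with a space worth 36; the eight body characters are weighted 9..2,
    the check digit (A = 10) weighted 1, and the total must divide by 11."""
    body = (" " + prefix if len(prefix) == 1 else prefix) + digits
    value = lambda ch: 36 if ch == " " else ord(ch) - 55 if ch.isalpha() else int(ch)
    total = sum(value(ch) * w for ch, w in zip(body, range(9, 1, -1)))
    total += 10 if check == "A" else int(check)
    return total % 11 == 0


def luhn_ok(number):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_outgoing(body):
    """Return a list of (kind, matched_text) findings for validated identifiers."""
    findings = [("HKID", m.group(0)) for m in HKID_RE.finditer(body)
                if hkid_is_valid(*m.groups())]
    findings += [("CARD", m.group(0)) for m in CARD_RE.finditer(body)
                 if luhn_ok(m.group(0))]
    return findings


def dlp_decision(body):
    """QUARANTINE when any validated sensitive identifier is present, else RELEASE.
    A quarantined message waits for management approval, as the guidance requires."""
    findings = scan_outgoing(body)
    return ("QUARANTINE" if findings else "RELEASE", findings)


# Constructed sample emails; A123456(3) is the usual illustrative HKID and
# 4111 1111 1111 1111 a well-known test card number.
SAMPLE_LEAK = "Hi, client HKID is A123456(3), card 4111 1111 1111 1111. Regards"
SAMPLE_CLEAN = "Hi, the meeting is moved to room 123456. Ref A123456(4). Regards"

if __name__ == "__main__":
    for mail in (SAMPLE_LEAK, SAMPLE_CLEAN):
        print(dlp_decision(mail))
```

`SAMPLE_CLEAN` contains an HKID-shaped string with a wrong check digit and a six-digit room number, and is released; only validated identifiers trigger quarantine.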
Data Breach Incident: Phishing

Immediate Remedial Measures

- Disconnect the compromised device from the Internet and any network to which it is linked
- Perform an offline complete scan of the computer network using anti-virus software. Ignore any pop-ups telling you to connect to the Internet. If any malware is found, follow the software’s instructions on how to quarantine or remove the malicious files
- Change login details for the compromised device / software / database / system

Measures for Preventing Future Recurrence

- Do not respond to any email that requests you to provide login details or sensitive information (e.g. bank account details)
- Avoid opening any suspicious email attachment
- Carefully check the domain name of the sender’s email address for suspicious emails
- Hover over a URL in an email to see the true destination before clicking, to ensure it is legitimate
- Install anti-phishing and anti-spam software
- Arrange personal data security awareness training for staff

Data Breach Incident: Program Bug or System Misconfiguration

Immediate Remedial Measures

- Disable access to the concerned program / system / platform
- Contact the responsible vendor immediately if the concerned program / system / platform is developed / maintained by a third party

Measures for Preventing Future Recurrence

- Perform tests (including integration tests and user acceptance tests) to verify the program / system before moving it to the production environment
- Carry out vulnerability scanning and penetration testing on the system regularly and after any significant change
- Check on a regular basis that proper permissions have been set for files and folders
- Enter into a contract / agreement with a vendor with a good reputation and track record in the industry. The contract / agreement must incorporate robust privacy protection requirements
