Date: 17 February 2022
PCPD Reports on its Work in 2021 and Releases an Investigation Report
The Office of the Privacy Commissioner for Personal Data (PCPD) reports on its work in 2021 and releases an investigation report today (17 February).
Complaints Cases
The PCPD received 3,151 complaint cases in 2021, which represented a drop of 35% when compared to 4,862 cases in 2020. This was mainly attributable to the decrease of doxxing cases and the number of complaints cases arising from a single incident. Of these complaint cases, 93% involved complaints against private organisations or individuals, while the remaining 7% were against public organisations or government departments.
Data breach incidents
In 2021, the PCPD received 140 personal data breach notifications from organisations, representing an increase of 36% year-on-year. The data breach incidents involved hacking, system misconfiguration, unauthorised access to personal data by employees, loss of documents or portable devices, inadvertent disclosure of personal data by emails or post, and accidental erasure of personal data, etc.
The PCPD initiated 377 compliance checks in 2021, representing a 10% increase as compared to 344 compliance checks in 2020.
Amending the Personal Data (Privacy) Ordinance to combat doxxing acts
To combat doxxing acts that are intrusive to personal data privacy, the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) came into operation on 8 October 2021. The Amendment Ordinance criminalises doxxing acts, and empowers the Privacy Commissioner to carry out criminal investigations and institute prosecutions in respect of doxxing -related offences.
On 13 December 2021, the PCPD made the first arrest for a suspected contravention of section 64(3A) of the Amendment Ordinance relating to “disclosing personal data without consent”.
In 2021, the PCPD handled a total of 842 doxxing cases, including complaints received or cases discovered proactively by the PCPD. The number of cases in 2021 dropped by 19% when compared to 1,036 cases in 2020. Under the Amendment Ordinance, the Privacy Commissioner is given statutory powers to demand the cessation of disclosure of doxxing messages. From the commencement of operation of the Amendment Ordinance until 31 January 2022, the PCPD has issued more than 350 cessation notices to 12 platforms, involving over 1,700 doxxing messages.
Apart from enforcement, the PCPD has also launched a series of publicity and educational campaigns to enhance the public awareness of and compliance with the Amendment Ordinance, including broadcasting videos, TV and radio announcements, distributing promotional leaflets and posters, organising webinars, and promoting the new provisions on social media platforms. As of 31 January 2022, the Privacy Commissioner and colleagues of the PCPD have conducted 16 webinars/seminars on the Amendment Ordinance with a total of 2,668 participants.
The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, stressed, “To avoid breaking the law, members of the public should think twice before publishing or re-posting any message that appears to be a doxxing message on the internet or any social media.”
Investigation Report
On completion of its investigation into an incident which involved a hacker’s intrusion into the email system of Nikkei China (Hong Kong) Limited (Nikkei), the PCPD also published an investigation report today. The investigation arose from a data breach notification lodged by Nikkei with the PCPD on 17 March 2021, which reported that a hacker had intruded into six staff email accounts, forwarding the emails that had been sent to those email accounts to two unknown email addresses. The incident led to the leakage of the personal data of over 1,600 customers.
From the evidence collected in the investigation, the Privacy Commissioner finds that the following four deficiencies existed in the security of Nikkei’s email system at all material times:
-
Weak password management
-
Retention of obsolete email accounts
-
Lack of security controls for remote access to the email system
-
Inadequate security controls on information system
The Privacy Commissioner considers, upon conclusion of the investigation, that Nikkei failed to take all practicable steps to ensure that its customers’ personal data was protected against unauthorised or accidental access, processing or use, thereby contravening Data Protection Principle 4(1) as regards the security of personal data under the Personal Data (Privacy) Ordinance. The Privacy Commissioner has issued an enforcement notice to Nikkei, directing Nikkei to remedy and prevent recurrence of the contravention.
Through the report, the Privacy Commissioner also wishes to remind organisations that have an email system which handles customers’ personal data to be vigilant of cyberattacks targeting their email systems. Adequate policies, measures and procedures covering system security should be put in place, and should cover the following areas:
-
Establish a Personal Data Privacy Management Programme;
-
Appoint Data Protection Officer(s);
-
Devise policy on email communications;
-
Adequate security measures; and
-
Instil a privacy-friendly culture in the workplace
Download the Investigation Report “Hacker’s Intrusion into the Email System of Nikkei China (Hong Kong) Limited”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r22_7840_e.pdf