ACFE 资讯分享 | Personal Data Protection In The Digital Era

With the exponential growth of digitalisation, cyberattacks have become one of the major risks for most businesses, especially those which provide online services and products. Such attacks may lead to financial losses, reputational damage, regulatory penalties and other harm. Regardless of their sizes, organisations may come under attack from threat actors at any time.

随着数码化的蓬勃发展，网络攻击已成为大多数企业（尤其是提供线上服务和产品的企业）所面临的主要风险之一。网络攻击可以导致财务损失、声誉受损、监管处罚和其他损害。无论规模大小，机构均可能随时受到黑客的攻击。

To cite an example, we would all remember the Cathay Pacific Airways Limited (“Cathay Pacific”) data breach incident that happened in October 2018, as it involved unauthorised access by external parties to Cathay Pacific’s servers, affecting around 9.4 million passengers worldwide. Apparently, the damage arising from the incident not only tarnished the goodwill and reputation of the carrier gained over the years, but also led to substantial financial losses. Other than subject to an investigation into the incident undertaken by my Office, which concluded that Cathay Pacific had contravened the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”), the carrier was also fined GBP$500,000 by the UK Information Commissioner’s Office in 2020 and had to pay CAD$1,550,000 in 2021 to settle a class action brought in Canada.

举例而言，国泰航空有限公司（国泰航空）在2018年10月发生的数据泄漏事故记忆犹新，当中涉及外部人士未获授权查阅国泰航空的服务器，影响全球约940万名乘客。该事故不仅损害了国泰航空多年来建立的商誉，亦导致重大的财务损失。当时个人数据隐私专员公署（隐私公署）曾展开调查，并认为国泰航空违反了《个人数据（隐私）条例》（第486章）（《隐私条例》）的规定。此外，国泰航空亦在2020年被英国资讯专员办公室罚款50万英镑，并在2021年支付155万加元以就加拿大一宗集体诉讼达成和解。

Indeed, the siren went off when the Cathay Pacific incident was in the limelight. In recent years, leakage of personal data on the Internet has become an unprecedented risk to users and surfers, with the number of data breaches on a steady rise. An annual global study by Sophos Labs which surveyed 5,600 IT professionals in mid-sized organisations across 31 countries or regions showed that ransomware attacks had been surging and getting more sophisticated than ever before. The study also revealed that 66% of organisations worldwide were hit with ransomware in 2021, an increase of 29% as compared with 2020.

事实上，当国泰航空事故被广泛报导时，已经响起了警号。近年来，个人数据在互联网上泄漏已成为用户所面对的前所未有的风险，而数据泄漏的宗数亦不断上升。Sophos Labs的一项年度全球研究访问了31个国家／地区中型机构的5,600名资讯科技专业人员，结果显示勒索软件攻击持续增加，并且变得更加复杂。该研究亦显示，在2021年全球66%的机构曾遭受勒索软件攻击，较2020年高出了29%。

A similar trend is observed from the data breach incidents handled by my Office. In 2019 and 2020, cyberattack incidents including ransomware attacks comprised around a quarter of the reported data breaches. The percentage increased to 29% last year and over 600,000 Hong Kong citizens were affected in various cybersecurity incidents.

从隐私公署处理的数据泄漏事故中，也观察到类似的趋势。在2019年和2020年，涉及勒索软件攻击的网络攻击事故，约占接报的数据泄漏事故的四分之一。这个比例去年上升至29%，而超过60万名香港市民亦受到各种网络安保事故影响。

Data breaches can be caused by technical vulnerabilities or human blunders. In this article, I would like to focus on the technical risks, among which weak user passwords, phishing, unpatched vulnerabilities, outdated operating systems and software applications, and the implantation of malicious software represent some of the more common causes of data breach incidents.

数据泄漏可能由技术漏洞或人为疏忽造成。本文将重点关注技术风险，其中用户使用低强度密码、网络钓鱼、未修补漏洞、过时的操作系统和软件应用程序以及植入的恶意软件，是数据泄漏事故的一些常见原因。

From the incidents handled by my Office, we note that phishing and unpatched vulnerabilities are the two most common causes of data breaches. Our observation in this regard is in line with the statistics recently published by Hong Kong Computer Emergency Response Team Coordination Centre (“the Centre”) in its Annual Report 2021. According to the report, phishing (48% of the cases) was the prime cause of security incidents handled by the Centre in 2021.

从隐私公署处理的事故中，我们注意到网络钓鱼和未修补的漏洞是数据泄漏两个最常见的原因。我们在这方面的观察与香港电脑安保事故协调中心最近公布的2021年报的统计数据一致。该报告指出，网络钓鱼（占整体案例48%）是该中心2021年处理的安保事故的主要原因。

Two investigations conducted by my Office in recent years reflected the same phenomenon. In the Cathay Pacific case, we concluded that one of the factors attributing to the data breach incident was the carrier’s failure to identify a commonly known unpatched information security vulnerability and take reasonably practicable steps to safeguard the security of its server, which left a loophole for unauthorised access. In another case relating to the intrusion into the email system of the media company Nikkei China (Hong Kong) Limited, it was found that one of the possible causes of attacks to the email system was that the relevant user passwords had been leaked to hackers through phishing attacks.

公署近年来进行的两次调查，也反映了这个现象。在国泰航空的案例中，我们认为，造成数据泄漏事故的因素之一，是国泰航空未能识别广为人知的资讯安保漏洞，并采取合理可行的措施来保障其服务器的安全，令人可乘机入侵其服务器。在另一宗有关传媒机构日经中国（香港）有限公司电邮系统遭入侵的案件中，隐私公署发现电邮系统受到攻击的原因之一，可能是相关用户密码因网络钓鱼攻击而外泄。

Data Protection Principle (“DPP”) 4(1) of Schedule 1 to the Ordinance requires a data user to take all practicable steps to ensure that any personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss or use having particular regard to: 

《隐私条例》附表1的保障资料第4(1)原则规定数据使用者须采取所有切实可行的步骤，以确保由数据使用者持有的个人资料受保障而不受未获准许的或意外的查阅、处理、删除、丧失或使用所影响，尤其须考虑：

(a) the kind of data and the harm that could result if any of those things should occur;

(a) 该数据的种类及如该等事情发生便能做成的损害；

(b) the physical location where the data is stored;  

(b) 储存该数据的地点；

(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;  

(c) 储存该数据的设备所包含（不论是自动化方法或其他方法）的安保措施；

(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data;

(d) 为确保能查阅该数据的人的良好操守、审慎态度及办事能力而采取的措施；

(e) any measures taken for ensuring the secure transmission of the data. 

(e) 为确保在安保良好的情况下传送该数据而采取的措施。

It is noteworthy that DPP 4(1) imposes a positive duty on a data user to safeguard the security of personal data by taking all practicable steps. Whether a data user would be considered to have taken all reasonably practicable steps would be assessed on a case-by-case basis. 

值得注意的是，数据保护第4(1)原则规定数据使用者有责任采取所有切实可行的步骤保障个人数据安全。数据使用者是否被视为已采取所有合理可行的步骤，将按个别情况进行审视。

Against this background, and as concerns on data security have reached an all-time high, it is desirable that some practicable recommendations on data security measures be provided for data users in Hong Kong to facilitate their understanding as well as compliance with the relevant requirements under the Ordinance. It is in this light that my Office has recently published the Guidance Note on Data Security Measures for Information and Communications Technology (“the Guidance”).

在此背景下，加上数据安保受关注的程度日渐提升，我们希望为香港的数据使用者提供一些切实可行的数据安保建议，以助他们理解和遵从《隐私条例》的相关规定。因此，隐私公署最近公布了《资讯及通讯科技的安保措施指引》（《指引》）。

The Guidance provides recommendations on six key areas as follows:

《指引》就以下六个关键领域提供了建议：

Data governance and organisational measures

数据管治和机构性措施

The Guidance recommends data users to establish clear policies and procedures on data governance and data security about such aspects as staff’s respective roles and responsibilities in maintaining the information and communications technology (“ICT”) systems, data security risk assessments, and the outsourcing of data processing and data security work. When it comes to manpower deployment, the Guidance recommends that suitable personnel in a leadership role, such as a Chief Information Officer, a Chief Privacy Officer or an equivalent person, should be appointed to bear responsibilities for personal data security. Sufficient training should be provided for staff members at induction and regularly thereafter to ensure their familiarity with the requirements under the Ordinance and the data user’s data security policies and procedures.

《指引》建议数据使用者制订明确针对数据管治和数据安保的政策和程序，涵盖个别员工在维护资讯及通讯系统的角色和责任、数据安保风险评估、外判数据处理及数据安保工作等范畴。在人手调配方面，《指引》建议数据使用者应委任合适的领导人员（例如首席资讯主任、首席隐私主任或同等人员）负责个人资料保护。工作人员应在入职时及往后定期接受足够的培训，以确保他们熟悉《隐私条例》的规定，以及数据使用者的资料安保政策及程序。

Risk assessments

风险评估

Data users are recommended to conduct risk assessments on data security for new systems and applications before launch, as well as periodically thereafter pursuant to established policy and procedures. For small- and medium-sized enterprises that may not have the relevant expertise, they should consider engaging third-party specialists to conduct security risk assessments. Results of risk assessments should be reported to senior management, and security risks identified in risk assessments should be addressed promptly.

数据使用者应在启用新系统和新应用程序前，以及在启用后定期根据既定的政策和程序进行数据安保风险评估。缺乏相关专业知识的中小企应考虑聘用第三方专家，以进行安全风险评估。风险评估的结果应定期向高级管理层汇报，而在风险评估中发现的安保风险应及时处理。

Technical and operational security measures

技术上及操作上的安保措施

The Guidance recommends that a data user should put in place adequate and effective security measures to safeguard the information and communications systems and personal data in its control or possession based on the nature, scale and complexity of the ICT and data processing activities, as well as the results of risk assessments. A list of recommended technical and operational measures, ranging from securing computer networks, database management and access control to encryption and anonymisation of data, is provided in the Guidance for the reference of data users.

《指引》建议数据使用者应根据资讯及通讯科技和数据处理活动的性质、规模、复杂性，以及风险评估的结果，采取足够及有效的安保措施，以保护其控制或所持有的个人数据和资讯及通讯系统。《指引》为资料使用者建议了一系列技术上及操作上的安保措施，包括保护电脑网络、数据库管理、存取管控、资料匿名化和加密等。

Data processor management

数据处理者的管理

It is an increasingly common practice to engage contractors as data processors for processing personal data. A case in point includes service providers for cloud and data analytics services. Given that the Ordinance imposes a positive duty on data users to ensure that contractual or other means be adopted to safeguard the security of person data transferred to data processors, the Guidance recommends a list of actions which data users may take before and when engaging a data processor.

将处理个人数据的工作外判予承办商的做法日益普遍。当中数据处理者的例子包括云端服务和数据分析服务的供应商。根据《隐私条例》，数据使用者有责任采取合约规范方法或其他方法，保障转移予数据处理者的个人数据的安全，《指引》就数据使用者在聘用数据处理者时可采取的措施提供了一系列的建议。

Remedial actions in the event of data security incidents

数据安保事故发生后的补救措施

Timely and effective remedial actions taken by a data user after the occurrence of a data security incident will help reduce the risks of unauthorised or accidental access, processing or use of the personal data affected, thereby reducing the harm that may do to the organisation or affected data subjects. The Guidance offers examples on common remedial actions that a data user may take in the event of a data security incident.

数据使用者在数据安保事故发生后采取及时和有效的补救措施，将减低个人数据被未获准许的或意外的查阅、处理或使用的风险，从而减轻对受影响人士可能造成的伤害。《指引》就数据使用者在发生数据安保事故时可采取的补救措施提供了一些常见例子。

Monitoring, evaluation and improvement

监察、评估及改善

A data user may commission an independent task force (e.g. an internal or external audit team) to monitor the compliance with the data security policy and periodically evaluate the effectiveness of the data security measures. It is recommended that improvement actions should be taken for non-compliant practices and ineffective measures.

数据使用者可委派独立的专责小组（例如内部或外部审计团队）负责定期监察数据安保政策的遵从情况，以及定期评估数据安保措施的成效。《指引》建议，如发现违反政策的行为或安保措施成效不彰，应采取改善行动。

In the light of the rapid evolution of the means, forms and complexity of cyberattacks, and the heightened expectation of the society as regards individuals’ personal data privacy, data security will likely take centre stage in the years to come. Indeed, a robust data security system is a core element of good data governance. I hope that the Guidance will help organisations and businesses, especially small and medium-sized enterprises, in Hong Kong strengthen their data security systems, thereby minimising their exposure to data security risks and enhancing their competitive edge in the digital era.

鉴于网络攻击的手段、形式和复杂程度快速演变，且社会对个人数据隐私的期望越来越高，数据安保将会是未来几年的焦点。事实上，稳健的数据安保系统是良好数据管治的核心元素。我希望《指引》能帮助香港的机构和企业，尤其是中小企，加强数据安保系统，从而减低资料安保风险，并提升他们在数码时代的竞争优势。

出处：香港律师会会刊（实践技能）

本文由ACFE China校对翻译，如需转载，请提前告知。

想了解IAPP哪个证书适合你？

全套资料长按扫码领取

全套资料试听课在线试讲

想了解IAPP哪个证书适合你？

......

识别下方二维码

为你一一解答

资格评估可直接扫码

免费评估/赠送一份国际隐私认证学习资料一份