Hong Kong Set to Implement Data User Return Scheme by 2013

This post was contributed by Gabriela Kennedy, a Partner, and Zuzana Hecko, a Summer Intern, both of the Intellectual Property, Media and Technology Group of Hogan Lovells Hong Kong

On July 7, the Hong Kong Privacy Commissioner for Personal Data (“the Commissioner”) issued a consultation document setting out the mechanism for a Data User Return Scheme (“the Scheme”).  Provisions allowing the Commissioner to request returns from specific data users are already present in Part IV of the Personal Data (Privacy) Ordinance ("the Ordinance").  So far, the Commissioner has not exercised this right, but following a survey of practices in other jurisdictions and taking into account the heightened awareness of privacy rights and corporate sensitivity about personal data, the Commissioner is now of the view that it is time to introduce the Scheme in Hong Kong.

The consultation document (PDF) seeks views on the implementation and operational framework for the Scheme in Hong Kong.


Benefits of the Scheme

The Scheme aims to provide better protection of personal data among corporate data users.  Once the Scheme is implemented, data users will be required to submit an annual return detailing the personal data they control and the purposes of collection or processing of such data.  Data users may provide more information than prescribed by the Commissioner if they so wish, in order to show their commitment to the protection of their customers' personal data.  It is hoped that the Scheme will lead to greater accountability and transparency in corporations' data protection practices, as well as an enhancement of their data privacy protection standards.  Companies required to submit Data User Returns will need to take care when filling them in and provide correct information, as the intentional provision of false or misleading information constitutes an offense under the Ordinance (attracting a fine of HK$10,000 and imprisonment for up to 6 months).  It is also an offense not to submit a return or to submit it late (although a penalty will be applied for the late submission of a return, this will not rule out a prosecution for late submission).

The Commissioner will keep a Register of Data Users, in effect a database of data users, which would contain all the information submitted annually by data users.  The register will be available to the public for inspection, thus giving data subjects an opportunity to understand data users' privacy practices and compare them with the practices of other data users.  Data subjects will have a single point of access to information about how Data Users handle their personal data.

Who will be covered by the new Scheme?

It is proposed that the Scheme will be rolled out in several consecutive phases, covering: a) first, the public sector; b) second, three large regulated industries (banking, telecommunications and insurance); and c) third, organizations with a large database of members (such as customer loyalty schemes). These initial sectors have been selected by the Commissioner because of the large amount of personal data under their control, the sensitivity of the personal data they control, the frequent and diverse use of the personal data they hold, the relatively high number of complaints in these sectors, and because it is common practice in these sectors to transfer personal data to third parties for marketing or other purposes.

When will the new Scheme come into operation?

The Commissioner expects to finalize the implementation framework for the Scheme by the end of 2011 and publish a Notice in the Government Gazette regarding the introduction of the Scheme by mid-2012 in the hope that it will come into force by the end of 2012.  This means that by the second half of 2013 the first phase of the Scheme may be rolled out and the first data user returns are expected.  More information can be found on the website of the Commissioner (PDF).

Short Guide to Responding to Data Security Breaches

The recent effective date for enforcement of the new HIPAA/HITECH data-security breach notification law, and the continued passage of and amendments to state notification laws, make compliance with data-security breach notification requirements more challenging than ever.

The H&H Chronicle of Data Protection thought it would be useful to provide this Short Guide to Responding to Data Security Breaches as a refresher for some and as a wake-up call for others.

Companies collect, maintain, use, and exchange vast amounts of personal data on employees, consumers and others. Unwanted release or exposure of personal information can violate privacy, lead to identity theft, and result in adverse publicity. Lawmakers, regulators, and advocates are increasingly focused on data security and breaches of it. Data security is becoming a risk-management priority at companies.

Still, breaches happen, even with the most careful precautions.

Effective handling of a data-security breach and legal compliance are best achieved with advance planning to ensure that a business's response is effective, efficient, and timely. A business's response will be facilitated if it already knows which laws and contracts apply to its data and what its duties will be if its information is improperly disclosed or accessed.

Fundamentally, businesses should have a detailed written data security breach response plan that has been shared with those who will implement the response, because responding to a data security breach “on the fly” creates the potential for liability-creating mistakes.

What law applies to a data-security breach?

As most businesses know by now, starting in California in 2003, the law began to impose an obligation on those who hold data on persons to provide notice if there is a breach of its security. Forty-five states, Washington, DC, the Virgin Islands, and Puerto Rico have such laws currently, and federal rules govern disclosure of health-related personal information.

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) each has issued data breach notification rules. See this previous blog entry for details. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information. Enforcement of the HHS and FTC breach notification rules began last month, as described here.

The Federal Trade Commission, state attorneys general, and private plaintiffs have pursued companies that have experienced data-security breaches. Such investigations typically have focused not only on whether notice protocols were followed, but also on underlying data security. Under HITECH, the Department of Health and Human Services has enhanced power to investigate and enforce against data security deficiencies.

What actions should the business take promptly after a breach?

Contain the breach. As soon as the business becomes aware of a data breach it should take all necessary steps to limit further data loss and should investigate the incident. It should also determine whether to involve law enforcement and should limit traffic into the affected area until security officials or law enforcement investigate.

Convene a response team. Businesses should have a standing security breach response team that includes representatives from the office of the general counsel, information technology security, human resources, internal audit, and public communications. When a breach occurs, the response team should convene without delay. Team composition may vary, according to the type and location of the breach.

Analyze the breach. The business should record all information relevant to the breach; learn and evaluate the cause and effect of the incident; determine whether other systems are at serious risk of future breach; and consider engaging specialized consultants to capture relevant information and perform forensic analysis.

Determine timing requirements. Time is of the essence. The laws of many states prescribe time limits for notifying the persons whose data was breached. Expedition is not just sensible; often it is legally mandated.

Collect information promptly. Information that should be gathered promptly includes the date, time, duration, and location of the breach; how the breach was discovered, by whom, and any known details about it; and information on compromised data, including a list of affected individuals by category, data fields, the number of records affected, and which if any data were encrypted.

What next steps should the business take?

Analyze legal implications of the breach. Legal analysis should include analysis of relevant business contracts for notification and other obligations; breach-notification requirements; and pertinent indemnification agreements. The states and countries potentially involved in the breach should be identified with reference to the location of persons and systems affected by the breach. Federal, state, and international statutes and regulations potentially triggered or violated by the breach, and their notification requirements, should be identified.

Contact law enforcement. Where appropriate, contact local or federal law enforcement agencies.

Contact insurance carrier. Review insurance pertinent to the breach; notify the insurance carrier in accordance with policy requirements.

What internal and external breach-related communications should the business make?

A wave of telephone calls, e-mails, and other inquiries should be expected when a breach is reported. Before occurrence of a breach, the business should have a plan for handling such inquiries. Actions to consider include selecting a mode of communication with the public (toll-free 1-800 numbers and/or e-mail address); selecting a mode of communication with interested parties; training and hiring staff for inquiry response, or outsourcing such activities; preparing a script; notifying credit-reporting agencies prior to providing notification to a large group of affected persons (or as required by applicable law); documenting inquiry responses; and preparing Frequently Asked Questions (“FAQs”) for potential online posting.

What should be in the business’s notification plan?

The business should develop a notification plan for affected persons, based on legal requirements and its contractual obligations. The content of notice to affected persons will be dictated by regulation or contract, and public relations considerations should be taken into account. Remember that notices to attorneys general or consumer protection authorities are required in some jurisdictions. Similarly, how notice is delivered (e.g. by mail, or e-mail if the recipient agreed in advance to such notification method) requires a legal determination. Generally, notice should include this information:

  • Description of what happened;
  • Type of protected data involved;
  • Actions the business has taken to protect data from further unauthorized access;
  • What the business will do to assist affected persons;
  • What affected persons can do to assist themselves;
  • Contact information for the business to respond to inquiries (a toll-free 1-800 number should be provided); and
  • Contact information for local and federal government authorities.

The business may elect to offer remediation services to assist affected persons after a breach, including credit monitoring services, identity-theft insurance, identity-theft information packets, and/or compensation for identity theft. A number of companies have elected to offer remediation services, although usually such services are not legally required.

What other post-breach actions are indicated?

Prepare for litigation. If litigation is threatened, preservation of relevant documents and information is vital.

Re-assess technology systems, physical and administrative security. The business should conduct an analysis of the breach to determine causes and should review access controls and procedures to ensure that weaknesses have been addressed and resolved.

Perform an assessment. Assess the business's operations to determine necessary revisions to data collection, retention, storage, and processing policies and procedures, so that further breaches are less likely to occur.

Evaluate the business's response. After the business has responded to the breach, it should evaluate its response and implement changes to improve its effectiveness in preventing and responding to breaches.

Summary

  • Have a written post-breach response plan ready and tested before a breach happens.
  • Ensure that business officials know what role they will have when a breach happens.
  • Have a communications plan regarding breaches.
  • Know what regulations, statutes, and contracts cover post-breach obligations.
  • When a breach happens, act promptly to prevent further exposure of data.
  • Promptly find out what happened and preserve the evidence.
  • Involve technology and legal experts as needed.
  • Have draft notices that are ready to be customized with reference to the facts.
  • Contact law enforcement, credit-reporting agencies, and the business's insurance carrier as appropriate.
  • Keep regulators informed, both when required by law and when merely sensible.
  • Provide timely notice; legal deadlines are strict.
  • Help affected individuals; their goodwill can forestall legal difficulties.
  • Update the breach response plan periodically.