Data breach incidents have dominated recent headlines. While these incidents are unfortunate for the parties involved, they provide us with valuable lessons about the proper approach to processing personal data and cybersecurity.
In this article, we highlight some of the key lessons to be learnt.
1. It is now commonplace for organisations to have in place policies on data handling and information security which reflect requirements under data privacy laws. Whilst this is a good first step, care must be taken to ensure:
- Proper compliance with policies. In a recent data breach incident, one of the key issues was keeping data for longer than was necessary to fulfil the purpose for which it was collected: although the organisation had a data retention policy, data was kept beyond the stated retention period. Organisations should implement measures to delete data promptly upon expiry of the retention period. Appointing designated personnel or a data protection officer to oversee the personal data privacy management programme and monitor compliance would be one appropriate measure.
- Policy contents and procedures should not be overly general. For example, there should be a specific and clear data retention period for each type of data or each system/server/database, e.g. no longer than two years for recruitment-related data held about a job applicant, counted from the date of rejection. As another example, rather than requiring security audits to be “regular”, operational procedures should clearly state what the expected frequency is or how it is to be determined.
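As an added illustration of the two points above (this is not code from the article, nor any client's actual policy), the following Python sketch shows what a per-category retention schedule and an enforcement check look like in practice: each category names the event that starts the clock and a concrete maximum period, records whose period has run out are reported and deleted with an audit trail, and records the schedule cannot classify are surfaced as a policy gap rather than silently kept. The two-year recruitment rule is the article's example; the category names, the seven-year account figure, the record structure and the sample dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule (hypothetical; not the article's or any client's policy).
# Each category names the event that starts the clock and the maximum number of days the
# data may be kept after it. Only the two-year recruitment rule comes from the article.
RETENTION_POLICY = {
    "recruitment": {"trigger": "rejected_on", "max_days": 730},          # two years from rejection
    "customer_account": {"trigger": "closed_on", "max_days": 7 * 365},  # constructed placeholder
}

# Constructed "as of" date used by the sample report below.
AS_OF = date(2024, 6, 1)


@dataclass
class Record:
    record_id: str
    category: str
    events: dict = field(default_factory=dict)  # event name -> date on which it happened


def retention_deadline(record, policy=RETENTION_POLICY):
    """Return the date after which the record must be gone, or None if its clock has not started.

    Raises KeyError when the category has no rule: a record the policy cannot classify is a gap
    in the policy itself, so the caller should report it rather than default to keeping the data.
    """
    rule = policy[record.category]
    trigger_date = record.events.get(rule["trigger"])
    if trigger_date is None:
        return None  # e.g. an applicant who has not been rejected yet
    return trigger_date + timedelta(days=rule["max_days"])


def classify(records, today, policy=RETENTION_POLICY):
    """Split records into (expired, retained, uncategorised) ids as of `today`."""
    expired, retained, uncategorised = [], [], []
    for rec in records:
        try:
            deadline = retention_deadline(rec, policy)
        except KeyError:
            uncategorised.append(rec.record_id)
            continue
        if deadline is not None and today > deadline:
            expired.append(rec.record_id)
        else:
            retained.append(rec.record_id)
    return expired, retained, uncategorised


def purge_expired(store, today, policy=RETENTION_POLICY):
    """Delete expired records from `store` (dict id -> Record); return (audit trail, policy gaps)."""
    expired, _, uncategorised = classify(list(store.values()), today, policy)
    audit = []
    for rid in expired:
        rec = store.pop(rid)
        audit.append({"record_id": rid, "category": rec.category, "deleted_on": today.isoformat()})
    return audit, uncategorised


# Constructed sample data for a stand-alone run.
SAMPLE_RECORDS = [
    Record("app-001", "recruitment", {"rejected_on": date(2022, 1, 15)}),  # past the two-year mark
    Record("app-002", "recruitment", {"rejected_on": date(2023, 1, 1)}),   # still within two years
    Record("app-003", "recruitment", {}),                                  # not yet rejected
    Record("mkt-001", "marketing", {"collected_on": date(2020, 5, 5)}),    # no rule: policy gap
]


def run_report(today=AS_OF):
    """Apply the schedule to a copy of the sample store and return what was deleted and what was unclassified."""
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    audit, gaps = purge_expired(store, today)
    return audit, gaps, sorted(store)


if __name__ == "__main__":
    audit, gaps, remaining = run_report()
    for entry in audit:
        print("deleted", entry)
    for rid in gaps:
        print("no retention rule for record", rid, "- policy needs a category for it")
    print("remaining records:", remaining)
```

The deliberate design choice is to fail loudly on an unclassified category instead of assuming "keep": a schedule that leaves a data type uncovered is exactly the kind of overly general policy the article warns against, and the report makes that visible to whoever is overseeing the programme.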
2. Organisations should also proactively conduct regular security audits to monitor potential threats and developments. What amounts to “regular” would depend on the scale of information systems and amount of personal data processed. For large organisations, it may be necessary to conduct risk assessments and security audits at least once a year. In addition, prior to deploying a new system or upgrade, a pre-implementation risk assessment or independent security audit should be conducted.
3. For organisations that operate large-scale information systems and retain significant amounts of personal data, it is not enough to rely on a single anti-malware program to detect suspicious activity, since a single control can easily be disabled by an intruder. Rather, a “defence-in-depth” cybersecurity strategy, which layers multiple independent security measures to safeguard an organisation’s systems, should be deployed.
These are just a few of the many lessons learnt from recent data breach incidents. To ensure compliance with applicable data privacy laws, in particular regarding the retention of personal data and data security, we recommend that clients take this opportunity to review their privacy policies and security measures to check for any gaps and room for improvement.
For further information, please contact:
Machiuanna Chu, Partner, Deacons
machiuanna.chu@deacons.com