Enhancing Corporate and Organizational Information Security Practices with a Framework for Data Breach Notification

Project: Research



The aim of this study is to examine the laws relating to data breach notification. Protecting the privacy of personal information continues to pose significant challenges for organisations. As the currency of the digital era, personally identifiable information (PII) has become a target of cyber-criminals. When confidential PII such as an identity card number or a credit card number falls into the wrong hands, identity theft and identity fraud are a common result. Corporate entities and organisations suffer economic harm and reputational damage as a result of data breaches. Data breaches in the US cost organisations millions of dollars each year and affect millions of people. One reason for the rise in data breaches is the increasing number and use of Internet-connected devices. Given that "Big Data" has become increasingly affordable, public and private organisations globally are beginning to harness the power of Big Data to provide better services and products to consumers and civil society. This has resulted in even larger data repositories being created by corporate entities and organisations. Research suggests that the rapid digitization of consumers' lives, together with massive data collection and storage, will push data breach losses up to US$2.1 trillion globally by 2019 (Juniper Research, May 2015).

On a daily basis, Hong Kong people share personal information such as dates of birth, identity card numbers, and credit card numbers with companies, organisations and government agencies, either out of necessity or simply for the sake of convenience. However, not many data breaches in Hong Kong are reported. This is because, without breach notification laws, breaches remain private. The study aims to evaluate data breach reporting frameworks in the US and the EU to assess their impact and to examine how a similar reporting mechanism could be developed for Hong Kong.

The research is significant because it will generate knowledge that can be used to mitigate potential identity crime threats, enhance corporate reporting and instill greater individual confidence. The research outcome will be a recommended framework to assist in the implementation of a data breach reporting scheme for Hong Kong.

A mixed methodology will be adopted. First, qualitative face-to-face interviews will be conducted with key stakeholders from government, industry and regulatory viewpoints. The interviews will be used to confirm findings from the legal theory aspects of the research and to gain a deeper perspective on the scope of the data breach problem in Hong Kong. Second, an examination and analysis will be made of the legal and regulatory frameworks of data breach reporting models in the US and the EU to identify the key elements that will be relevant to the formation of a Hong Kong data breach reporting mechanism. The key elements will include how data breaches are reported under different models, when they are reported and to whom they are reported. Third, Hong Kong's existing legislative and regulatory framework will be examined to evaluate whether, and to what extent, current laws could be used to develop data breach notification. Based on the findings, this study will be able to offer recommendations on whether existing laws can be used to develop a reporting mechanism, whether all data breaches should be reported, how data breaches should be reported and to whom the breaches should be reported.


Project number: 9042433
Grant type: GRF
Effective start/end date: 1/01/17 to 1/12/21

Research areas

  • Data breach, Breach notification models, Identity theft, Information security, Regulatory framework