Hong Kong’s data breach notification framework - inadequacies and corrective actions required

Data breaches resulting from information security failures continue to be a matter of pressing concern. Given the increasing number of compromised data security incidents globally, data breach notification has emerged as an issue of increasing urgency. In response, breach notification laws have been enacted to ensure individuals are appropriately informed when their personal identifiable information has been compromised, so as to enable affected individuals to mitigate any harm so arising. Mandatory data breach notification laws are an important development in this regard. Such laws mandate that an organization that has suffered a data breach involving personal identifiable information shall notify affected individuals and in some cases, regulators. This article argues that for Hong Kong to maintain its rightful place across international norms, as a modern, legally and commercially trustworthy and reliable jurisdiction, and at the same time continues to assure its citizens that the confidentiality of their personal identifiable information is secure, a mandatory approach to data breach notification needs to be implemented.