CYBER ATTACKS: THE INCREASINGLY COMPLEX LANDSCAPE OF REGULATORY REPORTING EXPECTATIONS
Personal data protection legislation is evolving globally, and nowhere more rapidly than across Asia. The landscape of data breaches and other regulatory reporting obligations is becoming increasingly varied, with potential traps for those who are not following the latest developments.
Some of these apply extraterritorially to data users doing business in Asia even if they are incorporated elsewhere.
In Hong Kong, the law remains territorial, but it is becoming clear that the Privacy Commissioner for Personal Data (PCPD) expects companies that suffer data breaches to notify both the PCPD and affected data subjects in Hong Kong, even though there is currently no mandatory data breach reporting obligation under Hong Kong law.
C-suite concerns and high-profile enforcement action
By late 2022, US corporate executives had already identified cyber attacks as the primary business risk, and revising and enhancing companies’ cyber risk management as their second most important focus, according to PwC’s ‘Pulse Survey’. Last year, “more frequent and/or broader cyber attacks” remained the primary risk identified by US corporate executives in the same survey.
The profile and public awareness of ransomware have also been raised by high-profile law enforcement actions, among them the recent actions taken against the LockBit ransomware group. These culminated on 7 May 2024 in a global law enforcement coalition, including the UK National Crime Agency, the US Department of Justice and the US Treasury Department (among others), naming and sanctioning a co-founder of the LockBit group.