Once in a while I run across Hong Kong data breach stories. Today I ran across two stories, one of which made me raise my eyebrows: companies in Hong Kong don’t need to report data breaches. With such a policy, it’s questionable whether companies feel the need for disk encryption like AlertBoot.
Queen Mary Hospital Has Data Breach
Queen Mary Hospital has announced a second data breach in less than a year. In July 2010, slightly over 700 people were affected by the theft of computers and external disks. Today, QMH has announced that a flash drive that was used as a backup is missing, affecting 19 patients. Names and Hong Kong identity card information were contained in the USB drive.
The device was not protected with either password protection or encryption software. In fact, the original desktop computer that was housing the data was not encrypted either, although password-protection was present on it. I’ve, of course, pointed out that password-protection is not security.
Hong Kong Office of the Privacy Commissioner for Personal Data
In a separate story, it was revealed that the Epsilon data breach had affected many companies in Hong Kong and China (referred to as the “mainland” in the scmp.com article). Seeing how Hong Kong is an international business venue, I guess it’s to be expected (that the Epsilon breach would have affected HK).
What was surprising, though, was this declaration:
But so far affected companies in Hong Kong have yet to pass on the information to their customers.
According to a spokeswoman at Hong Kong’s Office of the Privacy Commissioner for Personal Data, companies in the city “have no legal obligation to report a data breach”.
Which means that Queen Mary Hospital must really be concerned about the welfare of their patients. How else can you explain their actions?
Of course, I might snarkily note that if they were that concerned, they ought to seriously look into using a data encryption service like AlertBoot to secure their information.