For Individuals: Protect Your Identity
If you have lost your phone or laptop, or suspect you have been hacked, follow these steps immediately (within the first 24 hours).
Spot the signs: 2FA codes you didn't request, unusually slow performance, ransom notes.
Tools: check whether your accounts appear in known breaches at HaveIBeenPwned.com, and scan the device with ESET Online Scanner.
Isolate the device: disconnect Wi-Fi, LAN and Bluetooth. Do not power it off (volatile evidence in memory is needed for forensics).
Change passwords from a different, clean device.
Freeze your credit cards and notify your banks. If HKID or Face ID data has been lost, report it to the Immigration Department immediately (deepfake risk).
Resource: Use CyberDefender (Scameter+).
Notify the PCPD voluntarily if personal data is at risk of misuse (identity theft). Report to the Police if theft is involved.
For SMEs: Business & Client Protection
SMEs (5-50 staff) must act fast to protect client trust and minimize PDPO risks.
Phase 1: Immediate Response (0-24 Hrs)
- 🔴 Isolate: "air-gap" the network. Pull the network cables. Do NOT reboot servers (RAM contains evidence).
- 🔍 Assess double extortion: in 2026, ransomware doesn't just lock data; it steals it first. Check outbound traffic and exfiltration logs for signs of data theft.
- 📞 Triage: Call HKCERT Hotline (8105 6060) for technical help.
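As an added illustration of the "check exfiltration logs" step (not code from the original page), the script below sums outbound bytes from internal hosts to external destinations in a constructed firewall-log sample and flags source/destination pairs that exceed a volume threshold; the log line format, the RFC 1918 internal ranges and the 500 MiB threshold are assumptions to adapt to your own firewall or proxy.

```python
"""Flag likely data exfiltration in firewall/proxy logs (constructed sample)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed line format (not from the page): "<timestamp> src=<ip> dst=<ip> bytes_out=<n>"
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) bytes_out=(\d+)")

# Assumed internal address space (RFC 1918); adjust to your network.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# Constructed sample: one workstation pushing large volumes to an external host at 02:00.
SAMPLE_LOGS = """2026-01-15T02:13:01 src=10.0.5.23 dst=203.0.113.9 bytes_out=734003200
2026-01-15T02:14:10 src=10.0.5.23 dst=203.0.113.9 bytes_out=812000000
2026-01-15T09:01:00 src=10.0.5.41 dst=10.0.1.2 bytes_out=52428800
2026-01-15T09:05:12 src=10.0.5.41 dst=198.51.100.7 bytes_out=1048576
2026-01-15T09:06:12 src=10.0.5.77 dst=198.51.100.7 bytes_out=2097152
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def outbound_totals(log_text):
    """Sum bytes sent from each internal source to each external destination."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed or unrelated lines
        src, dst, nbytes = m.group(1), m.group(2), int(m.group(3))
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return dict(totals)


def flag_exfiltration(log_text, threshold_bytes=500 * 1024 * 1024):
    """Return sorted (src, dst, total_bytes) tuples whose external outbound volume exceeds the threshold."""
    return sorted(
        (src, dst, total)
        for (src, dst), total in outbound_totals(log_text).items()
        if total > threshold_bytes
    )


if __name__ == "__main__":
    for src, dst, total in flag_exfiltration(SAMPLE_LOGS):
        print(f"REVIEW: {src} sent {total / 2**20:.0f} MiB to external host {dst}")
```

Flagged pairs are leads for the incident responder to confirm against proxy, DNS and endpoint records, not proof of theft on their own.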
Phase 2: Notification & Compliance
- Clients: notify affected clients immediately if the risk is high (e.g., credit card or HKID data leaked). Transparency reduces the risk of lawsuits.
- PCPD: notification is "voluntary" for general SMEs, but strongly expected within 72 hours.
- Police: Report to Cyber Security Bureau (CSTCB) if criminal hacking is suspected.
Phase 3: Recovery
Restore from clean offline or immutable backups (3-2-1 rule: three copies, on two different media, one kept off-site). Patch the exploited vulnerabilities before reconnecting. Anonymize data per the 2026 PCPD Guidelines.
⚖️ Am I Legally Liable? (2026 Status)
The law has evolved. Are you a "General SME" or "Critical Infrastructure"?
If you are in Energy, Banking, Transport, or Comms (under the Cybersecurity Critical Infrastructure Ordinance):
- Reporting breaches to the Commissioner is MANDATORY within a tight timeframe (e.g., 2 hours for severe incidents).
- Fine: Up to HK$5 Million for non-compliance.
For general SMEs: notification is technically voluntary (under the PDPO), but dangerous to ignore.
Risk: PCPD enforcement of the "Security Principle" (DPP4) is strict. If you hide a leak and clients complain, you risk Enforcement Notices. Failure to comply with a Notice is a criminal offence.
Even if the government doesn't fine you, clients can sue for damages under PDPO Section 66 (e.g., for emotional distress or fraud losses). Prompt notification is your best defence in court.
🎓 Knowledge Check: 2026 Guidelines
Test your understanding of the current threats and laws.