Privacy Daily is a service of Warren Communications News.

Hong Kong Watchdog Unveils Gen AI Guidelines, Results of Data Breach Probe

The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) Monday published a checklist on guidelines for use of generative AI (Gen AI) by employees, along with findings from a data breach investigation.


Hong Kong organizations are increasingly exploring ways to use Gen AI to boost their competitiveness and drive digital transformation, the office noted. It stressed that Hong Kong places equal emphasis on development and security. The guidelines aim to balance those interests by helping companies develop internal policies or guidance on the use of Gen AI by employees while complying with the requirements of the Personal Data (Privacy) Ordinance.

The guidelines recommend that organizations' policies cover several aspects of Gen AI: (1) The scope of permissible use of Gen AI. (2) Personal data protection. (3) Lawful and ethical use and bias prevention. (4) Data security. (5) Violations of policies or guidelines.

The guidelines also give organizations practical tips for supporting staff who use Gen AI tools, such as ensuring that guidelines and policies are regularly communicated to them, offering training in Gen AI tools, and establishing a feedback mechanism so workers can identify areas for improvement.

The data breach probe arose from a notification by ImagineX in May 2024 that it had received a ransom note from a threat actor who claimed to have stolen its data and threatened to sell it, the PCPD said. The investigation found that the actor compromised a temporary user account that the company had created on its firewall for urgent remote support for a vendor.
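The root cause the PCPD describes, a temporary firewall account created for one-off vendor support that remained usable long after the support session, is a control failure an audit script can catch. The following is an added example, not code from the PCPD's findings or from ImagineX: it assumes an exported list of accounts with a temporary flag, creation and expiry timestamps and last-login time, and applies two assumed policy thresholds (a 24-hour maximum lifetime and a 7-day dormancy limit) to flag accounts that should have been disabled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Account:
    """One account record as exported from a firewall or directory (fields assumed)."""
    name: str
    temporary: bool              # created for a one-off purpose such as vendor remote support
    created: datetime
    expires: Optional[datetime]  # None means no expiry was ever set
    enabled: bool
    last_login: Optional[datetime]


# Assumed policy values for this example; adjust to the organization's own standard.
MAX_TEMP_LIFETIME = timedelta(hours=24)  # a support account should live at most one day
DORMANT_AFTER = timedelta(days=7)        # an unused temporary account is disabled after a week


def audit_temporary_accounts(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for temporary accounts that violate policy.

    Findings:
      no-expiry               - the account was created without an expiry at all
      lifetime-exceeds-policy - expiry is set, but further out than MAX_TEMP_LIFETIME allows
      expired-but-enabled     - expiry has passed, yet the account can still log in
      dormant-but-enabled     - no activity for longer than DORMANT_AFTER, yet still enabled
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.temporary:
            continue  # permanent accounts are governed by a different review
        if acct.expires is None:
            findings.append((acct.name, "no-expiry"))
        else:
            if acct.expires - acct.created > MAX_TEMP_LIFETIME:
                findings.append((acct.name, "lifetime-exceeds-policy"))
            if acct.enabled and now >= acct.expires:
                findings.append((acct.name, "expired-but-enabled"))
        if acct.enabled:
            # An account never logged into is measured from its creation time.
            last_activity = acct.last_login or acct.created
            if now - last_activity > DORMANT_AFTER:
                findings.append((acct.name, "dormant-but-enabled"))
    return findings


# Constructed sample data: a reference time and four account records.
UTC = timezone.utc
NOW = datetime(2024, 5, 20, 9, 0, tzinfo=UTC)

SAMPLE_ACCOUNTS = [
    # Permanent service account: ignored by this audit.
    Account("svc-backup", False, datetime(2023, 1, 1, tzinfo=UTC), None, True,
            NOW - timedelta(hours=2)),
    # Temporary vendor account created months ago with no expiry and still enabled.
    Account("vendor-support-tmp", True, datetime(2024, 3, 1, 8, 0, tzinfo=UTC), None, True,
            datetime(2024, 3, 1, 10, 0, tzinfo=UTC)),
    # Temporary account whose 12-hour window has passed but which was never disabled.
    Account("vendor-patch-tmp", True, datetime(2024, 5, 19, 8, 0, tzinfo=UTC),
            datetime(2024, 5, 19, 20, 0, tzinfo=UTC), True,
            datetime(2024, 5, 19, 9, 0, tzinfo=UTC)),
    # Temporary account handled correctly: expired and disabled.
    Account("vendor-audit-tmp", True, datetime(2024, 5, 19, 8, 0, tzinfo=UTC),
            datetime(2024, 5, 19, 20, 0, tzinfo=UTC), False, None),
]


def accounts_needing_action(accounts: List[Account], now: datetime) -> List[str]:
    """Distinct account names with at least one finding, in a stable order."""
    return sorted({name for name, _ in audit_temporary_accounts(accounts, now)})


if __name__ == "__main__":
    for name, finding in audit_temporary_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: {finding}")
```

Run on the sample, the script flags the no-expiry dormant vendor account twice and the overdue patch account once, while the permanent service account and the properly disabled audit account produce nothing. The same check works against a real export once the records are mapped into the `Account` fields; the useful operational step is running it on a schedule and treating any finding as a ticket to disable the account.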

After gaining access to the company's network, the bad actor stole around 68 GB of data from ImagineX, compromising four servers and five system accounts, the PCPD said. The breach involved two loyalty programs and affected over 127,000 people. Personal data involved included names, email addresses and employees' passport copies.

After the breach, ImagineX took steps to notify and support the data subjects and put remedial measures in place, the PCPD said. However, it added, the company had failed to put in place an adequate level of data security, and it was ordered to address the situation and prevent recurrences.