Determining the scope of the information security management system

A requirement additional to ISO/IEC 27001:2013, 4.3 is: When determining the scope of the PIMS, the organization shall include the processing of PII. NOTE The determination... ... - Licensed content not shown -


LGPD (Lei Geral de Proteção de Dados Pessoais) - Brazil

Art.46: Processing agents must adopt security measures, both technical and administrative, suitable to protect personal data from unauthorized access and from accidental or illegal destruction, loss, change, communication, or dissemination events, or any other occurrence resulting from inappropriate or illegal processing. § 1 The National Data Protection Authority may determine minimum technical standards for the purposes of the provisions of this Article, considering the nature of the information processed, the specific characteristics of the processing, and the current state of technology, especially in the case of sensitive personal data, as well as the principles outlined in Article 6 of this Law. § 2 The measures contemplated in the head provision of this Article must be considered from the phase of the development of the good or service until its execution.


CCPA (California Consumer Privacy Act), California Civil Code - USA

S.1798.150.a: (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following: (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater. (B) Injunctive or declaratory relief. (C) Any other relief the court deems proper. (2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

DPP (Data Protection Principles) - Hong Kong

DPP.4.1: All practicable steps shall be taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to— (Amended 18 of 2012 s. 40; 17 of 2018 s. 129) (a) the kind of data and the harm that could result if any of those things should occur; (b) the physical location where the data is stored; (Amended 18 of 2012 s. 40) (c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored; (Amended 18 of 2012 s. 40) (d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and (e) any measures taken for ensuring the secure transmission of the data.