Securities regulator should look into Cathay Pacific data leak case

  • Office of the Privacy Commissioner for Personal Data is impotent when it comes to punishing firms for breaching the law
PUBLISHED : Monday, 05 November, 2018, 4:44pm
UPDATED : Monday, 05 November, 2018, 11:07pm

It’s hard to imagine that there could be no consequence or penalty for a listed corporate giant after the leaking of the personal data of millions of customers. Yet, given the regulatory and legal environment in Hong Kong, that may well be the case for Cathay Pacific, the city’s flagship carrier.

The data breach has affected 9.4 million customers and caused a war of words between the former and current privacy commissioners. In an unusually harsh criticism, former chief Allan Chiang Yam-wang blasted his successor, Stephen Wong Kai-yi, for routinely failing to investigate companies adequately even when there were prima facie grounds to do so.

Apparently, it’s the difference between undertaking a “compliance check” rather than a formal probe. Well, it’s a fine distinction. Known formally as the Office of the Privacy Commissioner for Personal Data, it’s long on promoting privacy and data protection awareness but short on powers to enforce penalties and punish wrongdoers. In other words, it’s a paper tiger.

If the office were to shut down tomorrow, no one in Hong Kong would experience the slightest difference in their lives, except that taxpayers would save a pretty penny.

There is a local regulator that does have teeth: the Securities and Futures Commission. Legal and investment experts have argued there is a case for the commission to involve itself.

As in many other jurisdictions, Hong Kong’s securities law requires listed companies to disclose expeditiously any information that could have an impact on share prices.

Cathay knew about the problem in March and determined it was a data breach by May. Yet, it sat on the information until last month. One ludicrous explanation for the delayed disclosure by Cathay management was that it didn’t want to cause a public panic. If it was such a serious matter, it should have informed the authorities, including the police, even if it didn’t want to alarm the public.

It’s been pointed out that the massive hacking was made public only after the airline’s interim results were released in August. On the night of October 24, the airline finally disclosed the data breach on the local stock exchange’s disclosure platform. Cathay’s share price plunged 3.3 per cent the next day, compared to the Hang Seng Index’s decline of 1 per cent.

The news did appear to be price-sensitive for market participants. This should be a test case for the commission to be involved.