The fact Cathay Pacific does not have to notify anyone of a data breach is unacceptable. The law must change
- Stuart Hargreaves says it is inexcusable that Cathay took months to announce a security breach affecting millions. It’s about time Hong Kong updated its law
- The government should enact an EU-style system, which requires that authorities are notified of any breach within 72 hours of it being discovered.
On October 24, Cathay Pacific revealed that it had suffered a computer security breach, exposing 9.4 million passenger records. Although the information varied from customer to customer, the breach apparently involved names, dates of birth, addresses, passport information, identity card numbers, expired credit card numbers, travel histories and customer service records.
Perhaps more staggering than the scope of the incident is the fact that it took place in March, more than six months ago. Even now, some individuals might not know whether they are among the affected passengers – the airline said it would contact customers over the next few days.
The leaked information could be put to malicious use. The most obvious consequences could be identity theft and fraud, or criminal attempts to open new accounts and credit cards. To prevent such misuse, Cathay said it was offering “ID monitoring services” to help ascertain whether customers’ personal information had been shared online.
But this is far from foolproof: several years ago, the CEO of a similar service known as LifeLock publicly advertised his social security number as a guarantee that his company could prevent identity theft in the event of a data leak. He subsequently had his identity stolen at least 13 times.
But the harm to Cathay Pacific’s customers could go far beyond identity theft. The leak of individual travel records is a gross violation of privacy that no kind of ID monitoring can remedy. Information about where we go, when and with whom can reveal an awful lot about our lives.
Consider the possible complications. We might not shed tears for, say, a cheating spouse who is found to have flown to Bali for a weekend with a colleague rather than to Taipei on a solo business trip. But perhaps we would be more concerned for a domestic violence victim whose travel records effectively reveal the identity of a new partner. Have these unsettling scenarios happened? We don’t know because Cathay isn’t saying.
Under Hong Kong’s privacy law, the airline is under no obligation to notify either the Office of the Privacy Commissioner or its own customers of the data breach, nor does it need to detail concrete steps it is taking to deal with the incident. In contrast, the European Union has enacted a new privacy law, the General Data Protection Regulation, which requires data controllers to notify the relevant authorities of any breach within 72 hours of discovering it.
The notification must include a description of the breach, the approximate number of individuals and data records concerned, the name and contact details of a designated staff member, the likely consequences of the breach, and the measures taken or proposed to mitigate any possible adverse effects. Failure to report a data breach draws a fine of up to 10 million euros (HK$89 million) or 2 per cent of a company’s global turnover, whichever is higher.
Presuming Cathay Pacific imposed all reasonable safeguards to protect the data of its customers, it is not necessarily at fault for the breach. Hacking happens; no completely secure computer system has yet been devised. What is inexcusable, however, is the airline’s tardiness in notifying its customers. More than six months have gone by while passengers were kept in the dark about a major security breach, and even now there is a dire lack of clarity about precisely who has been affected and to what extent.
Hong Kong’s privacy law is hopelessly outmoded. It has been significantly amended only once, and that was in the wake of the 2010 Octopus card data scandal. After it was revealed that customers’ information had been sold to third parties without their consent, the law was tweaked to regulate direct marketing. When the business world fails to properly regulate itself, it is time for the government to step in.
That was the case in 2010, and it is the case now. An obvious thing Hong Kong could do is to implement an EU-style mandatory notification system for data breaches. However, the government would be wise to be proactive rather than reactive.
It should not be shutting the stable door after the horse has bolted, or amending the law only in response to well-publicised incidents. It is high time for a comprehensive review and reform of the law to be undertaken – and for the Personal Data (Privacy) Ordinance to be brought into the modern era.
Stuart Hargreaves is a professor in the Faculty of Law at the Chinese University of Hong Kong.