Privacy laws in Hong Kong to get major overhaul as government targets companies after Cathay Pacific data breach scandal
- Personal details of 9.4 million customers were stolen in 2018 but airline failed to report it for months
- New law would give companies five days to report a breach and watchdog would have power to fine offenders proportion of global income
Hong Kong’s privacy laws could soon be strengthened with the government considering tougher financial penalties for companies that do not report data breaches within five days.
The move, which would bring the city in line with the European Union among others, comes in response to the hacking of Cathay Pacific in 2018, when the personal information of 9.4 million of the airline’s customers were stolen in a major security breach.
Although the hack occurred in March of that year, the carrier did not report it until October, and critics have long said the law lacks teeth in the face of rapid technological advances, a criticism Privacy Commissioner Stephen Wong Kai-yi has accepted.
Presently, individuals or companies involved in data breaches are under no obligation to report the incident. The privacy watchdog could issue an enforcement notice against violation of privacy laws, but only a failure to comply with directives would attract a fine of HK$50,000 or two years in prison.
The proposed amendments to the Personal Data (Privacy) Ordinance would change that, requiring companies to report any major breach quickly, and giving the watchdog the power to fine offenders a portion of their global turnover.
