Cathay Pacific data leak: what can customers affected do to protect personal data and get redress?
- Customers should be vigilant in monitoring for possible misuse of their data and enable two-factor authentication on their accounts
- Companies may ultimately have to submit to stricter data regulations and revise their existing security measures
A week after Cathay Pacific Airways announced that personal information of 9.4 million customers had been leaked in a data breach in March, the public continues to wait to learn more about the cause.
Police and the privacy watchdog have launched investigations into the belated disclosure but, for the consumers who learned their information had been compromised, questions remain about how best to act and who to turn to for help.
1. What steps can individuals take to protect personal data that has been leaked?
Unlike credit card details, which can be cancelled and reissued, some of the data compromised in the Cathay breach cannot be changed: names and addresses, and identifiers that are not normally reissued with a new number, such as the Hong Kong identity card number.
For such data, the best policy is to be vigilant in monitoring the points where it could be misused, personal data security experts said, urging consumers to scrutinise their financial statements and enable two-factor authentication on their accounts.
2. What are some best practices for keeping personal data secure online?
For future protection, personal data security experts urge consumers to pare down what data exists online and ask questions about how their service providers are protecting them.
“As we are shifting more of our physical activities online, we have to protect ourselves where we can,” said Internet Society Hong Kong director Chester Soong. “My advice to most people is, unless the company or activity is a necessity, don’t sign up just for certain small benefits, and if you do, try to change your credentials every other month.”
Consumers also need to be aware of how smaller, in-person services, such as doctors, lawyers or accountants collect and secure their personal data.
3. How is the Hong Kong government working with consumers whose data was leaked in the recent breach?
Under Hong Kong privacy law, consumers do not have a direct route to sue companies they believe to have misused their data. Instead, the Office of the Privacy Commissioner for Personal Data (PCPD) might choose to investigate complaints and request businesses change their practices. Failure to act on such a request could result in penalties of HK$50,000 or two years’ imprisonment.
However, the PCPD can provide help and support for those seeking legal action over suspected misuse of their personal data. On Monday, Privacy Commissioner Stephen Wong Kai-yi offered to help Cathay breach victims who wanted to pursue the airline for damages.
Customers could also look to advocacy groups such as the Consumer Council, which could push the government for further regulation or take more grass-roots action.
4. What are the legal options available for victims of the breach?
A consumer who did want to sue could bring a tort claim in the Hong Kong courts. However, such a case requires the consumer both to prove that Cathay’s negligence led to the breach and to show that the breach caused them tangible damage, according to Stuart Hargreaves, professor in the Faculty of Law at Chinese University.
“It is highly unlikely the courts of Hong Kong would grant recovery only for emotional stress associated with having one’s information included in the breach,” Hargreaves said.
5. What can the government and financial institutions do to strengthen consumer data protection in Hong Kong?
In the wake of the Cathay breach, consumer advocates, experts, and consumers have been calling for stricter regulation for companies on how they report data breaches.
“A lot will depend on what happens with this case,” said John Bacon-Shone, director of the Social Sciences Research Centre at the University of Hong Kong, noting that in recent years the PCPD’s emphasis has been on education and compliance, and that it may be pressured to return its focus to investigation and expanding regulation.
“Often the private companies don’t mind more regulation because then it’s fair game and everybody does it,” he said, pointing to cases in the United States where Apple and Google have supported stronger privacy regulations.
Digital security experts also warn that banks may need to change how they verify customers’ identities, since verification often relies on confirming the same data points, such as name, address and identity card number, that were leaked.
“We are moving toward the point where there is no choice, you need dual factor identification, so you both get a code on your device, plus have to answer [personally written] questions,” Michael Gazeley, managing director of cybersecurity service provider Network Box Corporation, said.
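The problem Gazeley describes, and the fix, can be shown in a few lines. The following is an added example written for this page, not code from Cathay Pacific, any bank, or the experts quoted; the customer record and leaked copy are constructed with hypothetical values, and the one-time-code secret is the published RFC 4226 / RFC 6238 test-vector secret so the codes are reproducible. A knowledge-based check alone is passed by anyone holding the leaked record; adding a device-generated time-based one-time code (TOTP, RFC 6238, implemented here from the standard library) stops an attacker who has the data but not the device.

```python
import hashlib
import hmac
import struct

# Secret from the RFC 4226 / RFC 6238 test vectors, used so the codes below are
# reproducible; a real deployment provisions a random per-customer secret.
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed sample record (hypothetical values): the fields a bank's
# knowledge-based check typically asks for, which are the kind of fields a
# breach exposes. After a leak the attacker holds an identical copy.
CUSTOMER_RECORD = {"name": "Chan Tai Man", "hkid": "A123456(7)", "dob": "1980-01-01"}
LEAKED_RECORD = dict(CUSTOMER_RECORD)


def kba_check(claims, record):
    """Knowledge-based verification: pass if every field on record is answered correctly."""
    return all(claims.get(field) == value for field, value in record.items())


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the code for the current step or one step either side (clock skew).
    Uses a constant-time comparison so response timing does not leak digit matches."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def verify_customer(claims, code, record, secret, at_time):
    """Two-factor check: the KBA answers and the device-generated code must both pass."""
    return kba_check(claims, record) and verify_totp(secret, code, at_time)


def simulate_breach_scenario(at_time):
    """Returns (attacker passes KBA alone, attacker passes two-factor, real customer passes two-factor)."""
    # Attacker: holds the leaked record, so answers every knowledge question correctly...
    attacker_kba = kba_check(LEAKED_RECORD, CUSTOMER_RECORD)
    # ...but has no device secret and can only guess a code.
    attacker_2fa = verify_customer(LEAKED_RECORD, "000000", CUSTOMER_RECORD, RFC_TEST_SECRET, at_time)
    # Genuine customer: correct answers plus the code from their own device.
    customer_2fa = verify_customer(
        CUSTOMER_RECORD, totp(RFC_TEST_SECRET, at_time), CUSTOMER_RECORD, RFC_TEST_SECRET, at_time
    )
    return attacker_kba, attacker_2fa, customer_2fa


if __name__ == "__main__":
    print("RFC 6238 vector, t=59:", totp(RFC_TEST_SECRET, 59))
    print("(attacker KBA, attacker 2FA, customer 2FA):", simulate_breach_scenario(59))
```

The point of the scenario function is the middle value: once a record has leaked, the knowledge questions have zero security value against anyone who holds it, and only the factor the attacker does not possess (the device secret) separates the customer from the impostor. The one-step window on either side is the usual concession to clock drift; widening it further trades security for convenience.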