Cathay Pacific data leak warrants formal investigation, Hong Kong ex-privacy chief says in break with successor
- Allan Chiang says it is not the first time watchdog under Stephen Wong has failed to adequately investigate companies
- Number of investigations by privacy commissioner fell from 106 in 2014 to only one last year
A formal investigation is needed into the data leak at Cathay Pacific Airways that affected 9.4 million passengers, a former chief of Hong Kong’s privacy watchdog said on Saturday, questioning why the regulator had not launched one.
In a rare move, Allan Chiang Yam-wang, privacy commissioner from 2010 to 2015, criticised the office of his successor Stephen Wong Kai-yi for only undertaking a “compliance check” instead of a formal probe into Hong Kong’s flagship airline.
He said it was not the first time the watchdog had failed to adequately investigate companies in similar circumstances.
“Under these compliance checks, the privacy commissioner’s office reviews a company’s data security measures and makes recommendations, then the case is closed,” Chiang said on a pre-recorded radio show.
“There is no mention of whether the company has breached any law, and details about how the leak happened may not be disclosed. This kind of lax action is far from serious regulatory measures.”
In May the Post reported that the privacy watchdog had put investigations on the back-burner since Wong took office, to focus more on public education.
The number of investigations fell from 106 in 2014, and 76 in 2015, to only four in 2016 and one last year.
Cathay was slammed by Wong’s office last week after disclosing the data breach, which has let slip about 860,000 passport numbers and 240,000 Hong Kong ID card numbers, among other information.
The airline has come under heavy scrutiny from lawmakers and the public, but has yet to respond to a request for information from Wong’s office.
A compliance check involves the privacy watchdog simply alerting an organisation over its concern about data protection measures, and inviting the group to take remedial action. There is no suggestion of criminality.
A formal probe however would mean the commissioner launching an investigation and issuing an enforcement notice to correct any shortcomings. Failure to follow up would constitute a criminal offence. A report would be disclosed to the public.
Chiang, now a barrister, said Cathay’s seven-month delay in revealing the leak was not covered by any specific privacy law, but the large number of passengers affected could be grounds for the watchdog to initiate an investigation.
“If there’s reasonable suspicion surrounding the case, then existing laws already allow the commissioner to launch a probe,” Chiang said.
“An investigation is a regulatory procedure that brings a stronger deterrent effect to prevent future breaches. There is little harm in taking a more formal approach.”
The Post has reached out to the privacy commissioner’s office for comment.
Chiang believed tougher laws were required to ensure timely notification of data breaches. He also suggested companies should be forced to explain to customers how their personal information had been collected in the first place.
Cathay has repeatedly declined to comment on how the information in its data breach was collected, but said no leaked personal information had been misused.
But Chiang dismissed these assurances.
“Without the right under the law to trace back the origin of the data, we have no way to establish any link between this leak and possible misuse,” he said.