Row over Cathay Pacific data leak rumbles on as Hong Kong privacy chief hits back at predecessor’s criticism over handling of case

  • Privacy Commissioner Stephen Wong says comments by Allan Chiang are ‘irresponsible’
  • Chiang had said it was not the first time watchdog failed to adequately investigate companies
PUBLISHED : Sunday, 04 November, 2018, 10:29pm
UPDATED : Monday, 05 November, 2018, 8:33am

Hong Kong’s privacy chief on Sunday hit back at scathing criticism from his predecessor over his handling of the Cathay Pacific Airways data leak, calling the comments “ungrounded … incorrect and irresponsible”.

Privacy Commissioner Stephen Wong Kai-yi said it was established practice, dating back to the reign of previous chief Allan Chiang Yam-wang, to start a formal investigation only if a compliance check found it necessary.

Chiang said on Saturday that the number of investigations and enforcement notices issued by the commissioner’s office had dropped significantly under his successor.

Chiang, privacy commissioner from 2010 to 2015, said it was not the first time the watchdog had failed to adequately investigate companies in such circumstances as the Cathay Pacific case.

The Cathay leak affected some 9.4 million people. The carrier declined to comment on how the information in its breach was collected, but said no leaked data was misused.

“Under compliance checks, the privacy commissioner’s office reviews a company’s data security measures and makes recommendations, then the case is closed,” Chiang said.

“In the past three years, the number of investigations and the number of enforcement notices issued by the commissioner’s office have dropped significantly.”

Wong, who succeeded Chiang in August 2015, hit back with a lengthy statement on Sunday.

“Figures of enforcement cases of themselves do not speak for the quality of regulatory efforts,” he said.

“As a fair regulatory authority, [the office] does not regulate for figures but results.”

He said an analogy was that when the crime rate dropped, it did not mean law enforcement agencies relaxed their investigation efforts.

Wong also said compliance checks served to find out the relevant facts. It was also “a matter of procedural fairness” that such a check should precede a compliance investigation, which empowered the commissioner to summon witnesses, seize evidence and conduct public hearings.

He also stressed it was “entirely incorrect and irresponsible to suggest that after a compliance check, the process of compliance investigation will automatically stop”.

He added: “Any message to the public purported to suggest that [the office] will not carry out a detailed compliance investigation of the reported incident at this stage is ill-informed and misleading.

“Since 2014, cases of data breach have shifted to data security mainly and the number of compliance checks has been on the high side.”

Wong said there were 219 compliance checks in 2014, 279 in 2015 and 259 in 2016. As at the end of last month, there were 253 compliance checks this year, compared with 253 for the whole of 2017.

“There are other compliance investigations arising out of complaints received. It is regrettable that only one case of investigation and report was selected [by Chiang] as the basis for ungrounded criticism.”

The office said that as of last Friday it had received 80 complaints and 104 inquiries in relation to the Cathay data breach.