Experts point out that the recent data breach that had impacted Cathay Pacific exposes a gap in Hong Kong laws.
The Hong Kong-based international airline had, on October 24, 2018, acknowledged a data breach that had impacted its computer system at least seven months before. A Cathay Pacific press release had stated, “Cathay Pacific announced today that as part of its ongoing IT security processes, it has discovered unauthorised access to some of its information system containing passenger data of up to 9.4 million people. Upon discovery, the company took immediate action to investigate and contain the event. The company has no evidence that any personal information has been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.”
Experts have now come up saying that this breach, which could have impacted up to 9.4 million people, has to do with Hong Kong laws, which don’t demand timely declaration. As of now, Hong Kong laws don’t demand disclosure of data leaks and that definitely is an issue.
Cathay Pacific, which had detected the suspicious activity on its network in March, had confirmed the breach in May. But the company had disclosed details of this breach last week, seven months after detecting suspicious activity. Though this delay has been harshly criticized, the airline has stated that the incident required thorough investigation because of the complexity of the data involved and that accounted for the delay.
Well, the fact that Hong Kong laws don’t demand timely declaration of such incidents needs to be discussed in the light of what is happening all the world around.
As per the new GDPR (General Data Protection Regulation), companies in the European Union countries should report any data breach within 72 hours of its detection.
Coming to the region where Hong Kong is situated, South Korea, Australia, the Philippines, Indonesia, Taiwan- all have notification-related laws in place. Singapore, where companies already are covered by the continuous disclosure obligation, too is changing its laws to suit the changing times.
Irrespective of all these changes happening across the world, Hong Kong still holds on to a privacy law that dates back to 1995 and which is based upon Data Protection Directive, the previous privacy law of the European Union. Hong Kong’s privacy law is of a rather outdated model, based on the kinds of threats to privacy that used to happen in the 1980s and early 1990s.
A report in The Straits Times, discussing the issues pertaining to the Hong Kong laws in the light of the Cathay Pacific incident, states, “Currently, disclosure of data leaks in Hong Kong is not mandated and is “a matter of best practice”, said Mr Olli Jarva, managing consultant of the software integrity group at tech firm Synopsys…Law Professor Stuart Hargreaves from The Chinese University of Hong Kong said the incident shows that the city’s privacy laws are outdated and need a refresh.”
The report also quotes Associate Professor Mak as suggesting, “Perhaps listing rules (in Hong Kong and Singapore) need to be relooked to include major data breaches such as the Cathay Pacific case as one of the specific items that should be disclosed immediately”.
The Cathay Pacific breach is currently being investigated by the police and the privacy commissioner.
