In June, Hong Kong's privacy regulator issued an enforcement notice over one of the largest known data breaches in recent history, in which the personal data of 9.4 million Cathay Pacific passengers was compromised. In this article for StrategicRISK, we unpick the lessons to be learnt.
In June, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued an enforcement notice against Cathay Pacific Airways (and its affiliate Hong Kong Dragon Airlines) after a data breach compromised the personal data of some 9.4 million customers.
The enforcement notice concerned two aspects of the Personal Data (Privacy) Ordinance (PDPO):
The enforcement notice raises key practical compliance points for those assessing and managing data security risk:
Further, because of the scale of the Cathay Pacific data breach, as well as the lapse of time between discovery and reporting (see below), there is speculation that Hong Kong may introduce a mandatory data breach notification obligation into the PDPO.
Comprehensive mandatory data breach notification obligations already exist in Australia, the Philippines, Taiwan and South Korea, with Singapore likely to adopt this soon. The PCPD encourages breach notification, but as in China and Japan, this remains a recommended best practice rather than a mandatory requirement.
The decision may also support class action civil suits in some jurisdictions and rekindle the debate about Hong Kong’s stalled efforts to create a class action regime.
The Cathay Pacific breach related to more than one vulnerability in the airline’s systems and probably involved more than one party. It had also been under way for some time before being detected, and concerned some 9.4 million individuals from over 260 jurisdictions.
The attacks affected four systems: the customer loyalty system, a shared back-end database used to support web-based applications, a reporting tool that extracted and compiled data from other databases, and a database used to allow customers to redeem non-air rewards through the Asia Miles loyalty scheme.
The airline notified the PCPD of the breach on 24 October 2018 and started notifying affected people the next day.
There is currently no mandatory breach notification requirement in the PDPO. The PCPD’s investigation therefore focused primarily on Cathay Pacific’s compliance with its data security and retention obligations.
In respect of data security, the PCPD came to the following conclusions:
Based on these points, the PCPD found that Cathay Pacific had breached the PDPO.
As to data retention, notwithstanding policies around deletion of data, Cathay Pacific was found to have retained about 240,000 Hong Kong identification card numbers for 13 years after stopping using this data to verify identities. This unnecessary retention breached the PDPO.
As to the delay in notification, Cathay Pacific notified the PCPD of the security breaches on 24 October 2018 and started notifying affected data subjects the next day: seven months after the initial attack and five months after its internal investigations detected unauthorised access.
The PCPD found that Cathay could have made its notification sooner, although this delay did not in itself breach the PDPO.
According to the enforcement notice, Cathay Pacific should:
The PCPD noted the increasing risks posed by data security breaches and recommended that organisations redouble their efforts to be accountable for personal data. It also reiterated that data protection should be a matter of high-level governance within organisations (and not just a concern for their IT departments), as recommended in the PCPD's Privacy Management Programme.
The spotlight on Cathay Pacific continues, information having recently surfaced of its practice of recording passenger activity through its in-flight entertainment system, including collecting images of passengers.
In a world where organisations obtain, retain and process more and more personal data, and cyber attacks become increasingly sophisticated and difficult to combat, there are clearly lessons to be learned from the Cathay Pacific breach. The sheer scale of the breach shows how badly things can go wrong without proper internal controls and the PCPD has been at great pains to point out where Cathay Pacific fell short and what an effective data security policy should look like.
Cathay Pacific is by no means alone. Both Marriott and British Airways have recently received significant fines related to substantial data breaches and, sadly, they will not be the last.
Managing the risk of cyber incidents
A question of class (actions)
Specialist class action lawyers in the US and Europe have been readying themselves for mass claims against Cathay Pacific since the data breach was announced – the PCPD’s findings will only add fuel to that fire.
This case will also, no doubt, reignite the discourse around whether Hong Kong should implement a class action regime for consumer cases.
In 2012, the Law Reform Commission of Hong Kong (the LRC) recommended the introduction, under an incremental approach, of a class action regime, following which the Department of Justice created a cross-sector working group.
The working group’s current view is that more in-depth analysis is needed, including of the proposed definition of “consumer cases”, certification criteria for a class action to be adopted by the courts, the design of the procedural rules and other ancillary measures.
A draft public consultation is said to be in development, although there is no timetable for its completion yet.
It is unsurprising that the Department of Justice is taking its time: there are competing public policy considerations. A class action regime would likely enhance access to justice and provide an efficient (and faster) mechanism for dealing with consumer cases. However, there is a concern about inadvertently creating a more litigious society, as in the US. The LRC's recommendation of an incremental approach was designed to reduce the latter risk, but the concern is real.
This is definitely a space to watch. From our experience defending class actions in the US and elsewhere, any move towards a similar regime would significantly alter Hong Kong’s legal landscape. Whether that is for the better or not remains to be seen.
Authored by Mark Lin, Mark Parsons and Byron Phillips