Wednesday, April 11, 2018

[RTHK LTHK] Cathay Pacific data breach reveals privacy regulatory deficiencies in Hong Kong

How many did you lose? I lost six. You lost only two? Lucky you. Oh, you lost eight? That’s too bad. 

In the past week, many citizens in Hong Kong have been playing this game of “how many pieces of personal data did Cathay Pacific manage to expose for you.” Sadly, this is not funny at all.

News broke late in the evening of October 24 that Cathay Pacific had suffered a data breach affecting 9.4 million of its passengers worldwide. The exposed data included names, dates of birth, addresses, email addresses, travel document information such as passport numbers and identity card numbers, travel histories, and so on. A much smaller number of people had their expired credit card numbers exposed.

The news of the breach was shocking not only for its scale, but even more so for how long the airline took to go public. Cathay Pacific claimed that it first discovered unusual activities in March of this year, and that by May it had confirmed that passengers' personal data had been accessed. The company chose to report to the police, the privacy regulator, and the affected passengers only in late October, at least five months after it realized that this personal data leakage incident had occurred.

What happened is still under investigation, but the delay in reporting must have made the investigation much harder than it should have been. Not surprisingly, the delay in notifying passengers has drawn widespread criticism from Cathay Pacific passengers. Given the sketchy bits of information provided, passengers were skeptical whether the airline had disclosed a true account of the incident. Many became even angrier when they heard the airline say that the reason for the delay, in addition to carrying out an internal investigation, was to avoid provoking unnecessary fear and concern.

I and many other affected passengers want to tell the airline that it is our data that you have mishandled and lost, and it should be up to us to decide whether we are fearful or concerned about the aftermath, not you. It is not the business of the party that mishandled our data to determine whether our worries are unnecessary.

That is why many countries' privacy laws require mandatory notification within a reasonably short period from the time a data breach incident is discovered. Unfortunately, our Personal Data (Privacy) Ordinance in Hong Kong has no such requirement, among many other deficiencies.

Indeed, the Cathay Pacific incident has highlighted how outdated and ineffective our privacy law has become. First passed and enacted in 1997 before the handover, it was one of the earliest such personal data protection laws in Asia. However, it was conceived just before the Internet age, not to mention the subsequent mobile and smartphone revolutions. Many parts of the law are woefully outdated and ineffective by now.

Besides the lack of any notification requirement, the Privacy Commissioner's powers are also very limited under the law. He has no power to conduct criminal investigations or to prosecute. All he can do on a first occurrence of a data breach incident is to order an investigation and make recommendations for changes and improvements at the organization involved. He cannot recommend a prosecution unless the organization refuses to cooperate. He really has no teeth.

However, data breaches in Hong Kong just keep becoming more and more serious. After the loss of a laptop by the government's very own Registration and Electoral Office in 2017, involving the personal information of 3.8 million Hong Kong citizens, neither the Privacy Commissioner nor we in the Legislative Council could do anything to find out who was responsible, let alone pursue any liability or compensation.

In the meantime, the rest of the world has moved forward in providing more proper protection for people in today's electronic age. The European Union's General Data Protection Regulation (GDPR), enacted earlier this year, has been the shining example of an updated framework for personal data protection in the 21st century of mobile phones and social media. Most notably, in terms of providing punitive damages with a significant deterrent effect, the maximum fine under GDPR is 20 million euros or four percent of the global turnover of the company involved, whichever is higher, and the law can even be applied globally, as long as EU citizens are affected.

Unfortunately, since our data protection laws in Hong Kong are at least twenty years behind, Hong Kong people can only watch as other regulators go after a Hong Kong company, potentially levying hefty fines on that Hong Kong company and even securing compensation for individual overseas nationals. As an international city, once again we should be ashamed of our outdated laws.

In the aftermath of the Cathay Pacific incident, the Chief Secretary of the HKSAR has said that the government will look into consulting on and revising the law. The Privacy Commissioner has also said that he will make legislative recommendations to the Administration soon. One can only hope that our government is serious about this.

The other lesson to be learned from this incident is that companies in Hong Kong, including some of our largest, must have put less than their proper share of investment and corporate emphasis into information technology and security. It has been reported that Cathay Pacific made considerable cuts to its IT workforce in the last two years. This is shamefully short-sighted and grossly irresponsible, considering the gamble the company chose to take with the safekeeping of its customers' personal data.

As Hong Kong aspires to become a Smart City, this kind of attitude must be reversed. Our government can take the lead by taking a cue from Singapore's playbook. Following an embarrassing hack of SingHealth, the city state's public health cluster, earlier this year, the Singapore government has made massive investments in training home-grown talent in cybersecurity. It has even invited international and local hackers to hunt for cash bounties by uncovering vulnerabilities in the government's systems, in an effort to guard against cyber threats as well as to hone the skills of the good hackers.

I hope that the Cathay Pacific incident can serve as a turning point for Hong Kong's attitude toward information security legislation and technical preparedness. Otherwise, take it from me, next time things will only be a lot worse than this.

For Radio Television Hong Kong's Letter for Hong Kong, Apr 11, 2018
