Plugging the loopholes in personal data protection
Cathay Pacific is plagued with an exceptionally serious leak of personal data, in which the phone numbers, addresses, credit card information, etc. of 9.4 million passengers were illegally obtained by third parties. The delayed disclosure of the incident, which occurred in March, and the absence of effective remedial action have fuelled public discontent. The saga has exposed severe loopholes in data security as well as ineffective supervision of personal data by the enforcing authority, which could not fine or penalize the company concerned. The government and Legislative Council should amend the Personal Data (Privacy) Ordinance as a remedial measure to safeguard the personal information of the public.
Cathay Pacific discovered suspicious activities in its operating system in March; it confirmed the leak of customers’ personal data in May. The company explained that the delay in disclosure was to avoid causing unnecessary panic among the public. Given that the personal information of nearly 10 million people was leaked, this explanation is hardly acceptable. What should have been done to minimize the loss is to make a public announcement in time, notify the affected customers and report to the police and other law enforcement agencies.
Locally there is no law that requires companies or organizations to make compulsory disclosures on the extent of data breaches. Considering the scale of this incident, however, Cathay has a responsibility to inform the government body and the public to reduce costs, losses and damage arising from the leak.
The incident leaves a series of questions for Cathay to explain to the public: What remedial measures has it taken during these six months of delayed disclosure? Are these measures appropriate? What risks will the affected passengers be exposed to? What actions should the law enforcement agencies take? How can the affected passengers safeguard their personal information from misappropriation?
As a result of the advancement of the internet economy and e-finance in modern society, more and more emphasis is put on the protection of private data. Since i-banking, e-wallets and other e-finance products require personal data to execute the validation process, compromising the confidentiality of this sensitive information would mean putting the assets of the affected individuals at risk. In this incident, the names, addresses, passport numbers, ID card numbers and credit card information of passengers were placed in jeopardy. This could cause them to suffer financial losses.
The protection of private data is becoming increasingly important. Nevertheless, from government bodies and large corporations like Cathay Pacific at the top, which hold a colossal amount of personal data, down to ordinary citizens, awareness of personal data protection has failed to keep abreast of the times. The Cathay incident reveals that current laws and regulations are insufficient to protect personal information. The supervising body appears to be a “paper tiger” in monitoring data breaches of corporations and organizations. It can neither penalize the company concerned nor require it to make mandatory disclosures of the breach. Furthermore, it is equally difficult to conduct in-depth investigations into the leak.
Many countries have expressed concern about the Cathay incident. The European Union has recently established a new law to reinforce the protection of personal data. Some have estimated that if the breach had occurred after the relevant EU legislation took effect, Cathay might have had to pay a huge fine of up to HK$4 billion. Questions remain as to why a Hong Kong-based company, with most of the victims being Hong Kong residents, is not subject to any penalty imposed by the local authority, which leads us to consider whether the local law is too lax to safeguard personal data.
Questions that come to the minds of ordinary citizens are: What should I pay attention to when handling personal data? What information can be provided to external parties, and what types of personal data should be protected? Consequently, the government has a due responsibility to publicize more information in the era of the internet economy so that the public can understand how to protect themselves from personal data breaches.
The government took the Cathay incident seriously. Chief Secretary for Administration Matthew Cheung Kin-chung said the government would not rule out tightening the Personal Data (Privacy) Ordinance. Reference can be drawn from regulations and cases abroad to assess whether further actions can be taken to better protect the private data of local residents. It is a good sign that the government has declared its intention to better protect private data from being stolen. I hope that adequate remedial measures can be adopted in a prompt manner so as to plug the loopholes in personal data protection.