One of the biggest cybersecurity stories locally in 2018 is the data breach at Hong Kong-based airline Cathay Pacific involving the illegal access of personal data of more than 9.4 million passengers.
Personal data that have been compromised include: passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer program membership number, customer service remarks, and historical travel information. Furthermore, 403 expired credit card numbers were accessed, as were 27 credit card numbers with no CVV. The combination of data accessed varies for each affected passenger.
This latest scare that the airline disclosed in September renewed calls from industry insiders to refresh the city’s 22-year-old Personal Data Privacy Ordinance (PDPO), which was updated in 2012.
“It is time for Hong Kong to strengthen our privacy law,” Charles Mok, Hong Kong’s legislative councillor for information technology, told Computerworld Hong Kong (CWHK) after the data breach at the airline became public. Mok has been persistent in the last 12 months in expressing the urgent need for regulators to revise the city’s aging data protection law in the light of recent large-scale data breaches, such as the one involving the personal data of 380,000 customers of Hong Kong Broadband Network reported last April.
With the enforcement of new cybersecurity laws such as the General Data Protection Regulation (GDPR) in the European Union, Mok is advocating for changes that would closely align the PDPO with its foreign counterparts.
“Hong Kong’s privacy law lacks not only teeth, but updated definitions, obligations for data processing firms, and rights for individuals,” Mok wrote in an opinion piece on CWHK’s website last June.
“Our data protection law must evolve,” he said. “The present PDPO is at least a decade away from the ongoing regulation regime in the EU.”
Review of PDPO is afoot
In April, the head of the city’s data privacy watchdog said in an online program that he would review the PDPO.
“The European Union has a new regulation…and we also see some major data leaks in Hong Kong. I think it is time,” said Stephen Wong, Privacy Commissioner for Personal Data (PCPD).
The current ordinance was based on the EU’s Data Protection Directive, which was replaced by the GDPR in May.
Wong also admitted that his office’s enforcement power was weaker than that of regulatory bodies in other countries.
“Lawmakers think our enforcement power has to be increased. I see their point,” he said.
Pressure mounts on PCPD
In the aftermath of the Cathay Pacific data breach, industry insiders not only put more pressure on the government to revise the PDPO, they also urged the regulatory body to hold companies more accountable for data breaches, particularly when it surfaced that the airline took seven months to notify the authority of the security incident.
The office of the PCPD was criticized for initiating a compliance check of the airline and not a formal investigation.
A compliance check involves the regulatory body simply alerting a company over its concern about data protection measures, and advising the group to take remedial action. There is no suggestion of criminality.
A formal probe, however, would mean the commissioner launching an investigation and issuing an enforcement notice to correct any shortcomings. Failure to comply with the notice would constitute a criminal offence, and a report would be disclosed to the public.
“Under these compliance checks, the privacy commissioner’s office reviews a company’s data security measures and makes recommendations, and the case is closed,” former Privacy Commissioner Allan Chiang, who headed the PCPD from 2010 to 2015, was quoted as saying in media reports. “There is no mention of whether the company has breached any law, and details about how the leak happened may not be disclosed. This kind of lax action is far from serious regulatory measures,” Chiang said.
He added: “An investigation is a regulatory procedure that brings a stronger deterrent effect to prevent future breaches. There is a little harm in taking a more formal approach.”
Chiang alleged that it was not the first time the PCPD under its current leadership had failed to adequately investigate companies in such circumstances as the Cathay Pacific case.
However, Wong hit back at his predecessor in a row played out in the media, saying that the comments were “ungrounded… incorrect and irresponsible.”
Wong said that dating back to the time of Chiang, it was established practice to start a formal investigation only if a compliance check found it necessary.
“It is entirely incorrect and irresponsible to suggest that [the office] will not carry out a detailed compliance investigation of the reported incident at this stage is ill-informed and misleading,” he said.
Wong pointed out that compliance checks serve to establish the relevant facts. It was also a matter of “procedural fairness” that such a check should precede a compliance investigation, which empowers the commissioner to summon witnesses, seize evidence and conduct public hearings.