Hong Kong Privacy Commissioner Investigates Cathay Data Breach

In late October 2018, Cathay Pacific Airways, Hong Kong’s flagship carrier, disclosed a cyber-breach, which compromised the personal data of 9.4 million customers worldwide. The stolen personal records included name, nationality, date of birth, passport, and credit card numbers. The announcement came seven months after Cathay initially discovered suspicious activity in March and confirmed the breach in early May.

In response, Hong Kong’s Office of the Privacy Commissioner for Personal Data (Privacy Commissioner) has launched an investigation into Cathay’s data security practices to determine whether Hong Kong law has been violated. The Privacy Commissioner will examine the measures Cathay took to safeguard personal data and Cathay’s data retention policy and practice. If the Privacy Commissioner concludes that Cathay took effective steps to safeguard data security, Cathay could be absolved of responsibility, despite Cathay’s untimely disclosure of the breach, which has drawn immense criticism from the public. The Privacy Commissioner has recently advocated that companies conduct their operations not to meet minimum standards, but to comply with the released guidance on “Data Stewardship Values.”

Under Hong Kong’s Personal Data (Privacy) Ordinance, companies are only required to safeguard the privacy rights of their clients; data holders are under no mandatory obligation to report data breaches to the regulator. In comparison, other jurisdictions such as the EU, U.S., and Canada have strict laws on data breach notification requirements. Failure to meet these international data breach requirements exposes companies to substantial fines. Given the international reach of Cathay’s business, the privacy regulations of other jurisdictions requiring timely notification of data breaches of personal information may be implicated.

TIP: Companies should proactively monitor evolving cyber-threats and update their security measures and policies to reasonably safeguard personal data. Global companies must also understand the cross-border, multi-jurisdictional landscape of the privacy laws that affect their businesses.

Associate, Winston & Strawn (Hong Kong)

Partner, Winston & Strawn (Houston)

Partner, Winston & Strawn (Hong Kong and Chicago)