Data security breaches - a tale of two airlines

Earlier this month, the United Kingdom’s Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine British Airways (“BA”) £183 million under the European Union (“EU”)’s General Data Protection Regulation (“GDPR”) after it admitted that the data of more than 500,000 of its customers was stolen by hackers in August 2018 (for more detail see our previous article).

The fine is equivalent to 1.5% of BA’s worldwide turnover in 2017. Although very high, this is actually significantly lower than the maximum penalty of 2% of worldwide turnover that could have been imposed under the GDPR.

In contrast, on 6 June of this year the Office of the Hong Kong Privacy Commissioner for Personal Data (“PCPD”) published the results of its investigation into a data breach incident by Cathay Pacific Airways (“Cathay”). This breach was discovered by Cathay in March 2018 but only self-reported to the PCPD in October 2018. No penalties were imposed for the breach, which involved the personal data of 9.4 million passengers and registered users of Cathay’s website from over 260 locations globally. Instead, Cathay was given six months to take remedial actions specified in an enforcement notice.

The PCPD found that Cathay had failed to comply with the data protection principles of the Personal Data Privacy Ordinance (“PDPO”) in relation to data security. In particular, Cathay did not have appropriate vulnerability detection systems in place, it did not adopt effective technical security systems, and its data governance measures were lacking as no data inventory had been created or maintained. Cathay was also found to have retained data longer than was necessary for the purpose for which it was collected. The enforcement notice requires Cathy to rectify its practices in relation to these areas.

The enforcement notice does not deal with Cathay’s delay in reporting the breach, as there are no mandatory breach notification requirements in Hong Kong - although best practice recommendations in this regard are contained in a guidance note issued by the PCPD. In contrast, the GDPR requires certain types of personal data breach to be reported to the relevant supervisory authority within 72 hours after a data controller becomes aware of the breach. A failure to do so may attract the maximum fine of the higher of 10 million euros or 2% of global turnover.

Pursuant to the enforcement notice, Cathay must now:

• engage an independent data security expert to overhaul the systems on which personal data is held;
• implement multi-factor authentication to all remote users accessing its IT system and undertake regular reviews of who can access the system remotely;
• carry out vulnerability screenings at regular intervals and whenever significant changes to its IT systems are introduced;
• engage an independent data security expert to conduct reviews/tests of Cathay’s network security at regular intervals;
• develop and comply with a data retention policy so that passengers’ data is stored for no longer than is necessary;
• delete all unnecessary HKID card numbers which have been collected from its Asia Miles membership programme; and
• provide documentary proof that it has taken the above remedial actions within six months, as well as providing a certificate issued by an independent third party in relation to the deletion of the HKID card numbers within three months.

Under the PDPO Cathay will face a financial penalty if it fails to carry out these measures. The maximum penalty for first conviction will only be HK$50,000, although also potentially imprisonment for two years. If non-compliance continues after the initial conviction there will be a daily penalty of up to HK$1,000.

Key takeaways

The differences between the treatment of these two airlines highlights the comparatively lesser penalties that can be imposed by the Hong Kong regulator and the serious risk of very large fines under the EU regime. Notwithstanding the smaller potential penalties, the costs of overhauling systems and engaging independent experts to comply with an enforcement notice issued by the PCDP may still be very significant in practice. Businesses which operate globally need to consider not only where the data is collected, but also where it is stored and where the data subjects are located.

Compliance with the laws of one jurisdiction will not necessarily mean protection from enforcement action by a regulator in another jurisdiction. And, enforcement action by one regulator does not rule out the possibility of penalties being imposed under the laws of another jurisdiction. Indeed, Cathay had earlier notified the regulators of 27 countries of the breach, including the ICO as some of the passengers affected were British citizens. Whether the ICO will also impose penalties on Cathay under the GDPR regime remains to be seen.

BA is likely to make mitigation representations to the ICO in relation to its findings, and the ICO’s response to this will be of interest in future cases. The ICO’s reaction to the Cathay breach will also be relevant to businesses which operate in multiple jurisdictions, as it is not yet known if remedial actions ordered by one regulator will be taken into consideration by another.

It is expected that Hong Kong is headed towards an overhaul of its PDPO following this and other recent high profile personal data breach incidents. Comments made by the PCDP in the Cathay enforcement notice in relation to the principle of accountability are potentially significant. This principle is incorporated into the GDPR and includes requirements to compile personal data inventories and to report data breaches. The PCPD stated that although the principle of accountability is yet to be provided for in the law of Hong Kong, businesses in Hong Kong should be well poised to adopt proactive data management measures now. We agree that the adoption of proactive measures is a sensible strategy. This will not only ensure that a business is better prepared for any future changes to the regime in Hong Kong, but may help to prevent enforcement action in other jurisdictions where the principle of accountability is already enshrined.