Cathay Pacific likely to avoid harsh punishment despite taking months to notify passengers about massive data breach
- Privacy Commissioner Stephen Wong says authorities are considering changing rules to require such leaks to be reported promptly
- Airline says reason for delay was to avoid causing unnecessary panic among customers
Cathay Pacific Airways looks set to escape heavy penalties under Hong Kong, United States and European Union privacy laws, even as it faces universal condemnation for keeping a massive data breach secret for seven months.
The city’s flagship carrier revealed late on Wednesday night that personal details of 9.4 million passengers had been illegally accessed by hackers in March, earning a strong rebuke from the privacy commissioner on Thursday while angry passengers complained about being deliberately kept in the dark.
While the European Union’s new General Data Protection Regulation requires such breaches to be reported within 72 hours, corporate lawyers said Cathay may have narrowly escaped punishment, as the breach was discovered about three months before a rule change on May 25.
Under EU law, companies that fail to report such breaches in a timely manner can now be fined 4 per cent of their annual revenue. Laws in certain European nations, including Germany, France and the Netherlands, stipulate penalties for failure or delay in notifying regulators or affected persons.
“It is unacceptable to only disclose the incident half a year after it actually happened, and passengers may have missed the opportunity to indemnify themselves from any loss.”
The majority of US states have passed laws requiring businesses and government departments to notify citizens of data breaches, but have not spelt out the legal consequences for non-compliance.