Out-Law Analysis 7 min. read
21 Nov 2018, 2:20 pm
The scale of the challenge was highlighted recently when the chief executive of airline Cathay Pacific, Rupert Hogg, revealed that the company had provided details of a data breach the business first disclosed last month to 27 different authorities spanning 15 jurisdictions.
The case is an example of how the discovery of data breaches can trigger a duty to notify those breaches to not only data protection authorities and impacted customers, but financial regulators and financial markets too.
Engaging with so many authorities presents both logistical and compliance issues, with failure to get communications right liable to expose businesses to stiff financial penalties, reputational damage and third party claims.
On 24 October 2018, Cathay Pacific published statements drawing attention to a "data security event". Cathay Pacific disclosed that there had been "unauthorised accessed" to personal data belonging to some of its customers, and those of sister airline Cathay Dragon. It said "up to 9.4 million people" had their data compromised.
At the time the company said the affected data included a combination of some or all of the name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks, and historical travel information for passengers. In addition, it said 403 expired credit card numbers were accessed and 27 credit card numbers without the 'CVV' security codes were also accessed.
The airline said that it had first "discovered suspicious activity" on its company network in March 2018, and "took immediate action" at that stage "to contain the event, to commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures". It added that it had "confirmed in early May" that there had been "unauthorised access to certain personal data", and subsequently analysed the data to "identify affected individuals and to determine whether the data at issue could be reconstructed".
Cathay Pacific said there was "no evidence of misuse" of the data, but warned it was possible that the data compromised could be used for purposes such as fraud or identity theft. The company engaged Experian to provide ID monitoring services to "affected passengers" and issued further security advice.
Cathay Pacific confirmed that it had already notified, or was in the process of notifying, "relevant authorities" and the Hong Kong police.
The Cathay Pacific data breach has come in for scrutiny in Hong Kong, where the airline is based. The data breach is being investigated by the city's privacy commissioner Stephen Wong. He has said there are "reasonable grounds to believe that there may be a contravention of a requirement under the law" – Hong Kong's Personal Data (Privacy) Ordinance.
According to statements issued by the privacy commissioner's office, the breach has been the subject of public debate, including on Hong Kong radio, and spurred more than 100 complaints to the watchdog. The watchdog said that one of the issues that "appeared to be a major public concern" was the "timing of notification".
Cathay Pacific addressed the topic of why its internal investigation – spanning approximately seven months from initial discovery of the security breach to disclosure on 24 October – had "taken so long" in a written submission made to three panels of the Legislative Council of Hong Kong. The written submission was published before the appearance of senior executives from the company at a meeting of the panels on 14 November, where the breached data was discussed.
The airline said its investigation and response to the breach involved "three sequential and overlapping phases", with the first phases encompassing "investigation, containment and remediation", the second "confirming which data had been accessed and whether it could be read by the attacker(s)", and the third "determining the types of personal data that pertain to each affected passenger and notification".
It confirmed that during the investigation phase its systems were subject to a series of cyber attacks "which were at their most intense in March, April and May but continued thereafter". The attacks "expanded the scope of potentially accessed data, making the challenge of understanding it more lengthy and complex in phase two of the investigation", with the company only able to reach conclusions from the second phase in "mid-August". The company went on to say that it was not until 24 October – the date of first disclosure – that it was able to complete "the identification of the personal data that pertained to each individual passenger", and thus complete phase three.
Hong Kong's Personal Data (Privacy) Ordinance does not require organisations to report data breaches to the privacy commissioner in the city. However, Cathay Pacific said it notified Wong, as well as the Hong Kong police and the Hong Kong Stock Exchange, of the breach on 24 October.
The company's written submission to the Legislative Council said "other applicable regulators and affected passengers" were notified "shortly thereafter", and it later confirmed in the submission that it "commenced notifying the affected passengers from 25 October".
According to a Reuters report, the company revealed at the meeting of Legislative Council panel members and Cathay Pacific executives on 14 November that it was working with a total of 27 regulators in 15 jurisdictions in relation to the data breach.
Among the overseas authorities to have taken an interest in the incident is the National Privacy Commission in the Philippines, which has reportedly asked the company to explain the delay in notifying it of the data breach. The Philippine Star reported that more than 100,000 people from the Philippines were impacted by the breach.
The UK's Information Commissioner's Office (ICO) confirmed to Out-Law.com that Cathay Pacific had notified it of the data breach too and that it is "making enquiries".
Out-Law.com has asked Cathay Pacific to share the names of all 27 authorities it has reported the incident to, and asked the ICO whether it is acting as the 'lead authority' within the EU on scrutinising the incident.
Under EU data protection laws, organisations are under a general obligation to notify EU data protection authorities about personal data breaches. The mandatory data breach notification regime is set out in the General Data Protection Regulation (GDPR).
The GDPR obliges organisations to disclose any breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.
Businesses can be fined up to 2% of their annual global turnover, or €10 million, whichever is higher, for failing to adhere to the reporting requirement when it is triggered, and can face fines of up to 4% of their turnover, or €20m, whichever is higher, should authorities determine that a personal data breach stemmed from a failure to adhere to basic principles of data processing set out in the GDPR, including in respect of ensuring appropriate security of the data.
Like in the case of the British Airways data breach, there is a question over whether the Cathay Pacific data breach falls subject to the GDPR. The Regulation only began to apply on 25 May this year. According to the information disclosed by Cathay Pacific, the company discovered a suspected security breach prior to that date in March this year and first confirmed there had been a breach of personal data in "early May".
It remains to be seen whether the ICO, and any other data protection authorities in the EU that are investigating the breach, deem the incident subject to consideration under the GDPR or the data protection regime that preceded it.
For regulated businesses, reporting a data breach can be complicated further by rules requiring them to report those breaches to sector regulators.
Financial services companies operating in the UK, for example, are subject to sector-specific regulations for handling of customer data which are set out in the Financial Conduct Authority (FCA) Handbook. Those requirements can be read together with rules that require the companies to notify the FCA "immediately" when they become aware of "any matter which could have a significant adverse impact on the firm's reputation" or on their " ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm", among other prescribed circumstances.
There is no upper limit on the level of fines that the FCA can impose, so there is a need for organisations to understand any sector-specific reporting obligations they are under as well as their duties under the GDPR's data breach notification regime.
Engaging with different authorities with different remits in different jurisdictions raises a number of challenges.
Listed companies, like Cathay Pacific, must ensure that they meet disclosure rules when notifying major incidents to the financial markets. Different information may be sought by data protection authorities and sector-specific regulators as part of any investigations they undertake.
Even within the community of data protection authorities, businesses may find themselves dealing with investigators focused on different parts of the data, with national authorities likely to be interested to have a breakdown of the data compromised on local citizens and to understand the sensitivity of the data concerned.
Investigations can also move at different paces, posing a challenge for authorities to ensure they make consistent disclosures.
In the EU, the GDPR can streamline the notification process by allowing organisations to report incidents to one lead supervisory authority which is obliged to then share information relevant to a cross-border incident with the other supervisory authorities. However, outside the EU, it can be unclear just how much information is shared between data watchdogs at a global level, so businesses may find themselves answering repeat questions as investigations move along through parallel but distinct processes. Similarly, it is possible that different authorities could reach different conclusions from the same information disclosed to them.
A further risk that arises concerns the growing trend towards group data protection claims. There is evidence of group claims for breach of contract or breach of data protection laws being raised against businesses based on regulatory findings from data breach investigations. That further emphasises the need for businesses to tread carefully when informing markets, regulators, data protection authorities and affected data subjects about data breaches.
Ian Birdsey is a cyber risk expert at Pinsent Masons, the law firm behind Out-Law.com.