In late October 2018, Hong Kong airline Cathay Pacific announced that it was affected by a data breach which concerned the information of up to 9.4 million people. The major airline further announced that the breach was detected in March and confirmed in early May of this year, some seven months before the incident was reported to the affected individuals.
It gets worse – the breached data included highly sensitive information, including passport numbers, full names of passengers, their nationalities, dates of birth, telephone numbers, email and physical addresses, identity card numbers, and historical travel information.
This recent data breach has caused many to suggest that if a major international airline like Cathay Pacific (with presumably close to the best cybersecurity technology in place) can be affected by this kind of data breach, it is inevitable that other companies will eventually be affected by similar breaches.
Companies should be concerned. Data breaches in one form or another are likely inevitable. Cyber security experts now widely consider that data breaches are not a matter of ‘if’, but ‘when’. It is how businesses protect data and respond in the event of a breach that can prevent businesses from being subject to major penalties under Australian and international privacy laws (and prevent major reputational damage).
Had the airline been subject to Australia’s privacy laws, it would potentially be liable to fines of up to $2.1 million for failing to report the breach within the required period. Under the European Union’s General Data Protection Regulation (‘GDPR’), the potential penalties would be much higher. For example, Facebook may be facing a fine of up to $1.63 billion for recent claims regarding its failure to comply with the GDPR.
It is unclear why Cathay Pacific failed to report the breach within the required time limit and kept its customers in the dark. However, it appears that the airline may escape significant penalties in this instance, as the breach was discovered about three months before the GDPR came into force on 25 May 2018.
Australia’s data breach laws require entities to notify the Office of the Australian Information Commissioner (‘OAIC’) and the affected individuals as soon as practicable after an eligible data breach occurs. The Commissioner suggests that this period should not be more than 30 days. However, in practical terms, it is widely accepted that this period should not be longer than 72 hours after the entity becomes aware of the breach.
This means you need to be prepared for a potential breach and have a plan in place.
What can we learn from Cathay Pacific?
Businesses need to be prepared for a data breach by having the proper policies and procedures in place both to prevent a data breach and to deal with and mitigate any damage arising from one.
Cathay Pacific recovered from its data security event by focusing on two key stakeholder relationships, being customers and regulators.
Customers
The Cathay Pacific breach isn’t the first major airline data breach, but it is undoubtedly one of the largest. In responding to the breach, the airline created a specific microsite for the data breach and has suggested that customers secure their data by taking precautionary measures, such as changing their passwords and potentially replacing their passports.
In addition to complying with mandatory reporting obligations, these steps also assist with mitigating much of the potential brand damage that can wreak havoc for a business in such a competitive industry.
Regulators
Cathay Pacific alerted regulators around the world in the jurisdictions where the affected people reside.
Many national regulators have the power to impose financial penalties on businesses which are deemed to have failed to take reasonable steps to protect the data they hold.
The risk of penalties means it is more imperative than ever that businesses do not retreat in the event of a data breach. Instead, businesses must actively collaborate with regulators to reduce the damage that could be done with the stolen data and provide as much information as possible to help government agencies identify the party or parties behind the breach.
Key takeaways
- Do not assume that a data breach will not happen to your business and ensure that your business is prepared to deal quickly with such an event;
- At the very least, conduct a privacy compliance audit and prepare a data breach response plan if you haven’t done so recently;
- Be aware of your reporting obligations and be prepared to collaborate with regulators throughout the process in the aftermath of a data breach; and
- Take steps to mitigate damage as soon as possible.
Macpherson Kelley first published a version of this article, and to the extent that elements of this article are the same as or similar to another version, they are published here with permission.
This content is for reference purposes only and is intended to be current as at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this content.