Could Cathay Pacific Airways, Hong Kong’s flag carrier, become one of the first companies to face a hefty fine under the recently introduced GDPR regulations?
Following the revelation that the carrier fell victim to a prolonged hacking attack that affected millions of passengers, experts and other companies are waiting to learn exactly what lies ahead for the iconic airline in terms of regulatory enforcement.
On Wednesday during a Legislative Council of Hong Kong hearing addressing the issue, lawmakers grilled senior staff over the company’s handling of the incident. Cathay has faced increased scrutiny after the airline revealed in a written submission that the data breach had, in fact, lasted longer than previously stated.
“The incident is a crisis,” company chairman John Slosar was quoted as saying by Reuters. “It is the most serious one the airline has faced.”
Under Hong Kong law, Cathay would likely face a penalty of HK$50,000 ($6,400) and receive an enforcement notice from the privacy commissioner for the data breach. Should the company be prosecuted under the European Union-issued GDPR regulations, which came into effect on May 25 and cannot be enforced retroactively, the penalty will be far harsher.
The EU regulations require companies report breaches to supervisory authorities within 72 hours, or face a maximum fine of 20 million euro ($23 million), or four percent of their annual worldwide turnover, whichever is higher.
TIMELINE IS CRITICAL
Paul Haswell, partner and technology specialist at Pinsent Masons, tells Asian Legal Business that because of the threat of EU regulatory action, the timeline of the data breach is critical.
“They should be worried,” Haswell said, noting that should it be established that the airline lost data belonging to members of EU countries after May 25 “and didn’t do everything that was necessary, there is a chance they’ll be subject to a fine under the GDPR.”
“They need to make sure they’re absolutely clear about when this data was taken, what was taken,” he added.
“In Cathay’s favour, and in their defence, although they were late to come clean about the nature of the breach, they have been good about notifying everybody that’s affected. Not just that there’s been a breach but exactly what was compromised,” Haswell said. “But the trouble is the EU won’t care, if you’re late, you still lost the data. They’re still in a position where they can take action against you.”
The EU is not reluctant to impose fines, having pursued Microsoft and Google for data breaches in the past. “There’s every possibility they could be hit with a massive fine,” said Haswell of the Hong Kong carrier.
Reuters reported yesterday that the airline was working with 27 regulators in 15 jurisdictions to investigate the breach.
To contact the editorial team, please email ALBEditor@thomsonreuters.com.