When to Report a Data Breach
Cathay Pacific Airways, the official flag carrier of Hong Kong, recently disclosed that it suffered a major data breach. The data breach announcement was, however, made 7 months after the cyber incident was discovered by the company.
Cathay Pacific’s delayed data breach disclosure raises the question of when the right time to report a data breach is. To date, the data breach at Cathay Pacific is the world’s biggest airline data breach, affecting 9.4 million people – more than the total population of Hong Kong.
The airline, in a statement, said that passenger data, including name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number and historical travel information were accessed without authorization.
The company added that 403 expired credit card numbers and 27 credit cards without card verification value (CVV) number were accessed without authorization.
Cathay Pacific told Reuters that it discovered suspicious activity on its network in March 2018. Paul Loo, Cathay Pacific’s chief customer and commercial officer, told broadcaster RTHK that the reason for the delay in the data breach disclosure was for the company to “understand very well how each customer has been affected” and that the company “didn’t want to create an unnecessary scare”.
Cathay Pacific isn’t the only company that disclosed a data breach long after discovering the cyber incident. Both Yahoo and Facebook (Cambridge Analytica data controversy) took years to disclose their respective data breaches after discovering the cyber incidents.
Yahoo recently agreed to pay $50 million to data breach victims, following massive data breaches that took place in 2013 and 2014, affecting all of Yahoo’s 3 billion users. The settlement payout to Yahoo’s data breach victims has yet to be approved by the court. In April this year, the U.S. Securities and Exchange Commission announced that Yahoo agreed to pay $35 million to settle charges before the commission that it misled investors by failing to disclose the massive data breaches.
The United Kingdom’s Information Commissioner’s Office, meanwhile, fined Facebook over the Cambridge Analytica controversy for failing to keep its information secure, resulting in the harvesting of Facebook data of up to 87 million people worldwide without their knowledge.
Data Breach Reporting Time Limit
Countries and political and economic unions have different requirements when it comes to the data breach reporting time limit.
In the case of Hong Kong, where Cathay Pacific is based, an organization that suffers a data breach has no legal obligation to report it. According to Stephen Kai-yi Wong, Hong Kong’s Privacy Commissioner for Personal Data (PCPD), reporting a data breach is voluntary on the part of the affected organization. While organizations that suffer data breaches aren’t required to report the cyber incidents, Wong said, these organizations are encouraged to notify the PCPD so that the concerned organizations and the PCPD can work together “to minimize the potential damage to clients”.
“Cathay should have sent notifications as soon as suspicious activities were detected to seek solutions together,” Wong told the South China Morning Post. He said he would consider seeking tougher rules to avoid a similar scenario.
Data Breach Notification Under GDPR
The General Data Protection Regulation (GDPR), a European Union (EU) regulation which has been in force since May 25 this year, requires an organization that suffers a data breach involving the personal data of EU residents to report it to the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Failure to notify the appropriate supervisory authority within the prescribed period will subject the concerned company to a fine of up to €20 million or 4% of annual global turnover, whichever is greater.
Cathay Pacific, which processes the personal data of its EU customers, may have escaped a heavy fine from the EU, as GDPR only came into effect on May 25, 2018, while the data breach at Cathay Pacific was discovered in March this year.
Data Breach Notification Under Canada’s Digital Privacy Act
To date, Canada is like Hong Kong when it comes to data breach notification: notification is voluntary on the part of a private organization that suffers a data breach. Starting this coming November 1, however, notification will no longer be voluntary. From that date, every Canadian private organization will be required to notify the Privacy Commissioner of Canada and the affected individuals whenever a data breach poses a “real risk of significant harm” to any individual.
On April 18, 2018, the Canadian Government published in the Canada Gazette an order fixing November 1, 2018 as the day on which data breach notification becomes mandatory in Canada, pursuant to Canada’s Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA).
As to the period within which a private organization has to notify the Privacy Commissioner of Canada and the affected individuals, the Digital Privacy Act provides that notification must be made “as soon as feasible” after the organization determines that the breach has occurred.
Under Canada’s Digital Privacy Act, failure to notify the Privacy Commissioner of Canada and the affected individuals will subject the concerned company to a fine of up to $100,000. Under the same Act, failure to keep data breach records, or the deliberate destruction of data breach records, will also subject a private organization to a fine of up to $100,000.
When you need help preventing data breaches, give us a call at (416) 920-3000. Our security experts will help you to better protect your data.