Tougher laws pushed after massive Cathay data breach
Top News | Charlotte Luo 29 Oct 2018
Whatever Cathay Pacific has done to protect the privacy of its passengers is simply not enough. So information technology sector lawmaker Charles Mok is stepping in to demand laws that meet international standards of cyber security.
Mok's demand is part of the continuing outcry over Cathay's handling of the massive theft of data involving 9.4 million of the airline's clients.
Mok said in a radio program that an investigation must be open to the public. He hopes the Office of the Privacy Commissioner for Personal Data would find out more information after further investigation.
At this stage, the most important thing for the Legislative Council is to require the government to amend the laws so Hong Kong can meet international standards of cyber privacy security, he said.
These amendments must cover many areas, including defining what is sensitive personal data, setting the retention period of personal data, the responsibility of contractors, penalties and time limits for notification, he said.
Mok said the European Union's 72-hour notification period is reasonable, but whether it can be extended by one or two days is subject to discussion by the parties involved. But the notification period cannot exceed seven days.
Cathay Pacific has been criticized for not announcing the data leak until seven months after its discovery.
Passengers affected must change their passwords and credit cards as soon as possible, said Wilson Wong Ka-wai, head of the Hong Kong Computer Emergency Response Team Coordination Centre at the Hong Kong Productivity Council.
Wong said some criminals might use the data for "phishing," so passengers need to pay attention to transactions made online and on the phone and verify them carefully.
The chairman of the Cloud Security Alliance Hong Kong and Macau Chapter, Claudius Lam, said SAR enterprises usually spend money buying security systems or equipment but omit relevant training for their staff.
Lau Wing-cheong, associate professor in the department of information engineering at Chinese University, said it should be compulsory for companies to report data leaks.
Lau said the punishment could follow the European Union's standard, which depends on the company's revenue.
On Friday, British law firm SPG Law offered to seek compensation overseas for all those affected by the Cathay Pacific breach. But the statement has since been removed.