Not many companies can survive a triple whammy. Global airline Cathay Pacific, already dogged by the double whammy of anti-Hong Kong government protests and the corunavirus epidemic, narrowly escaped a third whammy on March 4, 2020 when it dodged a potentially crushing privacy penalty.

Room for Luck in Privacy Law?

Is there room for luck and fortuitous circumstances to operate in the high stakes world of privacy management and compliance? Consider this. One would think that a cyber attack launched against two similarly situated companies using the same malware virus would likely result in roughly similar administrative penalties under the applicable privacy law. Also, one would think that a company that loses 9.4 million customer records would get penalized significantly more than a company that loses 500,000 customer records. In the curious case of the UK privacy regulator ICO’s recent March 4, 2020 penalty against Cathay Pacific, none of those conventional wisdom played out. What happened? Did Cathay Pacific have a better legal & compliance team or just lucked out?

To get to the bottom of this, let’s compare the ICO’s penalties against two similarly situated airlines: British Airways and Cathay Pacific, two leading airlines of the world.

Last summer, the ICO issued a fine of £183 million against British Airways under the GDPR for failing to take appropriate security measures to ensure that its customers’ personally identifiable information remain secure. British Airways lost about 500,000 customer records in cyber-attacks that began in June 2018. Hackers used the same attack vector & computer malware to penetrate Cathay Pacific’s systems and managed to steal about 9,400,000 customer records during a longer period of attack. Given the egregious loopholes that the UK ICO found in Cathay Pacific’s cybersecurity protocols (and failure to disclose the breach for about 3 years!) and the significant amount of customer data compromised (about 9.4 million worldwide), one would think that the resulting fine would at least be more than the fine issued against British Airways which lost 500,000 records. Well, the ICO’s penalty issued against Cathay Pacific totaled £500,000, a drop in the bucket when compared to the whopping £183 million provisionally assessed against British Airways (which by the way is still subject to further adjustment upwards pending review by all EU privacy regulators).

The Hong Kong-based airline Cathay Pacific was hit hard by the anti-government protests of 2019 plus the recent corunavirus global emergency that significantly reduced demand for its flights. This ICO decision could have been much worse than £500,000 and could have placed Cathay Pacific into dire financial difficulties had an additional “0” or two been added to the fine. What happened? Did the legal team for Cathay Pacific do a fantastic job in damage control?

Like all things in life, luck played a major role in the fortunes of Cathay Pacific. The earliest known date cyber-attacks against its systems occurred from October 2014 and the last day of breach was May 11, 2018, which was 14 days before the effective date of the EU’s GDPR on May 25, 2018. Since the last breach occurred a mere 14 days before the effective date of the GDPR, Cathay Pacific basically lucked out and narrowly dodged a potentially financially crippling fine of up to 4% of its total revenue (already significantly depressed by political protests & corunavirus factors) leviable under the new EU wide privacy regime.

But wait you may be thinking, after Brexit, why is the UK still enforcing an EU law? Well, depending how cynical you may be, the reason may simply be mercenary. Why would the UK ICO walk away from the power to assess penalties up to 4% of a company’s total revenue that can fill the UK Treasury coffers so nicely? The official position of the UK ICO on this issue is that it will eventually after the Brexit “transition date” tack on the GDPR provisions directly into the UK’s privacy law called the Data Protection Act 2018.

The ICO was required to apply the pre-GDPR regime on privacy under the so called Data Protection Act 1998 which capped the maximum penalty at £500,000. It found that Cathay Pacific failed to undertake "appropriate technical and organizational measures” against unauthorized processing and loss of personal data. While the ICO did not conclude that the violation was “deliberate”, it did conclude that Cathay Pacific was “negligent” for failing to comply with its own internal policies, ignoring fundamental “best practices” and failing to implement timely remedial measures. One can infer from the tone of the decision, that the ICO would have imposed a much heftier penalty were it not for the statutory cap under the old privacy regime which applied to the facts of Cathay Pacific’s breach.

As the saying goes, one company’s penalty amount is another’s educational tuition amount. The ICO’s decision against Cathay Pacific contains valuable insights as to the nature of violations which warranted a finding of breach and the remedial actions recommended. These insights will greatly assist privacy practitioners, legal & compliance teams in determining the extent and sufficiency of their own respective company’s cybersecurity & privacy protocols to better protect customer data and mitigate both the likelihood and seriousness of a cyber breach.

Valuable Lessons Learned

The ICO found the following deficiencies that companies should avoid. I’ve re-worded these deficiencies into recommendations for ease of learning.

1) Encrypt Customer Data! This is pretty basic yet for some reason not done. The ICO found that Cathay Pacific also failed to comply with its own internal policy in this regard.

2) Monitor Publicly Known Exploits. Also basic folks. If they haven’t been doing so already, make sure your IT team is periodically checking publicly known cybersecurity vulnerabilities and implementing instructions provided to ward off such attack vectors. A widely used resource is the “Common Vulnerabilities & Exposures” (CVE) system available here. Cathay Pacific dropped the ball here by failing to applying a fix against a cyber vulnerability publicly reported back in 2007(!!) which required “very little knowledge or skill” to exploit. They didn’t get the “memo” even though it was publicly circulated online since 2007…

3) Administrator Access Belongs Behind a Firewall. Cathay Pacific allowed consoles with administrator privileges to be accessible from the internet, a big no-no. It should have placed these consoles behind a firewall using basic router/switch technologies. The ICO noted that the airline failed to conduct necessary risk assessment tests. But this deficiency runs afoul basic IT principles. One does not need to conduct fancy risk assessments to figure this one out.

4) Use Only Updated Equipment. Softwares and hardwares require periodic patches such as security updates that incorporates the latest fix against known vulnerabilities. Components that are out-dated do not receive regular patches or fixes.

5) Document Preventative Actions. Cathay Pacific failed to provide evidentiary documentations that it removed unnecessary applications, features, ports and services in the internet-facing server which was attacked.

6) Use MFA. The ICO found that had Cathay Pacific required the use of multi-factor authentication, the hackers would not have been able to use the stolen credentials, thereby obviating the data breach.

7) Use Anti-Virus Protection. One of the servers compromised failed to have any anti-virus protection. This is beyond belief…

8) Conduct Effective Patch Management. The sloppy management of patch updates render any network vulnerable to exploits. Again, this is a combination of both human error, poor compliance processes and plain negligence.

9) Retain Evidence. The UK ICO seemed to express its disappointment that Cathay Pacific had destroyed some of the hacked servers after the airline had conducted forensic analysis on them. The ICO noted that it would have discovered more information had these servers not been destroyed. Such destruction is highly suspicious in my opinion. (Companies especially based overseas must be mindful that U.S. civil litigation rules allow a court to levy serious sanctions for deliberate spoliation of evidence, including an adverse holding on the issue or entire case against the offending party.)

10) Grant Administrator Privileges Sparingly. Cathay Pacific failed to comply with its own guidelines to grant limited administrator-level privileges to several of the compromised user accounts. The ICO noted that compliance with the best practices of “just enough administration” (giving an account such tools as would be sufficient to allow it to perform its own admin tasks) and “just in time administration” (limiting the time for such permissions), could have prevented the hacker from taking over the most privileged account to access other internal networks.

11) Conduct Adequate Penetration Testing. The ICO hinted that penetration testing should be conducted annually and after any major network changes. Cathay Pacific could not demonstrate that it was periodically conducting adequate penetration testing.

12) Retain Data For Limited Time. One of the fundamental principles of privacy is that data collectors should not retain data beyond a time than is necessary for the stated purpose. Here, the ICO found that Cathay Pacific effectively retained customer data indefinitely.

Overall, the ICO did not seem to be impressed with Cathay Pacific’s corporate governance over its data privacy policies & procedures noting in numerous instances that the airline failed (in some cases negligently) in following its own best practices.

Particularly, the ICO was also not impressed with the “mitigating” actions taken by Cathay Pacific. While the ICO noted that Cathay Pacific acted “promptly and forthrightly” after it became aware of the breach (albeit after 3 years), the ICO flatly rebuked the airline by holding that such mitigating actions were “what could be expected” of a large and well-resourced company. For companies wishing to demonstrate mitigating actions in the hopes of reducing penalties, this case shows that exceptional actions are required going beyond “what could be expected” of an international firm.

Cathay Pacific Dodged the Wrecking Ball by Dumb Luck

It’s not good for any company to be penalized by a privacy regulator because it undercuts corporate branding & reputation. Although £500,000 is a large sum for most small and medium size firms, it is a relatively small sum for Cathay Pacific to pay given the glaring IT, cybersecurity and corporate governance deficiencies found (most of which were extremely basic to execute). It narrowly dodged a potentially crushing fine, not by legal agility or acumen or pre-planning, but by dumb luck. The last known breach occurred a mere 14 days before the effective date of the GDPR. Cathay Pacific dodged a crushing fine with that fact alone in its favor. With the California Consumer Privacy Act already in effect this year (a law that expressly permits American-style private class actions against offending companies, unlike the EU’s GDPR), there is no more room for dumb luck to favor the unprepared.