“The incident is a crisis. It is the most serious one the airline has faced.” (Cathay Pacific Airways Chairman, John Slosar)
Last month Hong Kong-based airline Cathay Pacific publicly acknowledged that 9.4 million passenger records had been stolen in a data breach that occurred back in March. The airline said in a document submitted to Hong Kong’s Legislative Council that it first detected suspicious activity on its network 7 months ago and that the attack continued and expanded in scope.
Unauthorised individuals gained access to the airline’s private user information, including phone numbers, dates of birth, frequent flier membership numbers, and passport and government ID numbers, as well as information on passengers’ past travels. To date there is no evidence that personal information has been misused, and Cathay has been quick to stress that there has been no impact on in-flight operations or safety.
The carrier has announced it is working with 27 regulators in 15 jurisdictions to investigate the data breach. Hong Kong’s privacy commissioner expressed serious concern over the leak and said the office will initiate a compliance check and thorough investigation into the airline.
Away from the flag carrier’s home base the European Union General Data Protection Regulation (“EU GDPR”) looms large. The regulation, which took effect on 25th May 2018, introduced new notification requirements and tougher penalties for breaches, as well as enhanced rights for consumers and new requirements for companies. Cathay’s board has yet to answer repeated questions about whether the airline would compensate all affected customers or whether it might face a hefty fine under the new European Union privacy regulations, saying it was “too early” to comment.
The Cathay breach comes just a month after British Airways (“BA”) announced that it had suffered a serious data breach. At the time commentators suggested that the BA breach would be one of the first real tests of the GDPR, in terms of assessing a large company’s response to a data breach and calculating the potential fines. The judgement has yet to be released, but if it is tough it spells danger for Cathay. The BA hack was minor in comparison (380,000 records) and BA’s management notified the regulator within 24 hours rather than 7 months. The maximum fine under the GDPR is 4% of global turnover, which would be crippling for Cathay, a firm already in the red.
The hack illustrates the immense pressure that companies, especially big brands like Cathay Pacific, come under when suffering a data breach, as they must now scramble to meet strict regulatory notification requirements (72 hours in the case of the GDPR). Cyber insurance is not designed to indemnify GDPR fines and penalties, but it does provide cover for the costs involved in complying with regulatory investigations. These are often significant when a response is required by multiple regulators.
In addition to the threat of penalties, Cathay will have incurred a number of significant costs, including the immediate costs of dealing with the breach and the cost of notifying and potentially compensating customers.
In the aftermath of a breach extensive forensic work is typically required to get to the root cause of the problem. Legal assistance and public relations advice are also required to meet regulatory and customer demands. Cyber policies have a panel of these vendors at the ready, offering 24/7 cover globally.
Cyber events may also require increased resources to deal with customer complaints and enquiries, all of which can be recovered under a well-drafted policy. According to law firm Pinsent Masons, it is increasingly common for organisations to receive data subject access requests following a data breach incident. As a result, companies like Cathay will need to be prepared to deal with subject access requests in accordance with Article 15 of the GDPR.
Fraud is another area where companies can incur substantial costs following a cyber incident. Cathay said that 27 credit card numbers had been obtained, as well as 403 expired credit card numbers. A cyber policy will respond by reimbursing the costs of credit monitoring services provided to affected customers for a defined period.
Liability and Litigation
In the wake of the data breach Cathay is facing its first collective legal action after 200 customers expressed their intention to make claims over the leak. "They are mainly from Hong Kong, some from mainland China and some from the United Kingdom," said Tom Goodhead, a partner and barrister at Sanders Phillips Grossman (“SPG”).
SPG set up a compensation website on October 25 following the breach disclosure and the firm said it would file "multiple, separate actions and then seek to reach settlement with Cathay". The group action planned in Britain would be restricted to EU residents. On the website, the firm said the claimants had a right to compensation from Cathay Pacific for the data leak under Article 82 of the EU GDPR.
For other claimants, like those in Hong Kong and mainland China, Mr Goodhead said the firm would file separately in the Netherlands, which "provides a mechanism [by which a] stichting, or a foundation, can represent claimants worldwide on a class action basis".
The law firm is seeking to claim up to USD 2,000 for each person, and possibly more based on individual cases. Depending on the outcome of this collective action, Cathay could be saddled with a huge bill. Cyber insurance provides third-party liability cover, which would indemnify defence costs and damages up to the policy limit.
Cyber Insurance uptake amongst airlines
In a world ever more reliant on data and the use of operational technology, cyber insurance is increasingly becoming a necessity rather than a nicety. Data breaches and cyber-triggered business interruption events have affected multiple airline carriers across the world in recent times; think Southwest Airlines and Delta, to name but a few.
At JLT we service the traditional insurance needs of over 30% of the global aviation fleet and are therefore in an unrivalled position to comment on the current trends we are seeing in terms of cyber uptake, breadth of cover and limits purchased in this growing line of insurance. To learn more please contact our team at FLG@jltasia.com.