None of us can deny the damage that cyber security breaches bring to a business: loss of customers, revenue and reputation, and litigation from customers, to name a few. Another paramount concern that businesses have gradually come to take into account is mandatory regulatory requirements. Because these mandates carry legal consequences, companies are now taking steps to ensure compliance.
Recall the Cathay Pacific data breach of October 2018: the Hong Kong airline belatedly revealed that the data of 9.4 million passengers had been illegally accessed, even though the breach had been detected in March 2018. Although companies operating in Hong Kong are not required by law to report a data breach within a set period of time, the beleaguered airline, which serves customers from the European Union (EU), may fall under the jurisdiction of the EU's General Data Protection Regulation (GDPR).
- GDPR protects EU residents regardless of where their data is processed and requires companies to disclose breaches to the supervisory authority within 72 hours of becoming aware of them. Under GDPR, regulators can levy non-compliance penalties of up to 20 million euro (about US$21 million) or 4% of a company's global annual turnover, whichever is greater.
It is not just Europe. Other jurisdictions are also legislating stringent regulations on security breaches:
- Australia's mandatory breach notification scheme came into effect in February 2018. It requires organisations to notify affected individuals and the regulator as soon as practicable once they become aware of an eligible breach, and to complete their assessment of a suspected breach within 30 days. It applies to businesses with more than AU$3 million in annual turnover and to government agencies. Regulators can seek penalties of up to AU$420,000 (about US$297,000) for individuals and AU$2.1 million for organisations for failing to comply.
- In Singapore, alongside the Cybersecurity Act 2018, the Personal Data Protection Commission enforces compliance with the Personal Data Protection Act and can direct non-compliant organisations to pay a financial penalty of up to S$1 million (about US$0.74 million).
- The Hong Kong government has also weighed in, saying its Office of the Privacy Commissioner for Personal Data will investigate the incident and review the requirements and penalties in the Personal Data (Privacy) Ordinance to enhance data protection. Furthermore, the territory's Law Reform Commission commenced its study of cybercrime in January 2019 to review existing legislation and recommend possible law reforms.
It is only a matter of time before disclosing data breaches and maintaining an adequate cyber security posture become statutory requirements for data users. Businesses can no longer sweep security breaches under the carpet.