[BreachExchange] Cathay Pacific data leak: British-based law firm urges passengers to seek damages through group legal action overseas

Destry Winant destry at riskbasedsecurity.com
Tue Oct 30 23:55:39 EDT 2018


A British-based law firm is planning to seek compensation for Cathay
Pacific Airways passengers through a collective legal action overseas
following the carrier’s massive data leak, but Hong Kong lawyers have
warned this may not be easy for local customers.

SPG Law said the breach by the city’s flag carrier, which affected 9.4
million customers, was “more serious” than British Airways’ data leak
first announced in September. Some 430,000 payment card details had
been disclosed, and the firm had launched a similar action for about
3,000 clients over that incident.

Cathay Pacific only revealed on Wednesday night that the personal
details of affected passengers had been illegally accessed, months
after the breach was detected in March and confirmed in early May.

Compromised data included names, passport numbers, ID numbers, travel
history and credit card numbers.

“You have a right to compensation from Cathay Pacific for this data
leak under Article 82 of the European Union General Data Protection
Regulation (GDPR). You can be compensated for inconvenience, distress
and annoyance associated with the data leak,” the firm said on its

It sought to claim up to £1,500 (HK$15,000) for each person and
possibly more based on individual cases.

Tom Goodhead, a partner and barrister at SPG Law, said in an email
reply to the Post that the GDPR would be applicable to the Cathay case
despite the regulation only coming into force on May 25.

“Whilst the data breach may have been discovered in March, [customers
were] not notified until after the coming into effect of the GDPR. The
prevailing understanding of the GDPR is that it will apply in such
circumstances,” Goodhead said.

He said the firm would be collating information from their first
claimants over the weekend, and expected “tens of thousands of people
worldwide” to seek representation. Clients were primarily expected to
come from Britain, mainland China, Hong Kong and the United States.

Goodhead explained the firm would file “multiple, separate actions and
then seek to reach settlement with Cathay”. But the group action
planned in Britain would be restricted to EU residents.

“Victims in Hong Kong, [mainland China] and elsewhere will be able to
be represented in proceedings in the Netherlands that we will file,”
he added, without elaborating why.

Legal experts in Hong Kong questioned if the overseas collective
action would mean a better chance of seeking compensation from Cathay.

Craig Choy Ki, convenor of the Progressive Lawyers Group, said it was
unlikely that the GDPR would be applicable, because the detection and
confirmation of the data leak took place before the EU regulation
began being enforced.

“There are significant hurdles to filing a collective action in
Britain,” Choy said, adding that in a recent case there it was ruled
that representative action in a data breach required that victims
suffer actual damage from the incident.

Choy said Hongkongers could also file lawsuits in the city and seek
civil claims on the grounds such as “damage or injury to feelings” if
Cathay was found to have violated the city’s Personal Data (Privacy)

Lawyer Dominic Wai Siu-chung said it would be hard to determine
whether a group action would mean a greater chance to seek claims.

“The damage to an individual may be unique and limited only to his or
her case ... meaning it can’t be handled in a group action,” Wai said.

He added it was possible to seek compensation in Hong Kong under the
ordinance only if the data that was leaked had been stored in the
city, and if claimants could prove they suffered emotionally from the

Some of the affected passengers said taking collective action might
strengthen their cause.

“The power of ordinary citizens is limited. It would be better if
there is collective action by a certain number of people,” said Jenny
Cheng, who had eight data items compromised in the breach.

Another affected passenger, Michael Chan, who suspects he lost 70,000
Asia Miles points in April from the leak, said he was interested to
know more about the collective action.

Simone Chen said individual lawsuits would be costly and
time-consuming, but she would only consider group action if the Hong
Kong government did nothing.

“If the government penalises Cathay and stands up for Hong Kong
people, I will not consider a lawsuit,” she said.
