In data circles, it's referred to simply as "the Octopus case." And it's at the center of why data-protection laws in Asia are getting so tough, so fast.
Consumers in Hong Kong use a payment method called an Octopus card to buy everything from public-transport tickets to fast food. Like the eight-armed sea creature, the cards have reach.
But in 2010, Octopus Holdings acknowledged making millions of dollars by selling off cardholders' personal data -- without their permission -- to companies including insurance firms.
Amid the public outcry, Hong Kong went from relaxed data-protection laws to strict ones. Marketers now need clear consent from consumers to send materials to them. And marketers who use data that was improperly obtained can face up to three years in prison and a $65,000 fine.
It's a trend spreading across the region, as countries that didn't worry much about data protection tighten their laws, sometimes suddenly. That's leaving marketers exposed as they try to learn more about consumers in countries with fast-growing economies.
The Philippines, Indonesia and Malaysia have or are preparing to enact data-protection laws providing for fines and prison time for violators. China and Singapore are in flux, too.
"It's a bit of a nightmare to keep up and be compliant -- there's a sentiment in these countries that the practical execution of these things is really tough," said Kitty Kolding, CEO of Infocore, which helps Fortune 500 marketers navigate international rules for acquiring data.
Scott Thiel, co-chair of the DLA Piper law firm's data-privacy group in Asia, said there's a "real risk for businesses looking to acquire databases of potential customers."
At issue is whether that data was acquired with appropriate consent.
"What we're seeing is the need for not just relying on someone saying, 'Yes, I did get consent,' or even a contract that says, 'I got consent,' but actually being involved, saying 'Show me the process. How did you gather this information? I'd like to see an audit trail,'" he said.
Singapore "has gone from zero to hero" with a law going into effect in July, Mr. Thiel said. It has the toughest financial penalties in Asia, with fines up to $800,000.
In the Philippines, where regulations are designed to reassure marketers that its call centers will handle data safely, a foreigner convicted of breaking the law might be liable for prison time, then expulsion.
In credit-card-loving South Korea, a data theft just affected more than 100 million cards. In February, the financial regulator shut down some operations of three card-issuers -- KB Financial Group, NongHyup Financial Group and retailer Lotte Group.
China's rules were piecemeal before, and its new guidelines are still vague and have yet to be enforced, Mr. Thiel said. That's making it difficult for companies to know where to focus compliance dollars. And "because it's not been the subject of extended legislative dialogue like you get in democratic countries, that's caught a lot of businesses unaware," he said. However, new rules from the Standing Committee raise the possibility that Western businesses operating in China might see their business licenses canceled as a penalty, he said.
Marketers are waiting to see how strictly new Asian laws will be enforced. In the past year, Hong Kong's privacy commissioner has referred 20 complaints to the police, Mr. Thiel said. Fourteen relate to direct marketing.
"What it clearly points to is a genuine, meaningful application of these new laws," he said.
Meanwhile, the Direct Marketing Association of Singapore has a two-and-a-half-day program to help companies prepare for changes coming in three months. Marketers have shown goodwill about getting compliant, but "there's no question many are not yet ready," said Lisa Watson, the association's chairwoman.