Data Breach Notification Under the Data Privacy Act

In November 2016, Landbank debit cardholders were warned not to use their Automated Teller Machine (ATM) cards for online transactions.1 This came following reports that some of the bank’s ATM terminals may have been compromised.2 The bank did not provide details of the extent and nature of the attack. However, it did notify its clients of the possible breach. Subsequently, it permanently blocked their debit cards.

Also in 2016, tech giant Yahoo! disclosed that more than a billion user accounts were compromised in a 2013 attack.3 The company attributed the attack to a possible theft of its proprietary code by “state-sponsored” hackers who then used forged cookies to gain access to users’ accounts without the need for a password. This incident, which involved the theft of massive sensitive personal information, is touted as one of the largest known security breaches of a single company’s computer network.4

The attacks launched on Landbank’s and Yahoo!’s systems highlight the breadth and increasing sophistication of cyber-attacks. In both instances, affected users were invariably notified of the incidents as a matter of legal obligation on the part of the entities subject of the breaches.

Data breach notification laws have been around in other jurisdictions since 2002. The purpose of data breach notification is two-fold: First, it puts clients on alert so they can undertake measures designed to safeguard their information or at the very least mitigate the adverse effects in case of actual breach. Second, it allows the entity subject of data breach to take crucial steps to help resolve issues and provide immediate remedy to injuries sustained on account of the breach.

In the Philippines, it was only in 2012 when R.A. 10173, the Data Privacy Act, was passed into law. This law contains provisions obligating personal information controllers – both public and private – to notify their clients, the National Privacy Commission (NPC), and other affected stakeholders if and when an incident of data breach involving sensitive personal information has transpired.

Section 3(k) of the IRR of the Data Privacy Act defines personal data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” Personal data breaches may range from the theft of physical files to cybercrimes, such as data-stealing malwares, viruses, and cyber-espionage.

This is not to say that all cyber-attacks or system intrusions are personal data breaches. For example, while a denial-of-service attack may result in the disruption of a network resource, it does not, however, cause the loss or theft of personal data, thereby negating the need for data breach notification.

The same is true with port-scanning. This is a technique frequently employed by hackers to probe for weaknesses in a given system in order to initiate a denial-of-service attack. In port-scanning, hackers use active probing techniques to determine a host’s operating system, destination IPs, and timing between packets, among others5 – fields that are not associated with personal data.

In the event of an actual personal data breach, Section 20 provides that the personal information controller should check if sensitive personal information or other information that may be used to enable identity fraud has been obtained by an unauthorized person.

If the controller believes that an unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject, he should promptly notify the NPC and the affected data subjects about said breach. “Prompt” means notification should be made within 72 hours upon knowledge of, or when there is reasonable belief by, the personal information controller or personal information processor that a personal data breach requiring notification has occurred.6

The notification should at least describe the nature of the breach, the sensitive personal information possibly involved, as well as the measures taken by the entity to address the breach. Sec. 39 of the IRR of the Data Privacy Act further provides that the notification shall include the contact details of the personal information controller, from whom the data subject can obtain additional information about the breach and any assistance to be provided to the affected data subjects.

Exemptions from the prompt notification requirement

There are three exemptions from the prompt notification requirement: the first involves statutorily permitted delays in giving notice, while the other two dispenses with the notification requirement altogether.

Under the first exemption, the personal information controller may choose to postpone the giving of notice to the affected parties in order to determine the scope of the data breach, prevent further disclosures, or restore reasonable integrity to the information and communications system.7

In the second exemption, notification may be dispensed with if the NPC believes that the notification may hinder the progress of a criminal investigation related to a serious breach.8

The third exemption removes the notification requirement whenever the Commission determines that such requirement would not be in the public interest or in the interests of the affected data subject.9

Liability for lack of notice

Notwithstanding the foregoing, failure to notify stakeholders of security breaches involving sensitive personal information when required to do so exposes the responsible parties to criminal liability. Section 30 of the Data Privacy Act imposes a penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than five hundred thousand pesos (PHP 500,000.00) but not more than one million pesos (PHP 1,000,000.00) on persons who, after having knowledge of a security breach and of the obligation to notify the National Privacy Commission, intentionally or by omission conceal the fact of such security breach.

Section 34 of the same law provides that if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.

All told, an information-driven world requires a greater degree of privacy-consciousness. If even banking institutions such as Land Bank of the Philippines and tech giants such as Yahoo! are vulnerable to cyber-attacks, it is difficult to imagine the measure of security an ordinary user would need to employ in order to adequately protect himself.

And while it is reassuring to know that security is constantly being intensified to protect data, it is still well within the affected public’s right to be notified promptly should any of their sensitive personal information be compromised.

# # #

1 Land Bank in UP Diliman: ATMs may have been ‘compromised’. (2016, November 2015). Retrieved April 20, 2017, from


3Yahoo hack: 1bn accounts compromised by biggest data breach in history. (2016, December 14). Retrieved April 20, 2017, from

4Yahoo Says 1 Billion User Accounts Were Hacked. (2016, December 14). Retrieved April 20, 2017, from

5 Detection and Characterization of Port Scan Attacks,

6 Sec. 38(a), IRR of R.A. 10173.

7 Sec. 20(f), R.A. 10173.

8 Sec. 20(f)(3), R.A. 10173.

9 Sec. 20(f)(2), R.A. 10173.

J. Batac