Sometime in October 2017, when news of a possible data breach involving its clients was made public, COL Financial – the largest online stock broker in the Philippines with about 225,000 registered investors – was quick to assuage the fears of its customers by assuring them that none of their portfolios and positions were affected. It likewise notified the public that the matter had been promptly reported to the National Privacy Commission (NPC) pursuant to the Data Privacy Act of 2012.
But while it is true that COL Financial was not remiss in its duty to report the security incident to NPC immediately following the alleged breach, the company’s obligation to report does not end there.
Section 46 of Rule XI of the Implementing Rules and Regulations (IRR) of the Data Privacy Act requires private and public organizations to submit an annual report of documented security incidents and personal data breaches as part of their registration and compliance. Circular 16-03 issued by the NPC on December 15, 2016, further clarifies that the annual report should contain “a summary of all reports x x x submitted to the [NPC], comprised of general information including the number of incidents and breach encountered, classified according to their impact on the availability, integrity, or confidentiality of personal data.”
The submission of such report, officially known as the Annual Security Incident Report or ASIR, is one of the duties of the Personal Information Controller or “PIC”. Section 3(h) of the Data Privacy Act defines a PIC as “a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.”
‘Invaluable management resource’
In admonishing organizations to file their respective ASIRs, NPC Commissioner and Chair Raymund Enriquez Liboro emphasized in a statement issued January 2018 that “When properly collated, the data becomes an invaluable management resource that enables a PIC to assess its reaction time for every crucial event. From the moment an incident occurred to its discovery, and to the time it took for the internal breach response team to properly diagnose the situation, decide on an action, deploy contingency measures and notify the NPC if necessary.” He added that “the PIC must find ways to reduce time lags whenever possible; it amounts to mitigating potential harm to data subjects.”
According to Sec. 3 of the IRR of the Data Privacy Act, a security incident is “an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place.”
The problem with this definition is that it tends to be too broad in scope, virtually everything today has the potential of affecting data protection. As such, the question of what to consider as a security incident becomes subject to varying interpretations.
In a press release, the NPC clarified the kinds of attacks that are to be properly considered as security incidents and which need to be reported. These include brute force attacks into a database containing personal information, even though such attack is stopped by a timely intervention on the part of the personal information controller, as well as alterations in a database that alter the personal records of individuals.
The same statement provided an example to illustrate what not to report or include in the ASIR. The NPC noted that “a cyberattack that successfully uncovers industrial secrets that do not involve the processing of personal data is not considered as a security incident under Philippine data privacy laws, and as such, does not need to be included in the Annual Security Incident Report.” Thus, even if the breach has been consummated, if such breach does not result in the compromise of personal information said incident need not be reported to the NPC or included in the ASIR.
The prompt reporting of security incidents and the filing of the ASIR to the NPC are mandatory, violation of which would result in potential criminal liability. Section 30 of the Data Privacy Act imposes the penalty of imprisonment of one year and six months to five years and a fine of not less than Php500,000 but not more than Php1,000,000 on persons who, after having knowledge of a security breach and of the obligation to notify the NPC, intentionally or by omission conceal the fact of such security breach or fail to notify the NPC. Section 35 provides further that should the personal information of at least 100 persons be harmed, affected or involved by such concealment, the maximum penalty shall be imposed.
ASIRs are filed within a period immediately following the year covering the report. By way of example, for 2017, the NPC has set the submission period from January 3 to March 31, 2018. According to the NPC, the submission period is intended to give organizations sufficient opportunity to “audit their privacy program and improve their organization’s efficiency in the way they manage their security incidents.”
PICs may submit their respective ASIRs by email on or before the deadline to firstname.lastname@example.org.
# # #