Data breach notification under the Data Privacy Act

The past few years have seen robust developments in the field of data protection, spawned no doubt by the sheer scale of the data breach problem. The bad news, however, is that data breaches remain as pervasive as ever. If even the seemingly impenetrable Pentagon is vulnerable to cyber-attacks, it is difficult to imagine the measure of security an ordinary user would need to employ in order to adequately ward off attacks of this kind.

Late last year in the Philippines, for example, Landbank debit cardholders were warned not to use their ATM cards for online transactions and to have them temporarily blocked. This came following reports that some of the bank’s ATM terminals may have been compromised. The bank did not provide details of the extent and nature of the attack. However, it did notify its clients of the possible breach. Subsequently, it permanently blocked their debit cards.

It is not hard to postulate that the data breach at Landbank’s ATM terminals may have been due to skimming. A popular data breach scheme, skimming utilizes a card reader stealthily installed in an ATM terminal. The reader then saves users’ card information and replicates the data for theft.

Also in 2016, tech giant Yahoo! disclosed that more than a billion user accounts were compromised in a 2013 attack. The company attributed the attack to a possible theft of its proprietary code by “state-sponsored” hackers, who then used forged cookies to gain access to users’ accounts without needing a password. This incident, which involved the theft of a massive amount of sensitive personal information, is touted as one of the largest known security breaches of a single company’s computer network.

The attacks launched on Landbank’s and Yahoo!’s systems highlight the breadth and increasing sophistication of cyber-attacks, as well as the lengths hackers are willing to go to in order to obtain access to sensitive personal information. In both instances, affected users were notified of the incidents as a matter of legal obligation on the part of the entities that suffered the breaches.

Necessity of ‘data breach notification’

Data breach notification laws have been around in other jurisdictions since 2002. In the Philippines, it was only in 2012 that R.A. 10173, or the Data Privacy Act, was passed into law. The said law contains provisions obligating personal information controllers – both public and private – to notify their clients, the National Privacy Commission, and other affected stakeholders if and when an incident of data breach involving sensitive personal information has transpired.

The purpose of data breach notification is two-fold. First, it puts clients on their toes so they can undertake measures designed to safeguard their information or, at the very least, mitigate the adverse effects of an actual breach. Second, it allows the entity that suffered the breach to take crucial steps to get to the bottom of the incident, resolve issues, and provide immediate remedy for injuries sustained on account of the breach.

Section 3(k) of the IRR of the Data Privacy Act defines personal data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Following this definition, instances of personal data breach may range from the physical theft of actual files to cybercrime in its various forms, such as data-stealing malware, viruses, and cyber-espionage.

This definition needs to be taken into account because not all cyber-attacks or system intrusions count as personal data breach. For example, while a denial-of-service attack may result in the disruption of a network resource, it does not by itself cause the loss or theft of personal data, thereby negating the need for data breach notification. The same is true of port-scanning, a technique frequently employed by hackers to probe for weaknesses in a given system in order to initiate a denial-of-service attack. Note that in port-scanning, the weakness hackers look for is one that is not associated with personal data.

In the event of an actual personal data breach, Section 20 provides that the personal information controller should check if sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud has been obtained by an unauthorized person.

Section 3(o) of the IRR of the Data Privacy Act provides an enumeration of what constitutes sensitive personal information. It includes, among others, an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations, health, education, genetic or sexual life, social security numbers, or previous or current health records.

If the controller or the National Privacy Commission believes that an unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject, the controller should promptly notify the National Privacy Commission and the affected data subjects about said breach. Prompt notification is quantified as within 72 hours of the personal information controller or personal information processor acquiring knowledge of, or forming a reasonable belief that, a personal data breach requiring notification has occurred.

Note that the law does not require notification in all instances of data breach. The Data Privacy Act specifically requires notification only when sensitive personal information, or other information that may be used to enable fraud, has been compromised. Such determination is left to the personal information controller and the National Privacy Commission.

If warranted and called for, the notification should at least: (a) describe the nature of the breach; (b) identify the sensitive personal information possibly involved; and (c) state the measures taken by the entity to address the breach.

Section 39 of the IRR of the Data Privacy Act further provides that the notification shall also include the measures taken to reduce the harm or negative consequences of the breach; the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach; and any assistance to be provided to the affected data subjects.

When notification may be delayed or is unnecessary

Even though mandated by law to notify affected parties of a data breach at the earliest possible opportunity, the personal information controller may choose to postpone doing so. However, postponement must only be to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.

Delaying the notification is likewise allowed if, in the considered opinion of the National Privacy Commission, the notification may hinder the progress of a criminal investigation related to a serious breach.

It is crucial to note, though, that prompt or even delayed notification is not necessary in all incidents of data breach. The Data Privacy Act provides two instances in which the personal information controller is no longer statutorily required to notify its clients of an incident of breach.

Notification may be dispensed with where, in the Commission’s reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subject.

Notwithstanding the foregoing, failure to notify stakeholders of security breaches involving sensitive personal information when required to do so exposes the responsible parties to criminal liability.

Section 30 of the Data Privacy Act imposes a penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than five hundred thousand pesos (PHP 500,000.00) but not more than one million pesos (PHP 1,000,000.00) on persons who, after having knowledge of a security breach and of the obligation to notify the National Privacy Commission, intentionally or by omission conceal the fact of such security breach.

Section 34 of the same law provides that if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.

All told, an information-driven world requires a greater degree of privacy-consciousness and leaves no room for a lackadaisical attitude toward personal information. And while it is reassuring to know that security is constantly being beefed up to protect data, it is well within the affected public’s right to be notified promptly should any of their sensitive personal information be compromised.

Disini & Disini Law Office