- The Security Incident Management Policy
- The Security Incident Response Team
- Annual Reports
- Mandatory Notification
- The Subsequent Investigation
A security incident is any event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place.
A data breach is a kind of security incident.
A data breach happens when there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
There are three kinds of data breaches:
- Availability breach. – from the loss, accidental or unlawful destruction of personal data;
- Integrity breach. – from the unauthorized alteration of personal data; and
- Confidentiality breach. – from the unauthorized disclosure of, or access to, personal data.
The Security Incident Management Policy
All personal information controllers and processors must implement a security incident management policy. This policy is for managing security incidents, including data breaches.
In drafting your security incident management policy and personal data breach management procedure, the following must be included:
- Creation of a security incident response team, with members that have clearly defined responsibilities, to ensure timely action in the event of a security incident or personal data breach;
- Implementation of organizational, physical and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident;
- Implementation of an incident response procedure intended to contain a security incident or personal data breach and restore integrity to the information and communications system;
- Mitigation of possible harm and negative consequences to a data subject in the event of a personal data breach; and
- Compliance with the Data Privacy Act, its IRR, and all related issuances by the NPC pertaining to personal data breach notification.
The Security Incident Management Policy must also include measures intended to prevent or minimize the occurrence of a personal data breach. These measures include:
- Conduct of a privacy impact assessment to identify attendant risks in the processing of personal data. It shall take into account the size and sensitivity of the personal data being processed, and impact and likely harm of a personal data breach;
- Data governance policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
- Implementation of appropriate security measures that protect the availability, integrity and confidentiality of personal data being processed;
- Regular monitoring for security breaches and vulnerability scanning of computer networks;
- Capacity building of personnel to ensure knowledge of data breach management principles, and internal procedures for responding to security incidents;
- Procedure for the regular review of policies and procedures, including the testing, assessment, and evaluation of the effectiveness of the security measures.
The Security Incident Response Team
The Security Incident Response Team is responsible for:
- Implementing security incident management policy of the personal information controller or personal information processor;
- Managing security incidents and personal data breaches; and
- Compliance by the personal information controller or personal information processor with the relevant provisions of the Act, its IRR, and all related issuances by the Commission on personal data breach management.
Although the functions of the Security Incident Response Team (SIRT) may be outsourced, and there is no precise formula for the composition of the SIRT, its members must, as a collective unit, be ready to assess and evaluate a security incident, restore integrity to the information and communications system, mitigate and remedy any resulting damage, and comply with reporting requirements.
Annual Reports
Personal information controllers and processors are required to submit an Annual Report, in which all security incidents and personal data breaches must be documented through written reports, including those not covered by the notification requirements.
In the event of a personal data breach, a report shall include: (a) the facts surrounding the incident; (b) the effects of such incident; and (c) the remedial action taken by the personal information controller. For other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation.
Any or all reports shall be made available when requested by the Commission: Provided, that a summary of all reports shall be submitted to the Commission annually, consisting of general information including: (1) the number of incidents and breaches encountered; and (2) their classification according to their impact on the availability, integrity, or confidentiality of personal data.
Mandatory Notification
Not all data breaches have to be reported to the NPC. The personal information controller (or processor, as the case may be) must notify the NPC only when all of the following are present:
- There is a breach of sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud;
- The data is reasonably believed to have been acquired by an unauthorized person; and
- Either the personal information controller or the NPC believes that the data breach is likely to give rise to a real risk of serious harm to the affected data subject.
If there is doubt as to whether notification is indeed necessary, consider:
- The likelihood of harm or negative consequences on the affected data subjects;
- How notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred; and
- Whether the data involves:
  - Information that would likely affect national security, public safety, public order, or public health;
  - At least one hundred (100) individuals;
  - Information required by all applicable laws or rules to be confidential; or
  - Personal data of vulnerable groups.
The failure to notify the NPC or the public may make you criminally liable for Concealment of Security Breaches Involving Sensitive Personal Information, which carries a penalty of imprisonment from one year and six months to five years, and a fine of Five Hundred Thousand Pesos (₱500,000.00) to One Million Pesos (₱1,000,000.00).
This crime is committed by those who, having knowledge of the security breach and an obligation to inform the NPC of the fact of such a breach, either intentionally or by omission fail to inform the NPC that the breach has happened.
Aside from notifying the NPC, the personal information controller shall also notify the affected data subjects upon knowledge of, or when there is reasonable belief that a personal data breach has occurred. The obligation to notify remains with the personal information controller even if the processing of information is outsourced or subcontracted to a personal information processor.
The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
Generally, there shall be no delay in notification; however, the notification may be delayed only to the extent necessary to:
- determine the scope of the breach;
- prevent further disclosures; or
- restore reasonable integrity to the information and communications system.
There can be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In either case, the Commission must be notified within the 72-hour period based on available information.
The full report of the personal data breach must be submitted within five (5) days from notification, unless the personal information controller is granted additional time by the Commission to comply.
The following information must be included in any Data Breach notification:
- Nature of the Breach. – There must be, at the very least, a description of: (a) the nature of the breach; (b) a chronology of events; and (c) an estimate of the number of data subjects affected;
- Personal data involved. – a description of the sensitive personal information or other information involved;
- Remedial Measures. – there must be: (a) a description of the measures taken or proposed to be taken to address the breach; (b) actions being taken to secure or recover the personal data that were compromised; (c) actions performed or proposed to mitigate possible harm or negative consequences, and to limit the damage or distress to those affected by the incident; (d) actions being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification; and (e) the measures being taken to prevent a recurrence of the incident; and
- Name and contact details. – of the Data Protection Officer or contact person designated by the personal information controller to provide additional information.
Under the Data Privacy Act, the data subject has the right to be notified. To give effect to this right, the personal information controller MUST:
- Notify the data subject within seventy-two (72) hours upon knowledge of, or reasonable belief that, a personal data breach has occurred;
- Make the notification on the basis of available information within the 72-hour period if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data subjects; and
- Give the notification the same content as the one made to the National Privacy Commission, but also include instructions on how data subjects can get further information, and recommendations on how to minimize the risks resulting from the breach and how to secure any form of assistance.
The notification may be supplemented with additional information at a later stage on the basis of further investigation.
The notification of affected data subjects shall be done individually, using secure means of communication, whether written or electronic. Whenever individual notification is not possible or would require a disproportionate effort, the personal information controller may seek the approval of the Commission to use alternative means of notification.
The notification requirement is not absolute: the NPC can allow postponement of notification when it may hinder the progress of a criminal investigation.
The Subsequent Investigation
The NPC will consider these factors in its investigation following the occurrence of a data breach:
- Security measures that have been implemented and applied to the personal data at the time the personal data breach was reasonably believed to have occurred, including measures that would prevent use of the personal data by any person not authorized to access it;
- Subsequent measures that have been taken by the personal information controller or personal information processor to ensure that the risk of harm or negative consequence to the data subjects will not materialize;
- Age or legal capacity of affected data subjects; Provided, that in the case of minors or other individuals without legal capacity, notification may be done through their legal representatives; and
- Compliance with the law and existence of good faith in the collection of personal information.
The Commission may investigate a breach or security incident, depending on the nature of the incident, or in case of failure or delay in the notification. The investigation includes:
- On-site examination of systems and procedures;
- If necessary, the Commission shall require the cooperation of concerned parties, or compel appropriate action therefrom to protect the interests of data subjects; and
- The investigation shall be governed by the Rules of Procedure of the Commission.