Breach, breach, brace for impact!

(Part 1 of 2)

Lui is a sassy yuppie from Makati who loves to shop. A patron of the high-end stores in Greenbelt, Lui frequently buys stuff using her favorite Bank X Platinum credit card. A ballpark estimate puts her monthly credit card purchases at around P50,000, but Lui religiously pays her credit card balance in full a week before its due date. One day, while she was sipping her latte and swiping through her Bank X mobile app, Lui almost passed out when her latest credit card bill displayed a whopping P200,000! Not a minute later, #BankXHacked trended at No.1 on Twitter.

Lui’s story, although made-up, is a financial horror we could only hope we never experience for real. Given the advancements in information technology, we would think organizations have enough cyber battle gear to combat data breaches. Alas, recent statistics show that data security is, and continues to be, a cause for concern in the digital world.

A data breach study sponsored by IBM in 2017 indicates that the global average cost of a data breach declined by 10 percent to $3.62 million; the average cost per lost or stolen record of sensitive and confidential information in 2017 was $141, down from $158 recorded in 2016. However, the same study showed that, while the total cost and unit cost decreased, the average size of data breach grew by 1.8 percent (to an average of more than 24,000 affected records).

In the Philippines, the Commission on Elections voter database breach that exposed the sensitive personal information of about 78 million voters in 2016 was one of the worst large-scale breaches in recent years. Its occurrence over Holy Week that year underscores one realization: Digital criminals do not rest, even on holidays. And neither should any organization’s data security safeguards.

We live in a world where every entrepreneurial pursuit is driven by data. This is not surprising, given that terms such as “data mining,” “data analytics,” “data analysis,” “data science” and “big data” have become a staple on business tables and in published articles. Businesses now realize that effective decision-making is truly dependent on data that is succinctly analyzed and communicated in a quick, paperless fashion.

High-technology applications enable faster data gathering and processing but, if not properly secured, also pose a far more unsettling risk – data loss. Any piece of information not readily available to the public, such as confidential company information and sensitive personal data, getting into the wrong hands can spell doom for a business or an individual. The endless possibilities of what can be done with stolen personal data are scary.

Thus, in its mission to protect its citizens from harm caused by unauthorized access or use of personal data, the Philippine government put Republic Act No. 10173 into law, also known as the Data Privacy Act of 2012 (DPA).

The DPA’s scope is limited to personal data, which is any type of personal information that, on its own or combined with other information, can reasonably and directly ascertain an individual’s identity. The DPA also emphasizes protecting sensitive personal data, which includes any information about the race, ethnic origin, marital status, age, color, affiliations (religious/philosophical/political), health, education, genetic, or sexual life of a person, and government-issued identifiers (e.g., social security numbers, health records, licenses, and tax returns).

The DPA has been a hot topic this year due to the gone-unnoticed September 2017 Phase I registration target date and the approaching March 8, 2018 deadline for Phase II of the registration process with the National Privacy Commission (NPC). Sections 9 to 11 of NPC Circular 17-01 provide a brief overview of the two phases and their respective requirements, with the designation of a Data Protection Officer (DPO) and the submission of an application for registration being the two high-priority Phase I requirements. Section 47 of the DPA’s Implementing Rules and Regulations (IRR) likewise reiterated that required businesses (identified in Section 5 of NPC Circular 17-01) must submit 10 items to the NPC as part of the Phase II registration. One of the policies required in the IRR related to data governance, data privacy and information security is a reporting policy on how to deal with data breaches.

Breach or not?

The IRR emphasizes two terms related to breach reporting: security incident and personal data breach. A security incident is an event that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. When there are no measures in place (or the measures in place are inadequate) to prevent or mitigate a security incident, the risk of harm rises and the security incident may result in one, or a combination of, the following types of personal data breaches:

Availability breach – loss, accidental, or unlawful destruction of personal data; Integrity breach – alteration of or unauthorized changes to personal data; and Confidentiality breach – unauthorized disclosure of or access to personal data.

Now that Bank X has confirmed the breach of the personal data of millions of its credit cardholders, what must it do to comply with the DPA requirements for reporting an actual breach? Whom should Bank X notify about the actual breach, and how?

(Part 2 next week)

Mark Anthony Basa is a managing consultant, Advisory Services Division of P&A Grant Thornton. P&A Grant Thornton is one of the leading Audit, Tax, Advisory, and Outsourcing firms in the Philippines, with 21 partners and over 850 staff members. We’d like to hear from you! Tweet us: @PAGrantThornton, like us on Facebook: P&A Grant Thornton, and email your comments to mark.basa@ph.gt.com or pagrantthornton.marketscomm@ph.gt.com. For more information, visit our Website: www.grantthornton.com.ph.

As published in The Manila Times, dated 28 February 2018