Just as the ILOVEYOU virus, which spread like wildfire in 1999, helped generate awareness of the need to ensure information security and protect against cybercrime, the “ComeLeak” helped generate awareness of the need to protect personally identifiable information and sensitive personal information.
The “ComeLeak” incident, which reared its ugly head on March 28, 2016, involved the illegal copying and unauthorized disclosure of the database of the Commission on Elections (Comelec) by the hacker group LulzSec Pilipinas. It has since become the favorite example of a data privacy and information security breach in the various forums that discuss information security and data privacy protection.
The National Privacy Commission (NPC), the agency mandated to implement Republic Act 10173, or the Data Privacy Act (DPA), had just been organized a few weeks before the “ComeLeak” incident and among its mandated tasks was to investigate incidents like the “ComeLeak”.
The DPA had lumped personally identifiable information and sensitive personal information into a class of their own. It mandates the implementation of appropriate measures to protect this class of information against accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.
Information security practice focuses on protecting information systems against unauthorized access and impairment of their operations, and on ensuring the confidentiality, integrity, and availability of all types of data stored in those systems.
Information security had, for a long time, been treated as a purely technical matter, left to chief information officers or chief information security officers in organizations, public and private. The DPA had elevated data privacy protection to a management issue and mandates the designation of a Data Protection Officer, who is responsible for ensuring that organizational, physical, and technical measures are in place. Information security needs to be elevated to the same level as data privacy protection, since the two share the same goals: the preservation and protection of the confidentiality, integrity, and availability of data, otherwise known as the C-I-A triad.
A year after the “ComeLeak” incident, the NPC had generated heightened awareness on the need to ensure that data privacy is protected in organizations, both public and private. It has created a roadmap for compliance with the DPA. The Department of Information and Communications Technology, on the other hand, has been conducting public consultations as part of the process of crafting the national cybersecurity plan.
A year after the “ComeLeak” incident, the Comelec appears to have complied with the order of the NPC. In a press release dated March 28, 2017, the Comelec quoted NPC Chairman Raymond Liboro as saying, “If you ask me, the compliance of the Comelec is malayong malayo na (much improved) from way before (the hacking) happened.”
Prior to this, however, another incident hit the Comelec within a year of the “ComeLeak” incident and after the NPC had issued its decision on the first incident. It was reported that a computer was stolen from Comelec’s local office in Wao, Lanao del Sur on January 11, 2017. The computer contained a copy of the voter registration system, voter search applications, and the Comelec’s database of registered voters. It appeared that the Comelec had not learned its lesson. The NPC has since ordered the deletion of all copies of the database of registered voters that the Comelec had distributed to its local offices. The reason for distributing copies of the whole voter registration database remains undisclosed. The second incident highlighted the need for the Comelec to strengthen physical security in its local offices and to update local Comelec personnel on the necessity of protecting the database.
The NPC had ordered the Comelec to designate a Data Protection Officer, conduct a privacy impact assessment, create a privacy management program, create a breach management procedure, and implement organizational, physical and technical security measures.
With the NPC’s finding that Comelec’s compliance with the DPA is much improved and assuming that it had followed the orders of the NPC, the question is: Is the Comelec organization ready to embrace its privacy management program, breach management procedure, and the organizational, physical and technical security measures?
Much still has to be done. Citizens have to be made aware of their data privacy rights while organizations, public and private, still have to fully comply with the DPA and issuances of the NPC.
In response to the NPC guidance on implementing organizational, physical, and technical measures to protect data privacy, information security must be elevated to a management concern at the same level to which the DPA has brought data privacy protection in the eyes of executive management. This will allow organizations to formulate and enforce information security and data privacy policies that are in harmony with the pertinent laws and the issuances of the government agencies concerned. Procedures, rules, and guidelines on how information systems will be secured and how data privacy will be protected can then take root in these policies. Managers and personnel with the appropriate skills and knowledge can then be assigned the tasks of information security and data privacy protection. Only then can the appropriate technical measures be identified and implemented. A challenging task indeed.