COMMISSION on Elections (Comelec) Chairman Juan Andres Bautista is in hot water in connection with the hacking of the poll body’s website last year that left open to identity theft the personal information of more than 55 million registered voters here and abroad.
The National Privacy Commission (NPC) on Thursday ruled that Bautista and the Comelec en banc were criminally liable for the cyber security breach, in violation of Republic Act (RA) 10173 or the Data Privacy Act of 2012.
The NPC is an independent body mandated to administer and implement RA 10173, and to monitor and ensure compliance of the country with international standards for data protection.
In its 35-page decision, the NPC accused Bautista of violating Section 22, which defines his role as head of the Comelec in complying with the security requirements mentioned in the law.
Section 22 states, “All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practical, with the use of the most appropriate standards recognized by the information and communications technology industry, and as recommended by the commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein while the commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.”
The en banc, on the other hand, was faulted for violation of Sections 11, 20 and 21 of the same law.
According to the NPC, Bautista and the poll body failed to implement needed security measures to protect data related to the personal information of voters, including their fingerprints and addresses.
It said that Bautista failed to appoint a data protection officer as provided by law.
“Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation and updating of Comelec’s privacy and security policies and practices,” the NPC pointed out.
Bautista, in a statement, denied the accusations against him and the Comelec even as he vowed to contest the ruling.
“With all due respect to the NPC membership, we believe that the NPC decision was based on the misappropriation of several facts, legal points and material contexts,” he said.
The Comelec, through the Office of the Solicitor General, will file a motion for reconsideration with the NPC.
Contrary to the findings of the NPC, Bautista maintained that the Comelec has done due diligence in protecting its data even before the hacking of its website in March 2016 by following generally accepted standards and international best practices with regard to its technology-related activities and services.
According to him, the Comelec, aware of the gravity of the hacking, immediately undertook the necessary actions in response to the security breach even as it was at the height of preparations for the May 9, 2016 national and local polls.
“Comelec, in good faith, cooperated with the proceedings initiated by the NPC despite the absence of Implementing Rules and Regulations (IRR),” Bautista said, adding that the Comelec also submitted a compliance report detailing the actions it has taken.
Bautista also questioned the NPC decision pointing to him as solely responsible for the data breach, saying “these are matters that are best left to information technology [IT] experts.”
“Unlike the NPC, which is run by IT practitioners, the Comelec en banc is currently managed by seven lawyers. Hence, we rely on our IT Department for expert advice on website/data security and privacy and IT-related matters,” he said.
“Following the decision’s logic, if there is a breach of the Supreme Court website, will the Chief Justice be potentially liable?” the poll chief asked.
The Comelec website was hacked and defaced in the early morning of March 28, 2016.
It was the second time that hackers were able to bypass the website’s defense wall.
According to Internet security provider Trend Micro, the hackers were able to copy the personal information of 1.3 million registered overseas Filipino voters and the fingerprints of 15.8 million other voters, which rendered them vulnerable to identity theft.
Comelec spokesman James Jimenez has admitted that the Comelec website was put up without a strong security firewall, such that the hackers, after a series of attempts, were able to find loopholes in the system.