BAUTISTA ‘NEGLIGENT,’ SAYS PRIVACY COMMISSION

Comelec chief liable for hacking


COMMISSION on Elections (Comelec) Chairman Juan Andres Bautista is in hot water in connection with the hacking of the poll body’s website last year that left open to identity theft the personal information of more than 55 million registered voters here and abroad.

The National Privacy Commission (NPC) on Thursday ruled that Bautista and the Comelec en banc were criminally liable for the cyber security breach, in violation of Republic Act (RA) 10173 or the Data Privacy Act of 2012.

The NPC is an independent body mandated to administer and implement RA 10173, and to monitor and ensure compliance of the country with international standards for data protection.

In its 35-page decision, the NPC accused Bautista of violating Section 22, which defines his role as head of the Comelec in complying with the security requirements mentioned in the law.


Section 22 states, “All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practical, with the use of the most appropriate standards recognized by the information and communications technology industry, and as recommended by the commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein while the commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.”

The en banc, on the other hand, was faulted for violation of Sections 11, 20 and 21 of the same law.

According to the NPC, Bautista and the poll body failed to implement needed security measures to protect data related to the personal information of voters, which include their fingerprints and addresses.

It said that Bautista failed to appoint a data protection officer as provided by law.

“Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation and updating of Comelec’s privacy and security policies and practices,” the NPC pointed out.

Bautista, in a statement, denied the accusations against him and the Comelec even as he vowed to contest the ruling.

“With all due respect to the NPC membership, we believe that the NPC decision was based on the misappropriation of several facts, legal points and material contexts,” he said.

The Comelec, through the Office of the Solicitor General, will file a motion for reconsideration with the NPC.

Contrary to the findings of the NPC, Bautista maintained that the Comelec has done due diligence in protecting its data even before the hacking of its website in March 2016 by following generally accepted standards and international best practices with regard to its technology-related activities and services.

The Comelec, according to him, aware of the gravity of the hacking, immediately undertook the necessary actions in response to the security breach even as it was at the height of preparations for the May 9, 2016 national and local polls.

“Comelec, in good faith, cooperated with the proceedings initiated by the NPC despite the absence of Implementing Rules and Regulations (IRR),” Bautista said, adding that the Comelec also submitted a compliance report detailing the actions it has taken.

Bautista questioned as well the NPC decision pointing to him as solely responsible for the data breach, saying “these are matters that are best left to information technology [IT] experts.”

“Unlike the NPC, which is run by IT practitioners, the Comelec en banc is currently managed by seven lawyers. Hence, we rely on our IT Department for expert advice on website/data security and privacy and IT-related matters,” he said.

“Following the decision’s logic, if there is a breach of the Supreme Court website, will the Chief Justice be potentially liable?” the poll chief asked.

The Comelec website was hacked and defaced in the early morning of March 28, 2016.

It was the second time that hackers were able to bypass the website’s defense wall.

According to Internet security provider Trend Micro, the hackers were able to copy the personal information of 1.3 million registered overseas Filipino voters and the fingerprints of 15.8 million other voters, which rendered them vulnerable to identity theft.

Comelec spokesman James Jimenez has admitted that the Comelec website was put up without a strong security firewall, such that the hackers, after a series of attempts, were able to find loopholes in the system.


7 Comments

  1. Is it true that the top echelon of the Philippine government
    does not know the definition of Harakiri or seppuku?

  2. Is it true that the top echelon of the Philippine government
    does not know the definition of Harakiri or seppuku?

  3. Leodegardo M. Pruna on

    The Comelec Chairman cannot deny the fact that he is guilty of GROSS NEGLIGENCE for not ensuring the confidentiality of millions of personal circumstances being hacked from their files. The fact that even during the election Comelec admitted that it did with Smartmatic “COSMETIC” revision in its server would show how unscrupulous Comelec under Bautista has been. His threat that a recount relative to the protest in the VP post that it will cost two billion pesos is to dissuade government from doing the recount where in fact there is no need for the Smartmatic machines which gave garbage as the recount would be manual. There is a correlation between the hacking and the count for the VP post without one needing a PhD to see it. Mr. Bautista should be tried and charged for “GROSS NEGLIGENCE.” God bless the Philippines. God save the Philippines from unscrupulous officials who have only themselves to think of.

  4. Let us leave the meek and mild-mannered Comelec Chairman alone. He is a decent, upright, law-abiding and honest lawyer who is only trying to do his best for the country. He has an admirable and praiseworthy record as a law practitioner, member of the Philippine Bar, Dean of the FEU Institute of Law, newspaper columnist and PCGG Chairman. What has the country turned into when it is the hacked and not the hacker who is prosecuted? Is someone interested in Chairman Bautista’s position? Is this a case of politicking? Again, let us leave him alone. He has done a good job in the Comelec. He should be commended instead of denigrated.

  5. Commissioner Andres Bautista looks clean but behind that face is a very corrupt individual, a relative of a useless past President who appoints thieves. Bautista is a true yellow and he should be charged in court for being part of the fabrication of the VP results to favor Robredo.

  6. Spokesman for Comelec admitted that the Comelec website was put out without a strong security firewall and therefore Chairman Bautista cannot deny and repudiate that it cannot be hacked. And of course it is the responsibility of the Chairman, because he is in charge and the overall responsibility for the whole agency falls on him. Bautista cannot compare his failure of responsibility to the Chief Justice; it's entirely a different ball game. The individual justices, including the Chief Justice, have different principles and opinions in interpreting the law in every case presented to them, to deliver fair and equal justice for all as final arbiter.