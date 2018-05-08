NEW YORK: Yes, the Philippines has the Data Privacy Act, or Republic Act 10173, signed into law on August 15, 2012, and the Cybercrime Prevention Act of 2012, or Republic Act 10175, approved on September 12, 2012. There are other, earlier laws, but what the country lacks is a cybersecurity framework. There was a National Cybersecurity Plan in 2004, but it has not been updated. The National Security Council has not even buckled down to craft and put in place a protective policy that covers not only infrastructure and technology but also telcos, data, systems, risks and accountability for both the public and private sectors.

RA 10173 covers personal information as well as trade secrets held by multinationals, but it does not cover political campaigns, where data is the currency of a competitive race. The law “protects all forms of information that are personal, private or privileged. It covers all persons, whether natural or juridical, with particular emphasis to companies or juridical entities involved in the processing of protected information.” The law only protects information that is considered private. Information that was publicly available or accessible before its enactment continues to be public.

RA 10175 addresses legal issues arising from online interactions and internet use in the country. It defines and covers cybercrime offenses such as cybersquatting, cybersex, child pornography, identity theft, illegal access to data and libel. “The most criticized provision of the law was criminalizing libel, perceived to be a curtailment of freedom of expression.” On February 18, 2014, the Supreme Court ruled that Section 5 of RA 10175 was constitutional, and that Sections 4-C-3, 7, 12 and 19 were unconstitutional.

The ComeLeak that happened in 2015 remains pending in the bowels of the court. Without a sense of urgency, it looks like it will be buried so deeply in dung that it stinks to high heaven. What has Comelec done to ensure that there will be no recurrence come 2019 or 2022 and beyond?

The National Privacy Commission (NPC) found that the Commission on Elections violated the Data Privacy Act of 2012 and has recommended the criminal prosecution of Chairman J. Andres D. Bautista for the data breach that occurred between March 20 and 27, 2015. In the decision dated December 28, 2016 on NPC Case No. 16-001, the enormity of the situation was described as “the personal data in the breach is contained in several databases kept in the website: a) the voter database in the Precinct Finder web application, containing 75,302,683 records; b) the voter database in the Post Finder web application, which contains 1,376,067 records; c) the iRehistro registration database, with 139,301 records; d) the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and e) the Comelec personnel database, containing records of 1,267 Comelec personnel.” It was said to be the “worst recorded breach on a government-held personal database in the world, based on sheer volume.”

Last week, in the Wendy’s Philippines leak, an “estimated 82,150 records were exposed, which included personal details such as names, contact numbers, home addresses, hashed passwords, transaction details, and mode of payment of the company’s customers, loyalty card members, and even job applicants.” On May 2 the NPC ordered Wenphil Corp. to notify the people exposed within 72 hours. But apart from the order to notify, shouldn’t Wenphil Corp. be fined as well?

Companies should be required to secure cybersecurity insurance so that careless handling of data is mitigated. Companies penalized for a data breach would then be able to manage business continuity, with coverage for licenses and potential abuses. Training is also needed so that private and public organizations are able to designate a chief information security officer as well as develop a corps of cyberforensic specialists to handle audits and assess risks.

The loudest thud heard from across the globe is the damaging breach at Equifax (a credit rating agency) in 2017, which affected 145.5 million Americans and 700,000 Brits. Hackers gained access to personal information belonging to 143 million US consumers after exploiting a vulnerability in the company’s website. Equifax (EFX) is one of the US’ biggest credit bureaus. The leaked information “includes names, Social Security numbers, birth dates and in some cases driver’s license numbers. Credit card numbers for about 209,000 consumers and documents related to credit reporting disputes for 182,000 people also were exposed.” The US Congress is now studying legislation calling for data breach prevention and compensation.

And then there is the US government ban against Kaspersky in September 2017. Kaspersky is anti-virus software with broad authority to browse through a computer’s files and to quarantine or remove files that might be infected with malware. The Homeland Security Department ordered the Kaspersky ban. Congress also required Kaspersky to be scrubbed from government systems in legislation that will take effect in October 2018.

And this column is a call for reforms to mandate cybersecurity protocols in political campaigns. Imagine a situation in which polls, strategies and tactics are exposed through phishing or hacking. Now imagine there was no phishing or hacking at all: you simply forgot to clean the email list, and fired or resigned campaign staff remain in the email loop!

Cybersecurity in campaigns and elections is today a vital process issue, since phishing, hacking and DDoS attacks are prevalent. The top five rules to be adopted are: take cybersecurity seriously; use the cloud; use two-factor authentication; create long and strong passwords; and plan and prepare.