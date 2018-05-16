NEWS of further data breaches abound, with the ‘flavor of the month’ seemingly leaning towards fast food chains. Customers’ as well as employees’ information may have been leaked via the public-facing online applications of the various organizations involved. The National Privacy Commission (NPC), exercising its powers, and rightfully so, has suspended the online delivery portals of one of these organizations for an indefinite period, until it can clean up its act and assure the public that the discovered vulnerabilities have been remediated and that the said web applications are fit and safe for use. As of this writing, the portal was no longer taking online delivery requests and had instead advised the public to use its telephone hotline number.

In our field of information security risk management, it is still quite surprising to see organizations that are personal information controllers, personal information processors, or both, still dilly-dallying over the implementation of the mandated provisions of the Data Privacy Act (DPA). Most give priority to information security management standards, the usual information security systems, and vulnerability assessments. Yet those very standards require compliance with local legislation as a prerequisite for certification. Standards and certifications are optional and nice to have; abiding by the LAW is not. Yes, there are steep monetary penalties, but mind you, jail time also awaits the violators, and this makes our DPA unique when compared with other data privacy laws.

The smarter ones are actually very happy about the law, because despite its obvious focus on data privacy and personal information, it is a big boon to their information security efforts in general. The same security systems and policies that the law requires for protecting personal information can be applied to the rest of the IT systems. As a matter of fact, expanding the risk assessment to cover not just personal information but any type of data within the organization will point to the same security measures.

As an example, the current spate of breaches targeting the online facilities of the fast food chains could have been prevented using the usual security solutions, regardless of whether the asset at stake was personal information or just the integrity of the website itself. To be specific, a thorough web application vulnerability assessment should have been done, and its findings remediated, before the portal was made operational and moved to ‘production’; a web application firewall (WAF), whether as a device or a service, could have been put in front of it as well. Note that a WAF is a compensating control that buys time and blocks known attack patterns; it does not replace fixing the underlying application flaws.

IT and information security personnel of an organization should take the law as a ‘blessing’, primarily because all of the security systems, processes, and procedures that were very hard to justify to management have now become a need: a requirement for the business, where non-compliance can spell loss of customers and consequently revenue. The difficulty of pinning a number or a major justification on the information security investment that has to be made disappears. Risk acceptance is no longer an option, as the recent data breaches of these fast food service providers make evident.

It will probably take some added effort and cost to expand the risk assessment and mitigation solutions to the rest of the IT systems, but it will also be more cost efficient in the long run. Look beyond the DPA itself and consider the other parts of your IT ecosystem that could benefit from the same work.

Another interesting tidbit from consulting on data privacy compliance concerns the government agencies. One of the Data Protection Officers (DPO) we came across, as we talked about the recent events, wondered about the current compliance level of the government agencies. Not that he feels there is a priority crackdown on private entities, but he articulated it quite nicely:

“We can always choose among any of the other fast food chains as an alternative to get our meal, but we cannot choose any other government agency to provide us with the services and credentials that are mandated upon us.”

What if these agencies become victims as well? Would their processing get suspended too? The Comelec data breach was a good example, but many now wonder about the outcome of that decision: was any arrest made, or were any penalties meted out?

A very valid inquiry, right? It would augur well for the government to have some sort of compliance metric, so that the private sector will not feel that they are the only ones being zeroed in on. Taking that further, would a National Data Privacy Office be in order, with each agency having a dedicated Compliance Officer for Privacy (COP)?

Yes, the DPA requires a lot. But these are no more than the usual things you would build into your organization if you are really serious about protecting your information, regardless of whether it is personal information or otherwise. Don’t treat the DPA as a burden; treat it as an enabler that helps you strengthen your information security efforts. That’s all there is to it!