Tuesday, April 13, 2021
ComeLeak: A year after
LITO AVERIA

JUST as the ILOVEYOU virus, which spread like wildfire in 2000, helped generate awareness of the need to ensure information security and protect against cybercrime, the “ComeLeak” helped generate awareness of the need to protect personally identifiable information and sensitive personal information.

The “ComeLeak” incident, which reared its ugly head on March 28, 2016, involved the illegal copying and unauthorized disclosure of the database of the Commission on Elections (Comelec) by the hacker group LulzSec Pilipinas. It has since been the favorite example of a data privacy and information security breach in forums discussing the issues of information security and data privacy protection.

The National Privacy Commission (NPC), the agency mandated to implement Republic Act 10173, or the Data Privacy Act (DPA), had been organized only a few weeks before the “ComeLeak” incident, and among its mandated tasks was to investigate incidents like the “ComeLeak.”

The DPA placed personally identifiable information and sensitive personal information in a class of their own. It mandates the implementation of appropriate measures to protect this class of information against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

Information security practice focuses on protecting information systems against unauthorized access and impairment of their operations, as well as on ensuring the confidentiality, integrity and availability of all types of data that are stored in information systems.
Information security had, for a long time, been treated as a purely technical matter, left to chief information officers or chief information security officers in organizations, public and private. The DPA elevated data privacy protection to a management issue and mandates the designation of a Data Protection Officer responsible for ensuring that organizational, physical and technical measures are in place. Information security needs to be elevated to the same level as data privacy protection, since the two share the same goal: the preservation and protection of the confidentiality, integrity and availability of data, otherwise known as the C-I-A triad.

A year after the “ComeLeak” incident, the NPC had generated heightened awareness on the need to ensure that data privacy is protected in organizations, both public and private. It has created a roadmap for compliance with the DPA. The Department of Information and Communications Technology, on the other hand, has been conducting public consultations as part of the process of crafting the national cybersecurity plan.

A year after the “ComeLeak” incident, the Comelec appears to have complied with the order of the NPC. In a press release dated March 28, 2017, the Comelec quoted NPC Chairman Raymond Liboro as saying, “If you ask me, the compliance of the Comelec is malayong malayo na (much improved) from way before (the hacking) happened.”

Prior to this, however, another incident hit the Comelec within a year of the “ComeLeak” and after the NPC had issued its decision on the first incident. It was reported that a computer was stolen from the Comelec’s local office in Wao, Lanao del Sur on January 11, 2017. The computer contained a copy of the voter registration system, voter search applications and the Comelec’s database of registered voters. It appeared that the Comelec had not learned its lesson. The NPC has since ordered the deletion of all copies of the database of registered voters that the Comelec had distributed to its local offices. The reason for distributing copies of the whole voter registration database remains undisclosed. The second incident highlighted the need for the Comelec to strengthen physical security in its local offices and to make local Comelec personnel understand the necessity of protecting the database.

The NPC had ordered the Comelec to designate a Data Protection Officer, conduct a privacy impact assessment, create a privacy management program, create a breach management procedure, and implement organizational, physical and technical security measures.

With the NPC’s finding that Comelec’s compliance with the DPA is much improved and assuming that it had followed the orders of the NPC, the question is: Is the Comelec organization ready to embrace its privacy management program, breach management procedure, and the organizational, physical and technical security measures?

Much still has to be done. Citizens have to be made aware of their data privacy rights while organizations, public and private, still have to fully comply with the DPA and issuances of the NPC.

In response to the NPC guidance on implementing organizational, physical and technical measures to protect data privacy, information security must be elevated to a management concern, to the same level at which the DPA has brought data privacy protection to the attention of executive management. This will allow organizations to formulate and enforce information security and data privacy policies that are in harmony with the pertinent laws and issuances of the government agencies concerned. Procedures, rules and guidelines on how information systems will be secured and how data privacy will be protected can take root from these policies. Managers and personnel with the appropriate skills and knowledge can then be assigned the tasks of information security and data privacy protection. Only then can the appropriate technical measures be identified and implemented. A challenging task indeed.