NPC: Victims of data leak may file suit

MANILA, Philippines – The decision of the National Privacy Commission (NPC) finding Commission on Elections (Comelec) Chairman Andres Bautista liable for the March 2016 data breach of the poll body’s voters’ database may be used by private individuals affected and victimized by the breach.

Privacy commissioner Raymund Liboro said the NPC would study the “legal permutations” of the decision, whether affected voters whose personal data were collected by hackers could demand damages.

“We have to study the legal permutations like would it necessitate actual damage to data subjects before any claim for damages can be entertained. We will speed up the study,” Liboro said.

NPC deputy commissioner Avy Patdu, on the other hand, said that while they do not encourage the breach victims to do so, the decision was a public document that could be used by them in pursuing civil action.

“As an independent body, we don’t want to comment...like we’re encouraging people. But know that the decision is there,” Patdu said in the press briefing held by the NPC earlier this week.

“Actually, part of the jurisdiction of the National Privacy Commission is to award indemnity in matters relating to personal data cases,” he said. “A person (affected by the breach) can file an independent cause for damages.”

Patdu pointed out the NPC was set to come out with another decision on a separate complaint filed before them by Jose Ramon Albert, a senior research fellow of the government think tank Philippine Institute for Development Studies.

In his private capacity, lawyer Romel Bagares, of the Center for International Law (Centerlaw), joined the complaint.

“On that case…the reliefs demanded are different. It’s a different case. It tackles the same topic but that... case involves an individual complainant. The issues touch on the same case but they are not identified,” Patdu said. 

“(On) that one, we’ll probably release the decision next week,” he said. 

Patdu said the Comelec breach had unquantifiable adverse effects on Filipino voters whose personal data had been accessed by hackers.

“I think you have to accept the fact that our personal data is already out there. And the impact of this will not be immediately apparent now. Years from now, we could still feel its adverse effects,” Patdu said.

“It can be in the form of someone having a copy of our passport – fake passport, fake identification. It could affect our application for visa. It can cause something (unimaginable). Imagine if your personal ID is found in a crime scene. It can be felt years from now,” Patdu said.

He said the NPC ruling against Bautista should be a wake-up call, not just for other government agencies, but also for the private sector, to get serious about protecting data they collect from their clients or customers.

“This is the opportunity to tell everyone that data privacy is not just about cyber security. It starts from the time of collection of data, from the use of the data, to the storing of the personal data,” Patdu said.

“We keep focusing on cyber security, or getting the best firewalls, or having the best encryption. That’s not the complete picture. Because you can protect data from the start, from what you collect whether it’s what is necessary, from what you use, to what you store. If you don’t need the data, you should not store it. Because the more data that government collects that it doesn’t need, the greater the risk for data subjects,” he said.

Patdu said the data breach controversy should guide the government to formulate legislation and policies to prevent further compromising data.

All should be held liable

Bagares, in his complaint, said the NPC should impose administrative sanctions against the rest of the Comelec commissioners as well for the massive voters’ data leak.

He said the Data Privacy Act of 2012 provides for other remedies that the NPC can impose against individuals or bodies found to have violated the law.

Bagares explained his complaint, along with that of Albert, calls for the NPC to impose administrative actions “against all responsible officers.” 

Bagares said the decision of the NPC released on Thursday did not tackle all the issues that they raised in their complaint.

For instance, Comelec spokesman James Jimenez should also be held liable for downplaying the data breach and the subsequent leak in March 2016.

Jimenez – who, along with other Comelec officials, was cleared in the NPC decision – previously said that the compromised data are already public information.

He later apologized for the leak when a “searchable” version of the database was released by the suspected hackers.

In his complaint, Albert said the Comelec failed to comply with the Data Privacy Act when it failed to disclose the nature of the breach.

He also noted the poll body did not notify those who were affected by the breach as mandated by the law.

“The Comelec failed to designate the officials that are responsible for the breach,” read the complaint.

“Said officials should be held administratively accountable not only for exposing 55 million voters, including myself, to various security-related crimes, but also for the violation of our privacy.”

In its 35-page decision, the NPC singled out Bautista as the only poll official liable for the leak, pointing to his negligence in securing the data of the voters.

It recommended that the Department of Justice initiate his criminal prosecution, as well as conduct further investigation for possible violation of the cybercrime prevention law.

The NPC also ordered Comelec to designate a data protection officer, conduct a privacy impact assessment, create a privacy management program and conduct an independent security audit of all its data processing systems. 

Election watchdog Kontra Daya welcomed the findings of the NPC, saying the data breach could be grounds for the impeachment of Bautista.

“If proven guilty, this could be a ground for Bautista’s impeachment, especially considering that the leak was initially reported by TrendMicro on April 6 and the Comelec at that time failed to disclose the extent of the breach,” Kontra Daya said.

“The dereliction of duty is even more magnified by the fact that the Comelec website itself was defaced on March 27, thus putting into question the integrity and security of the commission’s information technology apparatus,” the group said.

Bautista challenged the ruling, stressing that he is not an information technology expert and that he has taken all the necessary precautions to secure the data of voters.

“The NPC decision conveniently points to the head of the agency as solely responsible for the data breach. While data privacy and security are important topics that need to be taken seriously, these are matters best left to information technology experts,” he said.

Over 72 million voter data records were stolen from the Comelec website following the breach. – Janice Mateo, Rodin Villanueva