Data privacy 101: How does one manage data breaches and security incidents?

When does a data breach need to be reported by a company? Privacy experts explain

We live in an era when personal data is so valuable that many business models and economies are now actually built around its collection and use. To prevent or at least discourage abuse, governments develop laws that aim to regulate this phenomenon. The Philippines has Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), with the National Privacy Commission (NPC) overseeing its proper implementation.

For many, understanding the law’s provisions and translating DPA compliance into an organization’s day-to-day operations is a daunting but necessary task.

To remedy this, we’ve gone straight to the source, and signed up two experts – Jam Jacob, the data protection officer of the Ateneo de Manila University and former head of the Privacy Policy Office of the NPC; and Ivy Patdu, Deputy Privacy Commissioner for Policies and Planning of the NPC.

The two will be authoring a series of articles that take up the various compliance elements of the law, as seen from two vantage points, and presented in FAQ form. In this issue, they talk about security incidents.

What is the difference between a security incident and a personal data breach?

Ivy: NPC Circular No. 16-03, which concerns personal data breach management, defines a security incident as “an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data.”

It includes incidents that would have resulted in a personal data breach, if not for safeguards that have been put in place. The term was adopted from Section 20 of the DPA, which requires security measures for correcting and mitigating “security incidents.” Given its current use, it would appear that the term is meant to refer to “information security incidents”, which are defined under the ISO 27000 series as “one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations.”

Meanwhile, the same NPC circular defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” This definition was lifted from the European Union’s General Data Protection Regulation (GDPR) and is read within the context of Chapter V of the DPA. The DPA itself does not define a personal data breach and uses the term “breach” or “security breach”.

Considering the DPA’s reference to the term and its definition under NPC Circular 16-01, “security incidents” refer to information security incidents. Whether they involve personal data or not does not matter, as long as it is possible for them to compromise the security of information, in general. On the other hand, personal data breaches refer to an actual breach of security involving personal data.

What are the different types of personal data breaches?

Jam: There are three main types:

  • Confidentiality breach. This is caused by the unauthorized disclosure of or access to personal data. Hacking a computer system to gain access to the personal data it contains is a common example. Even unintentional disclosures qualify under this category.
  • Integrity breach. This happens when there is unauthorized alteration of personal data, which then renders its correctness, completeness, or reliability doubtful – or worthless even. When part of a digital file containing personal data becomes corrupted, it falls under this category. In that situation, the file and the data it contains remains accessible, but may no longer be reliable.
  • Availability breach. This one results from the loss or destruction of personal data, accidental or otherwise. When computers conk out and there is no backup system in place, the result is usually this type of breach.

What kind of personal data breach needs to be reported to the NPC?

Jam: The DPA provides for the conditions that determine which data breaches need to be reported to the NPC (and the affected individuals). The law says these three conditions must all be present:

  • The personal data affected by the breach involves sensitive personal information or any other information that may be used to enable identity fraud. The financial or economic situation of a person, his or her account login data, biometric data, copies of identification documents, licenses, or unique identifiers like government-issued ID numbers are common examples.
  • There is reason to believe that the personal data may have been acquired by an unauthorized person. In other words, if information just got deleted or destroyed, this condition would not be present. 
  • There is reasonable belief that the breach will likely give rise to a real risk of serious harm to any affected individual. This is perhaps the most difficult to evaluate among the three. While the NPC provides additional factors to consider when resolving this dilemma, an organization’s appreciation of the consequences of its action (i.e., notification) and/or inaction usually determines if it will consider this condition as present in a particular breach.

What should a breach notification to the NPC contain?

Ivy: The notification should include:

  1. Nature of the Breach. It must provide a report detailing the circumstances surrounding the personal data breach, its extent, and likely consequence.
  2. Personal Data Possibly Involved. The notification should describe the type or kind of personal data involved in the breach.
  3. Measures Taken to Address the Breach. What is perhaps most important is that it should feature or demonstrate the actions taken by the reporting party to manage the breach, and the extent by which it was able to mitigate any possible harm or negative consequences to the data subjects.

The specific contents which should be included in the notification are provided in NPC Circular No. 16-03.

What are some common causes of security incidents?

Jam: Plenty of things could lead to or cause a security incident. Some are man-made. Others are not. Notable ones include:

  • Loss or theft of data or its receptacle. It is common to hear stories about how personal laptops being used for office work – including the storage of personal data – later get stolen after being left at home or in a parked car.
  • Inappropriate or lack of access controls. Access controls are critical in maintaining the security of personal data. Once people start sharing their passwords and keys with co-workers and friends, or leave rooms or cabinets unlocked, access control is practically nonexistent. This would then lead to data breaches and other problems.
  • Equipment failure. Sometimes, computers and other storage devices get the blame. Every now and then, people lose valuable information they’ve saved on their laptops or thumb drives that suddenly stop working.
  • Human error. Whether it’s an assistant who makes critical mistakes when encoding data into an electronic filing system, or an IT staff member who misconfigures a company’s website or application, human error continues to be one of the leading causes of security incidents.

What can organizations do to avoid or at least minimize the risk of experiencing security incidents?

Ivy: The organization should have a security incident or breach management program. This should not be viewed as referring only to an organization’s incident response procedure, or the actions taken once there is already reason to believe that a breach has occurred.

The program should include preventive and minimization procedures, too. This generally requires the development and implementation of security measures for data protection. It also means the implementation of a privacy management program, which must include data governance, risk assessment, and capacity building.

Strong data processing systems should be built, using both a privacy-by-design and -by-default approach. There should also be processes for regular monitoring, incident response and reporting, and harm mitigation protocols and regular review of the breach management program. These would not guarantee an incident-free environment, but they go a long way in making sure such incidents are few and far between, and do not give rise to serious harm or damage.

Ivy Patdu is a member of the National Privacy Commission, sitting as its deputy privacy commissioner responsible for policies and planning. She is also a member of the e-Health Privacy Expert’s Group and a faculty member of the Ateneo de Manila Law School and San Beda College of Law-Alabang. She has worked on data privacy since 2011.

Jam Jacob (@jamjacob) is the data protection officer of the Ateneo de Manila University. He is also the coordinator for the Privacy and Surveillance Program of the Foundation for Media Alternatives, a civil society organization, and is a consultant to several organizations both in government and the private sector. He previously served as head of the Privacy Policy Office of the National Privacy Commission, and has worked on data privacy since 2011.