NPC wants private, public sectors to submit data security incident reports
The National Privacy Commission (NPC) wants companies and government agencies to submit a report on security incidents that have affected the personal data of their consumers, even if these incidents were unsuccessful.
In a statement, the NPC said it is requiring “personal information controllers” (PICs) in both the public and private sector to submit an annual security incident report. The commission opened submissions on January 3 and is keeping them open until the end of March.
According to the implementing rules and regulations of the Data Privacy Act, a personal information controller controls the processing of personal data, or instructs someone else to process the data on its behalf.
The annual report is supposed to contain information on the security incidents that affect personal data under a PIC’s control, including the number of security incidents that affect personal data in each calendar year.
NPC said that PICs must document adverse events that have an impact on the availability, integrity, or confidentiality of personal data, even if these adverse events were unsuccessful.
These so-called adverse events range from data breaches to “brute force” attacks in databases. The report, however, does not include cyberattacks that reveal industrial secrets that do not involve the processing of personal data.
Privacy Commissioner and Chairman Raymund Enriquez Liboro said the more than three-month window is meant to give PICs ample time to prepare a complete report.
“These reports are an essential signpost of any PIC’s commitment to protecting the personal data of its customers and employees. I encourage the PICs concerned to check the NPC website for further guidance,” Liboro said.
“When properly collated, the data becomes an invaluable management resource that enables a PIC to assess its reaction time for every crucial event,” he added, noting that it would provide information on details surrounding security incidents, from their discovery to the deployment of necessary contingency measures.