Privacy body finds Comelec chair 'criminally liable' for data breach

THE National Privacy Commission (NPC) has recommended the filing of criminal charges against Commission on Elections (Comelec) Chair Andres Bautista for the leak of the personal information of millions of voters during the 2016 polls.

In a decision dated December 28, the NPC said it found the Comelec guilty of several violations of the Data Privacy Act of 2013 for the data leak that occurred between March 20 and 27, 2016.

In its 35-page decision, the NPC said the Comelec violated Sections 11, 20, and 21 of Republic Act 10173 or the Data Privacy Act of 2013.

Comelec chief Bautista was also found to have violated the same sections, as well as Section 22 in relation to Section 26 of the Data Privacy Act.

The NPC criticized Bautista for not acting on the Comelec's need for stricter cybersecurity measures and named him as solely liable for the data breach.

"Data privacy is more than the deployment of technical security. It also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of Comelec's privacy and security policies and practices," the decision read.

As corrective measures, the NPC ordered Bautista to appoint a data protection officer and conduct an agency-wide privacy impact assessment.

The poll body was also ordered to implement organizational, physical and technical security measures in compliance with the Data Privacy Act.

On March 27, 2016, a group of hackers defaced the Comelec's page and exposed the personal information of more than 55 million voters.

Global security software company Trend Micro called the data leak the "biggest government related data breach in history."

In a statement issued on Thursday, Bautista questioned the decision of the NPC and defended himself and the poll body, saying that the ones to be punished are the hackers and not the hacked.

"As the head of agency, in areas where I did not have specific expertise, I generally trusted the advice and recommendations of our IT experts," Bautista said.

"And if Comelec IT specialists directly in charge of operating the website were found not liable, what more those who merely oversee their work and in particular, the head of agency?" the Comelec chief added.

Bautista also argued that many private IT companies and government agencies abroad have also been victims of hacking despite strict security measures. (Sunnex)