Philippine Chapter of Getting the Deal Through: Cybersecurity 2018
Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
The Cybercrime Prevention Act of 2012 (CPA) defines the following as cybercrimes:
The Access Devices Regulation Act of 1998 (ADRA) penalises various acts of access device fraud such as using counterfeit access devices. An access device is any card, plate, code, account number, electronic serial number, personal identification number or other telecommunications service, equipment or instrumental identifier, or other means of account access that can be used to obtain money, goods, services or any other thing of value, or to initiate a transfer of funds. Banks, financing companies and other financial institutions issuing access devices must submit annual reports of access device frauds to the Credit Card Association of the Philippines, which forwards the reports to the NBI.
The Data Privacy Act of 2012 (DPA): regulates the collection and processing of personal information in the Philippines and of Filipinos, including sensitive personal information in government; creates the National Privacy Commission (NPC) as regulatory authority; requires personal information controllers to (i) implement reasonable and appropriate measures to protect personal information and (ii) notify the NPC and affected data subjects of breaches; and penalises unauthorised processing, access due to negligence, improper disposal, processing for unauthorised purposes, unauthorised access or intentional breach, concealment of security breaches, and malicious or unauthorised disclosure in connection with personal information.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Enterprises heavily involved in collecting and handling personal data and electronic or online data would likely be the most affected. A good proxy for a ‘most affected sectors’ list is the set of sectors subject to mandatory registration with the NPC: business process outsourcing (BPO), banks and financial institutions, insurance, telecommunications and internet service companies, education, healthcare and pharmaceuticals, businesses involved in direct marketing and networking, and government agencies.
Has your jurisdiction adopted any international standards related to cybersecurity?
The Department of Information and Communications Technology (DICT) Memorandum Circular No. 5 (2017) requires government agencies to adopt the Code of Practice in the Philippine National Standard (PNS) ISO/IEC 27002 (Information Technology - Security Techniques - Code of Practice for Information Security Controls) by 14 September 2018, and Critical Information Infrastructures (CII) to implement the PNS on Information Security Management System ISO/IEC 27001 by 14 September 2019. CII sectors include the government, transportation, energy, water, health, emergency services, banking and finance, business process outsourcing, telecommunications, and media. Non-CII sectors may voluntarily adopt PNS ISO/IEC 27002. DICT conducts risk and vulnerability assessment based on ISO 27000 and ISO 31000 and security assessment based on ISO/IEC TR 19791:2010 of CIIs at least once a year. The DICT also issues a Certificate of CyberSecurity Compliance to CIIs based on ISO/IEC 15408 (Information Technology - Security Techniques - Evaluation Criteria for IT Security) and ISO/IEC 18045 (Methodology for IT Security Evaluation).
In prescribing the government’s Cloud First Policy, DICT Circular No. 2017-002 includes ISO/IEC 27001 as an accepted international security assurance control for verifying data that can be migrated to GovCloud or the public cloud, and ISO/IEC 17203:2011 Open Virtualization Format specification as a standard for interoperability of GovCloud workloads.