Philippine Chapter of Getting the Deal Through: Cybersecurity 2018
The CPA appointed the National Bureau of Investigation (NBI) and Philippine National Police (PNP) as enforcement authorities and regulates their access to computer data, creating the Cybercrime Investigation and Coordinating Center (CICC) as an inter-agency body for policy coordination and enforcement of the national cybersecurity plan, and an Office of Cybercrime within the Department of Justice (DOJ-OC) for international mutual assistance and extradition.
Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
The Cybercrime Prevention Act of 2012 (CPA) defines the following as cybercrimes:
- offences against the confidentiality, integrity and availability of computer data and systems (illegal access, illegal interception, data interference, system interference, misuse of devices and cybersquatting);
- computer-related offences (computer-related forgery, computer-related fraud and computer-related identity theft); and
- content-related offences (cybersex, child pornography, unsolicited commercial communications and libel).
The Electronic Commerce Act of 2000 (ECA) provides for the legal recognition of electronic documents, messages and signatures for commerce, transactions in government and evidence in legal proceedings. The ECA penalises hacking and piracy of protected material, electronic signature or copyrighted works, limits the liability of service providers that merely provide access, and prohibits persons who obtain access to any electronic key, document or information from sharing them. The ECA also expressly allows parties to choose their type or level of electronic data security and suitable technological methods, subject to the Department of Trade and Industry guidelines.
The Access Devices Regulation Act of 1998 (ADRA) penalises various acts of access device fraud such as using counterfeit access devices. An access device is any card, plate, code, account number, electronic serial number, personal identification number or other telecommunications service, equipment or instrumental identifier, or other means of account access that can be used to obtain money, goods, services or any other thing of value, or to initiate a transfer of funds. Banks, financing companies and other financial institutions issuing access devices must submit annual reports of access device frauds to the Credit Card Association of the Philippines, which forwards the reports to the NBI.
The Data Privacy Act of 2012 (DPA): regulates the collection and processing of personal information in the Philippines and of Filipinos, including sensitive personal information in government; creates the National Privacy Commission (NPC) as regulatory authority; requires personal information controllers to (i) implement reasonable and appropriate measures to protect personal information and (ii) notify the NPC and affected data subjects of breaches; and penalises unauthorised processing, access due to negligence, improper disposal, processing for unauthorised purposes, unauthorised access or intentional breach, concealment of security breaches, and malicious or unauthorised disclosure in connection with personal information.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Enterprises heavily involved in collecting and handling personal data and electronic or online data would likely be the most affected. A good proxy for a ‘most affected sectors’ list is the set of sectors subjected to mandatory registration with the NPC: business process outsourcing (BPO), banks and financial institutions, insurance, telecommunications and internet service companies, education, healthcare and pharmaceuticals, businesses involved in direct marketing and networking, and government agencies.
Has your jurisdiction adopted any international standards related to cybersecurity?
The Department of Information and Communications Technology (DICT) Memorandum Circular No. 5 (2017) requires government agencies to adopt the Code of Practice in the Philippine National Standard (PNS) ISO/IEC 27002 (Information Technology - Security Techniques - Code of Practice for Information Security Controls) by 14 September 2018, and Critical Information Infrastructures (CII) to implement the PNS on Information Security Management System ISO/IEC 27001 by 14 September 2019. CII sectors include the government, transportation, energy, water, health, emergency services, banking and finance, business process outsourcing, telecommunications, and media. Non-CII sectors may voluntarily adopt PNS ISO/IEC 27002. DICT conducts risk and vulnerability assessment based on ISO 27000 and ISO 31000 and security assessment based on ISO/IEC TR 19791:2010 of CIIs at least once a year. The DICT also issues a Certificate of CyberSecurity Compliance to CIIs based on ISO/IEC 15408 (Information Technology - Security Techniques - Evaluation Criteria for IT Security) and ISO/IEC 18045 (Methodology for IT Security Evaluation).
In prescribing the government’s Cloud First Policy, DICT Circular No. 2017-002 includes ISO/IEC 27001 as an accepted international security assurance control for verifying data that can be migrated to GovCloud or the public cloud, and ISO/IEC 17203:2011 Open Virtualization Format specification as a standard for interoperability of GovCloud workloads.