Part One
THE Data Privacy Act of 2012 would generate an increase in the demand for information security, information-technology (IT) security experts observed.
These experts believe the law would open the door wider to the sector, as it requires private and public organizations in the country that collect and store personally identifiable information to safeguard these sensitive data.
Compliance by organizations with the Data Privacy Act would, in effect, boost the IT security industry, as it compels them to take protective technical measures to safeguard data, according to Philippine Computer Emergency Response Team President Lito Averia.
Fellow IT security expert Angel T. Redoble shares Averia’s observation. Redoble, who is also president of nonprofit group Philippine Institute of Cyber Security Professionals, said the Data Privacy Act would benefit the industry as it triggers an increase in the demand for data protection.
“Now that there’s a law that requires organizations to protect data, the IT security industry in the country foresees more growth,” he said.
Redoble noted that securing data has long been a responsibility among organizations engaged in collecting and storing personally identifiable information.
Dominic Lucenario, one of the software developers at the Filipino and homegrown Pandora Security Labs Inc., also said that with the data-privacy law in place, the local demand for IT security would grow.
Controls
ACCORDING to Lucenario, the firm’s development of an enterprise firewall this year is timely since the Data Privacy Act is being implemented aggressively by the National Privacy Commission (NPC).
To give an idea, securing a network may cost up to $1 million, a Kaspersky Lab executive told the BusinessMirror in a recent e-mail interview.
Protecting a network may cost a small organization in the Philippines some $1,000 and a big one $1 million, said Sylvia Ng, general manager at Kaspersky Lab Southeast Asia.
The figures were based on the joint study conducted by Kaspersky Lab and B2B International that engaged some 4,000 business representatives from 25 countries in a survey in 2016.
When an organization’s IT infrastructure is compromised, the cost of damage could be bigger than the amount of money the organization invested in safeguarding it, Ng added.
“The cost of damage can get bigger when the breach remains unnoticed for a long period of time,” she said.
An organization’s extent of vulnerability would determine the cost entailed in applying and implementing the right security measures, Redoble pointed out.
“The cost involved in securing a network depends on the risk level of a particular organization,” he said. “But there are compensating controls that are not expensive.”
Dangers
LUCENARIO and fellow software developers at Pandora Security Labs mentioned in an interview that their company offers network security to organizations at a lower cost than their counterparts do.
The company offers its own security software together with the technical skill and manpower involved in securing a network, such as monitoring, assessment and the response to block threats to data.
Pandora Security Labs’s security software and pool of technical skills are in use in the health care, retail, manufacturing and logistics sectors, said Isaac Sabas, its CEO.
According to Averia, personally identifiable information includes the name, address and birthday of a person. “Basically, your name, birthday, address and telephone number taken together could identify you,” Averia said.
When personally identifiable information is compromised, the person to whom these sensitive data belong runs the risk of identity theft, Averia warned.
The Commission on Elections (Comelec) data leak prior to the 2016 national and local polls is an example of a major data breach, he said.
“The general theory was personally identifiable information belonging to the registered voters might have been used for identity theft,” Averia added. “That’s the basic danger when personally identifiable information is compromised.”
Breach
THE Comelec data breach last year, which put personal information of 55 million registered voters at risk, made the decision-makers realize the extent of damage when the network is compromised, he pointed out.
Prior to the hacking, the decision-makers used to take for granted information-security issues that technical and competent people had long been trying to make them understand, Averia said.
When a person’s personal and sensitive data are leaked, somebody may use the “credentials or personally identifiable information” in his favor, he explained.
“Persons of ill will can use the data in committing fraud. It happened and there have been [many] cases.”
Averia recalled a new board-exam passer who had fallen victim to identity theft after posting on social media his new identification card, which contains personally identifiable information.
“The information in the identification card was used in applying for a loan,” he said.
Personally identifiable information can also be employed by somebody for unauthorized use of a bank account, according to Averia. However, doing so is more complex than using the information in applying for a loan, he added.
According to Averia, an individual’s personally identifiable information can also be used by another to apply for a counterfeit credit card.
Freebies
PUBLIC organizations engaged in the collection and storage of personally identifiable information of private individuals include government agencies like the Comelec, Social Security System and the Bureau of Internal Revenue, Averia explained.
On the other hand, private organizations that collect and store similar data include banks, hospitals and others, he added.
“It is now required that when a public or private organization collects data, there must be disclosure of the purpose of such collection,” he said. “The organization has to secure the consent of the person in collecting them.”
Averia mentioned events where organizers or sponsors are collecting personally identifiable information from guests in exchange for freebies, token gifts or promises of gains.
To be continued
Image credits: Nonie Reyes
1 comment
Data privacy should demand IT security, as this article emphasized. Yet, unless companies protect themselves against attacks like phishing and spoofing attacks, by using cybersecurity tools such as a web application firewall (WAF) – and not just a physical box, they can protect themselves. The ROI is clear once a breach occurs.
The EU is trying to duplicate the Philippines with the GDPR regulation at a much larger scale. Hopefully, this will cause companies to listen.