Data privacy and cyber security for insurance companies

The possible breach of data privacy and cyber security poses real risks for insurers and their policyholders. Watching for data-privacy infringements and cyber attacks should both be part of a company’s risk management. The threats of privacy breaches and cyber attacks are all too real. While data-privacy breaches need not occur through the Internet or through information-technology infrastructure, more often they are carried out electronically or through cyber attacks.

Let us consider the latest figures. As of 2016, malware infections on smartphones grew nearly 400 percent. As of 2017, there were 500,000 unknown cyber threats per day. In 2016, the personal data of 3.7 million Hong Kong voters were stolen. In the financial world, also in Asia, 3.2 million debit cards were compromised. The cost of these attacks is astounding. The cyber attack on a Bangladesh Bank resulted in the loss of $81 million. For Leoni AG, it was €40 million. According to a PwC Health Research Institute analysis, the estimated cost of a major health-care breach is $200 per patient, while the cost to prevent a breach is only $8 per patient.

Because of this escalating trend worldwide, the Philippines adopted the Data Privacy Act of 2012 (Republic Act 10173), which became effective on November 3, 2012, and the Cyber Crime Prevention Act of 2012. The Data Privacy Act is administered by the National Privacy Commission (NPC). The commission’s concerns focus on personal data collected within the agency and the data collected by insurance companies. The first concern was addressed by NPC Circular 16-01, re: Security of Personal Data in Government Agencies, and NPC Circular 16-02, re: Data Sharing Agreements Involving Government Agencies.

Under the Data Privacy Act, personal-data controllers and processors have the obligation to protect the personal information they collect. They have the duty to secure and protect such information “against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing” (Section 20). Only personal data are covered by the Data Privacy Act. Controllers and processors are to be guided by the principles of transparency, legitimate purpose and proportionality (as opposed to being excessive). Sanctions are imposed for failure to observe these obligations. Personal information is defined in the law as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual” (Section 3, g). Examples of personal information include names, employee number, address, ID photo and e-mail address. Sensitive personal information (Section 3, l) includes civil status, social security number, a person’s health condition and birth date.

Personal information may only be processed under specific guidelines. It must be processed only for “specified and legitimate purposes”; it must be “processed fairly and lawfully”; it must be “accurate, relevant and, where necessary for purposes for which it is to be used in the processing of personal information, kept up to date”; it must be “adequate and not excessive in relation to the purposes for which they are collected and processed”; it must be “retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained”; and it must be “kept in a form which permits identification of data subjects for no longer than is necessary.” Moreover, processing must be done only with a lawful basis, such as where the data subject has given consent, where the processing is necessary for compliance with a legal or contractual obligation, where the processing is necessary for the protection of the data subject or another person, where the processing is necessary for public purposes and where the processing is necessary to pursue legitimate interests.


Dennis B. Funa is the current insurance commissioner. Funa was appointed by President Duterte as the new insurance commissioner in December 2016. E-mail:


