The cyberspace is a boon to the need of the current generation for greater information and facility of communication.
It is a system that accommodates millions and billions of simultaneous and ongoing individual accesses to and uses of the Internet.
But all is not well with the system since it could not filter out a number of persons of ill will who would want to use cyberspace technology for mischiefs and crimes.
The Supreme Court noted in the case of Disini v. Secretary of Justice (GR 203335 February 11, 2014) that there are also those ill-motivated who can use the cyberspace, like vandals, to wreak or cause havoc by sending electronic viruses or virtual dynamites that destroy those computer systems, networks, programs, and memories.
Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device.
Cybercriminals or hackers who want to make money commit most of the cybercrime. However, occasionally, cybercrime aims to damage computers or networks for reasons other than profit. These could be political or personal.
Episode 15 of Extraordinary Attorney Woo series of Netflix involved a case of spear phishing wherein the personal data of around 80 percent of Korean citizens have been stolen from Raon, an online shopping site’s database.
Raon’s computer system was targeted by the malware attack undetectable by anti-malware software because of its format being in a .doc file.
The company is facing a 300 billion won surcharge due to their failure to safeguard the personal data of customers.
The culprit later turned out to be the son of the Chief Executive Officer (CEO) of Taesan law office, which is the rival of Attorney-Woo’s Handaba law firm.
This episode essentially is the scenario used during the workshop of the recent conference organized by the National Association of Data Protection Officers of the Philippines (NADPOP).
“As the world emerges from the pandemic, the incidence of data breaches and cybercrimes will continue to increase as most businesses and individuals were forced to go online,” Sam Jacoba, NADPOP Founding President, said as he called on the public and private sectors to work together to uplift the Data Protection profession in the Philippines.
Republic Act 10173 or the Data Privacy Act was passed in 2012 that aimed to “(1) protect the privacy of individuals while ensuring free flow of information to promote innovation and growth; (2) regulate the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data.
The act states that the collection of personal data “must be a declared, specified, and legitimate purpose” and further provides that consent is required prior to the collection of all personal data.
The law requires a data breach notification within 72 hours upon knowledge of the breach or reasonable belief that it has occurred to the National Privacy Commission and the data subject.
The notification is generally required when the breach involves sensitive personal information or any other information that may be used to enable identity fraud; this information has been acquired by an unauthorized person; and the acquisition is likely to give rise to a real risk of serious harm to the affected data subject.
The law provides for criminal sanctions for violations of its provisions composed of fines ranging from P100,000 to P5,000,000 (about $2,400 to $123,450) and/or imprisonment ranging from 6 months up to 7 years.
Separate counts exist for unauthorized processing, processing for unauthorized purposes, negligent access, improper disposal, unauthorized access or intentional breach, concealment of breach involving sensitive personal information, unauthorized disclosure, and malicious disclosure.
Individuals or “any aggrieved party” may also file civil actions for restitution in court based on the general provisions of the Civil Code (in particular, parties may invoke “abuse of rights” provisions, meddling in privacy and/or quasi-delicts provisions).
The NPC has recently set a ceiling of P5 million on fines imposed on data privacy violators.
Specifically, an administrative fine may be imposed based on the annual gross income of entities like the personal information controllers or personal information processors within the range of 0.25 percent to 3 percent for grave violations and 0.25 percent to 2 percent for major violations.
Atty. Dennis R. Gorecho heads the seafarers’ division of the Sapalo Velez Bundang Bulilan law offices. For comments, e-mail info@sapalovelez.com, or call 0917-5025808 or 0908-8665786.