The possible breach of data privacy and cyber security poses real risks for insurers and their policyholders. Looking out for data-privacy infringement and cyber attacks should both be part of a company’s risk management. The threats of privacy breach and cyber attacks are all too real. While data-privacy breaches need not be done through the Internet or through information-technology infrastructures, more often, data breaches are done electronically or through cyber attacks.
Let us consider the latest figures. In 2016, malware infections on smartphones grew nearly 400 percent. As of 2017, there were 500,000 unknown cyber threats per day. In 2016, 3.7 million Hong Kong voters’ personal data were stolen. In the financial world, also in Asia, 3.2 million debit cards were compromised. The cost of these attacks is astounding. The cyber attack on Bangladesh Bank resulted in the loss of $81 million. For Leoni AG, it was €40 million. According to a PwC Health Research Institute analysis, the estimated cost of a major health-care breach is $200 per patient, while the cost to prevent a breach is only $8 per patient.
Because of this escalating trend worldwide, the Philippines adopted the Data Privacy Act of 2012 (Republic Act 10173), which became effective on November 3, 2012, and the Cybercrime Prevention Act of 2012. The Data Privacy Act is administered by the National Privacy Commission (NPC). The commission’s concerns focus on personal data collected within the agency and the data collected by insurance companies. The first concern was addressed by NPC Circular 16-01, re: Security of Personal Data in Government Agencies, and NPC Circular 16-02, re: Data Sharing Agreements Involving Government Agencies.
Under the Data Privacy Act, personal-data controllers and processors have the obligation to protect the personal information collected. They have the duty to secure and protect such information “against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing” (Section 20). Only personal data are covered by the Data Privacy Act. They are to be guided by the principles of transparency, legitimate purpose and proportionality (as opposed to being excessive). Sanctions are imposed for failure to observe the obligations. Personal information has been defined in the law as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual” (Section 3, g). Examples of personal information would include: names, employee number, address, ID photo and e-mail address. Sensitive personal information (Section 3, l) would include the civil status, social security number, a person’s health condition and birth date.
Personal information may only be processed under specific guidelines: only for “specified and legitimate purposes”; it must be “processed fairly and lawfully”; it must be “accurate, relevant and, where necessary for purposes for which it is to be used in the processing of personal information, kept up to date”; it must be “adequate and not excessive in relation to the purposes for which they are collected and processed”; it must be “retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained”; and it must be “kept in a form which permits identification of data subjects for no longer than is necessary.” Moreover, processing must be done only with a lawful basis, such as where the data subject has given consent, where the processing is necessary for compliance with a legal or contractual obligation, where the processing is necessary for the protection of the data subject or another person, where the processing is necessary for public purposes, and where the processing is necessary to pursue legitimate interests.
****
Dennis B. Funa is the current insurance commissioner. Funa was appointed by President Duterte as the new insurance commissioner in December 2016. E-mail: dennisfuna@yahoo.com.