Day 4 - Data Privacy Protection


BREACH MANAGEMENT

“Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

A personal data breach may be in the nature of:

1. An availability breach resulting from loss, accidental or unlawful destruction of personal data;
2. An integrity breach resulting from alteration of personal data; and/or
3. A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.

Common cyber attacks used in data breaches are:

● Ransomware
● Malware
● Phishing
● Denial of Service
BREACH MANAGEMENT

1. Security Incident Management Policy
2. Data Breach Response Team
Security Incident Management Policy

These policies and procedures must ensure:

1. Creation of a data breach response team, with members that have clearly defined responsibilities, to ensure
timely action in the event of a security incident or personal data breach;
2. Implementation of organizational, physical and technical security measures and personal data privacy
policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely
discovery of a security incident;
3. Implementation of an incident response procedure intended to contain a security incident or personal data
breach and restore integrity to the information and communications system;
4. Mitigation of possible harm and negative consequences to a data subject in the event of a personal data
breach; and
5. Compliance with the Act, its IRR, and all related issuances by the Commission pertaining to personal data
breach notification.
Sample Security Incident Management Policy

● https://upd.edu.ph/wp-content/uploads/2019/04/Data-Privacy-Security-Incident-Management-Policy.pdf
Data Breach Response Team

The personal information controller or personal information processor shall constitute a data breach response team with at least one (1) member with the authority to make immediate decisions regarding critical action, if necessary. The team may include the Data Protection Officer. The team shall be responsible for the following:

A. Implementation of the security incident management policy of the personal information controller or personal information
processor;
B. Management of security incidents and personal data breaches; and
C. Compliance by the personal information controller or personal information processor with the relevant provisions of the Act,
its IRR, and all related issuances by the Commission on personal data breach management.

The team must be ready to assess and evaluate a security incident, restore integrity to the information and communications
system, mitigate and remedy any resulting damage, and comply with reporting requirements. The functions of the Data Breach
Response Team may be outsourced. Such outsourcing shall not reduce the requirements found in the Act, the IRR or related
issuance. The Data Protection Officer shall remain accountable for compliance with applicable laws and regulations. In cases
where the Data Protection Officer is not part of the Data Breach Response Team, the Data Breach Response Team shall submit a
written report addressed to the Data Protection Officer detailing the actions taken in compliance with these Rules.
Data Breach Response Team Composition

Team leader — The Circular basically describes this team member as someone who has authority to make “immediate decisions regarding critical action, if necessary.” He or she coordinates all activities of the team, and keeps the team focused on damage minimization and quick recovery.

Chief investigator — This member is responsible for collecting and analyzing evidence,
determining root cause, and implementing system and service recovery.

Communications head — In charge of messaging and communications with all audiences, the
Communications head prepares the working draft of NPC and data subject notifications, if
needed. He or she should also ensure content coordination for the drafting of the full breach
report.
Data Breach Response Team Composition

Team documenter — This member documents all actions and decisions of the data breach response team for legal and other purposes.

Timeline coordinator — Monitoring the status and progress of the data breach
response, the timeline coordinator generates and updates a reliable timetable the
team can use to structure and coordinate their deliverables, including reportorial
requirements.
GUIDELINES FOR THE PREVENTION OF PERSONAL DATA BREACH

Preventive or Minimization Measures

A security incident management policy shall include measures intended to prevent or minimize the occurrence of a personal
data breach. Such safeguards may include:

A. Conduct of a privacy impact assessment to identify attendant risks in the processing of personal data. It shall take into
account the size and sensitivity of the personal data being processed, and impact and likely harm of a personal data breach;
B. Data governance policy that ensures adherence to the principles of transparency, legitimate purpose, and proportionality;
C. Implementation of appropriate security measures that protect the availability, integrity and confidentiality of personal data
being processed;
D. Regular monitoring for security breaches and vulnerability scanning of computer networks;
E. Capacity building of personnel to ensure knowledge of data breach management principles, and internal procedures for
responding to security incidents;
F. Procedure for the regular review of policies and procedures, including the testing, assessment, and evaluation of the
effectiveness of the security measures.
GUIDELINES FOR THE PREVENTION OF PERSONAL DATA BREACH

Availability, Integrity and Confidentiality of Personal Data

The security measures should be directed to ensuring the availability, integrity, and confidentiality of the personal data being processed, and may include:

A. Implementation of back-up solutions;
B. Access control and secure log files;
C. Encryption;
D. Data disposal and return of assets policy.
GUIDELINES FOR INCIDENT RESPONSE
POLICY AND PROCEDURE

The personal information controller or personal information processor shall implement policies and procedures for guidance of its
data breach response team and other personnel in the event of a security incident. These may include:

A. A procedure for the timely discovery of security incidents, including the identification of person or persons responsible for
regular monitoring and evaluation of security incidents;
B. Clear reporting lines in the event of a possible personal data breach, including the identification of a person responsible for
setting in motion the incident response procedure, and who shall be immediately contacted in the event of a possible or
confirmed personal data breach;
C. Conduct of a preliminary assessment for the purpose of:
a. Assessing, as far as practicable, the nature and scope of the personal data breach and the immediate damage;
b. Determining the need for notification of law enforcement or external expertise; and
c. Implementing immediate measures necessary to secure any evidence, contain the security incident and restore integrity to the information and
communications system;
D. Evaluation of the security incident or personal data breach as to its nature, extent and cause, the adequacy of safeguards in
place, immediate and long-term damage, impact of the breach, and its potential harm and negative consequences to affected
data subjects;
GUIDELINES FOR INCIDENT RESPONSE
POLICY AND PROCEDURE

E. Procedures for contacting law enforcement in case the security incident or personal data
breach involves possible commission of criminal acts;
F. Conduct of investigations that will evaluate fully the security incident or personal data breach;
G. Procedures for notifying the Commission and data subjects when the breach is subject to
notification requirements, in the case of personal information controllers, and procedures for
notifying personal information controllers in accordance with a contract or agreement, in the
case of personal information processors; and
H. Policies and procedures for mitigating the possible harm and negative consequences to a data
subject in the event of a personal data breach. The personal information controller must be
ready to provide assistance to data subjects whose personal data may have been
compromised.
GUIDELINES FOR INCIDENT RESPONSE
POLICY AND PROCEDURE

Documentation

All actions taken by a personal information controller or personal information processor shall be properly documented. Reports should include:

A. Description of the personal data breach, its root cause and circumstances regarding its discovery;
B. Actions and decisions of the incident response team;
C. Outcome of the breach management, and difficulties encountered; and
D. Compliance with notification requirements and assistance provided to affected data subjects.

A procedure for post-breach review must be established for the purpose of improving the personal data breach management policies and procedures of the personal information controller or personal information processor.
GUIDELINES FOR INCIDENT RESPONSE
POLICY AND PROCEDURE

Regular Review

The incident response policy and procedure shall be subject to regular revision and review, at least annually, by the Data Protection Officer, or any other person designated by the Chief Executive Officer or the Head of Agency, as the case may be. The date of the last review and the schedule for the next succeeding review must always be indicated in the documentation of the incident response policy and procedure.
PROCEDURE FOR PERSONAL DATA BREACH
NOTIFICATION AND OTHER REQUIREMENTS

Notification shall be required upon knowledge of or when there is reasonable belief by the personal information controller or personal information processor that a personal data breach requiring notification has occurred, under the following conditions:

A. The personal data involves sensitive personal information or any other information that may be used to enable identity fraud. For this purpose, “other information” shall include, but not be limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers like PhilHealth, SSS, GSIS, TIN number; or other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits;
B. There is reason to believe that the information may have been acquired by an unauthorized person; and
C. The personal information controller or the Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
PROCEDURE FOR PERSONAL DATA BREACH
NOTIFICATION AND OTHER REQUIREMENTS

A claim that the data involved in a breach is public information will not
automatically exempt a personal information controller from the notification
requirements. When the level of availability or publicity of the personal data is
altered by a personal data breach, it shall be considered as a personal data
breach requiring notification, subject to the preceding paragraphs.
PROCEDURE FOR PERSONAL DATA BREACH
NOTIFICATION AND OTHER REQUIREMENTS

Discovery of Vulnerability

A discovery of a vulnerability in the data processing system that would allow access to personal data shall prompt the personal information controller or the personal information processor, as the case may be, to conduct an assessment and determine if a personal data breach has occurred.
Notification of the Commission

The personal information controller shall notify the Commission of a personal data breach subject to the following procedures:

A. When Notification Should be Done. The Commission shall be notified within seventy-two (72) hours upon knowledge of or the
reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
B. Delay in Notification. Notification may only be delayed to the extent necessary to determine the scope of the breach, to prevent
further disclosures, or to restore reasonable integrity to the information and communications system. The personal information
controller need not be absolutely certain of the scope of the breach prior to notification. Its inability to immediately secure or restore
integrity to the information and communications system shall not be a ground for any delay in notification, if such delay would be
prejudicial to the rights of the data subjects. Delay in notification shall not be excused if it is used to perpetuate fraud or to conceal
the personal data breach.
C. When delay is prohibited. There shall be no delay in the notification if the breach involves at least one hundred (100) data subjects, or
the disclosure of sensitive personal information will harm or adversely affect the data subject. In both instances, the Commission
shall be notified within the 72-hour period based on available information. The full report of the personal data breach must be
submitted within five (5) days, unless the personal information controller is granted additional time by the Commission to comply.
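The three notification conditions above and the 72-hour, five-day and 100-data-subject rules in this section are what an incident response team has to apply, under time pressure, once the preliminary assessment is in. The following Python is an added worked example written for this page, not code from the original slides or from the Circular: it encodes those rules as functions and computes every deadline from the moment of knowledge or reasonable belief. The `BreachAssessment` field names, the `triage` function and the sample ransomware scenario are this example's own assumptions; the time windows and the 100-subject threshold are the ones stated on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Time windows and threshold as stated on this page.
NOTIFY_WINDOW = timedelta(hours=72)         # Commission and data subjects
FULL_REPORT_WINDOW = timedelta(days=5)      # full report when delay is prohibited
FAILURE_PRESUMED_AFTER = timedelta(days=5)  # no notification received => failure presumed
NO_DELAY_SUBJECT_THRESHOLD = 100            # at least 100 data subjects => no delay


@dataclass
class BreachAssessment:
    """Findings of the preliminary assessment (field names are this example's own)."""
    knowledge_time: datetime          # knowledge of, or reasonable belief in, the breach
    sensitive_personal_info: bool     # sensitive personal information involved
    identity_fraud_data: bool         # login data, financial data, biometrics, ID numbers, ...
    acquired_by_unauthorized: bool    # reason to believe an unauthorized person acquired it
    real_risk_of_serious_harm: bool   # controller (or Commission) sees a real risk of serious harm
    data_subject_count: int
    sensitive_disclosure_harms: bool  # disclosure of the sensitive data will harm the subjects
    delay_needed_for_scoping: bool = False  # scope still undetermined / containment in progress


def notification_required(a: BreachAssessment) -> bool:
    """All three conditions on the page must hold for notification to be mandatory."""
    data_in_scope = a.sensitive_personal_info or a.identity_fraud_data
    return data_in_scope and a.acquired_by_unauthorized and a.real_risk_of_serious_harm


def delay_prohibited(a: BreachAssessment) -> bool:
    """Either trigger forbids any delay: the Commission is notified within 72 hours on available information."""
    return (a.data_subject_count >= NO_DELAY_SUBJECT_THRESHOLD
            or (a.sensitive_personal_info and a.sensitive_disclosure_harms))


def triage(a: BreachAssessment) -> dict:
    """Return the notification decision and the deadlines measured from knowledge_time."""
    if a.knowledge_time.tzinfo is None:
        raise ValueError("knowledge_time must be timezone-aware")  # prevents off-by-hours deadlines
    required = notification_required(a)
    prohibited = delay_prohibited(a)
    return {
        "notification_required": required,
        "delay_prohibited": prohibited,
        # Delay is allowed only to the extent needed to scope or contain, and never when prohibited.
        "delay_permitted": required and a.delay_needed_for_scoping and not prohibited,
        "commission_deadline": a.knowledge_time + NOTIFY_WINDOW,
        "data_subject_deadline": a.knowledge_time + NOTIFY_WINDOW,
        # When delay is prohibited, the full report follows within five days of knowledge.
        "full_report_deadline": a.knowledge_time + FULL_REPORT_WINDOW if prohibited else None,
        "failure_presumed_after": a.knowledge_time + FAILURE_PRESUMED_AFTER,
    }


def sample_assessment() -> BreachAssessment:
    """Constructed scenario: ransomware on an HR file share holding 250 employee records."""
    return BreachAssessment(
        knowledge_time=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
        sensitive_personal_info=True,
        identity_fraud_data=True,
        acquired_by_unauthorized=True,
        real_risk_of_serious_harm=True,
        data_subject_count=250,
        sensitive_disclosure_harms=True,
        delay_needed_for_scoping=True,  # forensics still running; does not excuse delay here
    )


if __name__ == "__main__":
    for key, value in triage(sample_assessment()).items():
        print(f"{key}: {value}")
```

Every deadline is anchored to the time of knowledge or reasonable belief, not to the time containment finishes, which is why the function refuses naive timestamps and why `delay_permitted` is forced to false whenever either no-delay trigger applies, even though the sample scenario still has forensics in progress.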
Content of Notification

The notification shall include, but not be limited to:

1. Nature of the Breach
A. description of how the breach occurred and the vulnerability of the data processing system that allowed the breach;
B. a chronology of the events leading up to the loss of control over the personal data;
C. approximate number of data subjects or records involved;
D. description or nature of the personal data breach;
E. description of the likely consequences of the personal data breach; and
F. name and contact details of the data protection officer or any other accountable persons.

2. Personal Data Possibly Involved
A. description of sensitive personal information involved; and
B. description of other information involved that may be used to enable identity fraud.
Content of Notification

3. Measures Taken to Address the Breach
A. description of the measures taken or proposed to be taken to address the breach;
B. actions being taken to secure or recover the personal data that were compromised;
C. actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress to those affected by the incident;
D. action being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification; and
E. the measures being taken to prevent a recurrence of the incident.
FORM

Notification shall be in the form of a report, whether written or electronic, containing the
required contents of notification: Provided, that the report shall also include the name and
contact details of the data protection officer and a designated representative of the
personal information controller: Provided further, that, where applicable, the manner of
notification of the data subjects shall also be included in the report. Where notification is
transmitted by electronic mail, the personal information controller shall ensure the secure
transmission thereof. Upon receipt of the notification, the Commission shall send a
confirmation to the personal information controller. A report is not deemed filed without
such confirmation. Where the notification is through a written report, the received copy
retained by the personal information controller shall constitute proof of such confirmation.
Notification of Data Subjects

The personal information controller shall notify the data subjects affected by a personal data breach, subject to the following
procedures:

When should notification be done. The data subjects shall be notified within seventy-two (72) hours upon knowledge of or reasonable
belief by the personal information controller or personal information processor that a personal data breach has occurred. The
notification may be made on the basis of available information within the 72-hour period if the personal data breach is likely to give rise
to a real risk to the rights and freedoms of data subjects. It shall be undertaken in a manner that would allow data subjects to take the
necessary precautions or other measures to protect themselves against the possible effects of the breach. It may be supplemented
with additional information at a later stage on the basis of further investigation.

Exemption or Postponement of Notification. If it is not reasonably possible to notify the data subjects within the prescribed period, the
personal information controller shall request the Commission for an exemption from the notification requirement, or the postponement
of the notification. A personal information controller may be exempted from the notification requirement where the Commission
determines that such notification would not be in the public interest or in the interest of the affected data subjects. The Commission
may authorize the postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach,
taking into account circumstances provided in Section 13 of this Circular, and other risks posed by the personal data breach.
Notification of Data Subjects

Content of Notification. The notification shall include, but not be limited to:

1. nature of the breach;
2. personal data possibly involved;
3. measures taken to address the breach;
4. measures taken to reduce the harm or negative consequences of the breach;
5. representative of the personal information controller, including his or her contact
details, from whom the data subject can obtain additional information regarding
the breach; and
6. any assistance to be provided to the affected data subjects.
Exemption from Notification Requirements

The following additional factors shall be considered in determining whether the Commission may
exempt a personal information controller from notification:

1. Security measures that have been implemented and applied to the personal data at the time the
personal data breach was reasonably believed to have occurred, including measures that would
prevent use of the personal data by any person not authorized to access it;
2. Subsequent measures that have been taken by the personal information controller or personal
information processor to ensure that the risk of harm or negative consequence to the data
subjects will not materialize;
3. Age or legal capacity of affected data subjects: Provided, that in the case of minors or other
individuals without legal capacity, notification may be done through their legal representatives.
Failure to Notify

In case the personal information controller fails to notify the Commission or data
subjects, or there is unreasonable delay to the notification, the Commission shall
determine if such failure or delay is justified. Failure to notify shall be presumed if
the Commission does not receive notification from the personal information
controller within five (5) days from knowledge of or upon a reasonable belief that
a personal data breach occurred.
Privacy by Design
The 7 Foundational Principles

Privacy by Design is an approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures. It can be contrasted to an alternative process where privacy implications are not considered until just before launch.
Proactive not Reactive; Preventative not Remedial

The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred — it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.
Privacy as the Default Setting

We can all be certain of one thing — the default rules! Privacy by Design seeks to
deliver the maximum degree of privacy by ensuring that personal data are
automatically protected in any given IT system or business practice. If an
individual does nothing, their privacy still remains intact. No action is required on
the part of the individual to protect their privacy — it is built into the system, by
default.
Privacy Embedded into Design

Privacy by Design is embedded into the design and architecture of IT systems and
business practices. It is not bolted on as an add-on, after the fact. The result is
that privacy becomes an essential component of the core functionality being
delivered. Privacy is integral to the system, without diminishing functionality.
Full Functionality — Positive-Sum, not Zero-Sum

Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.
End-to-End Security — Full Lifecycle Protection

Privacy by Design, having been embedded into the system prior to the first
element of information being collected, extends securely throughout the entire
lifecycle of the data involved — strong security measures are essential to privacy,
from start to finish. This ensures that all data are securely retained, and then
securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by
Design ensures cradle to grave, secure lifecycle management of information, end-
to-end.
Visibility and Transparency — Keep it Open

Privacy by Design seeks to assure all stakeholders that whatever the business
practice or technology involved, it is in fact, operating according to the stated
promises and objectives, subject to independent verification. Its component parts
and operations remain visible and transparent, to users and providers alike.
Remember, trust but verify.
Respect for User Privacy — Keep it User-Centric

Above all, Privacy by Design requires architects and operators to keep the
interests of the individual uppermost by offering such measures as strong privacy
defaults, appropriate notice, and empowering user-friendly options. Keep it user-
centric.
Data Privacy Awareness Training Program
Training Content
BOTPA
Do not collect what you cannot protect