ABSOLUTELY, THEY SHOULD, AND HERE’S WHY:
On September 22nd, the Philippine Health Insurance Corp. (PhilHealth) fell victim to a cybersecurity attack when malicious hackers targeted its website and online application. This cyberattack resulted in a 24-hour disruption, as the hackers unleashed the Medusa ransomware, infecting 72 workstations and causing havoc in crucial systems, including the e-claims system, member portal, and collection system. To deal with this crisis, PhilHealth was forced to temporarily shut down its website operations and resort to manual processing of services. Fortunately, no personal or medical information of PhilHealth members was compromised. As of yesterday morning, PhilHealth's website, member portal, and e-claims submission system are up and running again. However, some application servers are still in the process of being restored.
Emmanuel Ledesma Jr., PhilHealth's chief, expressed confidence in the preparedness of their information technology and information security departments to handle such attacks. Nonetheless, they have taken a proactive approach by working closely with the Department of Information and Communications Technology (DICT) and the National Privacy Commission (NPC) while also establishing coordination with the National Bureau of Investigation (NBI) to address the situation.
From this incident, it becomes abundantly clear that data privacy compliance should never be taken lightly. If a company is not as prepared as PhilHealth and lacks the support of other organizations during a crisis, the consequences can be devastating for both the company and its people. Delays would already have cost the company more money, time, and effort, with compliance still farther out on the horizon.
The risk of higher penalties would also have escalated by now. Non-compliance can amount to criminal acts punishable under the data privacy law, the Data Privacy Act of 2012 (DPA). Penalties for non-compliance are enforced by the National Privacy Commission (NPC) through its Implementing Rules and Regulations (IRR) released in 2016.
“Responsible officers” of a corporation shall be recommended for prosecution by the NPC if, through their participation in or by their gross negligence, they allow the commission of a criminal act penalized under the DPA 2012. Penalties for crimes under the DPA can go as high as Php5 million in fines and up to 7 years of imprisonment.
What constitutes gross negligence?
Extreme indifference to or reckless disregard for the protection of personal data by the company’s leadership could be taken as gross negligence when applied to data privacy. That includes the continuing inaction of a Data Protection Officer (DPO), the appointed lead for meeting the company’s compliance goals and objectives as required by law.
For the company’s management, gross negligence could be the consistent failure to take drastic action towards compliance over the past 4 years of the DPA’s existence and of the NPC’s insistence on corporate accountability for data privacy compliance from all organizations in the private and government sectors.
Data privacy compliance is not easy. That is the reason companies should tap the best resources available, whether in-house or from outside, to meet this new challenge, and undertake data privacy compliance as a major project that must be done not in another 4 years but, if possible, in the next 4 months.
The National Privacy Commission (NPC) has painstakingly laid out more than enough guidelines and advisories to help companies comply. Companies should just get their people to step up: to understand and implement these guidelines and procedures in order to satisfy the 5-Pillar proof of compliance that the NPC has provided since 2017.
Should companies take data privacy compliance seriously? That is no longer the question.
The question now is: can they find a way to achieve compliance? SOONEST!
Data Privacy Advocate and Consultant
Repost from our July 2021 Insight Post: