The Office of the Solicitor General (OSG) may be held liable for possible violations of the Data Privacy Act due to an alleged failure to notify the National Privacy Commission (NPC) about a data breach involving hundreds of thousands of documents which could impact ongoing prosecutions.
NPC representatives said Tuesday that the agency, as of May 4, had yet to receive any breach notification from the OSG.
Asked what penalties could be imposed against the OSG for not notifying the privacy body, NPC Public Information and Assistance Division chief Roren Marie Chin told reporters “possible violation is concealment of data breach.”
British cybersecurity firm TurgenSec Ltd. said that some 345,000 documents of the OSG had been accessible to anyone with a browser and internet connection until April 28, 2021.
It said the files included staff training documents, internal passwords and policies, staffing payment information, and financial processes and audits.
"This data breach is particularly alarming as it is clear that this data is of governmental sensitivity and could impact on-going prosecutions and national security," TurgenSec said in a writeup on its website.
TurgenSec said it emailed the SolGen and the Philippine government on March 1 and March 24, but it did not receive any response.
With this, Chin said that “the Commission investigates any credible reports of breach. If after five days we have not received any report, there will be a presumption of failure to notify.”
“If upon investigation of the Commission, it was found that the breach is subject to mandatory notification and the PIC (personal information controller) failed to comply with its duty to notify, the PIC may be held liable for concealment of security breach under Section 30 of the DPA (Data Privacy Act),” she said.
On its website, the NPC said the failure to notify the public or the NPC makes a party liable for “Concealment of Security Breaches involving Sensitive Personal Information.”
The violation carries a penalty of imprisonment from one year to six months and a fine of P500,000 to P1,000,000.
“This crime is committed by those having knowledge of the security breach and with an obligation to inform the NPC of the fact of such a breach, either intentionally or by omission fails to inform the NPC that the breach has happened,” according to the Exercising Breach Reporting Procedures on the privacy body’s website.
For its part, the Department of Justice (DOJ) said it had not received official information on the supposed data breach, but that it would be ready to assist the OSG, which it said is already looking into the reported incident.
"I understand that the OSG is now looking into this alleged data breach. The DOJ has not received any such information through official channels but will be ready to assist the OSG, if necessary," Justice Secretary Menardo Guevarra said on Monday. —NB, GMA News