Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
The Cybercrime Prevention Act of 2012 (CPA) defines the following as cybercrimes:
- offences against the confidentiality, integrity and availability of computer data and systems (illegal access, illegal interception, data interference, system interference, misuse of devices and cybersquatting);
- computer-related offences (computer-related forgery, computer-related fraud and computer-related identity theft); and
- content-related offences (cybersex, child pornography, unsolicited commercial communications and libel).
The CPA designates the National Bureau of Investigation (NBI) and the Philippine National Police (PNP) as enforcement authorities and regulates their access to computer data. It also creates the Cybercrime Investigation and Coordinating Center (CICC) as an inter-agency body for policy coordination and enforcement of the national cybersecurity plan, and an Office of Cybercrime within the Department of Justice (DOJ-OC) for international mutual assistance and extradition.
The Supreme Court’s Rule on Cybercrime Warrants (AM No. 17-11-03-SC) governs the application and grant of court warrants and related orders involving the preservation, disclosure, interception, search, seizure or examination, as well as the custody and destruction of computer data, as provided under the CPA.
The Electronic Commerce Act of 2000 (ECA) provides for the legal recognition of electronic documents, messages and signatures for commerce, transactions in government and evidence in legal proceedings. The ECA penalises hacking and piracy of protected material, electronic signature or copyrighted works, limits the liability of service providers that merely provide access, and prohibits persons who obtain access to any electronic key, document or information from sharing them. The ECA also expressly allows parties to choose their type or level of electronic data security and suitable technological methods, subject to the Department of Trade and Industry guidelines.
The Access Devices Regulation Act of 1998 (ADRA) penalises various acts of access device fraud such as using counterfeit access devices. An access device is any card, plate, code, account number, electronic serial number, personal identification number or other telecommunications service, equipment or instrumental identifier, or other means of account access that can be used to obtain money, goods, services or any other thing of value, or to initiate a transfer of funds. Banks, financing companies and other financial institutions issuing access devices must submit annual reports of access device frauds to the Credit Card Association of the Philippines, which forwards the reports to the NBI.
The Data Privacy Act of 2012 (DPA) regulates the collection and processing of personal information in the Philippines and of Filipinos, including sensitive personal information in government; creates the National Privacy Commission (NPC) as a regulatory authority; requires personal information controllers to implement reasonable and appropriate measures to protect personal information and notify the NPC and affected data subjects of breaches; and penalises unauthorised processing, access due to negligence, improper disposal, processing for unauthorised purposes, unauthorised access or intentional breach, concealment of security breaches and malicious or unauthorised disclosure in connection with personal information.
The Philippines acceded to the Convention on Cybercrime, effective on 1 July 2018.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Transportation, energy, water, health, emergency services, banking and finance, business process outsourcing, telecommunications, media and the government sectors are considered critical information infrastructures (CII), and are required by the Department of Information and Communications Technology (DICT) to observe information security standards.
Has your jurisdiction adopted any international standards related to cybersecurity?
The DICT Memorandum Circular No. 5 (2017) requires government agencies to adopt the Code of Practice in the Philippine National Standard (PNS) ISO/IEC 27002 (Information Technology - Security Techniques - Code of Practice for Information Security Controls) by 14 September 2018, and CII to implement the PNS on Information Security Management System ISO/IEC 27001 by 14 September 2019. Non-CII sectors may voluntarily adopt PNS ISO/IEC 27002. DICT conducts risk and vulnerability assessment based on ISO 27000 and ISO 31000 and security assessment based on ISO/IEC TR 19791:2010 of CIIs at least once a year. The DICT also issues a Certificate of CyberSecurity Compliance to CIIs based on ISO/IEC 15408 (Information Technology - Security Techniques - Evaluation Criteria for IT Security) and ISO/IEC 18045 (Methodology for IT Security Evaluation).
In prescribing the government’s Cloud First Policy, DICT Circular No. 2017-002 includes ISO/IEC 27001 as an accepted international security assurance control for verifying data that can be migrated to GovCloud or the public cloud, and ISO/IEC 17203:2011 Open Virtualization Format specification as a standard for interoperability of GovCloud workloads.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
The specific obligation to keep informed of the adequacy of cybersecurity results from general obligations. Under the DPA, the employees, agents or representatives of a personal information controller who are involved in the processing of personal information are required to operate and hold personal information under strict confidentiality if the personal information is not intended for public disclosure, even after leaving the public service, transfer to another position or upon termination of employment or contractual relations. Also, diligence in preventing the commission of offences under the DPA is required of responsible company officers. If they participated in, or by gross negligence allowed, the commission of an offence, they may be penalised by a fine and imprisonment.
The CPA requires persons with leading positions in a corporation who act or decide on its behalf to exercise sufficient supervision or control within the corporation to prevent cybercrime offences. If they fail this duty, the corporation may suffer a fine and hold them responsible under the corporation’s internal rules.
The Central Bank of the Philippines (BSP) Manual of Regulations for Banks requires directors of BSP-supervised institutions (BSI) to understand the BSIs’ IT risks and ensure that they are properly managed. BSIs include banks, non-banks with quasi-banking functions, non-bank electronic money issuers and other non-bank institutions subject to the BSP’s supervision.
How does your jurisdiction define cybersecurity and cybercrime?
The CPA defines ‘cybercrime’ as those offences listed in question 1, while it defines ‘cybersecurity’ as the collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organisation and user’s assets, where ‘cyber’ refers to a computer or a computer network, the electronic medium in which online communication takes place.
‘Data privacy’ is a DPA term that concerns personal information only. Thus, cybersecurity covers other kinds of data, while data privacy covers environments other than cyber.
There are no regulations specific to ‘information system security’ that may be compared with cybercrime enforcement.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
The DPA requires personal information controllers and their processors to include in their reasonable and appropriate organisational, physical and technical security measures against accidental or unlawful processing and natural or human dangers:
- safeguards to protect its computer network against accidental, unlawful or unauthorised usage or interference with or hindering of their functioning or availability;
- a security policy with respect to the processing of personal information; and
- a process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
The NPC requires all digitally processed personal data to be encrypted, preferably with AES-256, and passwords to be enforced through a policy and a system management tool. For onsite and online access by government agency or contractor personnel to sensitive personal information, the DPA requires security clearance from the head of the source agency, a secure encrypted link for access and multifactor authentication of identity, and middleware for full control over the access. For off-site access, the agency head must approve within two business days of a request for, at most, 1,000 records at a time, and the most secure encryption standard recognised by NPC is used. Agencies must use full-disk encryption when storing personal data on laptops and send passwords in a separate email.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
The ECA penalises piracy or the unauthorised copying, reproduction, dissemination, distribution, importation, use, removal, alteration, substitution, modification, storage, uploading, downloading, communication, making available to the public or broadcasting of protected material, electronic signature or copyrighted works, including legally protected sound recordings or phonograms, or information material on protected works, through the use of telecommunication networks, such as, but not limited to, the internet, in a manner that infringes intellectual property rights, with a fine and imprisonment.
The CPA penalises cybersquatting or the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation and deprive others from registering the same if such a domain name is:
- similar, identical or confusingly similar to an existing trademark registered with the appropriate government agency at the time of the domain name registration;
- identical or in any way similar to the name of a person other than the registrant, in the case of a personal name; and
- acquired without right or with intellectual property interests in it.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
The CPA imposes a stiffer fine and prison term for offences against the confidentiality, integrity and availability of computer data and systems if done against critical infrastructure. This refers to the computer systems, networks, programs, computer data and traffic data vital to the Philippines, the destruction, incapacitation or interference with which would have a debilitating impact on national or economic security, national public health and safety, or any combination of these.
DICT Memorandum Circular No. 5 (2017) prescribes policies and rules on CII protection based on the National Cybersecurity Plan 2022 (NCP2022). Aside from requiring compliance with international standards, the Circular requires:
- each CII to have a computer emergency response team (CERT), which shall report cybersecurity incidents within 24 hours from detection to DICT as the National CERT;
- telecommunications operators and ISPs to conduct cyber hygiene on their networks;
- CII websites to obtain a DICT seal of cybersecurity;
- covered organisations to implement a disaster recovery plan and business continuity plan; and
- DICT to conduct annual CII cyber drills.
Also, DICT Memorandum Circular No. 7-17 implements DICT’s Programme on CyberSecurity Education and Awareness for CII.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
The DICT CERT Manual for creating the CERT for each organisation provides a communication procedure aimed at ensuring that sensitive or critical information is not disclosed when communicating and coordinating with parties and groups outside the National CERT. The procedure requires the written approval of management for disclosure of information to the media and of the CyberSecurity Bureau for communicating and sharing information with law enforcement agencies.
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
Question 1 describes the CPA cybercrimes and offences under the DPA, ECA and ADRA that may cover cyberactivities relevant to organisations as they may either be committed by organisations or committed against organisations (as possible targets).
How has your jurisdiction addressed information security challenges associated with cloud computing?
They are mainly addressed through a general cybersecurity framework, regulations specific to the banking and government sectors, and participation in cybersecurity initiatives as a member of the International Telecommunication Union.
The BSP’s prior approval of a BSP-supervised financial institution’s (BSFI’s) use of cloud services is conditioned on the conduct of due diligence on the cloud service provider (CSP), the service’s compliance with data security, confidentiality and disaster recovery requirements, and mandatory provisions in the service contract. The BSP’s 2017 Enhanced Guidelines on Information Security Management also require BSFI management to ‘fully understand the nature of the cloud technology in line with business requirements and satisfy themselves as to the level of security and compliance to data privacy and other relevant rules and regulations’, and to oversee the cloud service provider’s ‘adherence to security, performance and uptime, and back-up and recovery arrangements contained in the contract/agreement’.
Apart from implementing a cybersecurity awareness campaign, the DICT issued Department Circular No. 2017-002 to regulate the security of government-contracted cloud services with data migration through international security assurance controls and industry-accepted encryption; baseline and optional security controls for CSPs to host classes of government data; and logical security audit on data access and continuous security monitoring to ensure data confidentiality, integrity and availability.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
The regulatory obligations for domestic and foreign organisations doing business in the Philippines are the same.
Also, the DPA applies extraterritorially on an organisation’s acts or practices outside of the Philippines if:
- the act, practice or process relates to personal information about a Philippine citizen or a resident;
- the organisation has a link with the Philippines; and
- the organisation is processing personal information in the Philippines, or even if the processing is outside the Philippines, as long as it is about Philippine citizens or residents.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
As mentioned in question 1, the DICT recommends optional security controls for CSPs to host classes of government data. With respect to government agencies that process the personal data records of more than 1,000 individuals, the NPC recommends the use of ISO/IEC 27002 as the minimum standard to assess any gaps in the agency’s control framework for data protection.
How does the government incentivise organisations to improve their cybersecurity?
Under the NCP2022, the DICT aims to raise the business sector’s awareness of cyber risks, security measures and possible public-private partnership on improving cybersecurity. The government has yet to especially incentivise organisations to improve their cybersecurity.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
See question 3.
Are there generally recommended best practices and procedures for responding to breaches?
BSP Circular No. 1019 (2018) prescribes technology and cyber-risk reporting and notification requirements for BSFIs. The Circular provides procedures for reporting to the BSP major cyber-related incidents, such as those involving significant data loss or massive data breach, and disruptions of financial services and operations.
NPC Circular No. 16-03 provides guidelines for personal data breach management, requiring organisations to implement a security incident management policy to ensure:
- the creation of a data breach response team, which will be responsible for implementing the policy;
- implementation of organisational, physical and technical security measures, and of policies to prevent or minimise personal data breaches and assure timely discovery of the same;
- implementation of an incident response procedure;
- mitigation of negative consequences to data subjects; and
- compliance with all laws and regulations on data privacy.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
None as of yet. But the NCP2022 aims to use organisation reports to develop cybersecurity measures and to promote the sharing of information between the government and private sector.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The DICT is creating technical working groups to review existing cybersecurity courses and develop new ones for integration into the curricula of engineering, computer science, information technology, law and criminology. The NCP2022 includes establishing and creating programmes among CERTs, law enforcement, academia and industries as one of the government’s key initiatives.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Only a few insurance companies so far offer insurance for data security breaches, network interruption and cyber extortion as well as fines resulting from breach of administrative obligations relative to cybersecurity.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The NBI Cybercrime Division, PNP Anti-Cybercrime Group, DOJ-OC, CICC, BSP and NPC enforce various rules related to cybersecurity.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
The CPA authorises the NBI Cybercrime Division and PNP Anti-Cybercrime Group to investigate cybercrimes. The DOJ prosecutes cybercrimes and its DOJ-OC coordinates international mutual assistance and extradition. The CICC CERT provides assistance to suppress real-time commission of cybercrimes and facilitates international cooperation on intelligence, investigations, suppression and prosecution. Law enforcement authorities may collect or record traffic or non-traffic data in real time upon being authorised by a court warrant.
The New Central Bank Act (Republic Act No. 7653) confers on the BSP the power to supervise the operations of banks and exercise such regulatory powers under Philippine laws over the operations of finance companies and non-bank financial institutions performing quasi-banking functions and institutions performing similar functions.
The NPC (i) enforces, monitors compliance of government and private entities with, and investigates and recommends to the DOJ, the prosecution of violations under the DPA; (ii) facilitates cross-border enforcement of data privacy protection; and (iii) can issue cease-and-desist orders, or impose a temporary or permanent ban on the processing of personal information upon finding that the processing will be detrimental to national security or public interest, or both.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
The NCP2022 sets out the following key programme areas to address the need for increased awareness and capacity-building for both the public and private sectors:
- the protection of CII through cybersecurity assessment and compliance, national cyber drills and exercises, and a national database for monitoring and reporting;
- the protection of government networks through a national computer emergency response programme, a capacity building and capability development programme, a pool of information security and cybersecurity experts, the Threat Intelligence and Analysis Operations Center, protection of electronic government transactions, and the update of licensed software;
- the protection of the supply chain through a national common criteria evaluation and certification programme; and
- the protection of individuals through the acceleration of learning skills and development, a cybersecurity outreach project, a national cybersecurity awareness month, equipping the government and programmes for local and international cooperation.
Also, the Supreme Court has addressed the need for procedures for securing court warrants specifically for investigating and prosecuting cybercrimes.
The issue of enforcement against cybercrimes committed by actors or on online platforms outside Philippine territory is being addressed by forging closer international cooperation with agency counterparts in other jurisdictions, as the country’s accession to the Cybercrime Convention this year demonstrates.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
In general, the penalties consist of fines and imprisonment.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
BSIs that fail to report breaches in information security, especially incidents involving the use of electronic channels, may be penalised with fines, suspension of the BSI’s privileges or access to the Central Bank’s credit facilities, as well as revocation of a quasi-banking licence. Internet service providers and internet hosts that fail to promptly report child pornography to police authorities may be penalised with fines and imprisonment. As to breaches related to personal information, the NPC has yet to provide penalties specific to the failure to report.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
The DPA gives data subjects the right to be indemnified for any damage sustained owing to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorised use of personal information. Claims for indemnity may be filed with the NPC.
Parties may provide for redress in a contract and claim damages for breach of contract. Philippine tort law allows claims for damages resulting from acts or omissions involving negligence or those involving violations by private entities or individuals of the constitutional rights of other private individuals. Claims may be filed in court or through alternative dispute resolution mechanisms.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
A CERT that will respond to cyberattacks is required of every bureau, office, agency and instrumentality of the government.
For personal data protection, the NPC requires organisations to create a security incident management policy, which shall include:
- conduct of a privacy impact assessment to identify attendant risks in the processing of personal data, which should take into account the size and sensitivity of the personal data being processed, and impact and likely harm of a personal data breach;
- a data governance policy that ensures adherence to the principles of transparency, legitimate purpose and proportionality;
- the implementation of appropriate security measures, which protect the availability, integrity and confidentiality of personal data being processed;
- regular monitoring for security breaches and vulnerability scanning of computer networks;
- capacity building of personnel to ensure knowledge of data breach management principles and internal procedures for responding to security incidents; and
- a procedure for the regular review of policies and procedures, including the testing, assessment and evaluation of the effectiveness of the security measures.
Security measures are required to ensure the availability, integrity and confidentiality of the personal data being processed, such as implementation of backup solutions, access control and secure log files, encryption, data disposal and return-of-assets policy.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
The NPC requires all actions taken by a personal information controller or personal information processor to be properly documented by the designated data protection officer, should a personal data breach occur.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
BSIs must report breaches in information security, especially incidents involving the use of electronic channels. Depending on the nature and seriousness of the incident, the BSP may require the BSI to provide further information or updates on the reported incident until the matter is finally resolved. BSFIs must report major cyber-related incidents, such as those involving significant data loss or massive data breach, and disruptions of financial services and operations, to the BSP.
The Anti-Child Pornography Act requires internet service providers and internet hosts to notify the police authorities when a violation is being committed using its server or facility and preserve evidence of such violation.
The DPA requires personal data breach notification to the NPC.
What is the timeline for reporting to the authorities?
BSFIs must submit a report to the BSP within two hours of discovery of major cyber-related incidents and disruptions of financial services and operations, and a follow-up report within 24 hours from discovery. Companies engaged in the business of issuing access devices must submit an annual report to the Credit Card Association of the Philippines about access device frauds. Internet service providers and internet hosts must report any form of child pornography in their system to the police authorities within seven days of discovery. The NPC must be notified within 72 hours upon knowledge of, or the reasonable belief by, the personal information controller or personal information processor that a personal data breach has occurred.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
Apart from the personal data breach notification to the data subject required by the NPC, there are no rules for reporting threats or breaches to others in the industry, customers or the public.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Since Philippine cybersecurity laws are relatively new, the lack of awareness on the need for cybersecurity and the relevant laws and regulations remains the principal challenge for authorities. The NCP2022 will continue to dictate the changes in policies and regulations over the next few years as it progresses from capacity-building to corrective enforcement. Collaboration with the government by private companies on rule-making and compliance, to help deal with the constant cybersecurity threats to their operations and the potential financial risks, should encourage a favourable regulatory environment.