When the cover-up is the crime
The New York Times reports that the former head of Uber's security team has been charged in a criminal case for concealing a 2016 personal data breach. The breach involved personal information of 57 million Uber drivers and passengers.
What's notable about the case, as the New York Times notes, is that "the charges drew an important distinction between failing to protect Uber’s computer network and failing to tell the authorities about it. Prosecutors said that Mr. Sullivan committed two felonies when he didn’t disclose the 2016 incident to federal investigators who were already investigating a similar data breach that had occurred two years earlier."
The Philippines' Data Privacy Act draws a similar distinction, as there is a specific criminal offense for failure to report a security breach involving sensitive personal information (see Section 30 of Republic Act No. 10173 [the "DPA"]). In a number of public statements, officials of the National Privacy Commission have stated that, as a general rule, personal information controllers would not be held liable if they are victimized by a data breach (subject to the usual caveats re accountability for protecting the data, of course). However, these controllers may be prosecuted criminally if they fail to comply with the mandatory reporting requirements for personal data breaches.
Unlike in the United States, the parameters for mandatory reporting of personal data breaches in the Philippines are clear. As provided in Section 38 (b) of the Implementing Rules and Regulations of the DPA, reporting to the NPC is mandatory "when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject." The report must be submitted to the NPC within 72 hours upon knowledge or reasonable belief that such a breach has occurred. Note that the data subject must also be notified within the same timeframe.
What is curious for me, though, is that the criminal offense for concealment under Section 30 refers to concealment of a security breach involving sensitive personal information. However, the mandatory reporting requirement under Section 38(b) also covers breaches where the subject of the breach is "any other information that may, under the circumstances, be used to enable identity fraud." This is a distinct reporting basis, as NPC Circular No. 16-03 on Personal Data Breach Management defines this "other information" as follows: it "shall include, but not be limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers like Philhealth, SSS, GSIS, TIN number; or other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits."
Given the distinction, an argument can be made that failure to report a data breach involving other information that may be used to enable identity fraud would NOT give rise to criminal charges for concealment under Section 30 of the DPA. What do you think?