The National Privacy Commission in the Philippines is set to file criminal charges against COMELEC Chairman Andres Bautista for his alleged role in ‘Comeleak’, a data breach that risked the personal data of 55 million registered Philippine voters. The National Privacy Commission claims that COMELEC and Bautista violated the Data Privacy Act of 2012 and recommended the filing of criminal charges against the Chairman for violating Sections 11, 20, and 21 of the Philippine Data Privacy Act of 2012.
Bautista, however, is not taking the accusation lying down. He claims that he was surprised when he learned of the National Privacy Commission’s decision, as hackers were liable for Comeleak and not the poll body.
‘Hacking happens the world over’
In a statement to CNN on the Comeleak charges, Bautista expressed his confusion over the move by the National Privacy Commission stating: ‘This is surprising because in my opinion, the National Privacy Commission saw mistakes were made. Hacking happens the world over. Even the U.S. Government was hacked. Efforts must be focused on arresting the hackers instead of punishing those who were hacked.’
In addition, the COMELEC Chairman raised questions about the credibility of the National Privacy Commission, saying that it was only established in 2016 and had to date not issued any useful rules and regulations, which, he claimed, is why COMELEC had had ‘no idea’ of what standards to follow. The COMELEC Chairman was also puzzled as to why the IT Department of COMELEC, which was in charge of the voters’ roll website, was not found to be at fault for Comeleak, yet a criminal case was being pursued against him.
Bautista was also quick to defend the COMELEC’s reaction to the Comeleak breach: ‘The COMELEC was never negligent. When this happened, we did everything we could to lessen the damage.’
Lessons learned from Comeleak case?
The Comeleak issue appears to be both legally and procedurally complex, and the questions being asked by the COMELEC Chairman appear, at least on the face of it, to be valid. If we accept this, the question then is: why is Bautista being charged for Comeleak? To the layman it might appear to be a case of ‘the buck has to stop somewhere’. The National Privacy Commission seems to claim that Bautista was either unfit for his office or was negligent in his duties when it shone a light on his apparent ‘lack of appreciation’ that data protection is more than just the implementation of security measures.
The National Privacy Commission also noted that, as chairman of COMELEC, Bautista should have made sure that regular review and evaluation of the poll body’s privacy and security policies were implemented. If this is indeed the case, then it simply raises more questions, such as why Bautista was appointed to a position he was ill-equipped for, and whether every effort was made to provide him with the support structure and adequately trained personnel that are essential to ensure data privacy.
‘The Chairman is not the custodian of the database’
Bautista said that the COMELEC is ‘currently managed by seven lawyers,’ including himself, who ‘rely on our IT Department for expert advice on website/data security and privacy and IT-related matters.’
‘The Chairman,’ he said, ‘after exercising the diligence required by law in supervising and monitoring all departments under him as in the case of the Heads of other government agencies, is not the collector, processor, and custodian of the database.
‘As the Head of Agency, in areas where I did not have specific expertise, I generally trusted the advice and recommendations of our IT experts,’ he added.
If correct, this is a prime example of why C-suite executives need to be intimately involved in the strategy generation process around issues relating to privacy and security.