‘Comeleak’ Allows Philippine National Privacy Commission to Show Teeth

The National Privacy Commission in the Philippines is set to file criminal charges against COMELEC Chairman Andres Bautista for his alleged role in ‘Comeleak’, a data breach that exposed the personal data of 55 million registered Philippine voters. The National Privacy Commission claims that COMELEC and Bautista violated the Data Privacy Act of 2012 and has recommended the filing of criminal charges against the Chairman for violating Sections 11, 20, and 21 of that Act.

Bautista is, however, not taking the accusation lying down. He claims that he was surprised when he learned of the National Privacy Commission’s decision, arguing that the hackers, not the poll body, were liable for Comeleak.

‘Hacking happens the world over’

In a statement to CNN on the Comeleak charges, Bautista expressed his confusion over the move by the National Privacy Commission stating: ‘This is surprising because in my opinion, the National Privacy Commission saw mistakes were made. Hacking happens the world over. Even the U.S. Government was hacked. Efforts must be focused on arresting the hackers instead of punishing those who were hacked.’

The COMELEC Chairman also raised questions about the credibility of the National Privacy Commission, saying that it was only established in 2016 and had to date not issued any useful rules and regulations, which, he claimed, is why COMELEC had had ‘no idea’ of what standards to follow. He was also puzzled as to why the IT Department of COMELEC, which was in charge of the voters’ roll website, was not found to be at fault for Comeleak, yet a criminal case was being pursued against him.

Bautista was also quick to defend the COMELEC’s reaction to the Comeleak breach: ‘The COMELEC was never negligent. When this happened, we did everything we could to lessen the damage.’

Lessons learned from Comeleak case?

The Comeleak issue appears to be both legally and procedurally complex, and the questions being asked by the COMELEC Chairman appear, at least on the face of it, to be valid. If we accept this, the question then is: why is Bautista being charged for Comeleak? To the layman it might appear to be a case of ‘the buck has to stop somewhere’. The National Privacy Commission seems to claim that Bautista was either unfit for his office or negligent in his duties, pointing to his apparent ‘lack of appreciation’ that data protection is more than just the implementation of security measures.

The National Privacy Commission also noted that, as chairman of COMELEC, Bautista should have made sure that regular review and evaluation of the poll body’s privacy and security policies were carried out. If this is indeed the case, it simply raises more questions: why was Bautista appointed to a position he was ill equipped for, and was every effort made to provide him with the support structure and adequately trained personnel that are essential to ensure data privacy?

‘The Chairman is not the custodian of the database’

Bautista said that the COMELEC is ‘currently managed by seven lawyers,’ including himself, who ‘rely on our IT Department for expert advice on website/data security and privacy and IT-related matters.’

‘The Chairman,’ he said, ‘after exercising the diligence required by law in supervising and monitoring all departments under him as in the case of the Heads of other government agencies, is not the collector, processor, and custodian of the database.

‘As the Head of Agency, in areas where I did not have specific expertise, I generally trusted the advice and recommendations of our IT experts,’ he added.

If correct, this is a prime example of why C-Suite executives need to be intimately involved in the strategy-making process around issues relating to privacy and security, rather than delegating it wholesale to the IT department.

It is a global problem

It’s not only voter data that is targeted by hackers with malicious intent. The run-up to the election of Donald Trump was characterised by accusations of dirty tricks from both Democrats and Republicans, and Russian hackers were accused of being the players in the background responsible for the leaking of Democratic Party emails to WikiLeaks. Democrats accused the Russians of trying to influence the democratic process in favour of Trump. The accusations and counter-accusations were fodder for increasingly shrill media reports, and for a narrative that Putin is the power behind the Trump throne.

The Trump team (and, for that matter, Putin and the Russian government) has consistently denied any involvement with the hacks.

Putin is on record as saying: “I wouldn’t know anything about it [hacked emails]. You know, there are so many hackers today and they work with such finesse, planting a trail where and when they need. Not even their own trail but masquerade their actions as those of other hackers acting from other territories, nations. It’s difficult to trace, if even possible. Anyway, we certainly don’t do such things on the state level.”

Most thinking people take this statement with a fairly substantial grain of salt. Russia, often acting through quasi-governmental players, has been accused of this sort of action in the past. But it’s important to note what the evidence does and does not show. There is strong evidence that Democratic email accounts were breached via phishing messages, and that specific malware was spread across DNC computers by a Russian group that has been accused of similar actions in the past. The further step, that this group acts on behalf of the Russian state, remains conjecture: no one has actually proven that the group is in the pay of the Russian government.

Putin’s press secretary denied Russian interference in the US election: “Russia will never intervene in the internal affairs, much less electoral process of other countries. Moscow scrupulously avoids any actions or words that could be regarded as direct or indirect interference in an electoral process.”

Marine Le Pen’s admission that her party receives campaign funding from Russia makes a mockery of Putin’s claim that Russia does not intervene in foreign elections. As a January 2017 Bloomberg article states, the 11 million euro ($11.5 million) in loans that the French National Front took from a Russian bank is to date the most solid piece of proof that Russia is backing nationalist populist political forces in Europe with more than just talk on Kremlin propaganda channels.

No investigation is likely to deliver absolute certainty. Russian state hackers are far too experienced and street smart for that. It’s almost certain that neither America nor the rest of the world will ever know for sure whether it was a state agency, a contractor or freelance hackers.

For Putin, the WikiLeaks emails were a timely gift-wrapped present: a narrative that could show that American elections were ultimately controlled by a select group of the powerful. If domestic or international critics complained about the enrichment of Putin’s inner circle, he need only rehash the antics of the Clinton Foundation and the relationship between the Democrats and the mainstream media.

Both organization and commander-in-chief should face penalties

Whatever the reasoning or the culprit, it’s abundantly clear that the hacking knife cuts both ways, and cuts deeply. Private individuals need to be aware of the increasing amounts of data being gathered and held by governments, and of the fact that other players (including foreign governments) have a vested interest in that data. Those players will go to almost any lengths to obtain it in order to impose their will on the global community. Your data, be it emails or passwords, has the power to reshape the world. It’s more important than ever before that those in control are fully aware of the power of that data and are completely immersed in the strategy for protecting it.

But it’s not only the United States authorities who are increasingly concerned about data, and it’s not only government that has been exposed as having significant vulnerabilities due to a lack of strategic buy-in from senior management. In a clear nod to the importance of top management having oversight, or at least a clear picture, of the strategic importance of data security, a U.K. parliamentary report issued in June 2016 recommended that organisations should face severe penalties for cybersecurity breaches, with the biggest penalties reserved for firms that succumb to “plain vanilla” intrusions, such as the SQL injection attack on the telco TalkTalk.

The heaviest sanction should be levied against companies that experience ‘continued vulnerabilities and repeated attacks.’

The report also recommended that a ‘portion of CEO compensation should be linked to effective cybersecurity’ and that companies appoint a chief security officer.

If this report is acted upon, it sends a clear signal to companies (and C-Suite executives), and one that governments should heed as well. Firstly, seasoned professionals need to be enlisted to aid in the battle for the high ground of data security. Secondly, all levels of the organisation need to be involved in the development of security protocols and strategies.

The lesson is clear. Government needs to take its cue from private enterprise. In turn, private enterprise needs to pay close heed to the parameters for good corporate practice set out in legislation; if not, the penalties are apt to be severe. In addition, it’s by no means certain that government itself is not interested in private data, and it will go to extraordinary lengths to secure it. This calls for stronger legislation protecting data, and extra vigilance by companies acting as custodians.

Bautista will keep fighting National Privacy Commission charges

It seems that Bautista will keep fighting the Comeleak charges. “With all due respect to the NPC membership, we believe that the NPC decision was based on misappreciation of several facts, legal points, and material contexts,” he concluded in a recent media interview.

At a press conference at the Rembrandt Hotel in Quezon City in January 2017, Bautista also explained that the COMELEC was not able to comply with the Data Privacy Act because the implementing rules and regulations were not yet in place when he assumed his post.

According to the law, a violation of the Data Privacy Act due to negligence is punishable by three to six months’ imprisonment and a fine of P500,000 to P4 million. If a government official is found guilty of this crime, he or she will be disqualified from public office.

The case against Bautista is interesting in a number of ways. Firstly, it tests the reach and powers of the National Privacy Commission in the Philippines. Secondly, it seems set to provide a case study in how IT professionals and C-Suite executives should work together, and in the importance of knowledge in the realm of data privacy and security even at the highest levels of the organisation. Lastly, it will set a precedent for how far government can be trusted with personal data and what exactly constitutes best practice.