BPI says ‘just a glitch’, NPC says ‘wait, not so fast’

June 16, 2017 - 7:24 PM

Originally posted on NEWSBYTES.PH

MANILA, PHILIPPINES | The National Privacy Commission (NPC) bared it is conducting a privacy compliance check on the Bank of Philippine Islands (BPI) after the recent incident that caused the bank’s electronic channels to be temporarily suspended.

The compliance check will evaluate the existing governance, organizational, physical, and technical measures in place and seek to address any gaps especially in the bank’s breach management protocol, with the view of preventing or mitigating similar incidents in the future.

Under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (Data Privacy Act), the NPC is mandated to ensure compliance of institutions with its provisions, which includes data breach notification, management and mitigation.

The NPC has been in contact with the bank since June 7, the first day news about the incident spread on social media. The agency said the high-profile nature of the incident and the potential harm to thousands of data subjects prompted it to immediately coordinate with the bank and its data protection officer to work towards containing the breach and lessening the impact of the incident.

According to NPC commissioner Raymund Liboro: “We appreciate BPI’s efforts to establish communication with the Commission throughout this episode to assuage our concern for the privacy of their depositors’ personal data.

“We believe the BPI management fully understands this, because of our shared goal of ensuring the protection of the privacy rights and interests of their clients,” he added.

The privacy agency said the BPI incident involved a security breach affecting the availability and integrity of information relating to individuals, which is considered a personal data breach under the NPC’s memorandum circular on personal data breach management.

“First, the BPI incident impacted information which is considered personal under the Data Privacy Act. This includes the processing of data, which is capable of uniquely identifying data subjects, such as the account information of BPI and BPI Family Bank customers contained in BPI’s systems,” Liboro said.

“Second, the nature of the incident impacted both the availability and integrity of personal information considering that the incident resulted in the posting of erroneous account information and the prevention of its access to account holders. Under the law, impacts to availability and integrity of personal information may constitute a breach where loss and/or alteration to personal information occurs, whether accidentally or unlawfully,” he explained.

The National Privacy Commission recently held a general assembly of Data Protection Officers (DPOs) in the banking industry. The event, called DPO2, was conducted in cooperation with the banking regulator, the Bangko Sentral ng Pilipinas (BSP), and the Bankers Association of the Philippines (BAP).

After the government, the NPC said, the banking and finance sector’s Personal Information Controllers (PICs) are the most heavily involved in high-risk processing, because of the nature of the data they process and the potential impact of breaches on economic security.