Lawbytes 128: WARNING TO GSIS PENSIONERS AND MEMBERS: THE E-GSISMO SITE IS NOT SECURE! Attention National Privacy Commission (Copyright by Dr. Atty. Noel Guivani Ramiscal)

I braved the rains last July 26, 2017 to deliver my lecture for the Mandatory Continuing Legal Education (MCLE) Seminar Series for the lawyers of the Government Service Insurance System (GSIS). Since my topic is on the “Operationalization of the E-Data Privacy and Security Requirements Under the Data Privacy Law”, I decided to concentrate on several IT systems and internet innovations that the GSIS have incorporated in its laudable goal of reaching out to its clients online, particularly the retired pensioners who cannot go to GSIS offices around the Philippines and those members who are overseas. As what I have done in all my lectures with government agencies, I zone in on IT issues that implicate the law which concern these entities to give value added service, instead of just merely lecturing on general privacy/legal issues.

The audience was comprised of over fifty lawyers, some of whom came from different parts of the country. I repeatedly requested for a representative of the IT Department, the HR Department, and if possible, the GSIS Data Privacy Officer so that we could have a dialogue regarding some of the issues I prepared to raise with them. The Chief Information Security Officer arrived and we had a productive repartee. The GSIS is one of the most important agencies in the Philippines that serve millions of stakeholders who are government pensioners so I strove to find out from the limited internet resources available, what are the pressing data privacy concerns that implicate the rights of government pensioners and GSIS members.

The GSIS had a “Skype Appointment system” which at the time of this blog’s publication (July 29, 2017) still carried the “Pilipinas Teleserv” (PT) name as the 3rd party provider/facilitator. The appointment system served to connect GSIS with people from all over the Philippines and the world via the Skype, which is offered primarily free by Microsoft as a communication tool/system. The GSIS, through the services of PT, developed a protocol for taking in the concerns of the GSIS members who used the service. PT in its website stated: Pilipinas Teleserv handles an average of 2,000 calls for the GSIS daily. Our total abandonment rate since operations began is remarkably low, coming in at only 3%. We are proud of our consistently excellent deliveries, with our First Call Resolution rate very close to 100% and our performance within a very tight 98%-100% range of the Service Level Agreement [https://teleserv.ph/how-we-do-things/gsis, accessed July 27, 2017].

I learned during my lecture that PT’s SLA just ended and the contract for this type of service was awarded to another bidder. One of the crucial things I pointed out is the obligation of PT, and whoever was awarded the current contract to comply with the requirements of the Data Privacy Law (R.A. 10173). It was not clear from the information I researched and from the information I gathered from the participants the type of arrangement GSIS and PT had with Skype. PT basically operated as a call center for GSIS using the Skype system. It was not clear if PT or GSIS paid Skype for the use of its system. I pointed out that under the policies of Microsoft and the Skype’s Fair Use Policy, anyone who is using the Skype tool as a free service is prohibited from doing any act that would not be considered Legitimate Use, which would include the following:

(i) Using subscriptions for telemarketing or call centre operations; xxxxxx

(iii) Sharing subscriptions between users whether via a PBX, call centre, computer or any other means; xxxxxx

Furthermore, “Skype may at its option, terminate its relationship with you, or may suspend your subscription immediately if it determines you are using your subscription contrary to this FUP or Skype’s Terms of Use”[Fair Use Policy, 19.3].

I asked the attendees if GSIS had any protocol as to the retention and destruction of those Skype video/messages from its clients all those years that PT ran the service. None of them apparently knew. This is actually crucial if any of those e-data became the subject of litigation. Moreover, PT, which was actually considered a personal information processor (PIP) for GSIS, did not have any privacy code or protocol in its website which can explain as to how it handled the privacy issues pertaining to GSIS’ clients. I suggested to the attorneys, particularly those engaged in procurement matters, to include data privacy requirements as part of the terms of reference (TOR) in procuring this type of service in the future.

Since GSIS utilized cloud service providers (CSPs) like Facebook, YouTube/Google and Microsoft/Skype to reach out to its clients, I apprised the audience of several perils in entrusting their clients’ e-data to the cloud. One of the dangers is the commingling of their clients’ e-data with the e-data of other clients of the cloud service providers in the same data files, specially if these different users use the same application in the cloud servers. This now becomes a “one stop shop for hackers”. In using the services of these cloud providers, GSIS and all its clients who use these services to communicate are subject to the untrammelled collection of e-data about them, including information about the computers, mobile phones and other e-devices they use to connect to these services, their locational data, their log-in information, including their phone numbers and the phone numbers of the people in their contact lists, and so on. One of the most notorious features about the CSP provider contracts is that they do not make the CSPs liable to the users of the services, from outages, to losses of e-data, to the introduction of computer malware that harm their IT systems, etc.

E-GSISMO insecurity as shown from an IMGUR posted apparently on January 12, 2017, photo of site by Dr. Atty. Ramiscal taken on July 29, 2017

Without doubt, the most disturbing thing that I raised with GSIS is the fact that its e-GSISMO website is NOT secure. I found an imgur message [https://imgur.com/r/Philippines/peI1L3a, last accessed July 29, 2017] and a Reddit thread [https://www.reddit.com/r/Philippines/comments/5nhbgn/look_gsis_egsismo_online_records_service_is/, last accessed July 29, 2017] pertaining to the insecurity of this website.

E-GSISMO’s insecurity as posted in REDDIT, photo of site taken by Dr. Atty. Ramiscal, July 29, 2017

The e-GSISMO site is quite significant for government retirees/pensioners and GSIS members because it contains their membership records, statement of loan accounts, and in a press release of GSIS last year, it was stated that it will allow members to view tentative computation of retirement and social insurance benefits, dividend payments, claim and loan records, and pensioners’ data.

E-GSISMO’s insecurity with REDDIT COMMENTS, photo taken of website by Dr. Atty. Ramiscal, July 29, 2017

The respondents in the Reddit thread were not specific or detailed in their discussion of what and how this site is insecure. I decided to investigate on my own.

When I accessed the site using MOZILLA FIREFOX, I was confronted with this message, which I showed to the audience:

E-GSISMO as an INSECURE WEBSITE determined by MOZILLA FIREFOX, presentation by Dr. Atty. Ramiscal to GSIS lawyers, July 26, 2017

By clicking on “Advanced” I was able to unearth the “ERROR CODE”.

E-GSISMO Statement of ERROR CODE underlined in yellow ink, presented by Dr. Atty. Ramiscal to GSIS lawyers last July 26, 2017

By clicking on the error code, I got the following message, and the insecure certificate chain:

E-GSISMO contents of the error code from Mozilla Firefox as presented by Dr. Atty. Ramiscal to GSIS lawyers last July 26, 2017

https://egsismo.gsis.gov.ph/
Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain: —–BEGIN CERTIFICATE—–
MIIFhjCCBG6gAwIBAgITBnt0NmDHvT4FazmLK9KYKr2P/DANBgkqhkiG9w0BAQsF ADCBtTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdD aGljYWdvMSEwHwYDVQQKExhUcnVzdHdhdmUgSG9sZGluZ3MsIEluYy4xPTA7BgNV BAMTNFRydXN0d2F2ZSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTSEEyNTYgQ0Es IExldmVsIDExHzAdBgkqhkiG9w0BCQEWEGNhQHRydXN0d2F2ZS5jb20wHhcNMTUx MDIzMDIxNzUzWhcNMTgxMDE4MDgxNzUzWjBgMRYwFAYDVQQDDA0qLmdzaXMuZ292 LnBoMQ0wCwYDVQQKDARHU0lTMRMwEQYDVQQHDApQYXNheSBDaXR5MRUwEwYDVQQI DAxNZXRybyBNYW5pbGExCzAJBgNVBAYTAlBIMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA8SpYUBHvWyNPOj06t/HWEem3Zue6bP7vO7TP/gziP+RO0gL3
jE2ObqZHPM+eGgq4+TD+928pJa7jnT05IZxFoJFMF/h6EBWcdKe/sk4r39AgJAf3 ETw2jmNKiChw7fANAfFW0e9nb7UykQjN1h6rN2JaeQW8OpkyujXyswoUHnG1nup/ /e5kOmJXnkSd+RszvhpBfvs6HQ66rowimNq5seWJ+StltuOsxp4XVAvjUnQE2bsk
dZo/rDj1hji++vUblWP/b/dS3cnPVOPhQD9GrtGdjDnxIiC9GSSNs1ynmPqO9kky U0sdvW8uaRmprbTBKrBEXIy0kwelY4Pvpk2aUQIDAQABo4IB4TCCAd0wDAYDVR0T AQH/BAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF BwMBMB0GA1UdDgQWBBTKyN3opKvHsKoieedveTqw/uJojDAfBgNVHSMEGDAWgBTK zh0YA3ceHPN8WLKacKgIgBb0rjBIBgNVHSAEQTA/MD0GDysGAQQBge0YAwMDAwQE AzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3NzbC50cnVzdHdhdmUuY29tL0NBMGwG A1UdEQRlMGOCDSouZ3Npcy5nb3YucGiCC2dzaXMuZ292LnBoghBrZXlzLmdzaXMu Z292LnBoghB3aXNlLmdzaXMuZ292LnBoghB0ZXN0LmdzaXMuZ292LnBogg93d3cu Z3Npcy5nb3YucGgwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC50cnVzdHdh dmUuY29tL09WQ0EyX0wxLmNybDBxBggrBgEFBQcBAQRlMGMwJgYIKwYBBQUHMAGG Gmh0dHA6Ly9vY3NwLnRydXN0d2F2ZS5jb20vMDkGCCsGAQUFBzAChi1odHRwOi8v c3NsLnRydXN0d2F2ZS5jb20vaXNzdWVycy9PVkNBMl9MMS5jcnQwDQYJKoZIhvcN AQELBQADggEBAGamlyW1N+fuR54IdO9o0qw2/09Xppz2j1MDm9IemZDadXJIai6m 7JdPeL2+rTOrzfVDlbsTcBBw0QVkzpFoZLJ1cI9PYSAGXqA1pR8t6DcpnKVRV0yH sThrrKfJZag2FwIA4cns+4qmwf44s6O7LfJ6VoZhTVjIsrbacZrGmaHvsODi9NlW 1wX0rsJA5Hjv58nIKjv/Ptyu5sdl4KmaVyIlPoDtu1Jta+nCYGKF8TJ0X9HwrHzu 3Dt9UqD+jKUDDOe06wqMFy8ME89vE9NHjghv0L5aPrIDE5UAuEBl4lpieQ0Zkv9q
gZiBPcY9hFm9XSQo67FRnqYX4al8AxcdPiM=
—–END CERTIFICATE—–

The concept of a digital certificate is like a passport or an ID that validates the identity of the user to the recipient of a message or e-data, so that they can communicate securely over the internet using the public key infrastructure system. It is not within the scope of my article to give the details of digital certification systems. It suffices for now to say that digital certificates are issued by digital certification authorities (DCAs) to users to attest to their identity, and to provide evidence that a certificate is valid, it is digitally signed by a root certificate belonging to a trusted certificate authority. A receiver of digitally signed/encrypted information from a user can validate the Certification Authority (CA) signature, and can check the additional information in the certificate [e.g. expiration period of certificate] to honor it. Operating systems and browsers maintain lists of trusted CA root certificates so they can easily verify certificates that the CAs have issued and signed. In this case, Mozilla Firefox did not recognize the certificate of the e-GSISMO DCA, proving the insecurity of the website.

When I presented the powerpoint slide that shows the Mozilla Firefox message, error code and the report on the false certificate, I asked the people in attendance if the GSIS management knew about this. It was confirmed by an unimpeachable GSIS source during my lecture that the DCA of e-GSISMO did indeed lack certain requirements which made the website insecure. Further, this fact was actually revealed to the GSIS management which was notified of the risks. But the management made a business decision to actually release and continue the website’s operation, despite the risks. This is the core of GSIS e-data and services, because they contain very specific detailed confidential and highly sensitive information about specific GSIS members that cannot be retrieved or accessed in other government websites, including the hacked COMELEC sites and computer. For the GSIS management to have approved the operation of the unsecured e-GSISMO site and to advertise it to be used by all GSIS members and retired pensioners, is a very bad business decision that can harm the privacy rights of GSIS members and pensioners and impact on their well being.

If the continued operation of this insecure site results in the actual harm of any GSIS stakeholder, or in the perpetration of a criminal act against any GSIS stakeholder, the GSIS management can be held accountable. I impressed upon the audience that the members of the GSIS Board of Trustees, and its officers, who were apprised of the risks and yet decided to run the site cannot find refuge in the Directors’ and Officers’ Liability Insurance (DOLI) policy. The policy does NOT cover any claim against the insured:

Where the court, tribunal, or administrative agency finds that the GOCC, acting through its Board of Directors or
Management, has violated its charter or caused unreasonable damage to its identified stakeholders.xxx

Where liabilities arise from the director’s/trustee’s or officer’s fraud, breach of fiduciary duties, or
unethical conduct.

I pointed out that a violation of the pertinent provisions of R.A. 10173 is a criminal offense, and a criminal offense is more than mere unethical conduct.

Under SEC. 34. of this law, if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. One lawyer asked if a cybersecurity insurance policy, which I discussed in connection with the protection of GSIS e-data would cover the members of the BOT, I said that cybersecurity insurance policies generally cover the losses of the corporation itself, like GSIS, due to e-data breaches, not individual corporate officials’ liabilities to the GSIS and to the GSIS members and retired pensioners.

The GSIS and its BOT must be reminded of the NPC decision re: the breach of electorate data kept in the custody of COMELEC, i.e., “the duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action.” In this case, as the unimpeachable source during my lecture confirmed, the GSIS management were already warned of the risks by its own people, and yet decided to continue inflicting this unsecured website on its members and pensioners.

Finally, even if no GSIS member or retired pensioner is actually harmed by the unsecured e-GSISMO website, the BOT members and GSIS officials are still bound by the R.A. 10173 to implement the necessary safeguards to protect the edata of all GSIS stakeholders as a personal information controller (PIC). I apprised the attendees that these measures, together with the cyber hygiene practices that all PICs in the Philippines must observe on a regular basis, should be part of the corporate social responsibility of all PICs. The National Privacy Commission and the Civil Service Commission must look into this matter.

I wrote this article for the sake of millions of GSIS members (I am not one of them) and retired pensioners who may have used the e-GSISMO insecure website. They deserve better service and treatment. Actually, they deserve the best.

As always, I am grateful to God for this opportunity to ferret out matters like this in the interest of public service. Let us hope that the GSIS BOT and all its officials who are connected to safeguarding the privacy rights of the GSIS members do their jobs properly. God bless us!

Lawbytes 127: ADVOCATING FOR THE “RIGHT TO BE (DIGITALLY) FORGOTTEN” OF THE VICTIMS OF REVENGE PORN: ATTENTION NATIONAL PRIVACY COMMISSION! (Copyright by Dr. Atty. Noel Guivani Ramiscal)

In my cyberlaw advocacies concerning the rights of victims of Sexual Orientation and Gender Identity (SOGI) discrimination, I encounter different, ever nefarious, ways of how sexual predators and their cohorts try to manipulate and make their victims suffer. Consider the case of R, a normally smart woman, except when she fell in love. She acceded to her lover’s request of digitally filming their multiple lively sexual congresses, to pacify her lover’s entreaties that he would keep them as a private reminder of their love, when he goes overseas, and as an incentive for him to come back to her.

The fickleness of Fate and her lover’s voracious sexual appetite prevented that from happening. The current sexmate of her lover discovered the recordings and in a jealous fit, posted them on a website that panders to pornography. This site encourages people to post videos of their exes in compromising sexual positions as a way of getting back at them. As an added “attraction” the site has an affiliated “digital reputation” management firm that contacts the victims of the site and offers them the opportunity to have the offending videos deleted for a price, which is usually exorbitant. The offer has an expiry date and if the contacted entity cannot come up with the money to pay the firm, the video stays on the site and it is “shared”, that is, for a price to other pornographic sites. R could not pay, and even if she had the resources to pay the price, there is actually no assurance from the digital reputation firm that the video had not already been previously copied and circulated to other websites. So this is one way of perpetuating online the private intimate details of a victim’s life without the consent and knowledge of the victim.

Prior to the Data Privacy Law, there are two legal remedies that can be invoked against cyber privacy predators in the Philippine context that could assist victims like R. The earliest remedy, which recently got a judicial boost from the ruling of the Supreme Court in the Vivares case is the writ of habeas data. This case established the rule that any person whose information (paper or electronic) is subject to the collection by any entity without the person’s consent can go to court via a writ of habeas data and have the collected information (among others) destroyed. The entity’s purpose or intent in collecting the information is immaterial and it is also not relevant if the entity engaged in this activity for personal enjoyment or as a business concern.

The second, later and more obvious remedy is the Anti-Boso Law, which criminalizes the act of disseminating or distributing in real time or in the internet, (among others) the act of sexual intercourse between two partners without the consent of the parties involved, even if they originally consented to the filming of the act itself.

In my lectures for lawyers and other professionals and SOGI advocates, I offer another legal alternative, i.e., the Intellectual Property Code. If the victim actually produced, acted, or had a hand in making the digital recording, then any unauthorized distribution of that recording, without the victim’s consent, can be considered an infringement on the victim’s copyright. This is considered a criminal offense because under the IP Code, copyright infringements do not only have civil aspects but are crimes as well.

One can also apply the Cybercrime Prevention Act in this regard because in the commission of the crime, a computer and/or computing system/network was definitely utilized. This will increase the criminal penalties of the accused by one degree.

Under the current Data Privacy Law, victims of revenge porn can take refuge in the law’s recognition of the right of any data subject to be “forgotten” or digitally “erased” from the web, or at least certain portions of the Internet. It all started with a Spanish case about (of all people) a lawyer trying to address the damage to his reputation concerning his cases pertaining to his unpaid debts which he already settled. Google Spain continually came up with search lists that included his cases and he sought to have these materials “delinked” to his name, and he succeeded.
The issue with the Philippine Data Privacy Law and its Implementing Rules and Regulations (IRR) promulgated by the National Privacy Commission (NPC) last September 2016, is that they contain no Guidelines or procedure as to how to operationalize or actualize this right.

The NPC as the vanguard of the data privacy rights of data subjects, like victims of revenge porn, must not gloss over this right. The NPC can consider the three legal remedies I have discussed in this article and incorporate them in whatever procedure they will formulate to actualize this right.

What would be truly useful is if NPC can provide assistance to victims who desire to deal with digital reputation management firms in an informal and effective manner, assuming that the victims do not desire to file criminal cases. What is also crucial is if NPC can also clarify the extent of “digital forgetting” as far as search engines go. If for example the offending material appeared in Google search engine, can victims have recourse to Google worldwide or merely Google.ph?

In the meantime, SOGI advocates and legal practitioners who are engaged in procuring redress for revenge porn victims can choose to avail of all these remedies I have discussed and see which one is most effective for their clients.

One final caveat, even though these remedies are available, and the extraterritorial reach of the Data Privacy law and its IRR, (and relatedly the Philippine Cybercrime Prevention Acts and its IRR) can actually cover any state in the entire planet, there is no assurance that any Philippine court or agency, including the NPC, can actually and effectively enforce these remedies against foreign maintainers of revenge porn sites.

Lawbytes 126: OPERATIONALIZING DATA PRIVACY IN LAW FIRMS (Copyright by Dr. Atty. Noel Guivani Ramiscal)

My cyberprivacy advocacy have taken me to some interesting places, including law firms. When UPIAJ invited me to lecture at the ACCRALAW Tower for the ACCRALAW lawyers last June 17, 2017, on data privacy, I jumped at the opportunity of scrutinizing the policies and practices of this law firm which has a long and illustrious history in the Philippine legal industry, and therefore a good benchmark for Philippine law firms, as far as protecting data privacy is concerned. My objective was to perform an informal external audit to see how the firm has complied with some of the most crucial requirements of the data privacy law (R.A. 10173) which is probably one of the most controversial and challenging laws that all Philippine entities that fall within its scope as a “personal information controller” (PIC) must deal with.

The firm’s website has a News & Updates portion which contained an article concerning the deployment of the iManage system that apparently was done last January of this year. The article states:

xxx In iManage, ACCRALAW has deployed a sophisticated Work Product Management system that encompasses document management, email management, knowledge management, analytics, process automation and more.”

In the first few months of going live with iManage Work, ACCRALAW has already experienced significant benefits. iManage Work integrates seamlessly with ACCRALAW’s existing practice management system, so that when a new matter is created, a workspace is automatically generated in iManage Work, without the need of manual intervention. Within minutes, users can start saving and publishing documents to this centralized repository, allowing anyone connected to the matter to search, access, and view the related files — saving valuable time and enabling more efficient collaboration.

iManage Work has been rolled out across all of the Firm’s practice departments. As a result, the Firm can better carry out work on behalf of its clients in areas ranging from Litigation and Dispute Resolution, Corporate and Special Projects and Intellectual Property, to Labor, Tax and other specializations. [ACCRALAW Deploys iManage for Document and Email Management,January 30, 2017, http://www.accralaw.com/news-updates/accralaw-deploys-imanage-document-and-email-management, accessed July 25, 2017]

In my lecture, I asked the over 40 lawyers present several questions including: Were ACCRALAW’s clients informed, and their written consent secured re: their personal information being subject to “processing” thru the iManage system prior to its roll-out? I further asked if there was a Privacy Impact Assessment (PIA) made prior to the deployment of iManage with respect to their clients who are, in all probability, the “data subjects” whose data are inputted in the iManage system. The response was not positive or clear. To be fair, none of the firm’s IT experts, nor the head of the MIS department, nor its Chief Privacy Officer was there to elucidate on this issue.

The article merely mentioned that before “deciding on a Work Product Management system, ACCRALAW exercised due diligence by visiting several legal firms in neighboring Malaysia that were iManage customers, to hear their opinions first-hand.” If its clients’ consent was secured and a PIA was actually done, then these should have been mentioned in the article. Gathering the opinions of iManage users cannot substitute for the firm actually securing their clients’ consent to the iManage system and conducting the actual PIA that are legally mandated and should have been part of the firm’s due diligence. It is also a legal must that the iManage system must be registered with the NPC, as part of the compliance processes that ACCRALAW as a PIC must undergo. I was not able to get any confirmation if iManage was already registered with NPC.

One good thing about the ACCRALAW’s implementation of the iManage system is that the firm does not utilize the hybrid cloud storage and infrastructure services offered by iManage. iManage’s hybrid cloud purportedly services over 1,800 law firms globally. In this connection, I discussed some of the dangers of entrusting clients’ data to cloud services. By choosing not to hand over their clients’ data to iManage’s cloud, and by deciding to develop their internal expertise in managing and dealing with data issues, ACCRALAW will thus avoid the data security breaches that plague the cloud. It is also commendable that the firm is training its own people on e-data management because they can develop the expertise that can be crucial in the electronic discovery of data that is in the iManage system which could be the subject of future litigation.

Another IT system the ACCRALAW is using is the Elite system for its financial records. The firm has an access policy which contains restrictions and delineates the people who are allowed to access these important records and the system. Other records of significance are located off-site. These are crucial procedures and protocols that can further avoid data security breaches. It is not clear though if the Elite system is registered with NPC.

As of the time of this blog’s publication (July 25, 2017), the ACCRALAW website still does not contain any posting of the law firm’s privacy policy or privacy code. I told the audience that they should pose this document on their website as part of their compliance with the NPC directives. One member of the audience said that they are still at work in crafting their policy/code.

I also found out that the firm has no social media policy and no Bring-Your-Own-Device (BYOD) policy which can create problems for the firm. While lawyers are supposed to observe the confidentiality of communications between them and their clients, I told the audience that cases abound in different jurisdictions where lawyers using social media have honoured this professional obligation in the breach. Some of the junior lawyers who brought their mobile phones with them confirmed during my lecture that these devices are owned by them personally. Assuming that they use these e-devices for their professional work as well, complications can arise due to the commingling of personal and professional data on these e-devices, if any of these data become the subject of litigation. Also, lawyers tend to be mobile, increasing the risk of security breaches on these devices. Firm clear policies on these matters, including access policies to the firm’s IT assets, and their effective implementation can actually serve as an insurance and defense for the firm in any future controversy that involve data breach and gross negligence charges levelled against it.

There are a lot of things that lawyers need to know in securing their own data as well as the data of their clients. The Chief Privacy Officer of any organization has their work cut out for them. The Data Privacy Law was passed last 2012. In a seminar I attended last January of this year, NPC Deputy Commissioner Ivy Patdu made the pronouncement that even if the law’s Implementing Rules and Regulations were promulgated over four years after its passage, the NPC operates on the principle that all PICs should have formulated and implemented the necessary policies, safeguards, and protocols that were clearly mandated by the law way back in 2012. All PICS (including law firms like ACCRALAW), as it stands, only have up to September 9, 2017 to comply with the registration requirements under this law. Law firms are particularly placed on the spotlight because they are supposed to be models of legal and regulatory compliance. Here is trusting that all Philippine law firms can duly and timely comply with the NPC requirements.