At 3:30 in the afternoon of October 20, COL Financial sent notice to the National Privacy Commission of a possible data breach “that may involve some personal client information.” Not long after, COL Financial also sent a similar notice to its clients.
COL Financial is one of the first brokerage companies to provide their clients direct, online access to their stocks being traded on the Philippine Stock Exchange. By its very nature, and in obedience to Philippine law, COL Financial maintains a formidable trove of data from their clients.
In incidents that involve a breach of personal data that can be used for identity fraud, institutions that maintain vast amounts of personal data should already know what to do when these crisis incidents strike. After all, the Commission actively engages both the private and public sectors in proselytizing the nuances of the different aspects of the Data Privacy Act of 2012, and in explaining its issuances and their implications across several platforms.
Once the institution has determined that a breach of sensitive personal data has occurred, the affected institution must notify the NPC and affected data subjects within 72 hours upon knowledge or reasonable belief that a breach has occurred. This regulation, among others, is included in NPC Circular 16-03 (Personal Data Breach Management).
Because the possible breach was detected in the afternoon of October 17, we can say that COL adhered to our guidelines on breach reporting. Included in COL Financial’s notification is a preliminary report that gives us additional details on what occurred that afternoon. To clarify matters further, we invited COL Financial to meet with us on 23 October to explain several details, and COL Financial was very transparent and forthcoming with its information on the incident.
We are, as always, actively monitoring the incident.
What we can say for now is that COL Financial has so far been upfront with us in their handling of this incident. Their response—in adhering to guidelines and managing the incident through established protocols—seems focused on the most vital imperative for any business handling personal information: maintaining their clients’ trust. Within the next few days, the NPC expects more details and documentation on the incident, which will help us investigate it more accurately and decide our further course of action.
Where information is the new oil in a digital economy, as many have said, those who are willing to gain information by any means have become a real threat to our way of life.
Just this week, another strain of ransomware, Bad Rabbit, reared its ugly head in Russia and Ukraine; it bears similarities with the WannaCry and Petya attacks that paralyzed systems and affected hundreds of thousands of users earlier this year. We can only expect these threats to the free flow of information to grow in scale and complexity.
The only real answer to these growing threats is resilience—establishing policies, structures, and protocols that work, providing means to data handlers to prevent damage, and to respond quickly and efficiently once any threat to data privacy emerges.