WATCH | Comelec chair Bautista criminally liable for 'Comeleak' — NPC
The online news portal of TV5
MANILA — Comelec chairman Andres Bautista is criminally liable for the massive breach in voter database before the 2016 elections, an incident dubbed “Comeleak,” according to the findings of an investigation by the National Privacy Commission.
Part of the 35-page decision, which will be submitted to the Department of Justice for further investigation, deems Bautista guilty of “gross negligence” in terms of instituting a robust data protection policy that could have prevented Comeleak.
“The wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos,” the NPC said.
Tons of personal details contained in the Post Finder app — such as name, birthday, gender, passport information, address, etc — are now out in the wild, though the NPC said they found no biometric data. Initially estimated to have covered about 50 million records, NPC’s investigation now places it at about 80 million.
“It is now globally recognized that this incident is the worst recorded breach on a government-held database in the world. The sheer volume of data that Comelec has should have necessitated organizational and technical measures that are above minimum,” NPC commissioner Mon Liboro said in a press conference.
The NPC said it found Bautista directly culpable due to his oversight function as head of the agency.
Comelec also clarified that they found no evidence of the hacking affecting the results of the election.
“We note that the Comelec in fact protected the vote. But the question is that in its zeal to protect the vote, did it fail to protect the voter,” NPC deputy commissioner Dondi Mapa said.
Bautista puzzled by raps
For his part, Comelec chairman Andres Bautista said rules and standards on data privacy were not in place when Comeleak happened.
“The Data Privacy Act was passed in 2012 but the (NPC) was only organized in March 2016 so at that time there were no implementing rules and regulations for data privacy. In terms of standards that we were supposed to comply with, those were not clear,” Bautista said in a press conference.
Bautista also said he cannot understand the recommendation of criminal charges against him.
“The filing or the investigation of the Department of Justice for potential criminal liability is too much. Isn't that logic wrong, that every mistake is pinned on the head of agency?” Bautista said.
“Hacking happens these days even to the most secure websites; in America, even Facebook, Google, Twitter, all of them have been hacked, even the US government. So it is really hard to say that one person or group fell short, which is why what should be given attention is the remedial measures,” Bautista said.
Bautista said he will file a motion for reconsideration with the NPC, through the Office of the Solicitor General.
WATCH THE NEW5 VIDEO REPORT BY JOSE BIMBO SANTOS BELOW:
Bautista questions NPC report
“With all due respect to the NPC membership, we believe that the NPC decision was based on mis-appreciation of several facts, legal points, and material contexts,” Bautista said in a statement.
At the same time, the poll body chief questioned the NPC report, which blamed him for the incident.
He noted that the Commission en banc, which he heads, is composed of seven individuals and is a collegial body.
“While data privacy and security are important topics that need to be taken seriously, these are matters that are best left to Information Technology (IT) experts. Unlike the NPC, which is run by IT practitioners, the Comelec en banc is currently managed by seven lawyers. Hence, we rely on our IT Department for expert advice on website/data security and privacy and IT-related matters,” Bautista said.
He added, “As the head of agency, in areas where I did not have specific expertise, I generally trusted the advice and recommendation of our IT experts. And if the Comelec IT specialists directly in charge of operating the website were found not to be liable, what more those who merely oversee their work and, in particular, the head of agency?”
Likewise, Bautista said that he should not be blamed over his supposed failure to appoint a Data Protection Officer as provided by the Data Privacy Act or Republic Act 10173.
“NPC misappreciated the role of the head of agency in a collegial body. It is the en banc that sets a policy that the head of agency is tasked to implement... Since the law was passed in 2012, the Commission had not appointed one. And if an appointment had to be made, not just the head of agency but the entire en banc will vote on the appointment,” the poll body chief added.
Bautista also questioned the NPC for focusing on the Comelec over the data leak instead of running after those behind the hacking incident.
“Data breach or hacking is not a new phenomenon. Many leading private IT companies and government agencies here and abroad were confronted by data breaches despite putting in place security measures. Given the foregoing, should the focus not be on apprehending the hackers instead of punishing the hacked?” he added.
In its 35-page decision, the NPC said Comelec had violated Sections 11, 20, and 21 of the Data Privacy Act when it failed to protect the privacy of the voters’ data in its role as “personal information controller”.
The ruling, issued on Dec. 28 but made public only on Thursday, also recommended the criminal prosecution of Bautista due to his “wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence”.
The hacker group Anonymous Philippines hacked the website of the Comelec and defaced its contents on March 27, 2016.
The next day, another group, LulzSec Pilipinas, leaked millions of voter registration records online, including names, addresses, and birthdays, among others.