“Should the focus not be on apprehending the hackers instead of punishing the hacked?”
The head of the Commission on Elections (Comelec) questioned on Thursday the findings of the National Privacy Commission (NPC) that he was solely responsible for the data breach of the poll body’s website last year.
Comelec Chair Andres Bautista disputed the privacy commission’s finding that he was grossly negligent and criminally liable for the leak of millions of voters’ data from the Comelec website.
In a statement, Bautista said the commission’s finding “was based on misappreciation of several facts, legal points and material contexts.”
He explained that as head of the Comelec, he “generally trusted the advice and recommendation of IT experts” in areas where he did not have specific expertise.
“If the Comelec information technology (IT) specialists directly in charge of operating the website were found not to be liable, what more those who merely oversee their work and the head of agency?” he said.
Tweets
Bautista also took to his Twitter account (@ChairAndyBau) to express his disappointment.
“I’m saddened by the recent NPC pronouncements placing the entire blame on me, in my capacity as Comelec chair,” he said.
Bautista maintained that he faithfully complied with the duties and responsibilities entrusted to him as head of the poll body.
“I would just like to make it clear that the hacking incident is not related to the results of the 2016 elections,” he added.
In a decision dated Dec. 28, 2016, the privacy commission recommended the filing of criminal charges against Bautista for gross negligence under the Data Privacy Act of 2012.
In March 2016, the Comelec website was hacked and defaced, leaking voters’ data, such as their full names, addresses and birthdays, to another website that has since been taken down.
Hackers’ groups
The hackers’ group Anonymous Philippines was reportedly responsible for defacing the website, while another group, LulzSec Pilipinas, leaked millions of voter registration data online.
The privacy commission said the Comelec did not observe basic data privacy principles, as it had no existing policy covering data privacy. It also noted that the poll body had no data protection officer.
As corrective measures, the privacy commission ordered the Comelec to appoint a data protection officer within one month, conduct an agency-wide privacy impact assessment within two months, and create a privacy management program and breach management procedure in three months.
The commission also recommended that the Department of Justice investigate its finding that a computer used in the so-called Comeleak had an IP address registered with the National Bureau of Investigation.
In his defense, Bautista said the Comelec did all it could to respond to the security breach and identify, locate and arrest the perpetrators.
Task force
He cited the poll body’s actions of creating a task force to probe the data breach, designating Comelec resource persons for the NPC, and instructing the Comelec executive director to comply with the reportorial requirements of the Data Privacy Act.
A Voter Care Center was established months after Comeleak, with the Comelec claiming it had not yet received any call or inquiry into the data leak.
Bautista noted that the Comelec, in good faith, cooperated with the commission’s proceedings despite the lack of the implementing rules and regulations (IRR) guiding NPC actions, since the IRR was implemented only in August 2016.
The Comelec chair pointed out that the commission conveniently pointed to the head of the poll body as “solely responsible for the data breach.”
IT expertise
Bautista argued that although data privacy and security were important topics that needed to be taken seriously, “these are matters that are best left to IT experts.”
Unlike the privacy commission, which is run by IT practitioners, the Comelec en banc is managed by seven lawyers, he said.
“Hence, we rely on our IT department for expert advice on website/data security and privacy and IT-related matters,” he said.
Bautista added: “Following the decision’s logic, if there is a breach of the Supreme Court website, will the Chief Justice be potentially liable?”
The Comelec chair maintained that he should not be blamed for the supposed failure to appoint a data protection officer as mandated by the Data Privacy Act.
He explained that the Comelec en banc set the policy that the head of the agency was tasked to implement.
“The NPC misappreciated the role of the head of agency in a collegial body. It is the en banc that sets a policy that the head of agency is tasked to implement,” he said.
No data protection officer
He noted that since the Data Privacy Act was passed in 2012, the Comelec had not appointed a data protection officer. He said the entire en banc would have to vote on the appointment of a data protection officer.
Bautista also asked why the privacy commission was focusing on the Comelec in the data leak instead of going after the perpetrators of the hacking incident.
Motion for reconsideration
“Many leading private IT companies and government agencies here and abroad were confronted by data breaches despite putting in place security measures. Given the foregoing, should the focus not be on apprehending the hackers instead of punishing the hacked?” he said.
The Comelec will submit a motion for reconsideration to the privacy commission through the Office of the Solicitor General, although it intends to implement the security recommendations of the commission.