AIS Chapter 3

The document discusses the legal and ethical aspects of information security in the Philippines, emphasizing the importance of legal frameworks in protecting privacy and preventing cybercrime. It highlights notable data breaches, various types of law, and key legal frameworks such as the Data Privacy Act and Cybercrime Prevention Act. The document also outlines the roles of policies versus laws in organizational contexts and the implications of these laws on information security practices.

Uploaded by

andie.lim0821
LEGAL AND ETHICAL ASPECTS OF INFORMATION SECURITY IN THE PHILIPPINES
AIS 7 CHAPTER 3
INTRODUCTION TO INFORMATION
SECURITY IN THE PHILIPPINES
Overview:
Importance of information security in the digital age
The role of legal and ethical frameworks in ensuring secure
information management
Protects privacy, intellectual property, and prevents
cybercrime
5 NOTABLE DATA BREACHES IN THE
PHILIPPINES - YONDU
Comelec Data Breach (2016)
A month before the 2016 national elections, the Commission on Elections
(Comelec) suffered a large-scale attack many consider the most
significant government-related data breach. It involved hackers accessing
and compromising data from roughly 70 million people (more than half of
the country's population), including fingerprint data, passport information,
email addresses, postal addresses, birthplace, height and weight, gender,
marital status, and parents' names.
The hacker group Anonymous Philippines claimed responsibility for the
attack, which amounted to a data dump of 340 GB. For its part, Comelec
continues to beef up the security of its website and database.
Wendy's Philippines (2017)
On April 23, 2017, hackers infiltrated the fast food chain Wendy's
Philippines' website, exposing over 82,000 customer and employee records,
including names, email addresses, postal addresses, and resumes. In
response, the National Privacy Commission (NPC) obliged the company to
notify those affected.
Upon further investigation, the NPC also found the attackers had
compromised account passwords, transaction details, and modes of
payment. The Commission required Wendy's Philippines to perform a
cybersecurity assessment to identify vulnerabilities and prevent further
incidents.
Cebuana Lhuillier Marketing Server Branch (2019)
Pawnshop and remittance company Cebuana Lhuillier became a data
breach victim in January 2019. The incident occurred when hackers
infiltrated one of Cebuana's email servers for its marketing activities,
compromising the data of roughly 900,000 clients, which is 3% of its total
clientele. The company also traced unauthorized downloads dating back to
August 2018.
In its official statement, Cebuana Lhuillier revealed that the data dump
included customer birthdays, addresses, and sources of income.
Fortunately, financial transaction details were safe from the attack. The
company collaborated with the NPC to perform an internal investigation
and improve its cybersecurity following the incident.
UCPB Independence Day Cyber Attacks (2020)
The government-controlled United Coconut Planters Bank (UCPB) lost
millions of pesos through numerous online transfers and automated teller
machine (ATM) withdrawals during the three-day holiday in June 2020. In
one case, the culprits made 57 withdrawals from a single ATM, taking out its
entire ₱4 million stock. The total losses amounted to ₱167 million.
A bank official reported that the hackers held UCPB accounts, which they
used with other local banks to transfer and withdraw the money. Based on
theories, the culprits might have had inside help and could be a part of a
larger syndicate operating in the local banking system.
PhilHealth Medusa Attack (2023)
The recent attack on the Philippine Health Insurance Corporation
(PhilHealth) has far-reaching implications for the government's
cybersecurity capabilities. As of October 10, hackers have begun releasing
stolen data on the dark web, including confidential memos and member
data (i.e., addresses, phone numbers, and insurance IDs). They demanded
$300,000 (₱17 million) in exchange for the stolen information.
The hacker group, which the government calls Medusa, accessed the data
on September 22 after restricting PhilHealth staff from accessing their
system. The insurance corporation shut it down to prevent further damage, but
the hackers had already secured 734 GB of files. PhilHealth has 59 million
direct and indirect contributions.
WHAT IS A LAW?
Laws are rules that mandate or prohibit certain societal
behavior.

Information Security Law is the body of legal rules, codes, and standards that
require you to protect that information and the information systems that
process it, from unauthorized access.
POLICIES VERSUS LAW

Policies are a body of expectations that describe acceptable and unacceptable
employee behaviors in the workplace.
Policies function as laws within an organization; they must be crafted carefully to
ensure they are complete, appropriate, and fairly applied to everyone.
Difference between policy and law: ignorance of a policy is an acceptable
defense.
Criteria for policy enforcement:
Dissemination (distribution) – The organization must be able to
demonstrate that the relevant policy has been made readily available for
review by the employee. Common dissemination techniques include hard
copy and electronic distribution.
Review (reading) – The organization must be able to demonstrate that it
disseminated the document in an intelligible form, including versions for
illiterate, non-English-reading, and reading-impaired employees. Common
techniques include recordings of the policy in English and alternate
languages.
Comprehension (understanding) – The organization must be able to
demonstrate that the employee understood the requirements and content
of the policy. Common techniques include quizzes and other assessments.
Compliance (agreement) – The organization must be able to demonstrate
that the employee agrees to comply with the policy, through act or
affirmation. Common techniques include logon banners which require a
specific action (mouse click or keystroke) to acknowledge agreement, or a
signed document clearly indicating the employee has read, understood, and
agreed to comply with the policy.
Uniform enforcement – The organization must be able to demonstrate that the
policy has been uniformly enforced, regardless of employee status or
assignment.
TYPES OF LAW IN THE PHILIPPINES

Civil law - private rights and obligations, dealing with relationships between
individuals. The main source of civil law is the Civil Code of the Philippines
(Republic Act No. 386), which codifies rules governing the legal rights and
obligations of individuals in private transactions.
Family Law: Marriage, divorce (limited to certain grounds), legal separation,
child custody, and adoption.
Contract Law: The rules that apply to the formation, execution, and
enforcement of contracts.
Property Law: Governs ownership and rights to property, including real and
movable property.
Succession: Deals with the distribution of a deceased person's estate,
whether through a will or by intestate succession laws.
Criminal law - Criminal law deals with acts considered offenses against the
state or society at large. The Revised Penal Code (Act No. 3815) is the primary
source of criminal law in the Philippines. It defines crimes, classifies them
according to severity (felonies, misdemeanors), and prescribes corresponding
penalties. Crimes range from serious offenses like murder, rape, and theft to
minor infractions like public disturbance or illegal possession of firearms.
The main objectives of criminal law are to punish offenders, prevent crimes,
and protect society. Criminal cases are prosecuted by the state,
represented by public prosecutors.
Commercial law - Commercial law, or business law, regulates business and commercial
transactions in the Philippines. It covers a wide array of legal issues, including
the formation and operation of companies, negotiable instruments,
bankruptcy, and the regulation of trade.
The Corporation Code of the Philippines (Batas Pambansa Blg. 68) is one of
the foundational statutes for commercial law, along with other laws such
as:
Securities Regulation Code: Regulates securities transactions.
Insurance Code: Governs the insurance industry.
Negotiable Instruments Law: Defines the legal framework for negotiable
instruments like checks, promissory notes, etc.
Administrative law - Administrative law governs the organization and
functioning of government agencies, including their decision-making
processes and their ability to regulate certain activities. In the Philippines,
administrative bodies are created by statute and are granted specific powers to
enforce and implement laws within their jurisdiction.
An example is the National Telecommunications Commission (NTC), which
regulates the telecommunications industry in the country. Administrative
decisions can be challenged in court if they are found to violate legal
principles or exceed the authority granted to the agency by law.
Labor law - governs the employer-employee relationship in the Philippines.
This includes regulations on wages, working hours, conditions of employment,
employee benefits, and the process for resolving labor disputes.
The Labor Code of the Philippines (Presidential Decree No. 442) is the
cornerstone of labor law. It provides protections for workers, including
minimum wage laws, maternity and paternity leave, and rules on employee
dismissal and resignation.
Labor laws also recognize the right of employees to form unions and engage
in collective bargaining. In case of disputes between employers and
employees, the Department of Labor and Employment (DOLE) and other
specialized labor tribunals handle the resolution process.
Tax Law - governs the collection of taxes, the obligations of taxpayers, and the
administration of tax policies in the Philippines. The National Internal Revenue
Code (Republic Act No. 8424), along with amendments, is the primary source of
tax law, and it defines the various taxes levied on individuals and businesses.
There are several types of taxes in the Philippines, including:
Income Tax: Levied on the earnings of individuals and corporations.
Value-Added Tax (VAT): A consumption tax imposed on the sale of
goods and services.
Estate Tax: Tax imposed on the transfer of estate upon death.
Donor’s Tax: Tax on gifts or donations.
The Bureau of Internal Revenue (BIR) is responsible for enforcing tax laws
and ensuring compliance.
Environmental law - aimed at conserving and protecting the country's natural
resources. Laws such as the Philippine Environmental Code (Presidential Decree
No. 1152) and the Clean Air Act (Republic Act No. 8749) establish rules and
regulations for pollution control, waste management, and natural resource
conservation.
Regulatory bodies like the Department of Environment and Natural
Resources (DENR) enforce environmental laws and set penalties for
violations such as illegal logging, mining, and other activities that harm the
environment.
International law - governs the country's obligations under treaties,
conventions, and other international agreements. International law principles
also govern issues like human rights, diplomatic relations, and international
trade. The Philippines adheres to international law principles, especially as
ratified through treaties like the United Nations Convention on the Law of the
Sea (UNCLOS), which governs maritime disputes and rights.
Customary and Indigenous Law - The Indigenous Peoples' Rights Act (Republic
Act No. 8371) recognizes and protects the rights of indigenous peoples to their
ancestral lands, customs, traditions, and governance systems.
In many instances, these customary laws coexist with national laws, and
conflicts between them may require resolution through legal or
administrative processes.
Constitutional law - At the pinnacle of the Philippine legal system is the 1987
Constitution. Constitutional law governs the fundamental principles by which
the state operates. It defines the structure of government, the rights and duties
of citizens, and the limitations of governmental power. Constitutional law is
paramount, and no other law can supersede or contradict it.
For example, the Bill of Rights guarantees freedoms such as freedom of
speech, the right to due process, and the right to equal protection under the
law. If a law or government action violates these constitutional rights, the
courts have the power to declare them unconstitutional.
Source: https://www.respicio.ph/dear-attorney/different-law-philippines
SOURCES OF LAW IN THE PHILIPPINES

The Constitution - the fundamental and supreme law of the land


Statutes - including Acts of Congress, municipal charters, municipal
legislation, court rules, administrative rules and orders, legislative rules and
presidential issuances
Treaties and conventions - these have the same force of authority as statutes
Judicial decisions - Art 8 of the Civil Code provides that ‘judicial decisions
applying to or interpreting the laws or the Constitution shall form a part of the
legal system of the Philippines’. Only decisions of its Supreme Court establish
jurisprudence and are binding on all other courts.
To some extent, customary law also forms part of the Filipino legal system. Art
6, para 2 of the Constitution provides that ‘the State shall recognize, respect,
and protect the rights of indigenous cultural communities to preserve and
develop their cultures, traditions and institutions’.

The primary sources of Muslim law / Shariah are the Quran, Sunnah, Ijma and
Qiyas.
WHAT IS PRIVACY?
Privacy is a “state of being free from unsanctioned
intrusion”, where unsanctioned means lacking effective or authoritative
approval or consent.
The state or condition of being free from being observed or disturbed by other
people.
KEY LEGAL FRAMEWORKS IN THE
PHILIPPINES
Data Privacy Act of 2012 (Republic Act No. 10173):
Protects personal data and ensures privacy
Governs how personal data is collected, processed, and stored
Establishes the National Privacy Commission (NPC) to oversee compliance
Cybercrime Prevention Act of 2012 (Republic Act No. 10175):
Addresses offenses such as hacking, cybersex, identity theft, and online
libel
Establishes penalties for those found guilty of cybercrimes
Electronic Commerce Act (Republic Act No. 8792):
Legal recognition of electronic documents and signatures
Aims to promote and regulate electronic commerce in the Philippines

The Intellectual Property Code of the Philippines (R.A. 8293):
It shall protect and secure the exclusive rights of scientists, inventors, artists
and other gifted citizens to their intellectual property and creations,
particularly when beneficial to the people.
The use of intellectual property bears a social function.
DATA PRIVACY ACT OF 2012 (REPUBLIC
ACT NO. 10173)
Key Provisions:
Consent: Collection of personal data requires the explicit consent of the
individual.
Rights of Data Subjects: Individuals have the right to access, correct, and erase
their personal data.
Security Requirements: Organizations must implement security measures to
protect data.
Breach Notification: Organizations must notify the NPC and data subjects if
there is a data breach.
Penalties for Non-Compliance:
Fines ranging from Php 500,000 to Php 5,000,000
Imprisonment ranging from 1 year to 3 years
CYBERCRIME PREVENTION ACT OF 2012
(REPUBLIC ACT NO. 10175)
Key Provisions:
Cybercrime offenses: Includes hacking, online fraud, cyberbullying, identity
theft, cybersex, and online libel.
Penalties: Ranges from fines to imprisonment, depending on the offense.
Scope of Law: Extends jurisdiction beyond the Philippines, allowing action
against crimes involving Filipino citizens, even if committed outside the
country.
Cybercrime Investigation and Coordination Center (CICC): Acts as the central
agency for cybercrime prevention.
Legal Challenges:
Concerns over online libel and potential abuse of laws affecting free speech.
ELECTRONIC COMMERCE ACT (REPUBLIC
ACT NO. 8792)
Key Provisions:
The Electronic Commerce Act of the Philippines, enacted in 2000, aims to
facilitate electronic transactions, recognize the authenticity of electronic data
messages, and promote the development of electronic commerce in the
country, while establishing guidelines and penalties for its regulation.
PHILIPPINE LAWS ON INTELLECTUAL
PROPERTY
R.A. 8293
An Act prescribing the Intellectual Property Code and establishing the
Intellectual Property Office, providing for its powers and functions, and for
other purposes
R.A. 165
An Act creating a patent office, prescribing its powers and duties, regulating
the issuance of patents, and appropriating funds therefor
R.A. 166
An Act to provide for the registration and protection of trade-marks,
trade-names, and service marks, defining unfair competition and false marking and
providing remedies against the same, and for other purposes

Presidential Decree No. 49
Decree on the protection of intellectual property

For IP-related laws: https://www.ipophil.gov.ph/intellectual-property-code-implementing-rules-and-regulations/
WHAT IS ETHICS?
Ethics defines right and wrong actions in specific
situations and is fundamental to society.

In the cyber realm, ethics serves as a guidepost for cybersecurity
professionals.
It helps identify the type of online behavior and conduct that harms
individuals and businesses.
Ethical considerations in cybersecurity involve ensuring privacy, fairness,
transparency, and accountability in handling data, implementing security
measures, and responding to threats.
THE TEN COMMANDMENTS OF
COMPUTER ETHICS
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not paid (without
permission).
Thou shalt not use other people's computer resources without authorization or proper
compensation.
Thou shalt not appropriate other people's intellectual output.
Thou shalt think about the social consequences of the program you are writing or the system
you are designing.
Thou shalt always use a computer in ways that ensure consideration and respect for other
humans.
ETHICAL ISSUES IN INFORMATION
SECURITY
Privacy:
Ensuring individuals' data is protected from unauthorized access, use, or
disclosure.
Balancing security needs with privacy rights.
Confidentiality:
Maintaining the confidentiality of sensitive information, especially in corporate
and healthcare sectors.
Preventing unauthorized access to proprietary information.
Integrity:
Ensuring that data is accurate, complete, and has not been tampered with.
Ethical responsibility to maintain data integrity for decision-making processes.
Transparency:
Clear policies on how data is collected, used, and protected.
Ethical consideration in disclosing the impact of security policies on
individuals and organizations.

Three general causes of unethical and illegal behavior: ignorance, accident, intent
ETHICAL DILEMMAS IN INFORMATION
SECURITY
Data Breach Disclosure:
Should organizations disclose data breaches immediately or after some time?
Ethical implications of delaying breach notifications to avoid reputation
damage.
Employee Monitoring:
Ethical considerations of monitoring employees' digital activities.
Striking a balance between protecting company assets and respecting
employee privacy.
Use of Personal Data:
Ethical challenges in using personal data for marketing or business operations.
Ensuring individuals' informed consent is obtained and maintained.
CHALLENGES IN ENFORCEMENT

Lack of Awareness:
Many businesses and individuals are unaware of the full scope of the Data
Privacy Act and Cybercrime Prevention Act.
Technological Advancements:
Constant evolution of technology creates challenges in enforcing outdated
laws.
Cybercrimes often outpace legal reforms.
Jurisdictional Issues:
Cybercrimes often cross national borders, making it difficult to pursue
international perpetrators.
INTERNATIONAL COLLABORATION AND
COMPLIANCE
Regional Cooperation:
The Philippines is a member of the Asia-Pacific Economic Cooperation (APEC),
which promotes cross-border cooperation in cybersecurity and data privacy.
Global Compliance Standards:
Many companies in the Philippines must comply with international standards,
such as the General Data Protection Regulation (GDPR) for handling data of EU
citizens.
