SEC: Bourses, firms should comply with data privacy law
THE Securities and Exchange Commission (SEC) has ordered listed companies and two exchanges to comply with Republic Act (RA) 10173, or the Data Privacy Act of 2012, to avoid a data hack like that experienced by ABS-CBN last month.
In a letter sent on Friday, the commission told the Philippine Stock Exchange (PSE), the Philippine Dealing Exchange (PDEx) and listed firms that they must observe data privacy and protection regulations to avoid breaches that may impact business operations.
Under RA 10173, companies are mandated to establish policies and implement measures to ensure that personal data under their custody remain secure.
Personal information controllers (PICs) and personal information processors (PIPs) are required to register with the National Privacy Commission (NPC), produce a privacy manual and put in place a privacy management program as part of their corporate governance responsibilities.
Under the 2015 Securities Regulation Code, firms are mandated to have a comprehensive information technology (IT) plan, and to have their IT, trading, business continuity, disaster recovery and risk management systems reviewed and audited regularly by an independent firm, so that trading in the market remains efficient, uninterrupted and not susceptible to glitches.
The entities were given 30 days from receipt of the letter to report on the steps they have taken to comply.
The order came after two of ABS-CBN Corp.’s online shopping sites, ABS-CBN Store and UAAP (University Athletic Association of the Philippines) Store, were hacked on September 19. Data on 213 customers were believed to have been compromised.
Dutch security consultant and researcher Willem de Groot reported the breach on his website and Twitter page, writing that “criminals” had been running a payment skimmer on the sites since August 16, and that the data was sent to Russian servers.
“Personal information and credit cards are intercepted while people shop for merchandise for one of the 90+ television shows. The stolen data is sent onward to a server registered in Irkutsk, Russia. The credit cards and identities are then (presumably) sold on the black market,” de Groot claimed.
Information technology news website ZDNet, owned by the digital arm of the US television network CBS, also reported on the breach, adding that Google's Chrome browser had flagged the two sites as not secure. (Chrome's "Not secure" label indicates that a page is served without HTTPS; it does not detect a skimmer, so the warning is a separate weakness rather than evidence of the compromise itself.)
The breach forced the Lopez-led group to launch an investigation and suspend the websites' operations.
ABS-CBN said the hack was an isolated case and did not affect its other digital properties.
WITH A REPORT FROM LISBET K. ESMAEL
The post SEC: Bourses, firms should comply with data privacy law appeared first on The Manila Times Online.