Data breach notification

1. Data Breach Notification

a. 72-hour notice

 [The NPC] and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred. (Section 38[a], Rule IX, IRR of the Data Privacy Act)

b. When breach involves sensitive personal information

Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. (Section 38[b], Rule IX, Ibid.)

c. NPC Investigation

Depending on the nature of the incident, or if there is delay or failure to notify, [the NPC] may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures. (Section 38[c], Rule IX, Ibid.)

2. Contents of Notification

The notification shall at least describe the nature of the breach, the personal data possibly involved, and the measures taken by the entity to address the breach. (Section 39, Rule IX, Ibid.)

The n...