1. Data Breach Notification
a. 72-hour notice
[The NPC] and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred. (Section 38[a], Rule IX, IRR of the Data Privacy Act)
b. When breach involves sensitive personal information
Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. (Section 38[b], Rule IX, Ibid.)
c. NPC Investigation
Depending on the nature of the incident, or if there is delay or failure to notify, [the NPC] may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures. (Section 38[c], Rule IX, Ibid.)
2. Contents of Notification
The notification shall at least describe the nature of the breach, the personal data possibly involved, and the measures taken by the entity to address the breach. (Section 39, Rule IX, Ibid.)
The notification shall also include measures taken to reduce the harm or negative consequences of the breach, the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach, and any assistance to be provided to the affected data subjects. (Ibid.)
3. Delay of Notification
Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. (Section 40, Rule IX, Ibid.)
a. Compliance and good faith
In evaluating if notification is unwarranted, [the NPC] may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal data. (Section 40[a], Rule IX, Ibid.)
b. Exemption from notice
[The NPC] may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest, or in the interest of the affected data subjects. (Section 40[b], Rule IX, Ibid.)
c. Postponement
[The NPC] may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach. (Section 40[c], Rule IX, Ibid.)
4. Breach Report
a. Contents of notice
The personal information controller shall notify [the NPC] by submitting a report, whether written or electronic, containing the required contents of notification. The report shall also include the name of a designated representative of the personal information controller, and his or her contact details. (Section 41[a], Rule IX, Ibid.)
b. Security incidents
All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. (Section 41[b], Rule IX, Ibid.)
In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller. (Ibid.)
In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. (Ibid.)
These reports shall be made available when requested by the Commission. A general summary of the reports shall be submitted to [the NPC]. (Ibid.)
5. Procedure for Notification
The procedure for breach notification shall be in accordance with the Act, these Rules, and any other issuance of [the NPC]. (Section 42, Rule IX, Ibid.)