THE National Privacy Commission (NPC) wants Facebook, Inc. to provide identity theft and phishing insurance for over 750,000 Philippines-based users affected by a data breach last September.
In an Oct. 17 order, the NPC said Facebook’s measures to address the effects of the data breach on its website were not sufficient to inform the affected Filipino users of the depth of its impact.
The NPC ordered Facebook to submit a more comprehensive Data Breach Notification Report and to notify the affected users.
“(NPC orders Facebook to) provide identity theft and phishing insurance for affected Filipino data subjects, or in the alternative, establish a dedicated help desk/help center for Filipino data subjects on privacy related matters concerning Facebook, located in the Philippines and with a local number, within six months from receipt of this Order,” the commission said.
The NPC also told Facebook to roll out a program to increase awareness of identity theft and phishing among Filipino users.
On Sept. 28, Facebook first reported that about 50 million accounts on the website had been affected by a security breach.
The NPC said Facebook informed the commission last Oct. 13 that a total of 755,973 Philippine-based Facebook user accounts may have been compromised.
Information such as e-mail addresses, phone numbers, hometowns, places recently visited and recent search queries was among the data that may have been compromised.
“From the tenor of the document, we now understand that the breach exposed the personal information of persons with accounts… to different degrees. Be that as it may, Facebook contends… there is no material risk of more extensive harm occurring. This Commission does not agree,” the NPC said.
It said Facebook argued the effects of the data breach are only expected to influence a user’s likelihood of getting targeted for professional “spam” operations. But the NPC said Filipinos are not as aware of spam, phishing and identity theft as Facebook users in other developed nations.
Facebook is expected to comply with the demands of NPC in accordance with NPC Circular No. 16-03, which said the full report on the breach should be provided within five days. It also said affected users should be notified within 72 hours. — Denise A. Valdez