Data Breach Response Plan: The 72-Hour Rule Every Philippine Business Must Know
Imagine this: It’s Monday morning, and your IT team discovers that your customer database was accessed by an unauthorized party over the weekend. Customer names, email addresses, and possibly payment information have been compromised. What do you do next?
Under the Data Privacy Act of 2012 (RA 10173), you have 72 hours to report the breach to the National Privacy Commission—and the clock started the moment you became aware of it, not when you finish investigating.
Most Philippine businesses have no plan for this scenario. And when a breach happens, panic, delays, and poor decisions can turn a manageable incident into a catastrophic compliance failure with multi-million peso fines and irreparable reputational damage.
This guide will help you create a practical data breach response plan that ensures your business can respond quickly, correctly, and in full compliance with Philippine law.
What is a Data Breach?
Under NPC Circular No. 16-03, a personal data breach is:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Common Types of Data Breaches
1. Cyberattacks
- Hacking or unauthorized access to systems
- Ransomware attacks encrypting your data
- Phishing attacks compromising employee credentials
- SQL injection or website vulnerabilities
2. Human Error
- Accidentally emailing customer data to the wrong recipient
- Employee accessing data they shouldn’t
- Leaving documents in a public place
- Misconfiguring cloud storage permissions
3. Physical Theft or Loss
- Stolen laptop containing unencrypted employee records
- Lost USB drive with customer information
- Stolen paper files from an office
- Discarded hard drives not properly destroyed
4. Insider Threats
- Employee intentionally stealing customer data
- Departing employee downloading company records
- Contractor misusing access privileges
5. Third-Party Breaches
- Cloud service provider compromised
- Payroll processor data leak
- Marketing platform breach exposing customer lists
The 72-Hour Rule: NPC Reporting Requirements
When Must You Report?
You must report to the NPC within 72 hours if the breach involves:
1. Sensitive Personal Information
- Health records, medical data
- Government-issued IDs (SSS, TIN, passport)
- Financial information (bank accounts, credit cards)
- Biometric data (fingerprints, facial recognition)
2. Real Risk of Serious Harm
Even if the data is not “sensitive,” you must report if the breach could cause:
- Identity theft
- Financial loss
- Reputational damage
- Physical harm
- Discrimination
3. Large Number of Affected Individuals
The larger the breach, the higher the likelihood of NPC reporting requirements.
What Happens If You Miss the 72-Hour Deadline?
Penalties for Late Reporting:
- Administrative fines up to ₱5,000,000
- Criminal charges (imprisonment of 1-6 years)
- Mandatory public disclosure
- NPC-mandated compliance audits
- Reputational damage and loss of customer trust
The clock starts when you become aware of the breach, not when you finish investigating.
Building Your Data Breach Response Plan
A good data breach response plan has four phases:
- Preparation (before a breach happens)
- Detection & Containment (0-4 hours)
- Assessment & Notification (4-72 hours)
- Recovery & Lessons Learned (post-breach)
Phase 1: Preparation (Do This NOW)
Assemble Your Breach Response Team
Designate roles and responsibilities:
| Role | Responsibilities | Who |
|---|---|---|
| Incident Commander | Overall coordination, final decisions | CEO, General Manager, DPO |
| IT/Security Lead | Containment, investigation, forensics | IT Manager or external IT security |
| Legal Counsel | Legal compliance, regulatory coordination | In-house lawyer or external attorney |
| Communications Lead | Messaging, media response, customer notifications | Marketing/PR Manager |
| DPO | NPC liaison, compliance assessment | Data Protection Officer |
Create Contact Lists
- Internal: Key personnel with 24/7 contact numbers
- External: NPC hotline, IT security consultants, legal counsel, forensics experts
- Vendors: Cloud providers, payment processors, any third parties processing data
Implement Detection Systems
- Intrusion detection systems (IDS)
- Log monitoring and alerts
- Employee reporting procedures
- Regular security audits
Document Your Baseline
- What personal data do you process?
- Where is it stored?
- Who has access?
- What security measures are in place?
Phase 2: Detection & Containment (0-4 Hours)
Immediate Actions When a Breach is Discovered:
Hour 0-1: Detect & Confirm
1. Verify the breach - Is this a real incident or a false alarm?
2. Alert the Incident Commander and DPO immediately
3. Document everything - Start a breach log with timestamps
Hour 1-4: Contain the Breach
4. Stop the bleeding:
- Isolate compromised systems
- Change passwords and access credentials
- Disable compromised accounts
- Shut down affected servers if necessary
- Secure physical areas if applicable
5. Preserve evidence:
- Don’t delete logs or files
- Take screenshots
- Document all actions taken
- Maintain chain of custody for forensics
6. Initial assessment:
- What data was compromised?
- How did the breach occur?
- How many individuals are affected?
- Is it still ongoing?
Critical: Do NOT publicly announce anything yet. First contain, then assess, then communicate.
Phase 3: Assessment & Notification (4-72 Hours)
Hour 4-24: Investigate & Assess
Determine the Scope:
- What personal data was involved?
- How many individuals are affected?
- Is it sensitive personal information?
- What is the real risk of harm?
Assess the Risk:
| Risk Level | Criteria | NPC Reporting Required? |
|---|---|---|
| High | Sensitive personal information + significant harm likely | YES - Immediate |
| Medium | Personal information + possible harm | YES - Within 72 hours |
| Low | Minimal personal information, unlikely harm | Possibly - consult DPO |
Prepare Your NPC Report (If Required):
The NPC requires the following information:
1. Description of the breach
- What happened
- When it was discovered
- How it occurred
2. Personal data involved
- Categories of data (names, IDs, financial info, etc.)
- Estimated number of affected individuals
3. Likely consequences
- Potential harm to data subjects
- Risk assessment
4. Measures taken or proposed
- Immediate containment actions
- Mitigation measures
- Prevention of recurrence
5. Contact information
- Name and contact details of DPO or point of contact
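To make the timeline and the risk table concrete, here is an added Python example; it is not part of the original guide and not an NPC tool. It opens a timestamped breach log at the moment of awareness (the point where the 72-hour clock starts), computes the NPC deadline, classifies the risk with the High/Medium/Low criteria from the table above, and assembles the five sections the NPC report needs. The category and harm labels, the decision to treat sensitive data with no named harm as at least Medium (following the "When Must You Report?" list), and the sample incident are all the example's own assumptions.

```python
"""Breach log, 72-hour NPC deadline tracker and risk classifier.

Added example. The category names, harm labels and the mapping from risk
level to reporting requirement are this script's own encoding of the
guide's tables, not an NPC form or API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NPC_REPORTING_WINDOW = timedelta(hours=72)
PHT = timezone(timedelta(hours=8))  # Philippine Standard Time (UTC+8)

# Categories the guide lists as sensitive personal information (assumed labels).
SENSITIVE_CATEGORIES = {"health", "government_id", "financial", "biometric"}
# Harms the guide lists under "real risk of serious harm" (assumed labels).
SERIOUS_HARMS = {"identity_theft", "financial_loss", "reputational_damage",
                 "physical_harm", "discrimination"}


@dataclass
class LogEntry:
    at: datetime      # timezone-aware timestamp
    actor: str
    action: str


@dataclass
class BreachIncident:
    name: str
    aware_at: datetime        # when you became aware: the clock starts here
    data_categories: set
    likely_harms: set
    affected_count: int
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware so the deadline is unambiguous")
        self.record("system", "breach log opened", self.aware_at)

    def record(self, actor, action, at=None):
        """Append a timestamped entry. Entries are only ever appended, never edited
        or removed, so the log doubles as preserved evidence."""
        entry = LogEntry(at or datetime.now(PHT), actor, action)
        self.log.append(entry)
        return entry

    def npc_deadline(self):
        return self.aware_at + NPC_REPORTING_WINDOW

    def hours_remaining(self, now):
        """Negative once the 72-hour window has passed."""
        return (self.npc_deadline() - now) / timedelta(hours=1)

    def is_overdue(self, now):
        return self.hours_remaining(now) < 0

    def risk_level(self):
        sensitive = bool(self.data_categories & SENSITIVE_CATEGORIES)
        harm = bool(self.likely_harms & SERIOUS_HARMS)
        if sensitive and harm:
            return "High"        # sensitive PI + serious harm likely
        if sensitive or harm:
            return "Medium"      # personal information + possible harm
        return "Low"             # minimal personal information, unlikely harm

    def npc_reporting(self):
        return {"High": "YES - Immediate",
                "Medium": "YES - Within 72 hours",
                "Low": "Possibly - consult DPO"}[self.risk_level()]

    def npc_report(self, dpo_contact):
        """Assemble the five sections the guide says the NPC report needs.
        'measures_taken' is every action the response team logged."""
        return {
            "description": {
                "incident": self.name,
                "discovered": self.aware_at.isoformat(),
                "timeline": [(e.at.isoformat(), e.actor, e.action) for e in self.log],
            },
            "personal_data_involved": {
                "categories": sorted(self.data_categories),
                "estimated_affected": self.affected_count,
            },
            "likely_consequences": {
                "risk_level": self.risk_level(),
                "potential_harms": sorted(self.likely_harms),
            },
            "measures_taken": [e.action for e in self.log if e.actor != "system"],
            "contact": dpo_contact,
        }


if __name__ == "__main__":
    # Constructed scenario: the Monday-morning discovery from the introduction.
    inc = BreachIncident("CRM database accessed by unauthorized party",
                         datetime(2024, 3, 4, 9, 0, tzinfo=PHT),
                         {"names", "email", "phone"}, {"identity_theft"}, 12000)
    inc.record("IT lead", "isolated CRM server", datetime(2024, 3, 4, 9, 40, tzinfo=PHT))
    print("NPC deadline:", inc.npc_deadline().isoformat())
    print("Risk:", inc.risk_level(), "->", inc.npc_reporting())
```

The deadline is derived from `aware_at`, never from the time the investigation ends, which is the point the guide makes twice; requiring a timezone-aware timestamp avoids the ambiguity of a naive local time when the team and its cloud providers sit in different zones.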
Hour 24-72: Report to NPC
How to Report:
- Email: complaints@privacy.gov.ph
- NPC Hotline: 8234-2228
- Online form: https://privacy.gov.ph
Subject Line: “Data Breach Notification - [Your Company Name]”
Include:
- Completed NPC breach notification form
- Incident timeline
- Initial assessment report
- Contact details for follow-up
Notify Affected Individuals (If Required):
If the breach poses real risk of serious harm, you must notify affected individuals:
What to include in notification:
- What happened (simple, clear explanation)
- What data was compromised
- When it occurred
- What you’re doing about it
- What they should do (change passwords, monitor accounts, etc.)
- How to contact you for questions
- Apology and commitment to improvement
Methods of notification:
- Email (preferred for large numbers)
- SMS (for urgent, high-risk breaches)
- Direct phone calls (for small numbers of high-risk individuals)
- Public notice (if individual contact is impossible)
Sample Customer Notification:
Subject: Important Security Notice - [Your Company Name]
Dear [Customer Name],
We are writing to inform you of a data security incident that may have affected your personal information.
What Happened: On [Date], we discovered that an unauthorized party gained access to our customer database between [Date] and [Date].
What Information Was Involved: The compromised data includes names, email addresses, and phone numbers. Your payment information was NOT affected as we do not store credit card details.
What We’re Doing: We have immediately secured our systems, engaged cybersecurity experts to investigate, and reported this incident to the National Privacy Commission. We are implementing additional security measures to prevent future incidents.
What You Should Do:
- Be cautious of phishing emails or suspicious calls asking for personal information
- Monitor your accounts for unusual activity
- Change your password if you use the same password on other websites
We sincerely apologize for this incident and any concern it may cause. Your privacy is our priority.
For questions, contact us at: [contact information]
Sincerely, [Name] [Title]
Phase 4: Recovery & Lessons Learned (Post-Breach)
Immediate Recovery (Week 1-2):
1. Complete forensic investigation - Hire external experts if needed
2. Implement fixes - Patch vulnerabilities, strengthen security
3. Monitor for further incidents - Heightened vigilance period
4. Respond to NPC requests - Provide additional information as requested
Short-Term Actions (Month 1-3):
5. Conduct post-incident review - What went wrong? What went right?
6. Update security measures - Address identified weaknesses
7. Retrain staff - Security awareness, breach response procedures
8. Review third-party contracts - Ensure vendors meet security standards
Long-Term Prevention (Ongoing):
9. Update breach response plan - Incorporate lessons learned
10. Regular security audits - Quarterly or annual reviews
11. Continuous monitoring - Implement ongoing threat detection
12. Annual breach response drills - Practice makes perfect
Data Breach Response Plan Template
Here’s a simple template you can customize:
# [Company Name] Data Breach Response Plan
## Breach Response Team
- Incident Commander: [Name, Contact]
- IT/Security Lead: [Name, Contact]
- Legal Counsel: [Name, Contact]
- DPO: [Name, Contact]
- Communications Lead: [Name, Contact]
## Phase 1: Detection & Containment (0-4 Hours)
1. Verify breach and alert Incident Commander
2. Assemble breach response team
3. Contain the breach (isolate systems, change passwords)
4. Preserve evidence
5. Begin incident log
## Phase 2: Assessment (4-24 Hours)
1. Determine scope (what data, how many individuals)
2. Assess risk level
3. Document timeline and actions taken
4. Prepare NPC notification (if required)
## Phase 3: Notification (24-72 Hours)
1. Report to NPC within 72 hours (if required)
2. Notify affected individuals (if serious harm risk)
3. Prepare public statement (if necessary)
## Phase 4: Recovery (Post-Breach)
1. Complete investigation
2. Implement security fixes
3. Conduct post-incident review
4. Update response plan
5. Retrain staff
## Key Contacts
- NPC Complaints: complaints@privacy.gov.ph | 8234-2228
- IT Security Consultant: [Name, Contact]
- Forensics Expert: [Name, Contact]
- Legal Counsel: [Name, Contact]
Common Breach Response Mistakes
1. Delaying NPC Notification
Mistake: Waiting to “fully investigate” before reporting.
Solution: Report within 72 hours, even if investigation is ongoing. You can provide updates later.
2. Hiding the Breach
Mistake: Hoping no one finds out.
Solution: NPC can impose massive fines for failure to report. Transparency is always better than cover-up.
3. No Evidence Preservation
Mistake: Employees deleting logs or “cleaning up” affected systems.
Solution: Preserve everything for forensic analysis.
4. Poor Communication
Mistake: Vague, legalistic notifications that confuse customers.
Solution: Be clear, honest, and empathetic.
5. No Follow-Through
Mistake: Reporting the breach but not fixing the vulnerability.
Solution: Implement corrective measures and document them.
Industry-Specific Breach Scenarios
Healthcare
Scenario: Ransomware encrypts patient records
- Risk Level: High (sensitive health information)
- NPC Reporting: Required within 72 hours
- Patient Notification: Required
- Additional Steps: Report to DOH if applicable
Retail/E-Commerce
Scenario: Website hacked, customer payment data exposed
- Risk Level: High (financial information)
- NPC Reporting: Required within 72 hours
- Customer Notification: Required immediately
- Additional Steps: Notify payment processor, offer credit monitoring
BPO/Call Center
Scenario: Employee downloads client database before resigning
- Risk Level: High (large-scale, possible harm)
- NPC Reporting: Required within 72 hours
- Client Notification: Notify client immediately (contractual obligation)
- Additional Steps: Legal action against employee
Getting Professional Help
When to Hire External Experts:
- Large-scale or complex breaches
- Sensitive personal information involved
- Criminal activity suspected
- Regulatory investigation likely
- Lack of internal expertise
Who to Hire:
- Forensic Investigators - Determine how breach occurred
- Cybersecurity Consultants - Implement fixes and monitoring
- Legal Counsel - Navigate regulatory requirements
- DPO Consultant - Manage NPC reporting and compliance
- PR/Crisis Communications - Manage public messaging
As a TÜV Certified Data Protection Officer, I help Region 8 businesses:
- Prepare breach response plans before incidents occur
- Coordinate breach response and NPC reporting
- Conduct post-breach compliance assessments
- Implement corrective security measures
- Provide ongoing compliance support
Data Breach Preparedness Checklist
- Breach Response Team designated with contact information
- Breach response plan documented and accessible
- DPO appointed and trained on breach procedures
- Detection systems in place (IDS, monitoring, alerts)
- Employee breach reporting procedures established
- NPC contact information readily available
- Customer notification templates prepared
- Evidence preservation procedures documented
- Forensic investigation contacts identified
- Annual breach response drills conducted
- Security incident log template created
- Legal counsel identified for breach response
The Bottom Line
Every Philippine business that processes personal data must have a data breach response plan. It’s not a matter of if a breach will occur, but when.
The 72-hour NPC reporting requirement means you cannot afford to figure things out as you go. Preparation is everything.
Three Steps to Take Today:
- Designate a Data Protection Officer to oversee breach response
- Create a written breach response plan using this guide
- Train your team on breach detection and reporting procedures
Don’t wait for a breach to force compliance. Be prepared, respond quickly, and protect your business from catastrophic penalties.
Need help creating a data breach response plan or responding to an active breach? Contact me immediately. As a TÜV Certified DPO serving Region 8, I provide emergency breach response services and ongoing compliance support.