(In this Decision, one of the issues discussed by the National Privacy Commission (NPC) is phishing and the responsibility for avoiding the same. Considering that phishing activities are rampant, it is worthy to note that both the data subject and the Personal Information Controller (PIC) shall exercise all efforts not to fall victim on said scheme. The PIC must implement appropriate security measures to prevent it from happening for the protection of its data subject. Data subject, on the other hand, shall follow the advisories issued by the PIC in order to avoid the phishing bait.
As for the appropriate security measure, it is our opinion though that in case of online bank transactions, verification process by sending OTP should be reviewed. In the advent of highly-sophisticated phishing ploys, OTPs may no longer be a secured method. We will cover this in a separate article.
Please find below the summary of NPC’s Decision in the above-mentioned case. The summary, which focuses on phishing, is jointly prepared by Rachel Mae Granates and Geni Pearl Cauilan, and is reviewed by Atty. Arnel D. Mateo of ADM. For the detailed discussion of the case, full text of the Decision is available at the website of NPC.)
Complainant Ignacio received an email allegedly from BPI requiring him to log-in as a card holder to verify his information under threat of having his card suspended if he input any wrong information. On the belief that it was a legitimate email, Complainant complied.
When Complainant tried to used his credit card 10 days after the email, he was informed that he had already reached his credit card limit. Upon checking with the Customer Service, several online transactions which required OTP were charged against his credit card to which he had no knowledge of.
Complainant made a letter requiring BPI to make and effect necessary correction/removal and rectification of his accounts. Later on, Complainant instituted his complaint before NPC for BPI’s alleged violations of the DPA.
In defense, BPI maintained among others that they did not violate the DPA and that online transactions are deemed valid because they were properly authenticated through OTPs sent to the complainant’s email address.
Whether or not BPI is liable for processing the credit card transactions charged to Complainant upon the latter’s allegations that the same are without his authority and that we was a victim of phishing?
BPI is not liable.
Phishing is defined as the fraudulent process of attempting to acquire private or confidential information by masquerading as a trustworthy entity in electronic communication. The responsibility for the avoidance of falling victim to phishing falls both on the Personal Information Controller and the data subject.
The PIC must be able to implement appropriate security measures provided under the DPA to capture cases of phishing and be able to prevent it from happening for the protection of its data subjects.
While is it true that Ignacio was able to establish that he fell victim to phishing by presenting a copy of the email pretending to be a legitimate message from BPI, he was not able to prove that falling for the same email was due to the negligence of the latter.
In the submissions made by the BPI, records show how it regularly sends advisories to its clients’ registered email addresses and mobile numbers. They also posted advisories on their website to constantly remind their clients to ignore phishing emails and messages. These advisories were sent to its clients as early as 2014. Furthermore, respondent has shown that it was not remiss in its duties in adopting dynamic consumer awareness program against phishing by utilizing all the available channels to reach their clients, through advisories in its website, television commercials and email reminders. As to the sending of email advisories, Respondent also presented proof that the complainant’s email address is included as recipient of their advisories on warnings against phishing.
The regular campaigns of the respondent against phishing do not only raise awareness of their customers, but it also provides its clients with precautionary steps to be taken if and when they receive suspicious emails luring them to give their personal information, particularly financial information. BPI submitted evidence that they have enabled multi-factor authentication for their online payments through the implementation of One-Time Password (OTP) to ensure that any access or purchase would need a confirmation from the account owner through an email message before they process the purchase.
As for the determination of fraud on credit card transactions, the same falls within the ambit of the Central Bank.