Conventus Law

Special Report On Cybersecurity In The Philippines.

March 17, 2026

  1. CL: Which Philippine laws and regulations govern cybersecurity and data protection that GCs should prioritize (e.g., the DPA of 2012 and the Cybercrime Prevention Act)?

SyCipLaw: The Philippines is not governed by a single, overarching cybersecurity law; multiple laws and regulations generally would apply to cybersecurity issues. General protection of data is governed by the Cybercrime Prevention Act (Republic Act No. 10175), and particularly in respect of personal data, by the Data Privacy Act of 2012 (“DPA”) (Republic Act No. 10173) and the issuances of the National Privacy Commission (“NPC”), such as NPC Circular No. 2023-06 (Security of Personal Data in the Government and Private Sector) (“NPC Security Guidelines”).

Cybercrime Prevention

The Cybercrime Prevention Act defines and penalizes what are called cybercrimes such as illegal access, data interference, system interference, and computer-related fraud. The statute grants law enforcement authorities investigatory powers. Although it does not establish a comprehensive cybersecurity governance framework, the law may be viewed as setting baseline legal standards for prohibited conduct involving computer systems, data, and networks. 

Personal Data Protection

With respect to personal data, the DPA applies to all natural or juridical persons engaged in the processing of personal data, and regulates the collection, processing, and protection of personal data by personal information controllers (“PICs”) and personal information processors (“PIPs”). The DPA has extraterritorial application such that even if data processing takes place outside of the Philippines, the law would still be relevant provided the processing has “links” to the Philippines and the processing involves personal data of Philippine citizens or residents.

Under the DPA, PICs and PIPs are required to establish sufficient security measures to protect personal data being processed. The NPC Security Guidelines provides detailed guidance on the security measures expected under the DPA. It covers the general obligations of PICs and PIPs, privacy-by-design principle and privacy-by-default mechanisms, rules on the storage of and access to personal data, business continuity planning to mitigate potential disruptive events, safeguards for the transfer of personal data, and guidelines on the proper disposal of personal data.

  2. CL: What recent enforcement trends or penalties should companies be aware of, and how active is the National Privacy Commission (NPC) in enforcing cybersecurity compliance?

SyCipLaw: Based on publicly available information, the NPC has been increasing its enforcement efforts. The NPC has conducted on‑the‑spot privacy sweeps and compliance checks, particularly in sectors that collect large volumes of personal data. However, it appears that enforcement is primarily complaint-driven and reactive rather than independently initiated by the NPC. 

The 2023 NPC Annual Report (the most recent report publicly available as of the writing of this article) shows an upward enforcement trend since 2019:

Year    Total No. of Compliance Checks
2023    698
2022    685
2021    641
2020    368
2019    345

However, the same report would show that the compliance checks are mostly complaint-driven. NPC-initiated investigations were far fewer, with only three initiated by the NPC in 2023.

Where violations were established, the NPC recommended prosecution to the Department of Justice and imposed or ordered remedies that included: (1) cease and desist orders; (2) temporary bans on data processing activities; (3) warnings and compliance directives; and (4) awards of nominal damages. 

In 2024, there was a surge of NPC-initiated investigations with two instances where the NPC carried out field inspections. These targeted malls and retail stores.

  3. CL: In what ways is the NPC evolving its enforcement and cross-border cooperation?

SyCipLaw: Based on actions in the past few years, the NPC is exploring more proactive enforcement methods for compliance checks and expanding beyond its usual complaint‑driven and responsive approach.

On cross-border cooperation, the NPC has always expressed a positive view. In this regard, the NPC issued NPC Advisory No. 2024-01 (Model Contractual Clauses for Cross-Border Transfers of Personal Data) and NPC Advisory No. 2025-02 (Guidelines on Privacy Engineering in Systems Life Cycle Processes).

NPC Advisory No. 2024-01 (Model Contractual Clauses for Cross Border Transfers of Personal Data) (“NPC MCC Guidelines”)

The NPC MCC Guidelines recognize the NPC’s role in coordinating with data protection regulators in other jurisdictions and in participating in international and regional privacy and data protection initiatives, including the Global Privacy Assembly (“GPA”). The same advisory acknowledges international and regional efforts to harmonize cross-border data transfer mechanisms, including comparative work on model contractual clauses and earlier Association of Southeast Asian Nations (“ASEAN”)-related frameworks and guidance.

To promote cross‑border cooperation, the advisory provides references to available model contractual clauses, including those issued by the GPA and the ASEAN–European DPA joint guidance. It notes that PICs and processors may adopt these clauses for cross‑border data transfers.

NPC Advisory No. 2025-02 (Guidelines on Privacy Engineering in Systems Life Cycle Processes) (“NPC Privacy Engineering Guidelines”)

The NPC Privacy Engineering Guidelines further supports cross‑border cooperation by aligning Philippine standards on privacy engineering with widely accepted international standards.

In particular, the NPC Privacy Engineering Guidelines reflect the principles underlying Article 25 of the European Union’s General Data Protection Regulation (“GDPR”) by requiring that data protection safeguards be integrated into the design and operation of systems that process personal data. They also mirror the risk-based approach under Article 35 of the GDPR by emphasizing the need to conduct Privacy Impact Assessments to identify and assess risks to data subjects and to implement appropriate safeguards for higher-risk processing activities.

  4. CL: In the Philippines, what are the mandatory reporting requirements for data breaches, and how quickly must companies notify the NPC and affected individuals?

SyCipLaw: NPC Circular No. 16-03 (Personal Data Breach Management) (“Data Breach Guidelines”) governs data breach notification requirements. It prescribes reporting and notification requirements for security incidents and personal data breaches. 

A security incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would have resulted in a personal data breach, if not for safeguards that have been put in place.

A “personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

The Data Breach Guidelines requires covered entities (i.e., PICs) to report all security incidents through the submission of an Annual Security Incident Report to the NPC. 

Personal data breaches must be notified to the NPC and data subjects where all the following conditions are met:

  1. The personal data involves sensitive personal information or any other information that may be used to enable identity fraud.

     For this purpose, “other information” shall include, but not be limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers like PhilHealth, SSS, GSIS, or TIN numbers; or other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
  2. There is reason to believe that the information may have been acquired by an unauthorized person; and
  3. The PIC or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

The PIC must notify the NPC and data subjects within 72 hours from “knowledge of or the reasonable belief by the PIC or PIP that a personal data breach has occurred.” 

As an exception, a PIC may request an extension from the NPC to postpone or delay notification beyond the 72-hour period when such delay is reasonably necessary to determine the scope of the breach, prevent further unauthorized disclosures, or restore the reasonable integrity of the information and communications system. The mere inability to immediately secure or restore the integrity of the information and communications system will not by itself constitute valid grounds for delaying notification.

Further, delay in notification is strictly prohibited where the personal data breach affects at least 100 data subjects or involves the disclosure of sensitive personal information that is likely to cause harm or otherwise adversely affect the data subject. In such cases, the notification to the NPC must be made within 72 hours based on available information followed by a full breach report that must be submitted within five days, unless the NPC extends such period for the submission of the full breach report.

As mentioned, notifications to affected data subjects must likewise be made within the same 72-hour period. Where it is not reasonably possible to notify data subjects within the prescribed period, the PIC may seek clearance from the NPC either for an exemption from the notification requirement or for the postponement of such notification.

A PIC may be exempted from notifying data subjects where the NPC determines that notification would not be in the public interest or in the interest of the affected data subjects. The NPC may also authorize the postponement of notification where timely disclosure would hamper the progress of a criminal investigation in relation to a serious personal data breach.

Where notification is required, affected data subjects shall be notified individually and through secure means of communication, whether in written or electronic form. Where individual notification is not feasible or would involve a disproportionate effort, the PIC may seek the approval of the NPC to employ alternative means of notification, such as public announcements or similar measures, provided that such methods are equally effective in informing the affected data subjects.

The Data Breach Guidelines requires covered entities (i.e., PICs) to report all security incidents to the NPC, even if they are not mandatorily notifiable as described above, through the submission of an Annual Security Incident Report to the NPC. 

  5. CL: When transferring sensitive data abroad, what restrictions apply, and how should multinational companies ensure compliance with shared data systems?

SyCipLaw: In general, there are no prohibitions on the transfer of personal data from the Philippines to offshore unless it involves certain types of protected data such as government data. 

Transfers of personal data under the DPA may be viewed as either data sharing (i.e., a PIC-to-PIC transfer) or outsourcing arrangements (i.e., PIC-to-PIP or PIP-to-PIP transfers).

Data Sharing

The DPA Implementing Rules and Regulations (“DPA IRR”) defines data sharing as “the disclosure or transfer to a third party of personal data under the custody of a PIC or PIP. In the case of the latter, such disclosure or transfer must have been upon the instructions of the PIC concerned.”

Data sharing is specifically governed by NPC Circular No. 2020-03, which provides that a data sharing agreement (“DSA”) is not required between the parties. However, the NPC has opined that, though a DSA is optional, it is a best practice and a demonstration of accountability amongst the parties to data sharing. NPC Circular No. 2020-03 further provides that the NPC will take the execution of a DSA “into account in case a complaint is filed pertaining to such data sharing and/or in the course of any investigation relating thereto, as well as in the conduct of compliance checks.”

Outsourcing

On the other hand, the DPA IRR defines outsourcing as the “disclosure or transfer of personal data by a [PIC] to a [PIP].” Outsourcing contemplates the transfer of personal data by a PIC to a PIP in order to process personal data for the former. In this case, the PIC remains accountable for the personal data and is responsible for the processing of the PIP. 

Unlike with data sharing, Section 44 of the DPA IRR requires that outsourcing be governed by a contract or other legal act that binds the PIP to the PIC. In particular, this contract or other legal act must set out the following:

  1. Subject-matter and duration of the processing;
  2. Nature and purpose of the processing;
  3. Type of personal data and categories of data subjects;
  4. Obligations and rights of the controller;
  5. Geographic location of the processing under the subcontracting agreement; and
  6. Certain mandatory provisions that the PIP shall:
  • Process the personal information only upon the documented instructions of the PIC, including a prohibition against further transfers of personal data to another country or an international organization, unless such transfer is authorized by law;
  • Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
  • Implement appropriate security measures and comply with the DPA, DPA IRR, and other issuances of the NPC;
  • Not engage another processor without prior instruction from the PIC: provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
  • Assist the PIC in fulfilling the obligation to respond to requests by data subjects relative to the exercise of their rights;
  • Assist the PIC in ensuring compliance with the DPA, DPA IRR, other relevant laws, and other issuances of the NPC;
  • At the choice of the PIC, delete or return all personal data to the controller after the end of the contract period; 
  • Make available to the PIC all information necessary to demonstrate compliance with the obligations laid down in the DPA, and allow for and contribute to audits; and
  • Immediately inform the PIC if, in its opinion, an instruction infringes the DPA, DPA IRR, or any other issuance of the NPC.

  6. CL: What should the GC consider when coordinating regional privacy and cybersecurity frameworks (ASEAN data corridors, etc.)?

SyCipLaw: From a Philippine standpoint, the first step for a GC is to determine the entities involved in the transfer of Philippine personal data and their role in the processing, whether they are characterized as a PIC or a PIP. The next step would be to determine whether any transfers by the identified PICs will involve outsourcing or data sharing. These steps will clarify the responsibilities of each entity, as PICs will be held accountable for DPA compliance for the personal data under their custody.

From a regional standpoint, the Philippines is not a party to any international data privacy agreements, which would provide for reciprocity. This would mean that processing compliant with foreign laws will not necessarily equate to compliance with the DPA. Further, as mentioned above, foreign personal data processed pursuant to foreign laws will be out of scope of the DPA. Thus, compliance with data privacy laws and regulations would likely be on a per jurisdiction basis. 

That said, in NPC Advisory No. 2024-01, the NPC recognizes that the use of the Association of Southeast Asian Nations Model Contract Clauses and other similar standard clauses may help PICs in upholding the accountability principle in cross-border transfers of personal data. However, the same issuance provides that the adoption of these clauses is optional. Thus, GCs will have to treat model clauses as reference tools rather than default solutions and ensure that any contractual framework is tailored to reflect the specific legal, regulatory, and risk requirements of each participating jurisdiction.

  7. CL: What should the Board and General Counsel do to ensure that a company-wide cybersecurity governance framework is aligned with Philippine law and international standards?

SyCipLaw: A company’s management should appoint an “owner” of the cybersecurity task – whether this be the chief technology officer, compliance officer, or data protection officer (“DPO”) – who should ensure that the company:

  1. Identifies the data, whether or not personal, that it collects and handles;
  2. Knows the relevant regulatory frameworks that govern the cybersecurity of such data;
  3. Knows industry standards and best market practices such as those under ISO/IEC 29100, ISO/IEC 29151, ISO/IEC 24760, and ISO/IEC 29134, among others;
  4. Has awareness of the market practice.

Currently, the more developed regulatory framework is that applicable to personal data, and a company that collects and processes data (such as those of its employees) will be required to appoint a DPO.  A DPO should be able to develop a compliance checklist under the DPA. From a business or operational perspective, that DPO will also need to be aware of whether data privacy laws of other jurisdictions might apply to the company. If so, the company and its DPO may need to seek the advice of the relevant foreign counsel to ensure compliance.

  8. CL: What are the best ways for companies to mitigate cybersecurity risks arising from outsourcing or third-party service providers, which is a common practice in the Philippines’ BPO sector?

SyCipLaw: Companies can mitigate cybersecurity risks arising from outsourcing arrangements by ensuring that the parties enter into an outsourcing agreement or other agreement that provides for the mandatory provisions laid out in the DPA IRR. These provisions are meant to ensure that the third-party service provider (i.e., the PIP) will be bound to the PIC. Important among these provisions is that the PIP will only process personal data upon documented instructions of the PIC and that there will be no sub-processor without the approval of the PIC.

Other than those required in the DPA IRR, the PIC should include a clause in the agreement that the PIP will immediately notify the PIC when it becomes aware of a security incident or data breach. It is standard practice to give the PIP a 24-hour period (or less) to notify the PIC. This is because the 72-hour period to notify the NPC and data subjects can be triggered when the PIP has knowledge of the data breach. 

  9. CL: In regulated sectors such as banking, fintech, telecommunications, or energy, are there additional cybersecurity compliance requirements?

SyCipLaw: Some industries are covered by their specific governing law or regulation such as with the banking and telecommunications sectors.

Banking and Financial Technology

A service provider engaged in cybersecurity or data management services for a banking institution or a non-banking financial institution may be contractually required to support its clients regulated by the Bangko Sentral ng Pilipinas (“BSP”), the central monetary authority, in complying with the cybersecurity incident reporting requirements under BSP Circular No. 1019, Series of 2018.

Among other requirements, BSP‑supervised financial institutions have to report major cyber‑related incidents to the BSP. Major cyber-related incidents are defined as incidents that may seriously compromise the confidentiality, integrity, or availability of critical information, data, or systems, including those affecting customers and other stakeholders.  

Since service providers engaged in cybersecurity or data management typically handle, process, or have access to personal and sensitive personal information of the bank’s or non-banking financial institution’s end users, any breach affecting the service provider’s systems may reasonably qualify as a major cyber‑related incident.

In addition, service providers may be required under their service agreements to support BSP‑regulated clients in complying with the Anti-Money Laundering Act (“AMLA”) (Republic Act No. 9160) obligations. These obligations include the retention of customer records and transaction documents for at least five years from the date of the transaction, which may be held by the service provider. Where the service provider keeps such data, it must comply with AMLA record‑keeping obligations, including the secure digitization, retention, and timely retrieval of such records.

Telecommunications

For the telecommunications industry, there are laws that would require some covered entities to preserve certain types of data.

Cybercrime Prevention Act: A service provider engaged in cybersecurity or data management services typically operates on the internet and relies on information and communications technology systems. As such, there is a greater likelihood that such service providers will encounter cybercrime-related incidents, which may trigger the application of specific provisions and obligations under the Cybercrime Prevention Act. 

Service providers may be required to preserve the integrity of traffic data and subscriber information related to their communication services for at least six months from the date of the transaction. Content data may likewise be required to be preserved for a similar period, reckoned from the date of receipt of a lawful preservation order issued by law enforcement authorities. The law also allows a one-time extension of the preservation period for an additional six months. The data may be disclosed to law enforcement upon receipt of a court warrant.

Anti-Online Sexual Abuse or Exploitation of Children (“Anti-OSAEC”) and Anti-Child Sexual Abuse or Exploitation Materials Act (“Anti-CSAEM”) (Republic Act No. 11930): The Anti-OSAEC and CSAEM Act provides special protections to children from all forms of sexual violence, abuse and exploitation especially those committed with the use of information and communications technology. 

By the nature of their operations, service providers engaged in cybersecurity or data management services may be classified as internet intermediaries, defined as “[p]ersons or entities that provide infrastructure, platforms, access to, and host, transmit, and index content, products, and services originated by third parties on the internet.” As internet intermediaries, these service providers would be subject to several obligations, such as the preservation of subscriber or registration information and traffic data for six months, extendable for another six months or for the duration of the case involving OSAEC or CSAEM. Content data must be preserved for one year, extendable for six additional months upon notice from the competent authority.

Internet intermediaries must also immediately block, remove, or take down websites or content containing CSAEM or streaming/live-streaming of OSAEC within 24 hours of notice from a competent authority. This period may be extended by an additional 24 hours. 

Finally, internet intermediaries must comply with subpoenas issued by the Philippine National Police, National Bureau of Investigation (“NBI”), or a prosecutor to provide subscriber, registration, or traffic data for individuals who accessed CSAEM content, facilitated violations of the act, or conducted streaming/live-streaming of child sexual exploitation.

Government Data

Department of Information and Communications Technology (“DICT”) Circular No. 2017-002, as amended by DICT Circular No. 2020-010, lays down the Philippine Government’s Cloud First Policy. These rules allow the storage and processing of non-sensitive government data offshore, but impose localization or encryption requirements for sensitive, above-sensitive, and highly sensitive government data. Above-sensitive and highly sensitive government data must be stored exclusively within Philippine territory.

  10. CL: Can you describe how law enforcement agencies like the Cybercrime Investigation and Coordinating Center (CICC) and the National Bureau of Investigation (NBI) work with private companies during cybercrime investigations?

SyCipLaw: Philippine law enforcement agencies work with private companies primarily by partnering with them for policy and preventive initiatives, or by requesting their cooperation in cybercrime investigations and cases.

The Cybercrime Investigation and Coordinating Center (“CICC”) engages private entities primarily by partnering with them in cybercrime prevention initiatives, in line with its mandate to protect and secure the country through effective institutional programs and policy development to combat cybercrime, promote cybercrime awareness, and institutionalize cybercrime prevention capacity building. In a recent news article, the CICC confirmed that it has scaled up its preventive actions by entering into partnerships with private companies in the financial and technology sectors, as well as with civil society groups, to address emerging cyber threats, promote coordinated responses across sectors, and reinforce collective efforts to protect the public in the digital space.

The NBI, on the other hand, exercises investigative and enforcement authority over cybercrime activities. Under its charter, the NBI is tasked with receiving cybercrime complaints and investigating and filing cases arising from such complaints. Private companies may be required to cooperate with the NBI through formal legal processes, such as subpoenas, court orders, or warrants, particularly where access to records, system logs, or other data is necessary to support criminal investigations under relevant laws, such as those discussed in item 9 above.

  11. CL: How are Philippine regulators dealing with newer challenges such as ransomware, AI-driven cyberattacks, and cloud infrastructure?

SyCipLaw: At present, Philippine regulators would need to rely on a mixture of laws (as discussed above) depending on the type of violation. The challenge would be ensuring that the act to be prosecuted would match the elements of the crime. In general, most forms of hacking would fall under “Illegal Access,” which is penalized under the Cybercrime Prevention Act. Illegal Access is defined as the “access to the whole or any part of a computer system without right.” 

The Philippines has pending bills that seek to create a more comprehensive cybersecurity law that can tackle more modern challenges. In this regard, Senate Bill No. 1492 (An Act Establishing the Philippine Cybersecurity Council and Enhancing the National Cybersecurity Framework) seeks to strengthen the Philippines’ approach to cybersecurity by creating a National Cybersecurity Council as the primary policy-making, coordinating, and oversight body on all matters relating to cybersecurity, cyber-terrorism, and protection of critical information infrastructure in the Philippines. The bill also proposes mandatory cybersecurity breach, incident, or data compromise reporting obligations for incidents affecting critical information infrastructure. In addition, the bill proposes to establish a National Cyber Incident Registry, which will serve as a public advisory system to promptly inform citizens of major cyber threats or ongoing attacks that may endanger public welfare or essential services.

Artificial Intelligence-Specific Efforts

With respect to artificial intelligence, several bills are currently pending in Congress to regulate the development, deployment, and use of Artificial Intelligence (“AI”), including misuse that may give rise to criminal liability.

House Bill No. 7396: Proposed Artificial Intelligence Development and Regulation Act of the Philippines (“AI Development and Regulation Bill”) – The bill proposes to establish the Artificial Intelligence Development Authority that will develop a national AI development and regulation strategy, prescribe and enforce standards and guidelines for legal and ethical AI development and use, and establish licensing and certification requirements for AI developers and deployers.

House Bill No. 7913: Proposed Artificial Intelligence Regulation Act (“AI Regulation Bill”) – The bill provides for an AI Bill of Rights, which institutionalises the following rights for Filipinos in relation to AI systems: (1) Right to protection from unsafe and ineffective AI systems; (2) Right against algorithmic discrimination; (3) Right to privacy; (4) Right to know; and (5) Right to remedy.

The AI Regulation Bill proposes the establishment of two government agencies to regulate AI: the Philippine Council on Artificial Intelligence (“PCAI”) and the Artificial Intelligence Board (“AIB”). The PCAI will be a policy-making and advisory body of experts which aims to, among others, develop and promulgate an AI governance framework, establish a code of ethics for AI developers, promulgate rules and measures against harmful applications of AI and algorithms. The AIB will exercise regulatory and supervisory authority over the development, application, and use of AI systems.

The AI Regulation Bill seeks to prohibit the use of AI systems: (1) that shall cause unnecessary, unjustifiable, and indiscriminate moral or pecuniary damage to individuals, and (2) that may manipulate, exploit or control any person beyond his or her consciousness to materially distort his or her behaviour in a manner that is likely to cause him or her or another person physical or psychological harm, among others.

  12. CL: What due diligence and contractual safeguards should be incorporated into M&A or joint venture deals in the Philippines to manage cybersecurity risks?

SyCipLaw: For a buyer or investor, the standard approach should be taken: (1) legal and technical due diligence that focuses on regulatory compliance and best practice for cybersecurity standards, and (2) incorporation of appropriate conditions, representations, undertakings and indemnification in the transaction documents.

For data privacy, there are clear “checklist items” that may be red flags if not in place, such as the basic organizational security measures under the DPA (e.g., appointment of a Data Protection Officer, a privacy policy, and a data security breach management response), and registration with the NPC where applicable.

At the outset and prior to the start of due diligence, parties should consider signing an initial document on confidentiality obligations and restrictions on the recipients of personal data. Parties may be asked to confirm that they are authorized or permitted by law to share third-party or personal data. 

Further, depending on the number of documents, the parties can implement measures that will limit the amount of personal data provided for review through the anonymization of information. In practice, this would usually involve the redaction of personal data (e.g., removing the addresses of directors) unless it is absolutely necessary for the transaction (e.g., full name and nationality of directors). The disclosing party should go through any documents provided to ensure unnecessary personal data is not provided. 

The sharing of due diligence documents should also be controlled, whether this is done through a physical or virtual data room. Virtual data rooms would generally apply watermarks when documents are downloaded, which helps trace any unwanted leaks of documents. For physical data rooms, there must be clear endorsements so the parties can track to whom documents were provided.

After the conduct of due diligence, the parties should include specific contractual provisions governing the handling of personal data and other information post-signing and post-closing. This will include the retention policy or the disposal of any due diligence materials.

  1. CL: In what ways can businesses manage their liability exposure in the event of cyberattacks or data breaches?

SyCipLaw: Compliance with applicable law and market standards for cybersecurity and data protection, and the ability to adequately prove that compliance, are the key liability mitigation steps that businesses should take.

For instance, under the DPA, a controller is not penalized merely because a personal data breach occurs in its processing systems. What triggers a penalty is concealment of the breach, or a violation of requirements that is discovered when the breach is investigated and that may have resulted in the breach.

Contractual liability exposure may be managed through contractual risk allocation, including limited liability clauses that clearly define exclusions, carve-outs, and caps, particularly for data protection and cybersecurity-related claims. Under Philippine law, liability may not be limited or waived where the act involves future fraud or bad faith, gross negligence or intentional misconduct, or where the waiver is contrary to law, morals, good customs, public order, or public policy, including instances where the law imposes a heightened standard of diligence that cannot be contractually reduced (e.g., the banking industry).

_____ 

WRITTEN BY

Rose Marie M. King-Dominguez is a senior partner of SyCipLaw and head of the Firm’s Special Projects department. She specializes in M&A, TMT and data, investments, and general business law. She has handled M&A projects and market entry work in a range of industries, including technology, healthcare, pharmaceutical enterprises, retail, real estate, and manufacturing. She helped found the SyCipLaw TMT practice group, developing it into a Tier 1 ranked team that advises key global and local leaders in technology and related emerging issues. She is also a leading privacy and data expert who has supported numerous clients in compliance, assessments, and training.

Christopher A. Capulong is a senior associate and a member of the Firm’s Banking, Finance and Securities, Corporate Services, and Special Projects departments. His practice areas involve mergers and acquisitions, telecommunications, media, technology, food, promotions and marketing, consumer protection, and data privacy. Christopher regularly advises clients in various industries on privacy and data protection issues (e.g., employee data policies, transfer impact assessments, data transfers, data breaches, and general compliance with privacy regulations).

Alithea C. Soriano is an associate and a member of the Firm’s Special Projects and Employment and Immigration departments.
