1. Penalizes (section 8) sixteen types of cybercrime (Section 4).

They are:

Types of Cybercrime

1. Illegal access
Unauthorized access (without right) to a computer system or application.

2. Illegal interception
Unauthorized interception of any non-public transmission of computer data to, from, or within a computer
system.

3. Data Interference
Unauthorized alteration, damaging, deletion or deterioration of computer data, electronic document, or
electronic data message, and including the introduction or transmission of viruses.Authorized action can also
be covered by this provision if the action of the person went beyond agreed scope resulting to damages
stated in this provision.

4. System Interference
Unauthorized hindering or interference with the functioning of a computer or computer network by inputting,
transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or program, electronic
document, or electronic data messages, and including the introduction or transmission of viruses.Authorized
action can also be covered by this provision if the action of the person went beyond agreed scope resulting to
damages stated in this provision.

5. Misuse of devices
The unauthorized use, possession, production, sale, procurement, importation, distribution, or otherwise
making available, of devices, computer program designed or adapted for the purpose of committing any of the
offenses stated in Republic Act 10175.Unauthorized use of computer password, access code, or similar data
by which the whole or any part of a computer system is capable of being accessed with intent that it be used
for the purpose of committing any of the offenses under Republic Act 10175.

6. Cyber-squatting
Acquisition of domain name over the Internet in bad faith to profit, mislead, destroy reputation, and deprive
others from the registering the same. This includes those existing trademark at the time of registration; names
of persons other than the registrant; and acquired with intellectual property interests in it.Those who get
domain names of prominent brands and individuals which in turn is used to damage their reputation – can be
sued under this provision.Note that freedom of expression and infringement on trademarks or names of
person are usually treated separately. A party can exercise freedom of expression without necessarily
violating the trademarks of a brand or names of persons.

7. Computer-related Forgery
Unauthorized input, alteration, or deletion of computer data resulting to inauthentic data with the intent that it
be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is
directly readable and intelligible; orThe act of knowingly using computer data which is the product of
computer-related forgery as defined here, for the purpose of perpetuating a fraudulent or dishonest design.

8. Computer-related Fraud
Unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a
computer system, causing damage thereby with fraudulent intent.

9. Computer-related Identity Theft

Unauthorized acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information
belonging to another, whether natural or juridical.
 10. Cybersex
Willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of
sexual organs or sexual activity, with the aid of a computer system, for favor or consideration.There is a
discussion on this matter if it involves “couples” or “people in relationship” who engage in cybersex. For as
long it is not done for favor or consideration, I don’t think it will be covered. However, if one party (in a couple
or relationship) sues claiming to be forced to do cybersex, then it can be covered.

11. Child Pornography
Unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography
Act of 2009, committed through a computer system.

****** Unsolicited Commercial Communications (SPAMMING)

THIS PROVISION WAS STRUCK DOWN BY THE SUPREME COURT AS UNCONSTITUTIONAL.

12. Libel
Unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as amended
committed through a computer system or any other similar means which may be devised in the
future.Revised Penal Code Art. 355 states Libel means by writings or similar means. — A libel committed
by means of writing, printing, lithography, engraving, radio, phonograph, painting, theatrical exhibition,
cinematographic exhibition, or any similar means, shall be punished by prision correccional in its minimum
and medium periods or a fine ranging from 200 to 6,000 pesos, or both, in addition to the civil action which
may be brought by the offended party.The Cybercrime Prevention Act strengthened libel in terms of penalty
provisions.The electronic counterpart of libel has been recognized since the year 2000 when the E-
Commerce Law was passed. The E-Commerce Law empowered all existing laws to recognize its electronic
counterpart whether commercial or not in nature.

13. Aiding or Abetting in the commission of cybercrime – Any person who willfully abets or aids in the
commission of any of the offenses enumerated in this Act shall be held liable.

14.  Attempt in the commission of cybercrime Any person who willfully attempts to commit any of the
offenses enumerated in this  Act shall be held liable.

15. All crimes defined and penalized by the Revised Penal Code, as amended, and special laws, if committed
by, through and with the use of information and communications technologies shall be covered by the
relevant provisions of this Act.

Although not exactly a cybercrime, I am including this here as penalties are also imposed by the law.
16. Corporate Liability. (Section 9)
When any of the punishable acts herein defined are knowingly committed on behalf of or for the benefit of a
juridical person, by a natural person acting either individually or as part of an organ of the juridical person,
who has a leading position within, based on:(a) a power of representation of the juridical person provided the
act committed falls within the scope of such authority;(b) an authority to take decisions on behalf of the
juridical person. Provided, That the act committed falls within the scope of such authority; or(c) an authority to
exercise control within the juridical person,It also includes commission of any of the punishable acts made
possible due to the lack of supervision or control.

Responsibilities of the Philippine National Police (PNP) and National Bureau of

Investigation (NBI)

The law gave police authorities the mandate it needs to initiate an investigation to process
the various complaints/report it gets from citizens. There are instances of online attacks,
done anonymously, where victims approach police authorities for help. They often find
themselves lost in getting investigation assistance as police authorities can’t effectively
initiate an investigation (only do special request) – as their legal authority to request for
logs or data does not exist at all unless a case is already filed. (which in case of
anonymously done – will be hard to initiate)

I truly believe in giving citizen victims, regardless of stature, the necessary investigation
assistance they deserve. This law – gave our police authorities just that.

The PNP and NBI shall be responsible for the enforcement of this law. This includes:

(a) The PNP and NBI are mandated to organize a cybercrime unit or center manned by
special investigators to exclusively handle cases involving violations of this Act. (Section
10).

(b) The PNP and NBI are required to submit timely and regular reports including pre-
operation, post-operation, and investigation results and such other documents as may be
required to the Department of Justice for review and monitoring. (Section 11)

Responsibility of individuals

(a) Individuals upon receipt of a court warrant being required to disclose or submit
subscriber’s information, traffic data or relevant data in his possession or control shall
comply within seventy-two (72) hours from receipt of the order in relation to a valid
complaint officially docketed and assigned for investigation and the disclosure is
necessary and relevant for the purpose of investigation.

(b) Failure to comply with the provisions of Chapter IV specifically the orders from law
enforcement authorities shall be punished as a violation of Presidential Decree No. 1829
with imprisonment of prision correccional in its maximum period or a fine of One hundred
thousand pesos (P100,000) or both for each and every non-compliance with an order
issued by law enforcement authorities.

Cybercrime new authorities

(a) Office of Cybercrime within the DOJ designated as the central authority in all matters
relating to international mutual assistance and extradition. (section 23)

(b) Cybercrime Investigation and Coordinating Center (CICC) an inter-agency body to be

created under the administrative supervision of the Office of the President, for policy
coordination among concerned agencies and for the formulation and enforcement of the
national cybersecurity plan. (section 24)

CICC will be headed by the Executive Director of the Information and Communications
Technology Office under the Department of Science and Technology as Chairperson with
the Director of the NBI as Vice Chairperson; the Chief of the PNP, Head of the DOJ Office
of Cybercrime; and one (1) representative from the private sector and academe, as
members. (section 25)
The CICC is the cybercrime czar tasked to ensure this law is effectively implemented.
(section 26)

Although the law specifically stated a fifty million pesos (P50,000,000) annual budget, the
determination as where it would go or allotted to, I assume shall be to the CICC.

As the Cybercrime Law gets upheld by the Supreme

Court, here are my personal notes on the development of
its implementing rules and regulations:
1. Ensure that procedures for police assistance and securing court orders will be fair
regardless whether complainants can afford a lawyer or not to assist them.

2. Make the process for data access efficient so that text and online scams culprits can be
made accountable soon while ensuring that the data collected won’t be abused.

I am glad that lobbying moves to strike down the whole Cybercrime Prevention Act
(Republic Act 10175) did not prosper. The law has greater purposes and intentions
that can be helpful in protecting the interest of our netizens and country online.

Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, was signed into law by
President Aquino on Sept. 12, 2012.
Its original goal was to penalize acts like cybersex, child pornography, identity theft and unsolicited
electronic communication in the country.

RA 10175 punishes content-related offenses such as cybersex, child pornography and libel which
may be committed through a computer system. It also penalizes unsolicited commercial
communication or content that advertises or sells products or services.

But there are exemptions relating to the sending of unsolicited material: It is not a crime if there is
prior consent from the recipient, the communication is an announcement from the sender to users,
and if there is an easy, reliable way for the recipient to reject it, among others.

Individuals found guilty of cybersex face a jail term of prision mayor (6 years and one day to 12
years) or a fine of at least P200,000 but not exceeding P1 million.

Child pornography via computer carries a penalty one degree higher than that provided by RA
9775, or the Anti-Child Pornography Act of 2009. Under RA 9775, those who produce, disseminate
or publish child pornography will be fined from P50,000 to P5 million, and slapped a maximum jail
term of reclusion perpetua, or 20 to 40 years.
Persons found guilty of unsolicited communication face arresto mayor (imprisonment for 1 month
and 1 day to 6 months) or a fine of at least P50,000 but not more than P250,000, or both.

The law also penalizes offenses against the confidentiality, integrity and availability of computer
data and system, such as illegal access, illegal interference, data interference, system interference,
misuse of devices, and cybersquatting.

It defines cybersquatting as the acquisition of a domain name on the Internet in bad faith or with the
intent to profit, mislead, destroy one’s reputation or deprive others from registering the same
domain name. Also covered by the law are computer-related forgery, fraud and identity theft.

As many as 87 percent of Filipino Internet users were identified as victims of crimes and malicious
activities committed online, according to a November 2012 primer released by the DOJ, which
quoted a 2010 report of the security software firm Symantec.

These included being victimized in activities such as malware (virus and Trojan) invasion, online
or phishing scams and sexual predation.

From 2003 to 2012, the Anti-Transnational Crime Division of the Criminal Investigation and
Detection Group of the Philippine National Police looked into 2,778 referred cases of computer
crimes from government agencies and private individuals nationwide.
The Cybercrime Prevention Act of 2012, officially recorded as Republic Act No. 10175, is a law in
the Philippines that was approved on September 12, 2012. It aims to address legal issues concerning online
interactions and the Internet in the Philippines. Among the cybercrime offenses included in the bill
are cybersquatting, cybersex, child pornography, identity theft, illegal access to data and libel.
While hailed for penalizing illegal acts done via the Internet that were not covered by old laws, the act has been
criticized for its provision on criminalizing libel, which is perceived to be a curtailment of the freedom of expression
—"cyber authoritarianism".[2] Its use against journalists like Maria Ressa, of Rappler, has drawn international
condemnation.[3][4]
On October 9, 2012, the Supreme Court of the Philippines issued a temporary restraining order, stopping
implementation of the Act for 120 days, and extended it on 5 February 2013 "until further orders from the court." [5][6]
On February 18, 2014, the Supreme Court upheld most of the sections of the law, including the controversial
cyberlibel component.[7][note 1]

History
The Cybercrime Prevention Act of 2012 is the one of the first law in the Philippines which specifically
criminalizes computer crime, which prior to the passage of the law had no strong legal precedent in Philippine
jurisprudence. While laws such as the Electronic Commerce Act of 2000 (Republic Act No. 8792[8]) regulated certain
computer-related activities, these laws did not provide a legal basis for criminalizing crimes committed on a
computer in general: for example, Onel de Guzman, the computer programmer charged with purportedly writing
the ILOVEYOU computer worm, was ultimately not prosecuted by Philippine authorities due to a lack of legal basis
for him to be charged under existing Philippine laws at the time of his arrest. [9]
The first draft of the law started in 2001 under the Legal and Regulatory Committee of the former Information
Technology and eCommerce Council (ITECC) which is the forerunner of the Commission on Information and
Communication Technology (CICT). It was headed by former Secretary Virgilio "Ver" Peña and the committee was
chaired by Atty. Claro Parlade (+). It was an initiative of the Information Security and Privacy Sub-Committee
chaired by Albert Dela Cruz who was the President of PHCERT together with then Anti-Computer Crime and Fraud
Division Chief, Atty. Elfren Meneses of the NBI. The administrative and operational functions was provided by the
Presidential Management Staff (PMS) acting as the CICT secretariat. [10]
This was superseded by several cybercrime-related bills filed in the 14th and 15th Congress. The Cybercrime
Prevention Act ultimately was the product of House Bill No. 5808, authored by Representative Susan Yap-Sulit of
the second district of Tarlac and 36 other co-authors, and Senate Bill No. 2796, proposed by Senator Edgardo
Angara. Both bills were passed by their respective chambers within one day of each other on June 5 and 4, 2012,
respectively, shortly after the impeachment of Renato Corona, and the final version of the Act was signed into law
by President Benigno Aquino III on September 12.

Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction
have dedicated cybersecurity laws?
The Cybercrime Prevention Act of 2012 (CPA) defines the following as cybercrimes:

 offences against the confidentiality, integrity and availability of computer data and systems (illegal
access, illegal interception, data interference, system interference, misuse of devices and
cybersquatting);
 computer-related offences (computer-related forgery, computer-related fraud and computer-related
identity theft); and
 content-related offences (cybersex, child pornography, unsolicited commercial communications
and libel).
The CPA appointed the National Bureau of Investigation (NBI) and Philippine National Police (PNP) as
enforcement authorities, and regulates their access to computer data, creating the Cybercrime
Investigation and Coordinating Center (CICC) as an inter-agency body for policy coordination and
enforcement of the national cybersecurity plan, and an Office of Cybercrime within the Department of
Justice (DOJ-OC) for international mutual assistance and extradition.
The Supreme Court’s Rule on Cybercrime Warrants (AM No. 17-11-03-SC) governs the application and
grant of court warrants and related orders involving the preservation, disclosure, interception, search,
seizure or examination, as well as the custody and destruction of computer data, as provided under the
CPA.
The Electronic Commerce Act of 2000 (ECA) provides for the legal recognition of electronic documents,
messages and signatures for commerce, transactions in government and evidence in legal proceedings.
The ECA penalises hacking and piracy of protected material, electronic signature or copyrighted works,
limits the liability of service providers that merely provide access, and prohibits persons who obtain access
to any electronic key, document or information from sharing them. The ECA also expressly allows parties
to choose their type or level of electronic data security and suitable technological methods, subject to the
Department of Trade and Industry guidelines.
The Access Devices Regulation Act of 1998 (ADRA) penalises various acts of access device fraud such
as using counterfeit access devices. An access device is any card, plate, code, account number,
electronic serial number, personal identification number or other telecommunications service, equipment
or instrumental identifier, or other means of account access that can be used to obtain money, goods,
services or any other thing of value, or to initiate a transfer of funds. Banks, financing companies and
other financial institutions issuing access devices must submit annual reports of access device frauds to
the Credit Card Association of the Philippines, which forwards the reports to the NBI.
The Data Privacy Act of 2012 (DPA) regulates the collection and processing of personal information in the
Philippines and of Filipinos, including sensitive personal information in government; creates the National
Privacy Commission (NPC) as a regulatory authority; requires personal information controllers to
implement reasonable and appropriate measures to protect personal information and notify the NPC and
affected data subjects of breaches; and penalises unauthorised processing, access due to negligence,
improper disposal, processing for unauthorised purposes, unauthorised access or intentional breach,
concealment of security breaches and malicious or unauthorised disclosure in connection with personal
information.
The Philippines acceded to the Convention on Cybercrime, effective on 1 July 2018.

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
Question 1 describes the CPA cybercrimes and offences under the DPA, ECA and ADRA that may cover
cyberactivities relevant to organisations as they may either be committed by organisations or committed
against organisations (as possible targets).

Enforcement
Regulation
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The NBI Cybercrime Division, PNP Anti-Cybercrime Group, DOJ-OC, CICC, BSP and NPC enforce
various rules related to cybersecurity.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute
infringements.
The CPA authorises the NBI Cybercrime Division and PNP Anti-Cybercrime Group to investigate
cybercrimes. The DOJ prosecutes cybercrimes and its DOJ-OC coordinates international mutual
assistance and extradition. The CICC CERT provides assistance to suppress real-time commission of
cybercrimes and facilitates international cooperation on intelligence, investigations, suppression and
prosecution. Law enforcement authorities may collect or record traffic or non-traffic data in real time upon
being authorised by a court warrant.
The New Central Bank Act (Republic Act No. 7653) confers on the BSP the power to supervise the
operations of banks and exercise such regulatory powers under Philippine laws over the operations of
finance companies and non-bank financial institutions performing quasi-banking functions and institutions
performing similar functions.
The NPC (i) enforces, monitors compliance of government and private entities with, and investigates and
recommends to the DOJ, the prosecution of violations under the DPA; (ii) facilitates cross-border
enforcement of data privacy protection; and (iii) can issue cease-and-desist orders, or impose a temporary
or permanent ban on the processing of personal information upon finding that the processing will be
detrimental to national security or public interest, or both.

Penalties
What penalties may be imposed for failure to comply with regulations aimed at preventing
cybersecurity breaches?
In general, the penalties consist of fines and imprisonment.
What penalties may be imposed for failure to comply with the rules on reporting threats and
breaches?
BSIs that fail to report breaches in information security, especially incidents involving the use of electronic
channels, may be penalised with fines, suspension of the BSI’s privileges or access to the Central Bank’s
credit facilities, as well as revocation of a quasi-banking licence. Internet service providers and internet
hosts that fail to promptly report child pornography to police authorities may be penalised with fines and
imprisonment. As to breaches related to personal information, the NPC has yet to provide penalties
specific to the failure to report.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately
protect systems and data?
The DPA entitles data subjects the right to be indemnified for any damage sustained owing to inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorised use of personal information. Claims for
indemnity may be filed with the NPC.
Parties may provide for redress in a contract and claim damages for breach of contract. Philippine tort law
allows claims for damages resulting from acts or omissions involving negligence or those involving
violations by private entities or individuals of the constitutional rights of other private individuals. Claims
may be filed in court or through alternative dispute resolution mechanisms.