Cybercrime Prevention Act of 2012

The legislative course of the Philippine Cybercrime Prevention Act of 2012 (Republic Act No. 10175) has not run smooth. Enacted in September 2012 to address numerous forms of cyber crime uncovered by existing Philippine legislation, the Act originally covered illegal access, illegal interception, data interference, system interference, misuse of devices, cyber squatting, computer-related forgery, computer-related fraud, computer-related identity theft, cyber sex, child pornography, unsolicited commercial communications (i.e. spam), and libel.


The Act’s stance on online libel, which conferred the same liability on to those who received or reacted to libellous statements as on to those who made them, was seen by many as a heavy-handed undermining of free expression and privacy. Under the Act’s original provisions, even ‘liking’ a contentious post on Facebook or retweeting it on Twitter would have made you guilty of libel.

Freedom of speech campaigners therefore petitioned for the repeal of the controversial section, arguing that it was unconstitutional, as a result of which the Supreme Court issued a temporary restraining order (TRO) in October 2012 which stopped the government implementing the law.

Constitutional ruling

In February 2014 the Supreme Court ruled a number of provisions, including the online libel provisions relating to third parties (i.e. those who receive and react to defamatory remarks), to be unconstitutional. The law still applies to those who make libellous statements online.

Offences and penalties

Of the remaining sections deemed by the Supreme Court to be constitutional, the following penalties apply:

  • Cyber crime offences – including illegal access, illegal interception, data interference and system interference, and computer-related fraud, forgery and identity theft – are punishable by a fine of at least 200,000.00 pesos (PHP) and between six and 12 years’ imprisonment (prision mayor).
  • If committed against critical infrastructure, cyber crime offences are punishable by a fine of at least 500,000.00 pesos (PHP) and between 12 and 20 years’ imprisonment (reclusion temporal).
  • The misuse of devices – including computer programs – designed or adapted to commit any offence under the Act is punishable by a fine of up to 500,000.00 pesos (PHP) and between six and 12 years’ imprisonment (prision mayor).
  • Offences relating to cyber sex are punishable by a fine of between 200,000.00 and 1 million pesos (PHP) and/or between six and 12 years’ imprisonment (prision mayor).

Cyber security, compliance and ISO27001

Despite having absorbed many of the measures normally associated with information security, cyber security really only addresses the security of digital information. Information security is a broader approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.

In order to achieve an effective cyber security posture, organisations must realise that hardware and software solutions alone are not enough to protect them from cyber threats and that a broader information security approach is needed. The three fundamental domains of effective information security are people, process and technology.

ISO27001 is the internationally recognised best-practice Standard that lays out the requirements of an Information Security Management System (ISMS) and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO27001 in order to deliver their specific added value.

Organisations with multiple compliance requirements often seek certification to ISO27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO27001 certification.

The latest version of the Standard, ISO27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO27001:2013 has been developed in order to harmonise with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.

Further, the additional external validation offered by ISO27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

How ISO27001 can help you comply with Asia-Pacific data protection legislation

How ISO27001 can help you comply with data protection legislation in the Asia-Pacific region

Written by cyber security expert Alan Calder, this free guide details how to leverage ISO27001 as a single framework for creating a cyber secure enterprise while supporting adherence to many cyber security laws across the Asia-Pacific region.

Enter your name and email address below to read our free guide on complying with cyber security legislation in the Asia-Pacific region:

Why IT Governance?

IT Governance is a specialist in the field of information security and IT Governance, and has led more than 400 successful certifications to ISO27001 around the world.

IT Governance has created ISO 27001 packaged solutions to give Asia Pacific organisations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.

Get started today >>