Data Breach Incident Response
By the time most companies confirm a data breach, the legal deadline to report it is already running. The notification window is 72 hours, and it runs from knowledge of, or reasonable belief of, a qualifying breach, not from the day your investigation finishes. The hardest question inside that window is not technical. It is whether this incident must be reported, to whom, and what happens if you get that answer wrong.
STLAF takes over the Philippine legal response to a breach: the assessment, the notify-or-not judgment, the NPC filings, and the regulatory relationship that follows. The practice serves companies in an incident now, companies preparing before one, and the foreign breach coaches, insurers, and overseas parents who need the Philippine layer of a global incident handled by local counsel. The legal background sits in our Data Privacy Act guide; this page is about what we do when it stops being background.
In a breach now: what STLAF does first
STLAF’s first hours in a breach are assessment and control: establishing what happened, whether the notification duty is triggered, and what must be filed with the NPC before the window closes. The sequence, in order:
- Rapid assessment. What data, whose, how much, and how it left. Your IT or forensic team establishes the technical facts; we are the legal layer that turns them into decisions.
- The notify-or-not judgment. Not every incident is legally notifiable; the duty turns on the kind of data involved and the real risk of serious harm. Deciding wrongly in either direction is expensive, and this judgment, made defensibly and documented, is the center of what you are engaging counsel for.
- The NPC notification. Prepared correctly and filed through the proper channel inside the window, saying what must be said and not a word that creates exposure no rule demanded.
- Notifying affected individuals. Required, sensitive, and frequently bungled. How your employees or customers learn about the incident shapes everything downstream, including whether they become complainants.
- The follow-up and the record. The full report that follows the initial notification, and a documentation trail built from hour one to be examined later, because it will be.
One thing we say in every breach engagement, because someone in the room is usually thinking it: staying quiet is not a strategy. Concealing a notifiable breach is itself an offense, separate from the breach. If silence is on your option list, we will take it off, and that is part of the service too.
After the window: the NPC relationship
Notification is the start, not the end; STLAF manages the NPC’s questions, orders, and any enforcement that follows, and builds the documentation that stands up to review.
Once notified, the NPC can ask questions, require submissions, and issue orders, and the affected individuals can complain, demand answers, or escalate publicly; the employees of breached companies are often the loudest public voice an incident gets. The post-window work is managing all of it: the regulator’s process, the responses and submissions, the vendor dimension when a processor caused the incident but the accountability stayed with you, and the path back to normal operations with a record that shows an organization that handled its breach properly. Where a matter escalates toward enforcement or litigation, the same firm carries it forward.
Before a breach: readiness
The companies that survive the 72-hour window are the ones that built the workflow before they needed it, and STLAF builds that legal layer: the notification playbook, the templates, and standby counsel arrangements.
A breach response plan that exists only as an IT document fails at the exact moment it is needed, because the binding deadlines are legal ones. The readiness engagement builds the legal layer: the decision workflow for the notify-or-not judgment, notification templates for the NPC and for affected individuals, role clarity on who calls whom in the first hour, and a standby arrangement so the counsel who responds to your incident already knows your organization. Companies whose wider compliance program also needs building should start with our Data Privacy and NPC Compliance service; this page’s readiness work arms you for the incident itself.
For foreign breach coaches, insurers, and overseas parents
For global incidents with Philippine exposure, STLAF acts as Philippine-side counsel: the NPC notification and liaison, the local-law assessment, and the regulatory layer, coordinated with the team running the global response.
When a multinational’s incident touches the Philippines, through a subsidiary, a BPO operation, or Filipino customer data, the global response is typically run by a breach coach or coordinated through insurers, and what they need from this country is specific: local counsel that can assess Philippine notification duties quickly, handle the NPC layer cleanly, and report upward in the working rhythm of an international incident. That seat is the one STLAF is built for: a Philippine-licensed firm, structured for cross-border coordination through its international partner network, with law and accountancy in one engagement, which matters when the insurance workstream needs loss numbers as well as legal answers. We work under your lead counsel’s coordination and carry the Philippine layer.
Law and accountancy in a breach
A breach is a legal event and a financial one, and STLAF handles both: the regulatory response, and the financial investigation and loss quantification that boards, insurers, and courts eventually ask for.
Every serious breach eventually produces the second question. After “are we compliant?” comes “what did this cost us?”, from the board, the insurer, or the courtroom. Because STLAF pairs law with accountancy, the financial investigation and loss quantification happen inside the same engagement as the legal response, the way the firm already works in fraud and tax litigation matters, rather than through a second adviser arriving cold.
Why STLAF
STLAF practices in breach response and data privacy within one law and accountancy firm, led on cybercrime matters by Atty. Gabriel D. Adora, recognized by Legal 500, Mondaq, and the International Bar Association, and a Finalist at the ALB Philippine Law Awards 2025.
The firm serves organizations across industries including financial services, BPO, logistics, energy, and retail, publishes its expertise openly, including the Data Privacy Act guide behind this page, and connects its breach work to compliance, litigation, and financial-investigation capability under one roof. In an incident, that means fewer handoffs at the moment handoffs cost the most.
Frequently asked questions
We just discovered a breach. What do we do in the first hour?
Preserve what you know, stop the spread if containment is still live, and involve counsel immediately, because the notification window runs from knowledge or reasonable belief, not from confirmation. The assessment starts now, not after the investigation finishes.
Does every breach have to be reported to the NPC?
No. Notification turns on the data involved and the risk of serious harm, and that assessment is precisely the judgment STLAF makes with you, defensibly and on the record.
Our vendor caused the breach. Is it their problem?
The legal accountability remains with your organization; the regulator looks to you. The vendor dimension is real and we handle it, but it is handled inside your response, not instead of it.
What happens if we miss the 72-hour window?
Late is better than concealed, and how the lateness is explained and documented matters. Concealment is a separate offense; a late, honest notification managed by counsel is a recoverable situation.
We are foreign counsel on a global incident with Philippine exposure. What do you need from us?
The facts and the data map: what was exposed, whose data, and the Philippine touchpoints. STLAF takes the Philippine notification assessment, the NPC layer, and local-law questions from there, reporting in your incident’s rhythm.
Can you help before anything has happened?
Yes, and it is the better engagement: notification playbooks, templates, and standby counsel arrangements are how the 72-hour window becomes survivable instead of chaotic.
Talk to us
If an incident is unfolding, contact STLAF now and start the assessment inside the window. If it is not, the best version of this engagement is the one that starts before you need it.
STLAF Global is a Philippine legal and accountancy firm. This page is information, not legal advice, and does not create a lawyer-client relationship.