The main difference is that the Philippine National Privacy Commission, a government privacy rights agency similar to our PDPC, publicly recommended that COMELEC chairman Andres Bautista be prosecuted for failing to uphold his duty as chairman, for which he could have faced 3-6 months’ imprisonment and a fine of up to 4 million pesos (S$103,000). While any ulterior motive for this recommendation is unknown, Andres Bautista’s story took an unexpected turn when he resigned and left the country in the face of government subpoenas during a corruption probe, only for the Senate to demand his arrest.

While we can see that the government organisation responsible (COMELEC) was held to account, similar to the SingHealth case, we do not know the specifics of the internal investigation, as in the Anthem case. Filipinos have no way to know exactly what transpired to cause this breach, as opposed to Singapore’s COI, which placed the entire organisation responsible under an electron microscope.

When it comes to punitive measures, chairman Andres in the Philippines was charged with negligence. IHiS CEO Bruce Liang, meanwhile, has not been publicly held accountable for the SingHealth security lapse.

Andres’ words, in his defence, can however apply to both cases: “Officers each have their own areas of responsibility, and a head of agency has to rely on the experts.” If a CEO is to be imprisoned for the crimes that his subordinates engaged in without his knowledge, the masses might be satisfied, but it would also be a miscarriage of justice, insofar as a CEO is not expected to micromanage all his employees’ actions. And so it does not seem fair that he should spend time behind bars for this.

However, a fine seems fair, and IHiS has implemented one, except we don’t know what it is. How are the people supposed to know that justice has been carried out when the fine numbers are not released? Do you want people to speculate on how unfairly low they are? Is there some critical national security secret lurking behind those digits, preventing the numbers from being declassified?

There is no reason for IHiS not to release the financial penalties it placed upon its executives, and we should be allowed to discuss how appropriate they are. The current opacity of these penalties sets a dangerous precedent that managers can oversee the crimes of their firms with little to no retribution, which shouldn’t be the case. After all, the possibility of retribution personally incentivises managers to ensure their staff are guarding the gates instead of admitting Trojan horses.

This is especially significant in IHiS’s case, as the COI uncovered that the firm prioritised business efficiency over security, something that was embedded into the organisation’s structure. The responsibility for such an oversight certainly falls on the managers.