• Home

  • Documents

  • PRIVACY AND CYBERSECURITY IN MEXICO · What types of cybersecurity incidents should companies be...
5
2 // MEXICO www.gettingthedealthrough.com PRIVACY AND CYBERSECURITY IN MEXICO Begoña Cancino, partner of the IP practice at Creel, García-Cuéllar, Aiza y Enriquez, SC, has taken the lead from the issuance of the Mexican Privacy Law, this approach of the firm to handle data privacy matters from the basis of an IP expert has been very successful, as personal data is assembled in databases that constitute a work of authorship under the Mexican Copyright Law and also constitute confidential information that may qualify as a trade secret under the Mexican Industrial Property Law. Begoña’s IP background gives her a better sense of her clients’ needs and the different angles that should be considered when providing the most specialised advice in the field. Recognised as Up and Coming in 2017 by Chambers and Partners, Begoña has authored several articles for the World Intellectual Property Review (Protecting Data in Mexico: what you need to know) as well as published in the 2015 and 2016 editions of The Data Protection and Privacy Global Guide and IP in Business Transactions by Thomson Reuters. She also authored the Mexican chapters for the International Comparative Legal Guide on Data Privacy 2017, Cybersecurity 2018, as well as Gambling 2018. Begoña received her law degree from Universidad La Salle in 2001; postgraduate studies at the University of Buenos Aires; Universidad Nacional Autónoma de Mexico and participated in the Leadership and Management Program for Lawyers, both at the Yale School of Management. iStock.com/UlrikeStein

PRIVACY AND CYBERSECURITY IN MEXICO · What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction? In this regard, companies should be able

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: PRIVACY AND CYBERSECURITY IN MEXICO · What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction? In this regard, companies should be able

2 // MEXICO www.gettingthedealthrough.com

PRIVACY AND CYBERSECURITY IN

MEXICOBegoña Cancino, partner of the IP practice at Creel, García-Cuéllar, Aiza y Enriquez, SC, has taken the lead from the issuance of the Mexican Privacy Law, this approach of the firm to handle data privacy matters from the basis of an IP expert has been very successful, as personal data is assembled in databases that constitute a work of authorship under the Mexican Copyright Law and also constitute confidential information that may qualify as a trade secret under the Mexican Industrial Property Law. Begoña’s IP background gives her a better sense of her clients’ needs and the different angles that should be considered when providing the most specialised advice in the field.

Recognised as Up and Coming in 2017 by Chambers and Partners, Begoña has

authored several articles for the World Intellectual Property Review (Protecting Data in Mexico: what you need to know) as well as published in the 2015 and 2016 editions of The Data Protection and Privacy Global Guide and IP in Business Transactions by Thomson Reuters. She also authored the Mexican chapters for the International Comparative Legal Guide on Data Privacy 2017, Cybersecurity 2018, as well as Gambling 2018.

Begoña received her law degree from Universidad La Salle in 2001; postgraduate studies at the University of Buenos Aires; Universidad Nacional Autónoma de Mexico and participated in the Leadership and Management Program for Lawyers, both at the Yale School of Management. iS

tock

.com

/Ulr

ikeS

tein

Page 2: PRIVACY AND CYBERSECURITY IN MEXICO · What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction? In this regard, companies should be able

GTDT: Market Intelligence – Privacy and Cybersecurity MEXICO \\ 3

GTDT: What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

On 7 November 2017, members of the Chamber of Deputies (mainly from the green party) proposed a legal initiative with the aim to introduce specific provisions into our federal criminal system, as well as to adopt the Convention on Cybercrime (Budapest Convention) for Mexico to be part of a global net of countries devoted to secure information in cyberspace and use it as the basis of all required legal reforms. Currently, the Federal Criminal Code provides for certain crimes related to IT systems protected by security measures; however, it does have failures that range from the absence of a specific definition for the term ‘security systems’ and ‘cybercrime’ (the latter only defined in the National Cybersecurity Strategy, whose provisions are non-binding until they are elevated to law), to cyberbullying or malware not being treated as a crime. In particular, legal initiative is intended to designate as cybercrime the following conduct: (1) hacking; (2) phishing; (3) identity theft; (4) child pornography/grooming and (5) cyber fraud; as well as to incorporate into the National Code of Criminal Procedure all the investigative steps required to obtain evidence stored digitally to preserve data and obtain such data, while protecting personal data and collaborating effectively with other jurisdictions to comply with data transfer and other processing restrictions.

On a separate note, on 12 June 2018, the Mexican Official Gazette published that Mexico has adopted the Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and cross-border data flows. Both are binding international instruments that protect the individual against any abuse of the collection and processing of personal data and they seek to regulate at the same time, the cross-border flow of personal data.

GTDT: When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

The Federal Law for the Protection of Personal Data held by Private Parties includes the data controller’s obligation to ‘immediately’ notify the breach to any data subjects that may be affected significantly in terms of their economic or moral rights, but no requirement to notify the federal regulator is set forth in the relevant law. In this regard, the key factor to be assessed by organisations when deciding whether to notify

data subjects or not would be the sensitivity of the personal data compromised and to what extent its misuse could affect data subjects, not only from an economic but also from a moral perspective.

GTDT: What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

The biggest issue in a data security incident is assessing the extent of the breach (and therefore, the need for reporting it to affected parties) by first confirming whether personal data is compromised and if so, what type of personal data (sensitive or not) and how many subjects are affected by the breach (this, along with the proper identification of the affected parties, is crucial for notification purposes). In addition to the assessment of the extent of the breach, companies should implement corrective, preventive and improvement measures to make security measures adequate to avoid a repeat breach. Such measures should be notified to data subjects, along with the nature of the breach, the personal data compromised, the recommendations to data subjects after the breach and the means available for data subjects to obtain more information of the event, if that notification is necessary, under Mexican provisions.

GTDT: What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

To be prepared for a security incident and improve security measures within the company, the Mexican regulations provide for certain obligations to data controllers, such as: prepare an

Begoña Cancino

Page 3: PRIVACY AND CYBERSECURITY IN MEXICO · What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction? In this regard, companies should be able

4 // MEXICO www.gettingthedealthrough.com

inventory of personal data and processing systems; determine the duties and obligations of those who process personal data; make a risk analysis of personal data identifying, by level, dangers and estimated risks; establish security measures and identify those effectively implemented so far; analyse the gap between existing security measures and those missing but necessary for the protection of personal data; prepare and update a work plan for the implementation of the missing security measures arising from the gap analysis; train personnel and keep a record of personal data storage media.

Likewise, the Mexican regulator, the Federal Institute for Transparency, Access to Information and Protection of Personal Data (INAI), has set out a document including 10 security recommendations for preventing theft of personal data in the digital environment.

GTDT: Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud-hosting environment?

Under Mexican Regulations on personal data held by private parties, data controllers (companies that collect and process personal data for commercial purposes) should only use services that ensure the

proper protection of the personal data they gather. Cloud computing is a model for the external provision of on-demand computer services that involves the supply of infrastructure, platform or software distributed in a flexible manner, using virtual procedures on dynamically shared resources. The data controller should enter into service agreements with at least the following contractual conditions for the service provider: (1) it shall use similar policies to protect personal data to those reflected in Mexican law; (2) if the service provided involves subcontracting, such provisions should be transparent; (3) it should not assume any ownership of the information about which the service is provided; (4) it should maintain confidentiality with respect to the personal data it holds. In addition, the service provider should as a minimum have mechanisms in place for: (1) disclosing changes in its privacy policies and the services provided; (2) permitting the data controller to limit the type of processing of personal data included in the service provided; (3) establishing and maintaining adequate security measures to protect data included in the service provided; (4) ensuring the suppression of data after the service has been provided; (5) impeding access to non-authorised parties and informing the data controller if there is an official request of data from a competent authority, and last but

Mexico is ranked eighth globally for identity theft

iSto

ck.c

om/d

iego

gran

di

Page 4: PRIVACY AND CYBERSECURITY IN MEXICO · What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction? In this regard, companies should be able

GTDT: Market Intelligence – Privacy and Cybersecurity MEXICO \\ 5

not least, (6) informing the data controller of the events of the breach immediately after its occurrence, and providing the data controller with all the necessary information for assessing the extent of the damage caused by the breach, in accordance with Mexican legal provisions.

GTDT: How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

According to INAI and figures obtained from the official source of the National Commission for the Protection and Defence of Users of Financial Services, Mexico is ranked eighth globally for identity theft, 67 per cent of those reported cases, is owing to loss of documents; 63 per cent for robbery and 53 per cent for information taken directly from their credit accounts. In the third quarter of 2017, cyber fraud grew by 102 per cent compared with the same period in 2016, and represent a proportion from 13 per cent to 51 per cent per year. In 2016, one out of every 131 emails contained malware, since email was the first source of disseminating malware. In addition, Mexico takes second place in Latin America with the greatest number of cyber attacks to mobile

devices. On 9 September 2017, the Officer of the General Prosecutor (PGR) announced in the Mexican Official Gazette a new investigation unit to combat cyber and technological crimes and enhance investigations. To March 2018, 312 files were opened by the unit to investigate crimes related to the distribution, storage and production of child pornography, initiated upon notices received from Interpol. The PGR unit is also actively working with the Bank of Mexico to identify and sanction all those responsible for a cyber attack on several financial institutions on the bank’s interbank electronic payments system.

GTDT: When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

Companies must conduct risk assessments (risk-based approach) arising from privacy and data security issues in M&A deals for them to make a decision. This is necessary not only when it comes to the target, but also for awareness of the mechanisms for exchanging personal data during the due diligence process. The risks in processing personal data should be assessed by reviewing

THE INSIDE TRACK

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

A multidisciplinary team that can provide legal advice and coordinate the required technical assistance to solve client’s issues, either for prevention or remediation. A team experienced not only in investigations but also in explaining the legal framework required by each industry in terms of data security, able to advise its clients and give training sessions to its employees so they can have a better sense of their duties in processing data in the course of each business.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

Pursuant to the existing laws, pulverised provisions as well as lack of specific provisions to define cybercrimes. Difficulties encompassing legal and technical advice. The fact that Mexico is not party to any international instruments such as the Budapest Convention, nor has it been acknowledged as a country that ensures adequate data protection standards, are some of the difficulties that lead us to enter into private agreements or find other ways to revise our standards in corporate or other transactions.

How is the privacy landscape changing in your jurisdiction?

Although the Federal Law remains the same from its issuance in 2010, the Mexican landscape has been changing and it is

expected to continue due to the international commitments adopted by Mexico with the aim of collaborating with other jurisdictions to ensure good practice in processing personal data.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

In this regard, companies should be able to differentiate between material and non-material harm under Mexican privacy laws by conducting a risk analysis. In so doing, companies will be able to determine if a breach should be notified to data subjects or if the company only needs to identify the gap between existing security measures and those missing but necessary for the protection of personal data and updating a work plan for the implementation of the missing security measures arising from the gap analysis. Material harm should be prioritised over non-material harm and will always depend on the business, scope, context and processing of the data compromised in the incident. Industry-specific risk identification of material and non-material harms is crucial then for all companies facing a cybersecurity incident, certain sectors such as the healthcare and banking should provide companies the required latitude to adapt their own internal policies.

Begoña CancinoCreel, García-Cuéllar, Aiza y Enriquez, SCMéxicowww.creel.mx

Page 5: PRIVACY AND CYBERSECURITY IN MEXICO · What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction? In this regard, companies should be able

6 // MEXICO www.gettingthedealthrough.com

the applicable laws in the relevant jurisdictions, specifically concerning data security policies, security transfers, security breach notifications, limitation purposes and fair processing. Processing activities should be classified in terms of their risk in order for the company to prioritise compliance and devise appropriate remedies to reduce potential negative impact in people. It should be noted that there is an industry-specific risk in certain sectors, for example, in the acquisition of a private health institution, clearly there would be

sensitive patient information involved that should be preserved during the due diligence process and safely transferred to the buyer post-closing. The global context should also be considered in cross-border transactions, where companies should assess the risk posed by their operation not only in their own but also in other jurisdictions with different legal regimes on data privacy that should also be respected. In short, each company has an obligation to consider the risk elements that apply to its own business and scope.


BIG Companies Should Challenge Designers more.Designers Should Challenge BIG Companies more

BIG Companies Should Challenge Designers more.Designers Should Challenge BIG Companies more

Documents
How companies should really use search

How companies should really use search

Business
CYBERSECURITY - Gogo Business Aviationlearn.business.gogoair.com/rs/097-RTO-429/images/... · CYBERSECURITY 1 Solutions brief. CYBERSECURITY: IT’S IN OUR DNA You should take cybersecurity

CYBERSECURITY - Gogo Business Aviationlearn.business.gogoair.com/rs/097-RTO-429/images/... · CYBERSECURITY 1 Solutions brief. CYBERSECURITY: IT’S IN OUR DNA You should take cybersecurity

Documents
TM Cybersecurity Report - cybersecobservatory.com...Report . Financing, trends, and companies analysis September 2015. CB. INSIGHTS. TM. 2. Cybersecurity Deals And Dollars by Year

TM Cybersecurity Report - cybersecobservatory.com...Report . Financing, trends, and companies analysis September 2015. CB. INSIGHTS. TM. 2. Cybersecurity Deals And Dollars by Year

Documents
Cybersecurity Patent Landscape ReportAnalysis firm Cybersecurity Ventures has predicted that global spending on cybersecurity products and ... •Chinese companies Tencent and Huawei

Cybersecurity Patent Landscape ReportAnalysis firm Cybersecurity Ventures has predicted that global spending on cybersecurity products and ... •Chinese companies Tencent and Huawei

Documents
ABCs for Cybersecurity Solutions the C-Suite Should Know ABCs for Cybersecurity Solutions the C-Suite Should Know NJamie Sheller, The Legal Intelligencer o ... (depending on type of

ABCs for Cybersecurity Solutions the C-Suite Should Know ABCs for Cybersecurity Solutions the C-Suite Should Know NJamie Sheller, The Legal Intelligencer o ... (depending on type of

Documents
CYBERSECURITY TALENT STUDY - McAfee · CYBERSECURITY TALENT STUDY The global shortfall in cybersecurity skills has been well-documented, with studies repeatedly confirming most companies

CYBERSECURITY TALENT STUDY - McAfee · CYBERSECURITY TALENT STUDY The global shortfall in cybersecurity skills has been well-documented, with studies repeatedly confirming most companies

Documents
Cybersecurity Index of Top Hong Kong Companies · New Technologies Executive Committees Involvement Cybersecurity Trends Agenda ... business. Cybersecurity Risk and its Associated

Cybersecurity Index of Top Hong Kong Companies · New Technologies Executive Committees Involvement Cybersecurity Trends Agenda ... business. Cybersecurity Risk and its Associated

Documents
GLOBAL PRIVACY & CYBERSECURITY...GLOBAL PRIVACY & CYBERSECURITY READ MORE WHISTLEBLOWER PROTECTION NON-COMPETE PROVISIONS MATERIAL ADVERSE EFFECT CLAUSES DISTRESSED COMPANIES ISSUE

GLOBAL PRIVACY & CYBERSECURITY...GLOBAL PRIVACY & CYBERSECURITY READ MORE WHISTLEBLOWER PROTECTION NON-COMPETE PROVISIONS MATERIAL ADVERSE EFFECT CLAUSES DISTRESSED COMPANIES ISSUE

Documents
Should you take a holiday from cybersecurity?

Should you take a holiday from cybersecurity?

Software
Norman Broadbent Cybersecurity Report - How should boards respond

Norman Broadbent Cybersecurity Report - How should boards respond

Documents
A Supply Chain Network Game Theory Model of Cybersecurity … · 2017. 1. 18. · mid-sized and large companies reported a 5% increase in cybersecurity budgets, whereas small companies

A Supply Chain Network Game Theory Model of Cybersecurity … · 2017. 1. 18. · mid-sized and large companies reported a 5% increase in cybersecurity budgets, whereas small companies

Documents
CyberSecurity CopyPortfolio™ - eToroAnalysing the cybercrime landscape, it’s very clear that there is a real opportunity for cybersecurity companies going forward. According to

CyberSecurity CopyPortfolio™ - eToroAnalysing the cybercrime landscape, it’s very clear that there is a real opportunity for cybersecurity companies going forward. According to

Documents
Turnaround and transformation in cybersecurity · Cybersecurity risks of target companies should be considered across three areas: 15 Canadian Insights –The Global State of Information

Turnaround and transformation in cybersecurity · Cybersecurity risks of target companies should be considered across three areas: 15 Canadian Insights –The Global State of Information

Documents
Implementation of the Cybersecurity Executive Order...Implementation of the Cybersecurity Executive Order November 13th, 2013 Ben Beeson, Partner, Lockton Companies Gerald J. Ferguson,

Implementation of the Cybersecurity Executive Order...Implementation of the Cybersecurity Executive Order November 13th, 2013 Ben Beeson, Partner, Lockton Companies Gerald J. Ferguson,

Documents
In cybersecurity there should be no ifs, ands, or butts · In cybersecurity, there should be no ifs, ands, or butts! Don’t let cybersecurity take a backseat

In cybersecurity there should be no ifs, ands, or butts · In cybersecurity, there should be no ifs, ands, or butts! Don’t let cybersecurity take a backseat

Documents
Why Transportation Companies Should Export

Why Transportation Companies Should Export

Small Business & Entrepreneurship
Should multinational companies request an Advance … · Should multinational companies request an Advance Pricing ... Should multinational companies request an ... equal tax rates

Should multinational companies request an Advance … · Should multinational companies request an Advance Pricing ... Should multinational companies request an ... equal tax rates

Documents
CyberSecurity...2019/09/13  · Airbus CyberSecurity provides companies, critical national infrastructure, government and defence with reliable high-grade solutions to prevent, detect

CyberSecurity...2019/09/13  · Airbus CyberSecurity provides companies, critical national infrastructure, government and defence with reliable high-grade solutions to prevent, detect

Documents
Cybersecurity: Emerging Exposures for Technology Companies · 2010-10-07 · Lieberman/Collins/Carper) S. 773 – The Cybersecurity Act (Sens. Rockefeller/Snowe) Regulatory Framework

Cybersecurity: Emerging Exposures for Technology Companies · 2010-10-07 · Lieberman/Collins/Carper) S. 773 – The Cybersecurity Act (Sens. Rockefeller/Snowe) Regulatory Framework

Documents
RESILIENT GOVERNANCE FOR BOARDS OF DIRECTORS...Abstract How should boards of directors oversee cybersecurity risk for large global companies? This has become an urgent question for

RESILIENT GOVERNANCE FOR BOARDS OF DIRECTORS...Abstract How should boards of directors oversee cybersecurity risk for large global companies? This has become an urgent question for

Documents
Privacy v. Cybersecurity : How Much Power Should the

Privacy v. Cybersecurity : How Much Power Should the

Documents
2015 GLOBAL CYBERSECURITY STATUS REPORT. 2015 Global Cybersecurity Status Report Companies and government organizations worldwide are focusing on cybersecurity

2015 GLOBAL CYBERSECURITY STATUS REPORT. 2015 Global Cybersecurity Status Report Companies and government organizations worldwide are focusing on cybersecurity

Documents
Cybersecurity Governance: Questions Boards Should Ask ......CEO and CFO to make required certifications of effectiveness regarding cyber disclosure • Companies that support CEO and

Cybersecurity Governance: Questions Boards Should Ask ......CEO and CFO to make required certifications of effectiveness regarding cyber disclosure • Companies that support CEO and

Documents
Medical Device Cybersecurity Reportmedical device companies, leading security researchers with extensive medical device cybersecurity expertise, representatives of a medical device

Medical Device Cybersecurity Reportmedical device companies, leading security researchers with extensive medical device cybersecurity expertise, representatives of a medical device

Documents
Cybersecurity and Credit Risk Management€¦ · Cybersecurity and Credit Risk Management March 19, 2018 AGENDA •Why should credit professionals care about cybersecurity? •Why

Cybersecurity and Credit Risk Management€¦ · Cybersecurity and Credit Risk Management March 19, 2018 AGENDA •Why should credit professionals care about cybersecurity? •Why

Documents
IIoT cybersecurity for transportation companies

IIoT cybersecurity for transportation companies

Documents
The Cybersecurity Imperative€¦ · The Cybersecurity Imperative 1. The speed of digital transformation is heightening cyber-risks for companies as they embrace new technologies,

The Cybersecurity Imperative€¦ · The Cybersecurity Imperative 1. The speed of digital transformation is heightening cyber-risks for companies as they embrace new technologies,

Documents
CAYMAN ISLANDS REGULATORY UPDATE · Companies and exempted liability partnerships that fail to file their annual ... “cybersecurity breach”, “cyber incident” and “cybersecurity

CAYMAN ISLANDS REGULATORY UPDATE · Companies and exempted liability partnerships that fail to file their annual ... “cybersecurity breach”, “cyber incident” and “cybersecurity

Documents
Cybersecurity: securly enabling transformaton and change · Protecting the bank and clients against fraud and cybersecurity threats Insurance Insurance companies are preparing for

Cybersecurity: securly enabling transformaton and change · Protecting the bank and clients against fraud and cybersecurity threats Insurance Insurance companies are preparing for

Documents