Cyber events are global issues that manifest in many ways and generally impact several countries simultaneously. It is critical to comprehend the requirements and procedures set by each jurisdiction to ensure compliance and, at the same time, the security of personal data and data subjects. This article examines the cyber incident notification requirements in Brazil, Argentina, Colombia and Mexico.
Multijurisdictional incident response
The duty to notify the authorities of an information security incident is a key requirement of privacy and data protection legislation around the globe. Many jurisdictions have adopted such notification duties on the basis of studies indicating that reporting requirements increase transparency, accountability, and overall investment in data security, in addition to strengthening personal data protection and cybersecurity awareness within organizations.
Furthermore, mandatory notifications encourage organizations to implement incident response plans. In Brazil, for instance, when a cyber incident has occurred, the controller must inform the Brazilian data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), about the steps taken to mitigate the incident. Organizations need a thorough response plan, and a correspondingly high level of maturity, to map and document effectively the measures adopted to mitigate the breach.
Reporting is one of the most difficult challenges in data protection compliance for global corporations whose personal data processing activities are spread over many countries. Reporting triggers vary significantly from one jurisdiction to another, and an organization's privacy program must assess whether an incident should be reported in each of them.
Information security incidents may arise from malicious attacks, insider threats, or errors by an organization's own personnel. It is important to note that the need for a cyber incident report is not always related to the cause of the incident – recent research shows that insiders caused approximately 60% of cyber incidents, mostly inadvertently. For example, the majority of data breaches cited by the Colombian Data Protection Authority stem from errors made by insiders or by the organization itself, including a lack of preventive security rules or protocols, carelessness or negligence, flaws in the organization's systems, flawed procedures, and operational shortcomings.
A common misconception is that only cyberattacks are reportable incidents. In fact, most legislation follows a "risk-based approach" to determine whether an incident report is required. The standpoint is the individual and how they were affected by the incident in question. For instance, Brazil's General Data Protection Law (LGPD), Federal Law No. 13.709 of 2018, requires information security incidents to be disclosed to the regulatory authority and to data subjects if there is a risk to the individuals or relevant damage has been caused to them. The trigger is therefore not a malicious attack as such, but solely the risk and impact on individuals.
It is noteworthy that in many jurisdictions numerous authorities, typically sectoral ones, demand incident notifications of their own. For example, in Brazil, a number of sectoral authorities require breach notifications, including Agência Nacional de Energia Elétrica in the energy sector, Comissão de Valores Mobiliários for securities and exchange companies, Agência Nacional de Telecomunicações in the telecommunication sector, and Banco Central do Brasil. This article addresses only the general notification obligations imposed primarily by each nation's data protection authority, excluding any sector-specific obligations.
Triggers for reporting
In Brazil, under the LGPD, data controllers are required to report any adverse event that affects any type of personal data, such as unauthorized access, destruction, loss, modification, leakage, or any illegal data processing activity, if it is likely to put data subjects at risk, primarily regarding their rights and/or freedoms, and/or to cause any relevant damage to the data subjects.
Determining what might cause risks or damage to data subjects under the LGPD is challenging. Some factors that can be taken into consideration are whether the incident involves sensitive personal data (such as racial origin, membership in a trade union or political organization, information related to health, sexual orientation, or biometric data) or vulnerable categories of data subjects (i.e., children or the elderly), whether it is likely to facilitate financial fraud, discriminatory behavior against the data subjects, and/or identity theft, and whether it impairs the rights of third parties.
Other factors include the volume of data, how easily data subjects may be identified from the personal data affected by the incident, the territorial scope of the incident, and whether it derived from a malicious attack. Note that the last of these is just one of the criteria that may be taken into account: inadvertent and internal incidents must be notified just as deliberate ones are when the other criteria have been met.
In Argentina, reporting information security events is a "best practice" rather than a legal requirement, as not even the Argentinian Data Privacy Law mandates it. Although incident notifications are not mandatory, businesses must preserve records of data breaches in case the Argentinian DPA, the Agencia de Acceso a la Información Pública (AAIP), requests them during an inquiry or audit. Furthermore, the AAIP adopted Resolution 47 of 2018, which specifies a number of recommended security procedures, including reporting security incidents to the AAIP.
The local authority imposed an administrative fine of ARS 290.000,00 (approximately USD 3.000,00) in AAIP v. Cencosud SA. It was found that Cencosud had suffered a security breach that became public, and that the company neither took the recommended measures to prevent, notify, and remedy the effects of the breach nor notified the users whose data had been affected. Thus, despite not being mandatory, notifying data breaches has proven to be a strategic and advisable measure in the Argentinian scenario.
In Colombia, as per Law No. 152 of 2012, notifications are required in the event of security code violations or the existence of risks associated with the processing of data subjects' personal data. The non-binding accountability guidelines of Colombia's DPA (CDPA) define a data breach incident as "any incident in information systems or in manual or systematized databases that threatens the security of the personal data stored in them." This broad definition is similar to the one provided by the AAIP.
Law No. 1581 establishes a security principle and a general duty for the controller, who is responsible for enforcing information security codes. The codes must include precautions and safeguards for the company's information security, planned in accordance with several criteria outlined by the CDPA, such as the company's size and the scope and purpose of the data processing. Should those preventive measures fail, however, the CDPA states that businesses must be ready "to mitigate the risks and damages that may be caused to the basic rights and freedoms of the data subjects and the organizations." Notifying the CDPA of the security code violation is one of the necessary actions.
The CDPA categorizes the risks related to processing the data subjects' personal information into low, moderate, high, and extreme, with each organization in charge of developing its own assessment model. The CDPA does recommend certain criteria to be adopted, such as the volume and category of data subjects affected, the volume and category of the personal data affected, the cause of the data breach, and the measures taken to mitigate its impacts. This categorization helps the organization understand the risks and potential consequences of security breaches, thereby facilitating the determination of adequate security measures for each scenario.
In Mexico, the scenario more closely resembles Brazil. A report must be filed when "data vulnerabilities" significantly impact the data subjects' material or moral rights. The Federal Law on the Protection of Personal Data Held by Private Parties of 2010 introduced a non-exhaustive list of "vulnerabilities" that may trigger a reporting obligation to the Mexican authority, which include unauthorized loss, destruction, use, access, or treatment; theft, loss, or unauthorized copying; and damage, unauthorized alteration, or modification.
In Mexico and Brazil, the triggers for reporting are linked to the impact on data subjects. In contrast, notifications in Colombia and Argentina are not based on how the incident will affect the data subjects.
Who should be notified
If the triggers provided for in the LGPD described above are met, organizations must notify the ANPD and the affected data subjects – to date there is no distinction between the reporting obligations owed to the authority and those owed to individuals.
In Argentina, if the organization decides to report the incident, the report should be addressed to the AAIP in compliance with Resolution No. 47 of 2018. Notifications to the data subjects are not mentioned in the resolution, but under the Argentine Civil and Commercial Code they may be considered part of a general duty to prevent damage and avoid liability during investigations or audit procedures carried out by the AAIP.
The Delegatura para la Protección de Datos Personales of the Superintendence of Industry and Trade in Colombia is the authority responsible for personal data protection and should receive the reports. According to Law No. 1581 of 2012, organizations must also notify all affected data subjects.
In Mexico, notifications should be directed to the National Institute of Transparency, Access to Information, and Personal Data Protection (INAI). While notifying the INAI is good practice, notifying all affected data subjects is required by the Mexican Federal Law on the Protection of Personal Data Held by Private Parties of 2010.
Following a cyber incident, the affected organization must take several steps, which must be documented in accordance with its incident response plan. Reports must comply with a specific timeline in each jurisdiction, but will likely go through the same evaluation: identifying (i) the triggers for mandatory or good-practice notifications, (ii) who must be notified, and (iii) the notification deadline. Working through those three steps will set the timeline for data breach notifications in all four jurisdictions examined. Regarding the final step, the deadline for notifications, it is critical to determine whether delays are permissible and under what conditions.
According to the ANPD and the guidance currently in place, organizations must submit the report of an incident within two business days of becoming aware of it. It should be noted that this deadline has yet to be permanently fixed by a specific resolution, and the position may change. Delays in notification may be allowed in order to remediate a security incident and determine its scope, provided the controller can thoroughly document the reasons for the delay to the ANPD.
There are no mandatory deadlines in Argentina and Mexico because notifications to the authorities are not required. However, the INAI has published "Recommendations for Handling Personal Data Security Incidents," which recommends that reports be submitted "without undue delay."
The notification deadline in Colombia is much longer than in Brazil, with a total of fifteen business days to notify both the CDPA and the data subjects. Delays are not allowed, since organizations already have much more time to notify. Should a delay nevertheless occur, it could be argued that it was caused by the difficulty in identifying the corrective measures and the people in charge of implementing them. According to the CDPA's Guide to Managing Security Incidents, the deadline for organizations begins on "the date it was detected and brought to the attention of the person or area in charge of assisting them."