Trends in Cybersecurity in Mexico (including the European Union's GDPR).


CYBERSECURITY 2018 VIRTUAL ROUND TABLE www.corporatelivewire.com



Introduction & Contents

The Cybersecurity Roundtable 2018 features four experts from around the world who share their practical knowledge and experience on a range of key topics. The experts discuss the impact of GDPR on non-European companies; identify the role of the main regulators and key legislations in their jurisdiction; and offer best practice on how to ensure compliance. Featured countries are: Brazil and Mexico.

James Drakeford, Editor In Chief

Contents

Q1. Who are the main regulators and what are the key legislations that apply to the cybersecurity in your jurisdiction? (page 5)
Q2. Have there been any recent regulatory changes or interesting developments? (page 7)
Q3. Are there any compliance issues or potential pitfalls that firms need to be cautious about? (page 8)
Q4. How has your jurisdiction been affected by the implementation of the GDPR in Europe? (page 9)
Q5. What are the most important security measures to consider when collecting consumer data? (page 10)
Q6. Why is it important for data protection regulations to be improved? (page 11)
Q7. Have there been any other recent regulatory changes or interesting developments? (page 11)
Q8. How is the continuous development of smart technology challenging cybersecurity? (page 12)
Q9. What key trends do you expect to see over the coming year and in an ideal world what would you like to see implemented or changed? (page 13)



Meet The Experts

Carlos Diaz Sobrino - Bello Gallardo Bonequi y Garcia S C
T: +52 (55) 5292 5232 E: cdiaz@bgbg.mx

Carlos joined Bello, Gallardo, Bonequi and Garcia, SC for the first time in 2012, where he has specialized in the areas of Telecommunications, Media and Technology, Protection of Personal Data, Corporate Law and M&A. In 2016 and 2017, the Chambers and Partners publication included him in the “Associates to watch” ranking as a highly recommended lawyer in the Telecommunications, Media and Technology (TMT) sector.

Hector Guzman - Bello Gallardo Bonequi y Garcia S C
T: +52 (55) 5292 5232 E: hguzman@bgbg.mx

Héctor Guzmán has provided international legal consulting services in personal data protection to BGBG Abogados for more than two years. His services include the elaboration and delivery of training courses on personal data protection, safety measures and cloud computing. In August 2013, he became the head of said area in BGBG Abogados. Héctor Guzmán was the Chief Privacy Officer in the Spanish Ministry of Defense for a year, through the Communications and Information Technologies General Sub-director’s Office – Secretary of State for Defense (Secretaría de Estado de Defensa). Héctor Guzmán has provided legal consulting services in personal data protection to various multinational corporations in Spain, in different areas such as: energy, banking, insurance, megastores, insurance company support, etc. He has also managed auditing and adaptation projects in personal data protection for various Public Administrations in Spain, including the former National Energy Commission (Comisión Nacional de Energía), the Tax Administration Organism of the Council of Barcelona, the Social Welfare Department (Consejería de Bienestar Social) of the Government of the Valencian Community and the Spanish Social Security IT Office (Generalidad Valenciana y la Gerencia de Informática de la Seguridad Social). Under the coordination of the ISMS Forum Spain and the Data Privacy Institute, he participated in two studies on a Data Protection Regulation Proposal for the European Union (first and second editions). Héctor is a member of the Ilustre Colegio de Abogados de Madrid (ICAM), the ISMS Forum Spain, the Spanish Privacy Professional Association (APEP) and of the Latin American Data Protection Observatory (Observatorio Iberoamericano de Protección de Datos).

Begona Cancino - Creel, Garcia-Cuellar, Aiza y Enriquez, S.C.
T: +52 55 4748 0679 E: begona.cancino@creel.mx

Begoña Cancino is a partner with Creel, García-Cuéllar, Aiza y Enriquez, S.C., where she heads the Intellectual Property and Entertainment practice area. Ms. Cancino has experience in all aspects of intellectual property, data privacy and administrative litigation, including counseling and litigation of patents, trademarks, appellations of origin, copyrights and trade secrets, focusing also on corporate transactions, data protection and IP aspects of the Procurement Law, regulatory, compliance, misleading advertising and unfair competition. Ms. Cancino has actively represented various foreign global companies in connection with intellectual property, data privacy, regulatory aspects and litigious matters. She also handles administrative litigious matters in general, representing clients in administrative litigations before administrative authorities and Federal courts. Ms. Cancino is a member of the International Trademark Association (INTA) and the Mexican Association for the Protection of Intellectual Property (AMPPI) and has published extensively on data protection and privacy, patents, trademarks and copyrights.




Renato Opice Blum - OPICE BLUM, BRUNO, ABRUSIO and VAINZOF Attorneys at Law
T: +55 11 2189-0061 E: renato@opiceblum.com.br

Judge at the MIT Inclusive Innovation Challenge (2018). MSc, attorney and economist; Digital Law Cyberlaw and Data Protection Program Coordinator at Research and Education Institute (INSPER); Digital Law Coordinator at Sao Paulo Law School (EPD); Member of the Executive Council of the Technical Study of the Internet of Things – IoT; Former Vice-Chair of the Privacy, E-Commerce and Data Security Committee of American Bar Association (Intl. Law) and Vice-Chair at the International Technology Law Association South America Membership Committee; Member of Octopus Cybercrime Community (Council of Europe); Member of EPA’s Policy and Scientific Committee – EPA’S Think Tank; EuroPrivacy Board Invited Member (Data Protection); President of Sao Paulo Lawyers Institute Standing Information and Technology Studies Commission; Coordinator of Study Commission of Digital Law of the Superior Council of Law at State Federation of Commerce (FECOMERCIO); Coordinator and co-author of the book “Manual of Electronic Law and Internet”.

Jan Morgenstern - MORGENSTERN GmbH
T: +49 (0) 6232 - 100119 0 E: jan.morgenstern@m-kanzlei.de

IT law is largely characterized by rapid technical development, which constantly raises new (technical) issues. Our lawyers specializing in IT law have a sound technical understanding and many years of industry knowledge, as well as comprehensive and first-class legal know-how. The lawyer and managing partner of the law firm, Jan Morgenstern, has decisively shaped the highly specialized orientation of MORGENSTERN lawyers as a specialist lawyer for IT law. The law firm specializes exclusively in IT law, the media and e-commerce. As a lecturer for IT Law and Internet Law at the University of Applied Sciences Heidelberg, as well as an author and nationwide sought-after speaker, he has constantly redefined the law firm’s claim to legally demanding services that are at the same time valuable to clients. MORGENSTERN Rechtsanwälte are active in IT law throughout Germany and are represented at the Speyer and Koblenz locations. The law firm specializes in IT law in the following focal areas:

• Design and negotiation of IT and software contracts
• Advice in connection with public procurement of IT services (EVB-IT)
• Privacy and IT compliance
• Design of general terms and conditions for software and IT services
• Advice and representation in connection with domain law issues
• Advice and representation in situations of imbalance in IT projects
• Advice and representation of IT freelancers and personnel service providers
• Non-competition clauses for freelancers / IT freelancers
• Examination and design of framework contracts and project contracts
• Mediation in difficulties in IT projects
• Representation in legal proceedings and arbitration

For MORGENSTERN Rechtsanwälte, IT law is not just a crucial specialization, but a passion. Our lawyers are committed to providing first-class legal advice based on a thorough understanding of the underlying technical processes.



Q1. Who are the main regulators and what are the key legislations that apply to the cybersecurity in your jurisdiction?

Renato Opice Blum

There is no central authority for this purpose in Brazil. Administrative entities (e.g. Public Prosecutors Office, Ministry of Justice and consumer protection authorities) are able to investigate and set fines in case of wrongdoings – and also to initiate judicial proceedings against companies and individuals. Due to the Brazilian judiciary, administrative fines and claims for damage compensation can be further discussed in the judiciary branch.

Relevant Authorities:

• Brazilian Internet Steering Committee (CGI.br)
• National Telecommunications Agency (Anatel)
• Police Departments specialised in Digital Crimes
• Public Prosecutors (State and Federal)
• Secretary for Consumers’ Defence
• Administrative entities
• Judiciary

Main legislations encompass:

• Decree No. 2,848/1940 – Brazilian Penal Code
• Law No. 4,117/1962 – Brazilian Telecommunications Act: sets forth telecommunications secrecy.
• Child and Adolescent Act (Law 8,069/1990): provides for the crime of handling child pornographic materials.
• Law No. 12,737/2012: promoted changes in the Brazilian Penal Code, typifying computer crimes such as improper invasion, data access and modification.
• Law No. 12,965/2014 – Brazilian Civil Rights Framework for the Internet: regulates the use of the internet, establishing principles and guarantees that make the network free and democratic in Brazil. Effective since 23 June 2014, it assures the rights and duties of users and companies who provide both access and services online.
• Decree No. 8,711/2016: amends the Brazilian Civil Rights Framework for the Internet regarding network neutrality, and sets standards for operators in relation to adequate services, stability, security, integrity and functionality of the network, observing some requirements such as the restriction of spam, navigation control and attacks and network congestion, among other provisions.
• Regulation No. 4,658/2018: sets forth rules for the hiring of relevant cloud computing services, data processing and storage, and cyber security policies, applicable to all financial institutions and/or those authorised to operate by the Brazilian Central Bank.

Please note that applicable provisions can also be drawn from the Brazilian Constitution, and other legislation such as the consumers’ code.



Q1. Who are the main regulators and what are the key legislations that apply to the cybersecurity in your jurisdiction?

Begona Cancino

Main Regulators: (i) the General Attorney Office; (ii) Public Prosecutors; (iii) the National Institute for Access to Public Information and Data Protection (“INAI”); and (iv) the Federal Telecommunications Institute (“IFT”).

Public Prosecutors in Mexico are in charge of investigating and resolving cyber activities; a cyber police service has been created to follow up on crimes or unlawful activities committed through the internet. Complaints directed to the cyber police can be submitted via its website, by phone, or through a Twitter or email account; in addition, the Federal Police have created a scientific division called the National Centre for Cyber-Incidents Response, focused on providing assistance to the victims or claimants of cyber threats and cyber-attacks. The INAI is empowered to evaluate whether the cause that originated a data breach was a failure of compliance or negligence. INAI is in charge of: (i) guaranteeing people’s right of access to public government information; (ii) protecting personal data in the possession of the federal government and individuals; and (iii) resolving denials of access to information that the dependencies or entities of the federal government have formulated. The IFT is in charge of regulating telecommunications and broadcasting services.

Key Legislations:

• The Mexican Constitution.
• The Federal Law against Organised Crime.
• The Federal Telecommunications and Broadcasting Law.
• The Data Protection Law, its Regulations, Recommendations.
• Guidelines and similar regulations on data protection.
• The Federal Law on Transparency and Access to Public Information.
• The General Law on Transparency and Access to Public Information.
• General Standards such as the Mexican Official Standard Regarding the Requirements that shall be observed when keeping Data Messages.
• The Law on Negotiable Instruments and Credit Operations.
• The Mexican Federal Tax Code.
• The Credit Institutions Law.
• The Sole Circular for Banks.
• The Industrial Property Law.
• The Mexican Copyright Law.
• The Federal Criminal Code.
• The National Security Law.
• The Federal Labour Law.
• The Federal Law for the Federal Police.
• The National Development Plan 2013–2018.
• The National Programme of Public Security 2014–2018.
• The National Programme of Security 2014–2018.



Q2. Have there been any recent regulatory changes or interesting developments?

Renato Opice Blum

Yes. The Brazilian House of Representatives approved the Brazilian data protection draft bill (PL 53/2018, “LGPD”) on 29 May 2018, due to an agreement reached by the Reporting Deputy. Following the Brazilian legislative procedure, the draft bill was forwarded to the Senate for analysis, and sanctioned by the President as of 14 August 2018. The draft bill is an important landmark in Brazilian history and will serve as the European General Data Protection Regulation (“GDPR”) – from which it draws inspiration.

The law will come into force 18 months after its publication on 16 February 2020, which is the deadline for companies to comply with the LGPD. LGPD applies to the processing (including operations such as collection, use, storage, transmission and erasure) of personal data (any information relating to an identified or identifiable natural person, including but not limited to name, national identification numbers, location data, tastes and interests) that takes place in Brazil or relates to data subjects who are in the country, even if by enterprises located abroad. It is important to stress that the LGPD provides for extraterritorial effects. All companies that treat or aim at Brazilian data will be subject to its provisions. Another important provision regards cross-border data transfer, which will be made easier among countries that meet adequate data protection standards. This is the reason why companies that handle Brazilian data should prepare to comply – much like the global trend initiated by GDPR. The main goal of the legislation is to empower the individual towards the ownership and control of his own data. As regards pecuniary fines, these may reach as high as two percent of the total revenues earned by the company, economic group or conglomerate in Brazil in the fiscal year preceding the commencement of the investigation, excluding taxes, but limited to a BRL 50 million cap per infringement (roughly USD 13 million).

Begona Cancino

On 7 November 2017, members of the Chamber of Deputies (mainly from the Green Party) proposed a legal initiative with the aim to introduce specific provisions into our federal criminal system, as well as to adopt the Convention on Cybercrime (Budapest Convention) in order for Mexico to be part of a global net of countries devoted to securing information in cyberspace and use it as the basis of all required legal reforms. Currently, our Federal Criminal Code provides for certain crimes related to IT systems protected by security measures; however, it does have failures that go from the absence of a specific definition for the terms “security systems” and “cybercrime” (the latter only defined in the National Cybersecurity Strategy, whose provisions are non-binding until they are elevated to law), to the lack of considering cyberbullying or malware as a crime. Especially, by means of this legal initiative, it is intended to typify as cybercrimes the following conducts: (i) hacking; (ii) phishing; (iii) identity theft; (iv) child pornography/grooming and (v) cyber fraud; as well as to incorporate into the National Code of Criminal Procedures all investigative steps required to obtain evidence on digital means, to preserve data stored and obtain such data while protecting personal data, and to collaborate effectively with other jurisdictions for coping with data transfer and other processing restrictions.

In a separate note, on 12 June 2018, it was published in the Mexican Official Gazette that Mexico has adopted the Council of Europe Convention 108 of 28 January 1981 for the “Protection of Individuals with regard to Automatic Processing of Personal Data” and its “Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and cross border data flows”, considering that both are binding international instruments which protect the individual against abuses which may accompany the collection and processing of personal data and which seek to regulate, at the same time, the cross border flow of personal data.



Q2. Have there been any recent regulatory changes or interesting developments?

Carlos Diaz Sobrino

Regarding data protection, one of the newest applicable legal frameworks relates to the protection of personal data processed by governmental authorities and public entities: the General Law for the Protection of Personal Data held by Public Authorities (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados). Before the enactment of said law, the general law was only applicable to the protection of personal data when the personal data was processed by individuals or companies. This development raises the standards in the protection of personal data in Mexico, as public and private parties now have to follow principles regarding the protection of personal data. Now, it is more common to see public authorities looking for advice on how to implement measures for the protection of the processed personal data. They are starting to have awareness of this important issue. Regarding cybersecurity, in July 2018, the Central Bank of Mexico published legal and regulatory general provisions applicable to the entities who are part of the Interbank Electronic Payment System (SPEI per its acronym in Spanish) in order to establish new procedures and requirements to guarantee the correct operation of the Interbank Electronic Payment System, due to certain directed attacks that trespassed the security of the system and affected its operation. Those attacks were mostly suffered by banks and stock exchanges.

Q3. Are there any compliance issues or potential pitfalls that firms need to be cautious about?

Renato Opice Blum

Certainly. As regards the Brazilian GDPR, the main points of attention for both privacy and compliance professionals follow below:

• Material Scope: it applies to any activity that involves the use of personal data, including the ones carried out by internet;
• Extraterritorial Scope: the legislation applies to companies located outside Brazilian territory, despite any physical presence in the country;
• Legal Framework: consent is one of the 10 hypotheses provided that are able to legitimate the processing of personal data;
• Key Principles: lawfulness; purpose limitation; data minimization; transparency; non-discrimination; safety; damage control; responsibility and accountability; free access and data accuracy;
• Data Subject Rights: among others, the right to information, access, data portability, erasure and amendment;
• Supervisory Authority: although provided for in the original draft bill, it was vetoed by the President and should be implemented by 2020 through another legislative procedure;
• Specific Rules: apply to the processing of sensitive data, children and teenager data and international data transfer;
• Data Protection Impact Assessment: obligation to perform data protection assessments;
• Data Protection Officer (DPO): every company responsible for data processing must designate a DPO;
• Notification: mandatory in some cases, including data breaches;
• Infringements: pecuniary fines up to BRL 50 million per infringement.



Q3. Are there any compliance issues or potential pitfalls that firms need to be cautious about?

Begona Cancino

Assessing the extent of the breach (and therefore, determining whether there is a need to report such a breach to the affected parties) is a potential pitfall from the compliance perspective. Firstly, one would confirm whether the personal data is compromised and, if so, what type of personal data (sensitive or not) and how many subjects are affected by the breach (this, along with the proper identification of the affected parties, is crucial for notification purposes). In addition to the assessment of the extent of the breach event, companies should implement corrective, preventive and improvement steps to make the security measures adequate to avoid a repeated breach. In case that notification is necessary under Mexican provisions, such measures should be communicated to data subjects, along with the nature of the breach, the personal data compromised, the recommendations to data subjects after the breach and the means available for data subjects to obtain more information about the event.

Q4. How has your jurisdiction been affected by the implementation of the GDPR in Europe?

Renato Opice Blum

An increased number of companies searched for advice and implementation of GDPR in Brazil due to its extra-territorial effects. Nonetheless, it also pushed the data privacy agenda forward in Brazil. The “Brazilian GDPR” draft bill’s origins date back to 2009, when it was first drafted within the Brazilian Ministry of Justice, after a procedure that involved intense debates and public consultations. The final wording of PL 53/2018 is also the result of other bills that were under analysis by the Chamber of Deputies, PL 4060/2012 and PL 5276/2016. It is worth clarifying that a second draft bill concerning data privacy is currently under discussion in the Senate (PLS 330/2013). Both projects, the Chamber of Deputies one and the Senate one, were facing delays in processing mainly due to the Brazilian political scenario, but were undoubtedly pushed forward by two main events: the Cambridge Analytica scandal and GDPR. Also, it is worth mentioning that in recent years many incidents were reported by the media regarding leakage of information and non-authorised sharing of data, triggering an urgent need for a more specific law in Brazil.

Begona Cancino

In general terms, we may say that Mexico has proper regulations on the protection of personal data. Mexican law does not differ much from the specific provisions set forth by GDPR. However, there are differences that should be considered carefully. The Federal Law for the Protection of Personal Data held by Private Parties includes the data controller’s obligation to notify “immediately” (instead of within a specific term such as the one provided by the GDPR) the breach to data subjects that may be affected significantly in their economic or moral rights, but no requirement to notify the federal regulator is set forth in the relevant law. In this regard, it will be up to data controllers to decide whether to notify data subjects or not (please refer to our response to question three, regarding “potential pitfalls to be cautious about”); to that end, the data controller would rely on how sensitive the personal data compromised in the breach is and to what extent its misuse could affect data subjects not only from an economic, but also from a moral perspective.



Q4. How has your jurisdiction been affected by the implementation of the GDPR in Europe?

Hector Guzman

Even before 25 May 2018 the GDPR started to affect certain data controllers established in Mexico. In particular, the tourist sector has had to implement compliance measures in its relationships with European service providers and European citizens (their clients). Service providers from the EU started to send Data Transfer Agreements and Standard Contractual Clauses to be signed by tourist companies in Mexico.

The use of Standard Contractual Clauses has caused “negotiations” between the parties, since some European companies wanted to sign controller-to-processor agreements when data transfers actually occur between data controllers. This proves that even today many European companies do not differentiate between a data controller and a data processor. Several Mexican companies will face the application of article 3.2 of the GDPR, but many are not aware of the impact of the GDPR and many others believe that the GDPR (a foreign law) is not binding. Time will tell if companies deciding not to comply will face real consequences coming from European DPAs.

Q5. What are the most important security measures to consider when collecting consumer data?

Begona Cancino

The Federal Law for the Protection of Personal Data held by Private Parties includes the data controller’s obligation to notify “immediately” the breach to data subjects that may be affected significantly in their economic or moral rights, but no requirement to notify the federal regulator is set forth in the relevant law. In this regard, the key factor to be assessed by organisations when deciding whether to notify data subjects or not would rely on how sensitive the personal data compromised in the breach is and to what extent its misuse could affect data subjects not only from the economic, but also from the moral perspective. To be prepared for a security incident and improve security measures inside the company, the Mexican Regulations provide for certain obligations for data controllers, such as: (i) an inventory of personal data and processing systems; (ii) determining the duties and obligations of those who process personal data; (iii) having a risk analysis of personal data identifying, by level, dangers and estimated risks; (iv) establishing security measures and identifying those effectively implemented so far; (v) analysing the gap between existing security measures and those missing but necessary for the protection of personal data; (vi) preparing and updating a work plan for the implementation of the missing security measures arising from the gap analysis; (vii) training personnel; and (viii) keeping a record of personal data storage media.

Data controllers collecting consumer data by means of web formats shall provide secure electronic communications by using SSL certificates. If they provide electronic payments platforms to sell their products/services, they shall look for compliance with PCI DSS.

Hector Guzman

If we are hiring a data processor that will process consumer’s data, we shall be sure that the relevant service provider complies with a minimum of security requirements to process data on our behalf. In fact, data controllers shall hire data processors using the requirements or criteria provided by article 28 of the GDPR: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures”.




Q6. Why is it important for data protection regulations to be improved?

Renato Opice Blum

Technology is pushing away any remaining physical boundaries between countries and people – either in terms of social contact or services rendering. However, conflicting interests strengthen the need for a coherent legislative framework to address contemporary challenges regarding data protection, ownership and cross border information flow. In comparison to other commercially relevant countries, Brazil was among the few countries that did not handle the matter by means of a specific legislation. Thus, the visibility of Brazil may improve in the international technological scenario. Data protection regulations are also positive in terms of assuring rights to users and preventively protecting their data as a means to shield from certain incidents. In addition, the level of accountability required of companies by data protection legislations and the penalties set forth will fuel immediate important changes concerning safety of data in the segment.

Hector Guzman

It is a fact that technology evolves faster than laws. New and improved technologies allow different human interactions that were not foreseen by a legislator 20, 10 or five years ago. In this scenario, it is easy to find current regulations that cannot deal with conducts or behaviours that only a few years ago didn’t exist (e.g. blockchain and cryptocurrencies).

Data protection regulations are not different from other regulations when facing the challenge to keep updated in a dynamic world. The adoption of the GDPR proved that a Directive from 1995 could not face the challenges of a hyperconnected world and where zillions of data are exchanged every year. Legislators shall face the fact that laws will become outdated faster than in the 20th century; therefore, they shall review and update procedures for data protection regulations as a general rule.

Q7. Have there been any other recent regulatory changes or interesting developments?

Renato Opice Blum

Yes. Regulation No. 4.658/2018 was enacted in 2018, and sets forth rules for the hiring of relevant cloud computing services, data processing and storage, and cyber security policies, applicable to all financial institutions and/or those authorised to operate by the Brazilian Central Bank. From an international perspective, the most interesting aspect of the Regulation is the green light for the hiring of relevant cloud computing services, data processing and storage from foreign providers – irrespective of their location, or the location of the services rendering. Foreign providers will be subject to a higher standard of requirements, from which we highlight:

• The existence of an information exchange agreement between the Brazilian Central Bank and the regulatory authorities of the countries where the services will be provided.
• In any case, the hiring must be submitted a priori to the analysis of the Brazilian Central Bank.

The hiring institution must:

• Ensure that the provision of services does not cause any damage to its regular functioning nor harm in any way the performance of the Brazilian Central Bank.
• Decide, a priori, which countries and regions can provide services. Countries that limit or impede access, by the Brazilian Central Bank, to the information provided are ineligible.
• Provide for alternatives in case the agreement cannot be maintained or is terminated.



Q7. Have there been any other recent regulatory changes or interesting developments? The Regulation also addresses other sensitive points, such as: (i) privacy by design; (ii) an incident response plan, considering the reality of each institution; and, finally, (iii) the inclusion of mechanisms to disseminate the cyber security culture to clients and users.

Renato Opice Blum

According to INAI and figures obtained from the official source of the National Commission for the Protection and Defence of Users of Financial Services, Mexico ranks eighth place for identity theft worldwide. 67% of those reported cases are due to loss of documents, 63% for robbery, and 53% for information taken directly from their credit accounts.

Begona Cancino

During Q3-2017, cyber frauds more than doubled (102%) compared to the same period of 2016, and represent a proportion from 13% to 51% year-on-year. In 2016, one out of every 131 emails contained malware. In addition, Mexico ranks second place in Latin America for the greatest number of cyberattacks on mobile devices. On 9 September 2017, the Office of the General Prosecutor (PGR) announced through the Mexican Official Gazette a new investigation unit to combat cyber and technological crimes and enhance investigations. Until March 2018, there were 312 files opened by the unit to investigate crimes related to the distribution, storage and production of child pornography, initiated upon notices received from Interpol. The unit of the PGR is also actively working with the Bank of Mexico to identify and sanction all those responsible for the cyberattack on several financial institutions' interbank electronic payments system.

Q8. How is the continuous development of smart technology challenging cybersecurity? Though the Federal Law remains the same since its issuance in 2010, the Mexican landscape has been changing and is expected to keep changing due to the international commitments adopted by Mexico with the purpose of collaborating with other jurisdictions to ensure good practices when it comes to processing personal data.

Begona Cancino

Carlos Diaz Sobrino

I believe that the “artificial” consciousness of Artificial Intelligence (AI) regarding monitoring, surveillance, and processing of personal data, which in some cases may be sensitive personal data, is exponentially growing without taking into consideration the security threats that this technology exposes when processing, transferring or simply accessing information or databases to gather information. The threats challenge cybersecurity as the AI may not consider applicable requirements, which sometimes are implemented on a case-by-case basis to information systems and software, because it is certainly not always required to have strict security measures when using AI. Also, I believe that the Internet of Things (IoT) is challenging cybersecurity, understanding these challenges as security challenges when processing data which in many cases may be considered personal data and which has to be protected in accordance with the applicable law, which is also a conflict point, due to the nature of the type of processing, which is in many cases happening in the cloud.


Q9. What key trends do you expect to see over the coming year and in an ideal world what would you like to see implemented or changed?

Begona Cancino

We expect additional provisions to regulate, in a deeper sense, data privacy issues related to cloud computing. Under Mexican Regulations, the data controller should only use services that ensure the proper protection of the personal data they gather. Considering that cloud computing is a model for the external provision of computer services on demand that involves the supply of infrastructure, platform or software distributed in a flexible manner, using virtual procedures on dynamically shared resources, the data controller should enter into services agreements with, at least, the following contractual conditions for the service provider: (i) it shall use policies to protect personal data similar to those reflected in the Mexican law; (ii) if the service provided involves subcontracting, such provisions should be transparent; (iii) it should not assume any ownership of the information about which the service is provided; (iv) it should maintain confidentiality with respect to the personal data about which it provides the service. In addition, the service provider should have mechanisms in place at least for: (i) disclosing changes in its privacy policies and the services provided; (ii) permitting the data controller to limit the type of processing of personal data included in the service provided; (iii) establishing and maintaining adequate security measures to protect data included in the service provided; (iv) ensuring the suppression of data after the service has been provided; (v) impeding access by those who do not have authorised access and informing the data controller if there is an official request for data from a competent authority; and, last but not least, (vi) informing the data controller about breach events immediately after their occurrence, and providing the data controller with all necessary information to assess the extent of the harm caused by the breach, in accordance with Mexican legal provisions.

Carlos Diaz Sobrino

Key trends on data protection would be the harmonisation of local applicable frameworks with the principles established in the GDPR, as in many countries the European regulation on Privacy and Data Protection has been the ground of local frameworks. The strengthening of the authority of Data Protection Agencies (DPAs) will also be very common, as strong governmental authorities are needed to enforce applicable data protection laws. In Mexico, our DPA, the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales), in charge of enacting our Mexican data protection law, is very active on investigation procedures and the imposition of sanctions and fines related to breaches of the data protection laws and regulations. On cybersecurity, the importance of international bodies such as the Inter-American Committee against Terrorism (“CICTE”) of the Organization of American States (“OAS”) and the Group of Governmental Experts of the United Nations on Information and Communication Technologies in the context of international peace and security, to mention a few of them, will increase, and the importance of their resolutions may impact local laws for the implementation of procedures and requirements to prevent cyberattacks on governmental authorities and public bodies.
