Third Annual Latin America Privacy & Cybersecurity Symposium
EGADE Business School
Tecnológico de Monterrey
Av. Carlos Lazo 100, Santa Fe
Álvaro Obregón, 01389
April 25 2:30 p.m. - 6:30 p.m.
April 26 8 a.m. - 7 p.m.
Jones Day partnered with professionals in the privacy and cybersecurity industry to host the Third Annual Latin American Cybersecurity and Privacy Symposium in Mexico City and discuss new legal obligations and trends in cybersecurity and data privacy in the region. The symposium offered panels on new legal obligations for information and security management in light of updated privacy and cybersecurity legislation in Latin American countries, and discussed best compliance practices for companies in the region. Latin American government officials alongside senior business executives and other legal advisors shared their views on where the legislation and practices are headed.
Jones Day partners Mauricio Paez (New York), Todd McClelland (Atlanta), Richard Martinez (Minneapolis), Sergio Alvarez-Mena (Miami), Mark Rasmussen (Dallas); of counsel Guillermo Larrea (Mexico City), Javier Cortés (Mexico City), Olivier Haas (Paris); and associate Marina Moreno (Washington) moderated and presented on the panels throughout the event.
Takeaways from the Symposium are shared below. They cover current trends to follow in a region where data privacy and cybersecurity regulations are being issued or are under review.
Increased interest in cybersecurity and technology. Issues such as blockchain and digital currencies, artificial intelligence, autonomous vehicles, robotics, data-driven developments, and the cloud are being carefully analyzed by regulators and companies in the region and will drive the legal industry in the coming years. Players see dangers in the unrestricted use of data and in cybersecurity breaches with new technologies.
Mexico and Brazil lead the development of financial technology institutions (Fintech) in the region. According to the CNBV, this is based on the principle of financial inclusion and innovation, among others. The new Fintech law in Mexico is an example of the importance new technologies are acquiring in the region and may become a precedent for neighboring countries that are observing technology changes and their applications. Brazil has a strong Fintech sector driven by innovation; the new regulation on Cybersecurity Policies and Requirements for Data Processing and Storage issued by Brazil's National Monetary Council will bring more certainty but also heavy obligations to financial institutions.
Latin American countries further develop privacy and data protection regulations in harmony with EU regulations. Argentina, Costa Rica, and Chile recently adhered to the Budapest Convention on cybercrime, and other countries, such as Mexico, Colombia, and Paraguay, are evaluating a potential adherence to it. In June 2017, the Red Iberoamericana published the Standards for Data Protection for the Ibero-American States, which used the EU data protection regulation (GDPR) as a base. Some jurisdictions, such as Uruguay, enforce laws and regulations based on EU Directive 95/46/CE, and others, such as Argentina or Costa Rica, use EU regulations to continue developing their own regulations, including the data protection draft bill for Chile 11.092-07 and 11.144-07. Taken together, we see Latin America heading toward implementing comprehensive data protection regimes similar to the European model.
Latin American countries lean towards a model of notifying data incidents to the authority, following the already established obligations in the U.S. and the EU. Some Latin American countries, such as Mexico or Peru, have laws requiring notification to the data subjects but not to the authority. Mexico recently issued a proposal under which notification of data breaches to the authority would also be required. Other countries, like Colombia, already have requirements to notify the authority.
Cyber-attacks are significantly present in the region. During the days after the Symposium, Banco de Mexico issued a statement that three banks experienced "incidents" with the Interbank Electronic Payment System known as SPEI that required them to connect under contingency schemes. The incidents caused significant interruption and delays in banking transfers that lasted for days, although the infrastructure of the system and clients' savings seemed not to be affected. The cyberattack was not successful, but it came a few months after hackers attempted to illegally take funds from Bancomext, the export-import bank of the Mexican Government. Likewise, in the days prior to the Symposium, the Colombian Industrial Cybersecurity Center published a study on the number of incidents. All this was a reminder that these issues have become real in the region and that companies and the financial industry are unprepared.
Summary of Key Takeaways:
- There is an increased interest in cybersecurity and technology in Latin America.
- Mexico and Brazil lead the development of Financial Technology Institutions (Fintech) in the region.
- Latin American countries further develop privacy and data protection regulations in harmony with EU regulations.
- Latin American countries lean towards a model of notifying data incidents to the authority, following the already established obligations in the U.S. and the EU.
- Cyber-attacks are significantly present in the region.