Fourth Annual Latin America Privacy & Cybersecurity Symposium

EGADE Auditorium
EGADE Business School
Tecnológico de Monterrey
Av. Carlos Lazo 100, Santa Fe
Álvaro Obregón, 01389
Mexico City

On May 15-16, Jones Day produced and hosted the fourth edition of the Annual Latin America Privacy & Cybersecurity Symposium in Mexico City. The Symposium brings together private practice, government officials and experts to discuss privacy and cybersecurity legal trends in the region. More than 300 attendees joined the event this year, which welcomed an impressive set of panels that included representatives from the U.S. Federal Bureau of Investigation–Cyber Division, regional banking regulators, data protection agencies, and other similar agencies from Chile, Brazil, Costa Rica, and Mexico.

The event featured many current topics in cybersecurity and privacy regulations—from the evolving nature of regulation, to managing cyberattacks, to challenges in data privacy compliance posed by emerging technologies, such as intelligent systems.

The tremendous success of this year’s event would not have been possible but for the support and collaboration of this year’s sponsors: KPMG, OneTrust, Fortinet, ICC Mexico, IAPP, EGADE Business School, BMA and S21SEC.

Some of the key takeaways from the sessions:

  • The Data Protection Compliance Landscape in Latin America Keeps Evolving. Experts agree that data privacy concepts are constantly evolving with technology (e.g., accessibility, consent, and privacy-by-design). New laws are being adopted following a model similar to Europe's approach to data protection. Brazil's new data protection law (LGPD), for example, resembles the EU GDPR and comes into force in August 2020. On the other hand, Chile is issuing a data protection law to further a digital economy strategy, and Costa Rica is hoping to join the 108 Convention. Mexico has a long data protection tradition and is working on reinforcing the data protection and cybersecurity landscape with new regulation.  
  • Enforcement of Data Protection Regulations in Mexico Is Increasing. In the last couple of years, the INAI has closed 167 investigations related to the protection of data, and imposed almost 10 million U.S. dollars in fines. The main industries affected by the INAI's enforcement actions are financial and insurance services, the communications sector, and small businesses. Additionally, investigations for noncompliance with the Federal Law on Protection of Personal Data Held by Individuals vastly increased last year, especially in the professional, scientific and technical sector, with no signs of coming to a halt in 2019. The INAI is also responsible for conducting administrative investigations of the public sector, for which 113 cases have been evaluated in the last year. These alarming figures do not include pending lawsuits related to data incidents and unlawful processing of personal data.
  • The EU GDPR Is the Main Model, but Not the Only One, to Look At for Compliance in the Region. We know the territorial scope of the EU GDPR may extend to Latin American companies, but it is also a fact that, due to new data protection regulations in the region (in some cases similar to the EU GDPR, e.g., Brazil’s LGPD), companies may choose to adopt GDPR-like principles and standardize their setup for processing personal data. Companies should pay close attention to the guidelines and position papers issued in the EU regarding the enforcement of the regulation, as these may be setting the tone not only for Europe but also for countries with similar regulations. At the same time, companies need to look into other legal systems and the models these are adopting. For instance, in the U.S., the California Consumer Privacy Act (CCPA) focuses primarily on consumer rights and disclosures required to consumers, and requires compliance efforts additional to those of the GDPR. Notably, it also adds a private right of action with statutory damages for data breaches. Although its scope is different from that of the GDPR, companies outside of the U.S. can also be subject to this regulation, its potential amendments and other state or federal privacy laws.
  • Mexico Leads the Cybersecurity Efforts in the Region. While cyberattacks are increasing in the LatAm region, the new Mexican government is pushing for a telecom regulation, a new security information law, and the addition of a cybersecurity agency. The speakers noted that careful consideration needs to be taken to protect the privacy of data and to foster new technology adoption in the country. Data shows that the average cost of a security breach is approximately $1,000,000 USD per month. The critical period to notify a cyberattack is 72 hours, but in practice the average response period takes up to 69 days. Mexico is also considering changing its consumer protection law to create an opt-in registry for call centers.
  • FinTech, a Growing Industry that May Need More Regulatory Oversight. Every 20 hours a FinTech is created in LatAm. In 2017, FinTech companies grew by 73.5%, 72.7%, 92.2%, 93.3% and 50% in Brazil, Mexico, Colombia, Argentina and Chile, respectively. E-commerce companies, such as Alibaba, Facebook, or Amazon, are becoming FinTech companies and developing their own payment platforms. The speakers expressed concern that there is relatively little regulatory oversight of e-commerce companies and the payment platforms they are adopting. Some argued that the special privacy rules applicable to financial institutions should also apply to the e-commerce entities. Also, there is greater risk of cyber breaches for FinTech entities, particularly emerging companies, which do not appear to have the maturity or resources to adopt effective cyber defense capabilities. For crowdfunding FinTech companies, speakers stressed the importance of maintaining strict internal controls to authenticate and identify clients, and of developing an adequate business continuity plan for cases of data breach.

Jones Day lawyers in the Cybersecurity, Privacy & Data Protection Practice moderated the panel discussions or were featured speakers, including Mauricio Paez (New York), Richard Martinez (Minneapolis), Olivier Haas (Paris), Guillermo Larrea (Mexico City), and Marina Moreno (Washington). Sergio Alvarez-Mena (Miami), Boris Dolgonos (New York), and Mauricio Castilla (Mexico City) also moderated panels throughout the event.

Additionally, please find attached the presentations of the following speakers:
