What does this cover?
For those who consider Mexico a virgin market for cyber or data protection insurance policies, think again and consider the development of its data protection legal framework. This month there has been a lot of activity from the National Data Protection Agency (the INAI – Instituto Mexicano de Transparencia, Acceso a la Información y Protección de Datos Personales); integrating the National Transparency System (the SNT), its commissions and the latter’s coordinators. The SNT is integrated, among others, by “guarantor agencies”, one per each of the States of Mexico, which have full autonomy for enacting the information access and data protection provisions within its respective jurisdiction.
On April 2015, Mexico adopted an open data protection framework the Ley General de Transparencia y Acceso a la Información Pública (the Transparency Law), as a result of the combined efforts of local authorities, society actors and international bodies. Accordingly, all public entities, authorities and any other private entities that receive, use or benefit from public funds, must abide with the Transparency Law and the resolutions issued by the SNT or its guarantor agencies.
The Transparency Law provides the adoption of a National Open Government Platform, which is still under construction, but will allow citizens to have full access to government records. Those caught by the Transparency Law will be required to abide with the “Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados”, which is under development. In the interim, they will be required to abide with the "Federal Data Protection Law", which is in full force, and this has been a source of liability for many of those caught by the Act. Related to this, the 'Federal State Liabilities Law', as well as some of the Mexican states' liability regulations, provides that some of those caught by the Transparency Law must have in place an insurance policy which covers the losses arising from any violation, which, under the Transparency Law, would extend to data protection and/or cyber risks. However, these entities tend to seek “all risks” policies, for which cyber could be offered as an additional coverage, leaving no room covering the isolated risk.
Despite to this date there being no confirmation on the topic, the common view is that the local “guarantor agencies” will undertake, at a local level, the activities currently performed by INAI at a Federal level, in the observation of data protection obligations. This could result in an increase on the number of visits and data protection procedures followed by data protection agencies, potentially increasing the exposure of those caught by the Transparency Law.
As part of other developments achieved by INAI in enforcing its data protection duties, we highlight that INAI recently executed an agreement with Secretaría de Hacienda (the local tax collection authority), with the objective of sharing information over the incomes and economic situation of citizens, which will allow it to determine penalties against those who violate data protection law, which are proportional to their economic situation.
What action could be taken to manage risks that may arise from this development?
Financial services companies should review whether their operations in Mexico in any way are in receipt of, use or benefit from public funding of the type that could make their Mexican branch(es) subject to the Transparency Law. In addition, companies operating within the insurance sector could review the potential of increased insurance demand (cyber coverage) as a result of the Transparency Law.. Other financial services companies may wish to review cyber coverage availability in respect of their business.
Submitted by José Luis Arce Fernández and Rodrigo Fernández-Guerra of DAC Beachcroft – Mexico City, Mexico in partnership with DAC Beachcroft.