On 17 September 2021, the Agency for Access to Public Information (AAPI), which is the controlling authority of the Personal Data Protection Law (No. 25,326) (PDPL), penalised Cencosud SA for violating the provisions of the data protection legal framework because of a security incident.

The AAPI became aware of a data breach that affected the systems of Cencosud – a multinational conglomerate that operates in Argentina through the companies Jumbo, Easy, Vea and Disco Supermarkets – in November 2020. The security incident was triggered by a computer attack known as "Egregor ransomware", a malware that encrypts information.

The National Directorate for the Protection of Personal Data (NDPPD), a governmental body within the administrative structure of the AAIP, considered that this security incident could involve the leakage of Argentine data subjects' personal data, thus affecting the protective principles of the PDPL, as well as Cencosud's security and confidentiality duties. Consequently, the NDPPD requested that the company provide information about the incident.

The defences filed by Cencosud were considered insufficient. The NDPPD determined that neither preventive measures nor corrective measures to minimise the data breach's impact or prevent future violations had been properly taken. Also, it highlighted the fact that, after the NDPPD's request had been sent to the company, some users had received fraudulent emails under a "phishing" scheme.

Therefore, the NDPPD penalised the company for the following serious infringements:

  • failure to take the technical and organisational preventive measures necessary to guarantee the security of the information, which constitutes an infringement pursuant to AAIP Rule No. 7/2005;
  • failure to take the necessary technical and organisational corrective measures to guarantee the security duty within the organisation;
  • failure to report to its clients at the first opportunity that they could be affected by personal data leaks due to the security incident; and
  • failure to report to its clients that they could be affected by fraudulent emails under a "phishing" scheme as a consequence of the second security incident suffered by the organisation.

Consequently, the AAPI imposed on Cencosud a fine of 290,000 Argentine pesos (approximately $2,938) for committing the above-mentioned infringements.

To reach this conclusion, the AAIP took into consideration the following aspects:

  • The company did not adopt any of the security measures provided for in AAPI Resolution No. 47/2018 to prevent security incidents by design or those concerning incident management.
  • Both incidents (the ransomware attack and the subsequent data leak resulting from the fraudulent emails sent to Cencosud's clients) exposed the data subjects' personal information.
  • Cencosud, as a data controller, should have proactively reported the incident to affected users, allowing them to take preventive measures to avoid possible illegal manoeuvres and/or to exercise their rights under the PDPL if they considered it necessary. The notification duty, which is not provided for in the PDPL, is nevertheless contemplated in the Standards for Data Protection approved by the Ibero-American Data Protection Network or the updated Principles of the Inter-American Legal Committee on Privacy and Personal Data Protection.
  • Pursuant to Resolution No. 47/2018, security measures must be adopted by organisations within the context of the accountability principle considering "the organic structure that best suits its interests and operation".

For further information on this topic please contact Mariano Peruzzotti at Ojam Bullrich Flanzbaum by telephone +54 11 4549 4900 or email ([email protected]). The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.