The National Insurance and Bonds Commission recently amended Provision 4.10.18 of the Sole Provisions on Insurance and Bonds and eliminated the corresponding Appendix 4.10.18, removing the obligation for insurers and bonding companies to inform the commission when their users' sensitive information is:

  • altered;
  • extracted;
  • lost;
  • deleted; or
  • suspected of having been accessed without authorisation or compromised.

As of 11 September 2018, where one of the above occurs with regard to a user's sensitive information, the corresponding insurer or bonding company must immediately conduct an investigation to determine whether the information has been or may be misused. Companies must also notify affected users of the data breach within three working days in order to alert them to the potential risks arising from the misuse of their information and the measures that must be taken.

Under the Sole Provisions on Insurance and Bonds, a user's 'sensitive information' constitutes:

  • their personal information (eg, name, address, phone number or email address);
  • information on the contracts that they have entered into with the insurer or bonding company;
  • any identifying information; and
  • their authentication information.

For further information on this topic please contact Carlos Ramos Miranda at Hogan Lovells BSTL SC by telephone (+52 55 5091 0172).

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.