Mexico’s National Transparency, Information Access, and Data Protection Institute (INAI) recently announced an impending fine of almost $2 million USD to be levied against Grupo Financiero Banorte, the third largest bank in Mexico. According to a statement by an INAI official, the bank failed to immediately notify as many as 20,000 clients of a hack impacting their information. Under Mexico’s Federal Law on Protection of Personal Data Held by Private Parties, security breaches that materially affect an individual’s property or personal rights must be reported to the individual. The fine is the largest that the INAI expects to levy this year. The National Banking and Securities Commission, the bank’s regulator, is also investigating the incident.    

TIP: This case is a reminder that data breach notification requirements exist outside of the U.S. Multinational companies that suffer a breach should bear this in mind as they prepare their response strategies.