Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

During the past year, there have not been any material amendments to the Mexican data protection laws and its regulations (Mexican Privacy Law). Nevertheless, the enactment of the National Security Act, on 8 November 2019 allows Mexican authorities to rule judicial decisions to intervene in private communications for national security purposes. This Law also anticipated the replacement of the Centre of Investigation and National Security by the newly created National Intelligence Centre, a Mexican intelligence agency controlled by the Ministry of Security and Civilian Protection, whose main purpose is to preserve the state’s integrity, stability and endurance, this was a radical structural change in the Mexican government as the former intelligence agency used to be under control of the Ministry of Interior, the purpose is to reinvent the image of the agency as an authority focused on security, instead of conducting ‘authorised’ espionage. In 2019, the National Intelligence Centre hosted an official meeting where representatives of the National Bureau of Investigation and the Department of Justice agreed with the Mexican government on a programme to coordinate efforts to reinforce the exchange of information concerning to cybersecurity, including best practices to cope with activities that pose a risk for Mexico and the United States.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

The Mexican Privacy Law regulations provide that the data controller must inform only the data subject, not the federal regulator or other authority. As per the timeline, the regulations only provide that such notifications should be conducted without delay and, of course, after assessing if the breach significantly affects the property or non-pecuniary rights of the data subjects upon having conducted an exhaustive review of the magnitude of the breach so that the prejudiced data subjects may take the appropriate measures.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

Companies shall confirm first if personal data is compromised and if so, what type of personal data was (sensitive or not) and how many subjects were affected by the breach (this, along with the proper identification of the affected parties, which is crucial for notification purposes). In addition, companies must implement corrective, preventive and improvement steps to make the security measures adequate to avoid a repeated breach. These measures should be informed to the data subjects, along with the nature of the breach, the personal data compromised, the recommendations to data subjects after the breach and the means available for data subjects to obtain more information of the event, if that notification is necessary, under Mexican provisions.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

To be prepared for a security incident and improve security measures within the company, the Mexican regulations provide that companies comply with certain obligations as data controllers, such as:

  • preparing an inventory of personal data and processing systems;
  • determining the duties and obligations of those who process personal data;
  • making a risk assessment, establishing security measures and identifying those effectively implemented so far;
  • analysing the gap between existing security measures and those missing but necessary for the protection of personal data;
  • preparing and updating a work plan for the implementation of the missing security measures arising from the gap analysis; and
  • training personnel and keeping a record of personal data storage media.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

The Mexican Privacy Law provides that any (national or international) transfer of personal data to third parties (other than data processors) generally needs to be set forth in the privacy notice and requires the consent (express or implied, as the case may be) of the relevant data subject. Cloud hosting companies might process personal data under data controller’s instructions and on its behalf and therefore might be considered as data processors. Although the transfer of personal data to data processors does not need to be disclosed in the privacy notice, nor does it require the consent of the relevant data subjects, companies will be required to communicate the corresponding privacy notices to any such third parties and adopt necessary measures to ensure that they comply with the terms of such notices and the Mexican Privacy Law, which might be accomplished through the execution of a written agreement with such data processors.

In addition, considering that cloud computing is a model for the external provision of computer services on demand that involves the supply of infrastructure, a platform or software distributed in a flexible manner, using virtual procedures, on resources dynamically shared, a data controller should enter into service agreements with at least the following contractual conditions for the service provider:

  • it shall use similar policies to protect personal data as those reflected in Mexican Privacy Law;
  • if the service provided involves subcontracting, such provisions should be transparent;
  • it should not assume any ownership on the information about which the service is provided; and
  • it should maintain confidentiality with respect to the personal data about which it provides the service.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

Public prosecutors in Mexico are in charge of investigating cyber activities and to resolve them, a cyber police force has been created to follow up on crimes or unlawful activities committed through the internet. Complaints directed to the cyber police can be submitted via its website, by phone or through a Twitter or email account; in addition, the federal police have created a scientific division called the National Centre For Cyber-Incident Response, specialised in providing assistance to the victims or claimants of cyberthreats and cyberattacks. In the case of data protection, the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) may conduct investigations to follow up personal data matters. Regarding telecommunications, the Federal Telecommunications Institute is in charge of this sector. Regarding software, the Mexican Institute of Industrial Property also has investigatory powers.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

In M&A deals, companies must be cautious from the very beginning about the pitfalls around exchanging and processing personal data and the different treatment of such data in every stage of the process, whether the matter is a purchase of assets or a purchase of stocks. Depending on the type and purpose of the M&A process, companies should think about splitting the case into stages and using mechanisms to preserve such information in confidentiality as long as possible, by implementing anonymisation proceedings, being very focused on complying with the duty of confidentiality and, also, ensuring their own representatives execute sufficiently stringent non-disclosure agreements for the stage of the process. At a certain point, companies will be prepared to disclose key information to the other party and that would imply the execution of a new document allowing the exchange and level of information sought to be disclosed. Companies’ representatives should monitor the use of all personal data provided within the context of the M&A transaction to be sure that no one will be misusing the information and, by doing so, putting the company at risk. A manual of good practices when processing personal data should facilitate the communication between the parties and the analysis of personal data.

The Inside Track 

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

A lawyer specialised in cybersecurity should be able to differentiate between material and non-material harm under Mexican law by conducting a risk assessment to provide client with alternatives to move forward to avoid breaches and misuse. Lawyers should also have a good relationship with the Mexican regulator.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

The fact that terms such as ‘cybercrime’ and ‘cybersecurity’ are understood as criminal actions carried out by individuals who use information and communication technologies as a means or as an end; and are typified in a criminal code or other national code.

How is the privacy landscape changing in your jurisdiction?

The Mexican government has implemented legal changes to grant faculties in different authorities (other than those under the Ministry of Interior) to prosecute matters related to cybersecurity. This may pose challenges due to lack of expertise from the authorities. In 2019, the federal regulator on data privacy issues ruled several guidelines and recommendations for individuals to prevent a misuse of their personal data through the use of mobile applications. The amount of misuse in these environments increased during vacations specifically in the context of services provided by travel agencies. These guidelines have been issued in the context of the collaboration agreement between the INAI and the consumer protection agency, which is expected to be crucial during 2020 in the context of the covid-19 outbreak.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

The most common are related to breach of systems for obtaining personal data for profit. The private sector has cooperated when the breach is caused by hackers; however, sometimes the authorities have imposed fines on the private sector as a consequence of the breaches for not having the proper security measures in place.