Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Below is a list of the main statutes and regulations that promote cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation and management of incidents:
- the Mexican Constitution;
- the Federal Telecommunications and Broadcasting Law (FTBL);
- the Federal Law of Protection of Personal Data held by Private Parties (Data Protection Law), its regulations, recommendations, guidelines and similar regulations on data protection;
- the Federal Law on Transparency and Access to Public Information;
- the General Law on Transparency and Access to Public Information;
- general standards such as the Mexican Official Standard on the requirements to be observed when keeping data messages;
- the Law on Negotiable Instruments and Credit Operations;
- the Mexican Federal Tax Code;
- the Credit Institutions Law;
- the Sole Circular for Banks;
- the Industrial Property Law;
- the Mexican Copyright Law;
- the Federal Criminal Code;
- the National Security Law;
- the Federal Labour Law;
- the Federal Law for the Federal Police;
- the National Development Plan 2013-2018;
- the National Strategy of Cybersecurity 2017;
- the National Programme of Public Security 2014-2018; and
- the National Programme of Security 2014-2018.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
There is an industry-specific risk in certain sectors (financial services, telecommunications and health), not only in the private sector but also at the governmental level. The financial sector has been actively working with the Office of the General Prosecutor (PGR), which created a specific unit devoted to the investigation of cybercrimes in September 2017; this unit is also actively working with the Bank of Mexico to identify and sanction all those responsible for a cyber-attack on several financial institutions through the bank's interbank electronic payments system.
Has your jurisdiction adopted any international standards related to cybersecurity?
On 14 April 2015, the Ministry of Economy published in the Mexican Official Gazette the implementation of three Mexican official standards: NMX-I-27001-NYCE-2015 Tecnologías de la Información-Técnicas de Seguridad-Sistemas de Gestión de Seguridad de la Información-Requisitos, which reproduces the provisions set forth in ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management Systems-Requirements; and NMX-I-27002-NYCE-2015 Tecnologías de la Información-Técnicas de Seguridad-Código de Buenas Prácticas para el Control de la Seguridad de la Información, which reproduces the provisions set forth in ISO/IEC 27002:2013 Information Technology-Security Techniques-Code of Practice for Information Security Controls. These Mexican official standards are mandatory in Mexico for all types of organisations, regardless of their nature.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Several activities include specific obligations and sanctions for those who, within the scope of their employment, take part in any of them. For a better reference on who is liable and how they may be held responsible for inadequate cybersecurity, see question 10.
How does your jurisdiction define cybersecurity and cybercrime?
The terms cybercrime and cybersecurity are not defined in Mexican laws; however, the National Strategy of Cybersecurity 2017 defines both terms as follows:
Cybercrimes: Criminal actions carried out by individuals that use information and communication technologies as a means or as an end and that are typified in a criminal code or other national code. Accordingly, the Federal Criminal Code regulates illegal behaviours committed through electronic means that could be identified as cybercrimes by the use of electronic means for their commission.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
According to Mexican laws (specifically, the Mexican Privacy Law), organisations are compelled to implement corrective, preventive and improvement measures to make security measures adequate to avoid a breach. Organisations should be able to differentiate between material and non-material harm under Mexican laws by conducting a risk analysis. Material harm should be prioritised over non-material harm and will always depend on the business, scope, context and processing of the data compromised in the incident. Industry-specific risk identification of material and non-material harm is thus crucial for all companies facing a cybersecurity incident. Certain sectors such as healthcare and banking should provide companies with the required latitude to adapt their own internal policies. Compromising the security of databases, sites, programs or equipment (and this may include failure to implement security measures required) constitutes an administrative infringement of the Mexican Privacy Law, which could be sanctioned with fines of up to 25.6 million Mexican pesos and might be doubled if sensitive data is compromised.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
See question 10.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
See question 10.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
The Mexican Constitution includes the constitutional right to the inviolability of private communications; accordingly, the Federal Criminal Code includes specific provisions to sanction violations of that right. There are exceptions in the following cases:
- The Federal Law against Organised Crime provides:
  - that in the investigation of a crime in which it is assumed on good grounds that a member of organised crime is involved, it is possible to tap private communications; and
  - the obligation of concessionaires, authorised entities and any person holding a means or system that could be intercepted, to cooperate with the authorities, subject to a prior judicial order.
- The General Law to Prevent and Sanction Kidnapping Crimes provides the possibility to intercept private communications.
- The National Security Law, in the case of an immediate threat to national security, provides that the Mexican government must request a judicial warrant to intercept private communications for national security purposes.
- The FTBL, according to articles 189 and 190, provides that concessionaires, authorised entities and service providers of applications or contents are required to:
  - allow the corresponding competent authorities to control and tap private communications; and
  - provide the support that such authorities request, in terms of the applicable law.
In addition to the federal legislation described above, there are state laws that allow the interception of individual communications prior to any request from the relevant state authorities (the Public Prosecutor of the corresponding state) to a federal judge. Interception of private communications is not allowed in electoral, tax, commercial, civil, labour or administrative matters, or in the case of communications between the alleged perpetrator of a crime and his or her counsel.
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
- Hacking (ie, unauthorised access): article 211-bis of the Federal Criminal Code provides that whoever, without authorisation, modifies, destroys or causes loss of information contained in systems or computer equipment protected by a security mechanism shall be given a prison sentence of six months to two years, by the relevant authority, as well as a fine of approximately 8,004 to 24,012 pesos. The aforementioned penalty could be doubled in case the information is used for one's own benefit or to benefit a third party.
- Denial-of-service attacks: the Federal Criminal Code does not provide any definition, or any similar definition, for this criminal offence.
- Phishing: the Federal Criminal Code does not provide any definition for phishing; however, such criminal offence could be considered as fraud. According to article 386 of the Federal Criminal Code, a person commits fraud when he or she handles information through deceit, takes advantage of errors or misleads a person with the intent of obtaining a financial gain. In such case, the relevant authority shall impose a prison sentence of three days to 12 years, as well as a fine of approximately 2,400 to 24,012 pesos, depending on the value in each case.
- Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses): the Federal Criminal Code does not provide any definition for this criminal offence; however, this type of behaviour is similar to hacking. The aforementioned penalties are applicable in this case. If the criminal offence is committed against the state, the relevant authority shall impose a prison sentence of one year to four years, as well as a fine of approximately 16,000 to 48,024 pesos.
- Possession or use of hardware, software or other tools used to commit cybercrime (eg, hacking tools): the Federal Criminal Code provides this criminal offence as hacking, which is described above.
- Identity theft or identity fraud (eg, in connection with access devices): the Credit Institutions Law provides that a person who produces, manufactures, reproduces, copies, prints, sells, trades or alters any credit card, debit card or, in general, any other payment instrument, including electronic devices, issued by credit institutions, without authorisation of the holder, shall be given a prison sentence of three to nine years, by the relevant authority, as well as a fine of approximately 2,401,200 to 24,012,000 pesos.
- Electronic theft (eg, breach of confidence by a current or former employee, or criminal copyright infringement): as mentioned, the Credit Institutions Law provides that any person who produces, manufactures, reproduces, copies, prints, sells, trades or alters any credit card, debit card or, in general, any other payment instrument, including electronic devices, issued by credit institutions without authorisation of the holder, shall be given a prison sentence of three to nine years, as well as a fine of approximately 2,401,200 to 24,012,000 pesos. The aforementioned penalties could be doubled if any counsellor, official, employee or service provider of any credit institution commits the criminal offence.
In addition, activities such as espionage, conspiracy, crimes against means of communication, tapping of communications, acts of corruption, extortion and money laundering could be considered as threats to the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data.
Also, the Federal Criminal Code provides that a person who, with or without authorisation, modifies, destroys or causes loss of information contained in credit institutions’ systems or computer equipment protected by a security mechanism shall be given a prison sentence of six months to four years, by the relevant authority, as well as a fine of approximately 8,004 to 24,012 pesos. Moreover, an unauthorised person who knows or copies information from credit institutions’ computer systems or equipment protected by a security mechanism shall be subject to a prison sentence of three months to two years, as well as a fine of approximately 4,002 to 24,012 pesos. All the aforementioned penalties could be doubled if any counsellor, official, employee or service provider of any credit institution commits the criminal offence.
How has your jurisdiction addressed information security challenges associated with cloud computing?
Security challenges associated with cloud computing typically arise because of gaps in, or the absence of, legal provisions, or because of inefficient contractual structures regulating the relationship between the organisation and the cloud services provider. The Mexican Privacy Laws set forth the importance of entering into service agreements that impose at least the following contractual conditions on the cloud computing services provider:
- it shall use similar policies to protect personal data to those reflected in Mexican law;
- if the service provided involves subcontracting, such provisions should be transparent;
- it should not assume any ownership of the information regarding the service provided; and
- it should maintain confidentiality with respect to the personal data it holds.
In addition, the cloud computing services provider should as a minimum have mechanisms in place for:
- disclosing changes in its privacy policies and the services provided;
- permitting the data controller to limit the type of processing of personal data included in the service provided;
- establishing and maintaining adequate security measures to protect data included in the service provided;
- ensuring the suppression of data after the service has been provided;
- impeding access to non-authorised parties and informing the data controller if there is an official request of data from a competent authority; and
- informing the data controller of the events of the breach immediately after its occurrence, and providing the data controller with all the necessary information for assessing the extent of the damage caused by the breach, in accordance with Mexican legal provisions.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Yes, Mexican provisions are applicable to organisations doing business in the country.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
Yes, there are non-mandatory guidelines drafted by certain federal regulators (such as the Network for Integrity (INAI)) to complement existing provisions and allow the organisations to implement self-regulations.
How does the government incentivise organisations to improve their cybersecurity?
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
There are several computer security standards, starting with the ISO/IEC 27000 family of standards, which describe an information security management system that places the security of information under explicit management control.
ISO 15408 is a standard developed under what is known as the Common Criteria and allows many different software applications to be integrated and tested in a secure manner.
RFC 2196 is a memo published by the Internet Engineering Task Force for the development of security policies and procedures for information systems connected to the internet; it provides a broad and general vision of information security, including network security, incident response and security policies. The document is very practical and focused on day-to-day operations.
For the industrial field, in 2007 the working group of the International Society for Automation (ISA) started the ISA-99 standard, called Security for Industrial Automation and Control Systems, with the publication of the ANSI/ISA-99.00.01-2007 standard, Security for Industrial Automation and Control Systems: Concepts, Terminology and Models, in conjunction with the technical report ANSI/ISA-TR99.00.01-2007, Security Technologies for Manufacturing and Control Systems. At the beginning of 2009, ANSI approved the ANSI/ISA-99.02.01-2009 standard, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program. Finally, in 2010, it was renamed the ISA/IEC 62443 standard to align the numbering of the standard documentation with the corresponding standards of the International Electrotechnical Commission (IEC).
Are there generally recommended best practices and procedures for responding to breaches?
There are specific guidelines issued by governmental authorities intended to address best practices on cybersecurity; the most frequently used are listed below:
- Guidelines for the secure deletion of personal data. Accessible through: http://inicio.ifai.org.mx/DocumentosdeInteres/Guia_Borrado_Seguro_DP.pdf;
- Guidelines to prevent identity theft. Accessible through: http://inicio.inai.org.mx/nuevo/Guia%20Robo%20Identidad.pdf;
- Guidelines of the Internet Mexican Association. Accessible through: https://www.asociaciondeInternet.mx/es/estudios;
- Cybersecurity Strategy for Financial Institutions. Accessible through: www.banxico.org.mx/spei/d/%7BD8F9F341-00E7-459A-D35D-5F487FA05AA1%7D.pdf; and
- ICC Cybersecurity Guide for Business. Accessible through: www.iccwbo.org/Advocacy-Codes-and-Rules/Areas-of-work/Digital-Economy/Cyber-Security-Guidelines-for-Business/ICC-Cyber-Security-guide-for-business/.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
On 12 June 2018, the Mexican Official Gazette published that Mexico has adopted the Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, and its Additional Protocol regarding supervisory authorities and cross-border data flows. Both are binding international instruments that protect the individual against any abuse in the collection and processing of personal data and, at the same time, seek to regulate the cross-border flow of personal data. On 9 September 2017, the PGR announced in the Mexican Official Gazette a new investigation unit to combat cyber and technological crimes and enhance investigations. As of March 2018, 312 files had been opened by the unit to investigate crimes related to the distribution, storage and production of child pornography, initiated upon notices received from Interpol. The PGR unit is also actively working with the Bank of Mexico to identify and sanction all those responsible for a cyber-attack on several financial institutions through the bank's interbank electronic payments system.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Yes, insurance for cybersecurity breaches is available and is becoming more common.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The applicable laws empower the following authorities to investigate an incident: (i) the General Attorney Office; (ii) Public Prosecutors; (iii) the INAI; and (iv) the Federal Telecommunications Institute (IFT). Public Prosecutors in Mexico are in charge of investigating cyber activities and, to resolve them, a cyber police unit has been created to follow up on crimes or unlawful activities committed through the internet. Complaints directed to the cyber police can be submitted via its website, by phone or through a Twitter or email account; in addition, the Federal Police has created a scientific division called the National Centre for Cyber-Incidents Response, specialising in providing assistance to the victims or claimants of cyberthreats and cyberattacks. In the case of data protection, the INAI may conduct investigations to follow up personal data matters. Regarding telecommunications, the IFT is in charge of this sector.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
Public prosecutors in Mexico are in charge of investigating cyber activities and resolving incidents. A cyber police unit has been created to follow up on crimes or unlawful activities committed through the internet. Complaints directed to the cyber police can be submitted via its website, by phone or through a Twitter or email account; in addition, the Federal Police has created a scientific division called the National Centre for Cyber-Incidents Response, specialised in providing assistance to the victims or claimants of cyberthreats and cyberattacks.
In the case of data protection, the INAI may conduct investigations to follow up personal data matters. Regarding telecommunications, the IFT is in charge of this sector. Regarding software, the Mexican Institute of Industrial Property also has investigatory powers.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
The most common enforcement actions brought by authorities relate to the breach of systems aimed at obtaining personal data (either sensitive or financial data) for profit. The private sector has been cooperative when the breach is caused by hackers; however, there are cases where the authorities have imposed fines on private sector organisations (ie, in the financial sector, health sector, gaming, etc) as a consequence of breaches that occurred because the proper security measures were not in place.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
See question 10.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Please refer to our response to question 10.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
According to article 32 of the Federal Criminal Code, organisations and companies are civilly liable for the damage caused to third parties by crimes committed by their partners, managers and directors. The state is similarly liable for the crimes committed by its public officials. The Federal Civil Code provides a standard of civil liability established in article 1910, which provides that a party who illegally causes harm to another person shall be obliged to repair the damage, unless he or she proves that the damage was produced because of the victim’s guilt or negligence.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
To be prepared for a security incident and improve security measures within a company, Mexican regulations impose certain obligations on data controllers, such as to:
- prepare an inventory of personal data and processing systems;
- determine the duties and obligations of those who process personal data;
- make a risk analysis of personal data identifying, by level, dangers and estimated risks;
- establish security measures and identify those effectively implemented so far;
- analyse the gap between existing security measures and those missing but necessary for the protection of personal data;
- prepare and update a work plan for the implementation of the missing security measures arising from the gap analysis;
- train personnel; and
- keep a record of personal data storage media.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
When it comes to records containing personal data, organisations should keep records in accordance with the Mexican Privacy Law and for as long as the investigation requires. Particular attention should be given to sensitive personal data, as its storage and processing could pose a risk for organisations that do not adopt the applicable provisions of the Mexican Privacy Law.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Under the Mexican Constitution, organisations must cooperate with government agencies regarding incidents; however, no law establishes specific requirements to report incidents or potential incidents.
What is the timeline for reporting to the authorities?
By the interpretation of the Mexican Constitution, organisations must cooperate with government agencies regarding incidents. However, no law establishes specific requirements to report incidents or potential incidents and, consequently, there is no timeline for reporting either.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
Rules for reporting threats or breaches that may involve the unauthorised use of personal data are contained in the Mexican Privacy Regulations. Such regulations provide that the data controller must inform only the data subject, not the federal regulator or any other authority. As to the timeline, the regulations only provide that such notification should be made without delay, and of course after assessing whether the breach significantly affects the property or non-pecuniary rights of the data subjects, upon having conducted an exhaustive review of the magnitude of the breach, so that the affected data subjects may take the appropriate measures. Notices of breaches should contain at least the following information, as set out in the Mexican Privacy Regulations:
- the nature of the breach;
- the personal data compromised;
- recommendations to the data subject concerning measures that the latter can adopt to protect his or her interests;
- corrective actions implemented immediately; and
- the means by which he or she may obtain more information in this regard.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
On 7 November 2017, members of the Chamber of Deputies (mainly from the green party) proposed a legal initiative with the aim of introducing specific provisions into the federal criminal system, as well as adopting the Convention on Cybercrime (Budapest Convention) so that Mexico becomes part of a global network of countries devoted to securing information in cyberspace, and using it as the basis of all required legal reforms. Currently, the Federal Criminal Code provides for crimes related to IT systems protected by security measures. However, it has shortcomings that range from the absence of a specific definition of the terms 'security systems' and 'cybercrime' (the latter only defined in the National Cybersecurity Strategy, whose provisions are non-binding until they are elevated to law), to cyberbullying and malware not being treated as crimes. In particular, the legal initiative is intended to designate the following conduct as cybercrime: hacking, phishing, identity theft, child pornography or grooming, and cyber fraud; as well as to incorporate into the National Code of Criminal Procedure the investigative steps required to preserve and obtain evidence stored digitally, while protecting personal data and collaborating effectively with other jurisdictions to comply with data transfer and other processing restrictions.