It was recently made public that the US entity Deer Park Refining L.P. ("Deer Park") was the victim of a data breach. The breach was disclosed to the Texas Attorney General's Office, and the disclosure is available for consultation here. However, this data breach is of particular importance for Mexico, since Deer Park was recently acquired by Pemex, Mexico's state-owned oil company.

Therefore, while Deer Park may have complied with US federal and state data protection laws, it may have to comply with Mexican data protection law too. The General Data Protection Law (the "General Law"), which is the law applicable to public entities, applies to all authorities, entities, organs and bodies of the Executive, Legislative and Judicial Branches, autonomous bodies, political parties, trusts and those which receive public funds.

Assuming that Deer Park has already confirmed that the breach occurred and has begun to take actions aimed at triggering a comprehensive review of the magnitude of the violation, under the General Law it must determine whether the breach significantly affects economic or moral rights. If it is determined that it does (and it may, since social security numbers were involved in the breach), the company would have to inform the data subject promptly and, as appropriate, the National Institute for Transparency, Access to Information and Protection of Personal Data and the guarantor agencies of the Federal Entities, so that the affected data subjects may take the corresponding measures to defend their rights.

If this is the case, Deer Park Refining L.P. must inform the data subject of the following:

  1. The nature of the incident;
  2. The personal data compromised;
  3. Recommendations to the data subject regarding the measures that they may adopt to protect their interests;
  4. The corrective actions carried out immediately; and
  5. Where to obtain further information.

After several security incidents at Pemex, we can infer that it is not managing information security correctly, even though its activities are regulated by different countries.