Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

There is an increasing awareness of the risks in the use of technology and the internet in both private and public sectors. In the public sector, there are specific draft bills on cyberdefence and cybersecurity in the process of being passed by the national Congress. This is an important step, though there has not been enough public discussion on the matter. In the private sector, firms located in Peru whose parent companies belong to international economic groups are taking the European General Data Protection Regulation (GDPR) – in force since May 2018 – as a reference. Some other firms are implementing measures to comply with what Law No. 29,733 (the Personal Data Protection Act (PDPA)) sets forth. Despite the foregoing, in our daily practice we can confirm there is a great number of firms still not aware of their PDPA obligations.

Let’s turn to the main regulatory event this year. In our last report, we mentioned the Budapest Convention on Cybercrime (the Convention) was still pending approval by Congress. In February 2019, Congress approved it, though it issued certain statements and restrictions related to its applicability. The Convention aims at harmonising the characteristics and elements of crimes in a context of technological breaches and unlawful access to digital information. It also establishes a quick and effective system of international cooperation between countries for public prosecution.

Relevant statements in the introduction of the Convention into the Peruvian legal system are:

  • ‘illegal access’ requires the crime to be committed in violation of security measures;
  • ‘illegal interception’ needs to be committed with criminal will and such crime must be committed in relation to a computer system connected to another computer system;
  • ‘computer-related forgery’ requires criminal intent to defraud; and
  • requests for mutual assistance between countries shall be directed to the Peruvian central authority.

Regarding relevant restrictions imposed on the Convention’s enforcement, Congress has declared:

  • simply possessing devices or data that enable cybercrimes to be committed is not an offence per se; and
  • producing, offering or distributing pornography of non-minors appearing to be minors, or realistic images representing minors are not offences, for these do not involve the actual participation of a minor.

The approval of the Convention complements the introduction of cybercrimes into the Peruvian Penal Code back in 2000. As previously reported, in 2013 Law No. 30,096 (the Cybercrimes Law) replaced most of the Penal Code provisions and finally Law No. 30,171 amended Law No. 30,096. Before the creation of this legislation, most crimes related to security incidents were prosecuted as new forms of scams. Lately, unlawful access to systems by breaching security measures, unlawful distortion of data, illegal traffic of data and data interception, among other things, are prosecuted as cybercrimes, which are more serious offences than mere scams. The Convention will enable Congress to amend the Peruvian Penal Code to update it and harmonise it with the Convention’s rules.

During 2018 and 2019, the National Authority for the Protection of Personal Data (DPA) has clarified criteria about the implementation of security measures. As a general rule, the data controller and data processor shall arrange and document security measures in order to prevent alteration, loss and unauthorised access to personal data. These measures include technical controls, legal provisions and agreements as well as organisational policies, protocols and norms.

After being queried on measures to be adopted to prevent cyberattacks, the DPA has stated the Information Security Guidelines need to be followed even though they are not mandatory but instructive. According to the DPA, the responsible entity (whether controller or processor) is obliged to guarantee information security; thus, if a cyberattack takes place, such entity may be liable even if certain security measures were implemented. Under this very questionable approach, the controller would have failed to guarantee data security given that illegal access to data has occurred (Report No. 013-2018-DFI-VARS). This opinion corresponds to a strict liability standard, rather than a subjective liability standard, and, whether right or wrong, firms must be aware of it.

The DPA has responded to another query regarding the applicability of the Information Security Guidelines. Again, even though these guidelines are not mandatory, it is apparent some of them are in practice. For example, as a general rule, controllers and processors must restrict access to web pages, personal emails and USB ports in devices that have access to personal data (Report 03-2018-JUS/DGTAIPD-PDP), even though such a restriction is not strictly established in the PDPA.

It is worth mentioning another topic elaborated in the past year. In our 2018 report, we mentioned the DPA had merged with the Authority for Transparency and Access to Public Information. During the past year, the new merged authority has clarified and balanced the delicate relationship between the right to personal data protection and the right to access public information, including personal data of public workers and officials. We find the following rules relevant:

  • the PDPA is not applicable to the data managed by public entities, as long as such data is required to exercise the entities’ legal competences;
  • information contained in the email accounts of public workers can be accessed as long as the information does not qualify as confidential, secret or reserved pursuant to the Law of Transparency and Access to Public Information, or does not include personal information of the worker;
  • applicants’ resumes can be temporarily published in the context of a recruitment and selection process for public workers and public workers’ economic income can also be legally accessed; and
  • personal data related to the taxpayer ID can be published by the local tax agency, but contact information cannot be published as it would not be proportional.

These rules confirm the main principles set forth in the PDPA: consent, proportionality and security. Compliance with these has been the focus of recent wider and more detailed supervision activity by the DPA. In such respects, current main obligations under the PDPA are briefly summarised as follows:

  • the data controller shall identify and register its databanks of personal data before the DPA and communicate any cross-border transfer of data;
  • the data controller shall attain the data subject’s informed consent for the processing of their data, provided specific exceptions in the PDPA do not apply;
  • the data controller and data processor shall arrange and document security measures to prevent alteration, loss and unauthorised access to personal data, including technical controls, legal provisions and agreements as well as organisational policies, protocols and norms; and
  • the data controller must arrange a mechanism for the exercise of data subjects’ privacy rights.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

As reported previously, the PDPA does not set forth an explicit obligation to notify data breaches to regulators or consumers, though a draft bill on cybersecurity still being discussed in the Congress may finally establish such obligation. Elsewhere, the Information Security Guidelines issued by the DPA outline the procedure to be followed after a security incident has occurred. Again, these guidelines are not mandatory in theory, but they seem to be enforceable in practice, given current trends in supervision activity.

When a security incident takes place, firms must:

  • identify specific vulnerabilities and find out how the incident came to happen;
  • define the scope (type and amount) of compromised data and data subjects that have been affected;
  • implement short-run control measures such as stopping access, preventing further leaks and eliminating malicious software, among others; and
  • notify data subjects whenever there is a potential danger that can be avoided and whenever data subjects or the DPA can take necessary actions to minimise damage.

The main principle to apply in these cases is to handle the event with due diligence and to prevent harm from materialising or increasing.

For instance, it is estimated that 31 per cent of the attacks that occur today internationally are directed against financial services and e-banking. On 22 August 2018, Peruvian banks detected that cyberattacks had been carried out against different agents of the global financial system. The banks’ association initiated its security protocols and monitored its members’ systems to prevent any harm or irregularities in banking activities in Peru. Some of them even suspended certain services as a means to guarantee their systems’ security. Finally, they succeeded in repelling the attacks.

These good practices are particularly to be followed in the context of consumers’ personal data, given the obligation to render ‘suitable services’ set forth in the Consumer Protection Regulation.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

Controlling damages is all about understanding the origin, nature and scope of the incident and rearranging short-run security measures in order to stop the destruction, distortion, leakage, diffusion and any other specific effect of the data incident. During a data security incident, organisations must activate their incident-security policies and take care of their vulnerabilities by quickly implementing technical controls.

Once urgent measures have been taken and the emergency has passed, the company has the responsibility to engage in an internal investigation in order to identify the perpetrator of a conscious or negligent data breach or other incident. Failure to take legal action against perpetrators and to file corresponding complaints with competent authorities may bring legal liabilities. For instance, if the company had its security measures duly implemented but the data leakage was possible owing to a voluntary action of an access-privileged employee, then the company will be able to minimise liability claims by cooperating with authorities, issuing a report based on the employee’s traced actions, identifying the addressees of the data and warning them to refrain from using the data. In the end, the will of a bad employee is not under the company’s control, so the company should not take responsibility for that action.

From our experience, we can say most companies lack security protocols and information flows. A culture of compliance and commitment to data protection is not mature enough or disseminated, thus reactive strategies are often preferred to preventive counselling. We should add that there is a draft bill on cybersecurity still being discussed in Congress on the creation of a national cybersecurity committee and private security incident reaction teams.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

The main change we reported last year has been awareness of the risks inherent in the development of technological means. A relevant indicator is investment in cybersecurity. In 2018, Peru invested 0.07 per cent of its GDP in cybersecurity, closing with around US$180 million. By 2021, that sum is expected to grow to US$220 million.

The PDPA and other sector-specific regulation on information security do not typically specify particular solutions to achieve a higher level of security. Recommended technical measures are those complying with the best practices contained in ISO 27001, which is considered to be the model standard in the data security context. Additionally, access restrictions, the use of passwords and their recovery protocols, and security measures applied to equipment such as wiring, maintenance and screen locking, among others, are necessary for hacking prevention.

Some of the legal security measures include implementing or elaborating on privacy policies, contractual clauses, confidentiality commitments and internal organisational manuals, among others. The purpose of such legal documents is to determine the purpose and liabilities for every channel of data collection (data coming in) and data sharing and transfer (data going out). All data shall be properly protected by consent, declarations and obligations, where applicable. Periodic audits are also advised.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

This is a very important question because many companies still do not see cloud hosting as a critical cross-border transfer of data. Based on our PDPA, cloud hosting means sharing or transferring data to a third party (the host), so the latter is considered a ‘data processor’. The 2017 amendments to the PDPA’s regulations in particular stress the need for contractual arrangements with binding security obligations imposed by the data controller on the data processor and the definition of the scope of the latter’s services. If services are provided within the national territory, then no obligations or security measures beyond those set forth in the PDPA’s regulations and the Information Security Guidelines need to be implemented. These include encryption for logical transfers, access regulation and traceability, adequate physical conditions for data centres, security controls and system configurations, among others.

Nevertheless, if the data processor is located in a different country, then provisions regarding cross-border transfer of data are applicable.

  • Cross-border transfer of data can only be made towards countries that meet adequate levels of protection. If the recipient country does not meet this condition, the exporter (controller) will have the obligation to guarantee that the importer (processor) complies with corresponding levels of protection through contract provisions or other suitable mechanisms.
  • The data controller shall notify the DPA about this cross-border transfer of data and must inform the legal name and address of the data processor, the reason for supporting the transfer, the specific types of data transferred, among other relevant characteristics of the transfer. It is important to provide a physical location for the data rather than stating the data is ‘in the cloud’.
  • The data controller also has the obligation to inform or update the data subjects about this cross-border transfer.

These obligations apply to most cloud services, given that servers are located abroad.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

Cybercrime has become more prevalent and this has posed a significant problem as:

  • it is difficult to verify the information circulating on the internet;
  • there is an increasing penetration of telecommunications infrastructure and services, thus an increasing number of users;
  • the anonymity of the cybernauts hinders their prosecution after the commission of a cybercrime;
  • it is often easy to access, share, alter or destroy data owing to a lack of a security culture within organisations; and
  • committing a cybercrime is usually a low-cost activity.

Therefore, illegal access to systems and dissemination of data, ransomware attacks, accounts and data theft due to weaknesses in configurations, cyberespionage, phishing and other misconducts are increasingly common.

As mentioned before, Peru added ‘cybercrime’ into its criminal legislative framework in 2013 and has recently approved the Budapest Convention on Cybercrime to complement regulation on illicit access to systems, attacking the integrity of computer data and systems, illegal interception of data, technological fraud, identity theft, among others. There is also an exclusive department in the Peruvian National Police called the High-Tech Crimes Division, dedicated to identifying cybercrime and striving to be one step ahead of cybercriminals by constantly improving its IT systems.

Nevertheless, it is very difficult to engage in public policy discussions given the lack of detailed statistical data on cybercrime. Public prosecutors, the National Police and the National Institute of Statistics have published generic information on crime rates but there is still a pending assessment of the facts and trends in cybercrime and the real impact of the 2013 Cybercrimes Law.

Available information shows there were 666 criminal complaints opened with the National Police in 2016 and that number grew to 1,937 in 2017. Nevertheless, investigations opened before the Prosecution Office decreased from 357 to 33. By 2017, only two persons had been convicted of cybercrimes. However, unless better official data and studies are produced, it will be impossible to move forward and discuss how to improve strategy regarding cybercrime and cybersecurity: from more resources for the IT police, to creating specialised prosecutor’s offices and judges and other alternatives.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

A compliance assessment on the target firm is advised. With obligations and security standards in mind, the buyer must identify scenarios of non-compliance and their possible corresponding infringements, and quantify them on the basis of their seriousness. Infringements are expressly foreseen in the PDPA’s regulations: minor infringements can be fined up to US$6,325, while serious and very serious ones can be sanctioned up to US$63,455 and US$126,910 respectively.

As an example, let us assume the target firm requires its workers to provide sensitive data that are disproportionate in relation to their job position. This is a serious infringement sanctioned by up to US$63,455. Maybe the target firm has not arranged security measures to protect sensitive data such as its employees’ economic income (ie, payroll processes are outsourced with no legal confidentiality agreements or audits). This is also a serious infringement sanctioned by up to US$63,455. Alternatively, the target firm does not have a valid privacy policy for collecting its customers’ personal information. This is also a serious infringement sanctioned by up to US$63,455.

Based on the DPA’s criteria, it is possible to quantify possible sanctions and use that number while negotiating the transaction.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

A purely legal approach to cybersecurity and data protection will not suffice, given that technical and economic processes need to be included in every analysis and strategy. Therefore we recommend that the law firm complement its services with an IT team. This team can be the company’s in-house IT team or the law firm’s team. Experience in privacy and information security is also necessary.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

Privacy and cybersecurity are relatively new to Peru. The Cybercrimes Law was enacted in 2013. The PDPA was issued in 2011 but came fully into force in 2015. There is a lack of sufficient case law to provide precedents and clarity about enforcement criteria, and this creates the uncertainty surrounding the DPA’s position. Nevertheless, we believe it is also a valuable opportunity for lawyers to participate in the shaping of reasonable criteria to be applied in future cases.

How is the privacy landscape changing in your jurisdiction?

In 2018, the DPA’s enforcement via dawn raids and sanctioning proceedings tripled. Sanctioning proceedings have continued to apply strict criteria, and informative events for the public have broadened the consciousness of privacy rights. Thus, potential contingencies arise not only from the DPA’s activities but also from data subjects’ legitimate actions. On the other hand, some firms located in Peru that have foreign parent companies and belong to international economic groups are in the process of implementing the GDPR.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

The types of incidents depend on the industry in which the firm operates. For example, in the banking and e-commerce sector, skimming, pharming and phishing are probably the most common cybercrimes.