Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

To be prepared for a security incident and to improve security measures within a company, Mexican regulations impose certain obligations on data controllers, such as to:

  • prepare an inventory of personal data and processing systems;
  • determine the duties and obligations of those who process personal data;
  • make a risk analysis of personal data identifying, by level, dangers and estimated risks;
  • establish security measures and identify those effectively implemented so far;
  • analyse the gap between existing security measures and those missing but necessary for the protection of personal data;
  • prepare and update a work plan for the implementation of the missing security measures arising from the gap analysis;
  • train personnel; and
  • keep a record of personal data storage media.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

When it comes to records containing personal data, organisations should keep records in accordance with the Mexican Privacy Law and for as long as the investigation requires. Particular attention should be given to sensitive personal data, as storing and processing such data can pose a risk to organisations that do not adopt the applicable provisions of the Mexican Privacy Law.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Under the Mexican Constitution, organisations must cooperate with government agencies regarding incidents; however, no law establishes specific requirements to report incidents or potential incidents.

Timeframes

What is the timeline for reporting to the authorities?

Under the Mexican Constitution, as interpreted, organisations must cooperate with government agencies regarding incidents. However, no law establishes specific requirements to report incidents or potential incidents and, consequently, there is no timeline for reporting either.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Rules for reporting threats or breaches that may involve the unauthorised use of personal data are contained in the Mexican Privacy Regulations. Such regulations provide that the data controller must inform only the data subject, not the federal regulator or any other authority. As to the timeline, the regulations only provide that such notification should be made without delay, after the data controller has conducted an exhaustive review of the magnitude of the breach and assessed whether it significantly affects the property or non-pecuniary rights of the data subjects, so that the prejudiced data subjects may take the appropriate measures. Under the Mexican Privacy Regulations, breach notices should contain at least the following information:

  • the nature of the breach;
  • the personal data compromised;
  • recommendations to the data subject concerning measures that the latter can adopt to protect his or her interests;
  • corrective actions implemented immediately; and
  • the means by which he or she may obtain more information in this regard.