Data security and breach notification
Are there specific security obligations that must be complied with?
Article 19 of the Federal Law for the Protection of Personal Information in Possession of Private Entities requires every data owner to implement and maintain administrative, technical and physical security measures to prevent the loss, alteration, destruction or unauthorised access and use of any collected and stored personal information.
Such measures must be at least as strong as those the data owner applies to its own information. When implementing them the data owner must consider:
- the existing risk and the possible consequences for the data subjects;
- how sensitive the data is; and
- the state of technological development.
Are data owners/processors required to notify individuals in the event of a breach?
Yes. Article 20 of the Federal Law for the Protection of Personal Information in Possession of Private Entities requires data owners to immediately notify individuals of any security breach, occurring at any stage of processing, that may significantly affect their patrimonial or moral rights.
Similarly, Article 64 of the Regulations to the law requires data owners to notify individuals, without delay, of any breach that significantly affects their moral or patrimonial rights, as soon as the data owner has confirmed that the breach occurred and has begun a thorough review of its magnitude.
The notification must include information regarding:
- the nature of the incident;
- the details of the personal information that has been compromised;
- the recommended actions data subjects can take to protect their interests;
- the corrective measures that have been implemented by the data owner; and
- the means for getting more information regarding the breach.
Are data owners/processors required to notify the regulator in the event of a breach?