Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

To be prepared for a security incident and to improve security measures within a company, Mexican regulations provide for certain obligations of data controllers, such as:

  • prepare an inventory of personal data and processing systems;
  • determine the duties and obligations of those who process personal data;
  • make a risk analysis of personal data identifying, by level, dangers and estimated risks;
  • establish security measures and identify those effectively implemented so far;
  • analyse the gap between existing security measures and those missing but necessary for the protection of personal data;
  • prepare and update a work plan for the implementation of the missing security measures arising from the gap analysis;
  • train personnel; and
  • keep a record of personal data storage media.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

When it comes to records containing personal data, organisations should keep them in accordance with the Federal Law on the Protection of Personal Data held by Private Parties (the Mexican Privacy Law) for as long as the investigation requires. Particular attention should be given to sensitive personal data, as its storage and processing could pose a risk for organisations that do not comply with the applicable provisions of the Mexican Privacy Law.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Under the Mexican Constitution, organisations must cooperate with government agencies regarding incidents; however, no law establishes specific requirements to report incidents or potential incidents.

Time frames

What is the timeline for reporting to the authorities?

As the Mexican Constitution has been interpreted, organisations must cooperate with government agencies regarding incidents. However, no law establishes specific requirements to report incidents or potential incidents and, consequently, there is no timeline for reporting either.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Rules for reporting threats or breaches that may involve the unauthorised use of personal data are contained in the Mexican Privacy Regulations. These Regulations provide that the data controller must inform only the data subject, not the federal regulator or any other authority. As to the timeline, the Regulations only provide that the notification must be made without delay, once the data controller has conducted an exhaustive review of the magnitude of the breach and assessed whether it significantly affects the property or non-pecuniary rights of the data subjects, so that the affected data subjects may take appropriate measures. Under the Mexican Privacy Regulations, breach notices should contain at least the following information:

  • the nature of the breach;
  • the personal data compromised;
  • recommendations to the data subject concerning measures that the latter can adopt to protect his or her interests;
  • corrective actions implemented immediately; and
  • the means by which he or she may obtain more information in this regard.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

12 December 2020.