Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Back
Jun 2022
LinkedIn Created with Sketch. Twitter Created with Sketch.

Mexico: Cybersecurity

Cybersecurity
Quardia / Essentials collection / istockphoto.com

1. GOVERNING TEXTS

1.1. Legislation

Currently, Mexico does not have general or sectoral legislation specifically addressing cybersecurity. Besides national cybersecurity strategies, federal and state legislation regulating security obligations, and ICT-related crimes, data protection laws applicable to private and public entities have proved to be the origin of cybersecurity measures to be adopted when data controllers process personal data within 'digital environments.'

General Legislation

National Digital Strategy

The National Digital Strategy 2021-2024 (only available in Spanish here) ('NDS'), published on 6 September 2021 as part of the National Development Plan 2019–2024 (only available in Spanish here), provides for harnessing the potential of information and communication technologies, by incorporating them into people's daily lives and into the Federal Public Administration, to achieve a Welfare State.

On the same day, the Government of Mexico published an agreement on policies and provisions to promote the use and exploitation of information technology, digital government, information and communication technologies, and information security in the Federal Public Administration.(only available in Spanish here) ('the ICT Agreement').

Through this ICT Agreement, the previous administrative manual that outlines the processes that federal entities should implement on ICT and information security (only available in Spanish here) ('the MAAGTICSI') was fully repealed.

The ICT Agreement includes a special chapter regarding Information Security (Chapter VI) where it provides that Federal institutions must have an Information Security Management Framework (MGSI for its acronym in Spanish) aligned to a general information security policy, aimed at guaranteeing certainty in the continuity of the operation and the permanence and integrity of institutional information.

National Cybersecurity Strategy

Despite the enactment of the NDS, the National Cybersecurity Strategy 2017 (only available in Spanish here) ('NCSS'), published on 13 November 2017, remains the same and continues outlining a general vision on the government's cybersecurity objectives, and establishes the general actions that Mexico should develop in order to obtain the maximum benefit for ICT in a resilient and trustworthy environment. In particular, the NCSS proposes five strategic objectives, which require the development of eight considerations, where all actions of each consideration rely on three guiding principles.

The Guiding principles of the NCSS are the following:

  • risk management;
  • human rights perspective; and
  • multidisciplinary collaboration.

The strategic objectives of the NCSS are the following:

  • society and rights;
  • economy and innovation;
  • public institutions;
  • public security; and
  • national security.

The considerations of the NCSS are the following:

  • cybersecurity culture;
  • capabilities development;
  • coordination and collaboration
  • ICT research, development, and innovation;
  • technical standards and criteria;
  • critical infrastructure;
  • legal framework and self-regulation; and
  • measurement and monitoring.

In addition, it is worth mentioning that under the objectives of the NCSS, the Mexican Federal Telecommunications Institute ('IFT') issued its Action Plan on Cybersecurity 2018 (only available in Spanish here) ('the Action Plan') proposing five strategic objectives:

  • devices and infrastructure security;
  • networks security;
  • collaboration on security and justice matters;
  • cybersecurity culture; and
  • collaboration for the implementation of the NCSS.

Notably, the Action Plan also proposes two strategic objectives for devices, infrastructure, and network security, namely, to establish an agile and flexible regulatory framework to provide safer devices and infrastructures, and to preserve network security.

Note that regarding the cybersecurity culture objective, the IFT developed and maintains its own Cybersecurity website.

The National Strategy on Public Security

On 16 May 2019, a new national strategy on public security (only available in Spanish here) was published in the Mexican Official Gazette. This document does not include any special provisions on cybersecurity. It only provides that, during the new administration, the Cyber Police division of the National Guard will be fully operative and that, in general, the government will promote the training and updating in the use of new technologies.

Readers should note that on 30 April 2019, the government presented the National. Development Plan 2019-2024 (only available in Spanish here) does not include any special provisions on cybersecurity.

Criminal Law

Criminal law includes the Federal Penal Code 1931 (only available in Spanish here), and several state criminal codes that punish illegal access to systems and computers, as well as the deletion or modification of information contained in private or public systems or computers.

Federal Law of the Protection of Personal Data Held by Private Parties 2010

The Federal Law of the Protection of Personal Data Held by Private Parties 2010 ('the Law') regulates personal data processing principles, as well as confidentiality and security obligations that private data controllers (i.e. companies and professional individuals) must comply with in order to protect personal data (Articles 6 to 18 of the Law).

The Law also provides that data controllers must inform data subjects of any data breach that may affect their economic or moral interests (Article 20 of the Law).

General Law on the Protection of Personal Data in the Possession of Obliged Subjects 2017

The General Law on the Protection of Personal Data in the Possession of Obliged Subjects 2017 (only available in Spanish here) ('the Public Sector Law') regulates personal data processing principles, as well as confidentiality and security obligations that data controllers (public entities) must comply with in order to protect such information (Articles 16 to 366 of the Public Sector Law). The law explicitly provides that data controllers must implement an ISMS (Article 34 of the Public Sector Law).

This law also provides that data controllers must inform data subjects and the National Institute for Access to Information and Protection of Personal Data ('INAI') of any data breach that may affect data subjects' economic or moral interests (Articles 37 to 41 of the Public Sector Law).

Sectoral Legislation

Federal Law on Private Security 2006

The Federal Law on Private Security 2006 (only available in Spanish here) regulates the activities and authorisations granted to private companies carrying out security activities, including information and cybersecurity services.

General Regulations Applicable to Credit Institutions 2018

The General Regulations Applicable to Credit Institutions 2018 (only available in Spanish here) ('the Credit Institutions Regulation') provisions require credit institutions such as banks to implement a Master Security Plan (Article 168 Bis 12 of the Credit Institutions Regulation).

A Master Security Plan is the document that establishes the security strategy of a bank to ensure the proper management of information security and to prevent information security incidents that could negatively affect the bank as an organisation, including their clients' information (Article 1(CXXXVI) of the Credit Institutions Regulation).

The new provisions of the Credit Institutions Regulation also establish that, by November 2020, Mexican banks must have implemented adequate information security measures, controls, and procedures. Moreover, the regulation provides templates to report security breaches to the National Banking and Securities Commission ('CNBV').

The new provisions of the Credit Institution Regulation are included in Section 8 Bis, Chapter VI, Title 2.

General Regulations Applicable to FinTech Institutions

The General Regulations Applicable to FinTech Institutions (only available in Spanish here) ('the FinTech Institutions Regulation') provisions require crowdfunding service providers to implement a Master Security Plan (Article 64 of the FinTech Institutions Regulation).

A Master Security Plan is the document that establishes the security strategy of a crowdfunding institution in the short, medium, and long term to ensure the proper management of information security and to prevent information security events materialising into information security incidents (Article 2(XXX) of the Fintech General Regulation).

The new provisions of the FinTech Institutions Regulation establish that crowdfunding service providers must have adequate information security measures, controls, and procedures in place (Article 63 of the FinTech Institutions Regulation).

Moreover, the FinTech Institutions Regulation provides templates to report security breaches to the CNBV. The new provisions of the Fintech Institutions Regulation are included in Title3, Chapter 

Moreover, the General Regulations Concerning Companies Authorised to Operate Innovative Models Referred to by the Law to Regulate Financial Technology Institutions (only available in Spanish here) ('the Innovative Models Regulation') are applicable to companies authorised to operate innovative sandbox models, and provide reporting obligations regarding security breaches (Article 11 of the Innovative Models Regulation).

General Regulations Concerning the Standardized Computer Application Programming Interfaces Referred to in the Law to Regulate Financial Technology Institutions

The General Regulations Concerning the Standardized Computer Application Programming Interfaces (only available in Spanish here) ('the APIs Regulations') were issued to regulate the exchange of open non-confidential financial data through programming interfaces of standardised applications. The APIs Regulations contain information security provisions, including the requirement to implement security incidents management procedures.

1.2. Regulatory authority 

The Regulatory Auth in Mexico is the  National Institute for Access to Information and Protection of Personal Data ('INAI').

1.3. Regulatory authority guidance

Guidelines for Implementing a Personal Data Security Management System

The Guidelines for Implementing a Personal Data Security Management System (only available in Spanish here) provide information to data controllers on how to implement an ISMS to protect personal data, and are based on the 'Plan-Do-Check-Act cycle ('the PDCA Cycle')'. It proposes the following actions:

  • Phase 1: plan the Personal Data Security Management System ('PDSMS'):
    • Step 1. Define the scope and objectives;
    • Step 2. Develop a personal data management policy;
    • Step 3. Establish roles and obligations of those who process personal data;
    • Step 4. Prepare a personal data inventory;
    • Step 5. Perform a personal data risk analysis; and
    • Step 6. Identification of security measures and gap analysis.
  • Phase 2: Implement and operate the PDSMS:
    • Step 7. Implementation of security measures applicable to personal data.
  • Phase 3. Monitor and review the PDSMS:
    • Step 8. Reviews and audit.
  • Phase 4. Improve the PDSMS:
    • Step 9. Continuous improvement and training.

Manual on Personal Data Security for Micro and SMEs

The Manual on Personal Data Security for Micro, Small, and Medium Enterprises (only available in Spanish here) provides, among other things, guidelines, and templates for data controllers of SMEs that wish to assess their compliance with security measures against the digital work environment.

Recommendations for Handling Security Incidents of Personal Data

The Law was the first federal law to provide direct obligations for data controllers suffering data breaches. The Law does not require the notification of data breaches to the data protection authority, and the communication of data breaches to data subjects is mandatory under few circumstances. Data breach notifications and communications by public entities subject to the Public Sector Law are also mandatory under a few circumstances.

However, the Recommendations for Handling Security Incidents of Personal Data (only available in Spanish here) propose the implementation of a response plan for security incidents, as well as a process to address a security incident, even if such an incident does not require notification.

Recommendations Regarding Personal Data Security

Based on various standards of the International Organization for Standardization ('ISO'), such as ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27055, the Recommendations Regarding Personal Data Security (only available in Spanish here) were issued by the INAI to provide data controllers with a recommendation on providing data security by adopting an ISMS based on the PDCA Cycle.

Guidelines for the contracting of cloud computing services involving the processing of personal data

In Mexico, the data protection laws are the only laws in force that provide provisions that explicitly regulate the contracting of cloud computing services by data controllers. The Guidelines for the Contracting of Cloud Computing Services Involving the Processing of Personal Data (only available in Spanish here) directly identify cloud providers as data processors and, for that reason, stipulates that they are subject to various requirements when providing services to data controllers. In addition, they address contractual requirements, as well as reputation, location, and transparency issues related to cloud services, which must be considered by data controllers when deciding on a cloud provider.

Guidelines on how to carry out Privacy Impact Assessments

Under current provisions in Mexico, Privacy Impact Assessments ('PIAs') are not mandatory for private parties and even when the Public Sector Law provides those public entities shall carry out PIAs when adopting new technologies or services that may impact citizen’s data protection rights, this data controllers may avoid doing so arguing an urgency on the decision to implement such services or technologies.

Despite the above, the 'Guidelines on how to carry out Privacy Impact Assessments' ('the  PIA Guidelines') issued by the INAI on December 2020 (only available in Spanish here), had established a new reference for private and public data controllers on how to identify and manage data processing activities likely to result in a high risk to the data protection right of individuals.

Federal Police / MPSCP

Basic Cybersecurity Handbook for Micro, Small, and Medium Enterprises

The Federal Police published, on 7 November 2018, a handbook for SMEs that provides information on the development of basic cybersecurity action plans (only available in Spanish here) on the following subject matters:

  • employees;
  • mobile devices;
  • networks security;
  • data privacy and security;
  • hardware and web security;
  • email security;
  • security policies;
  • security incidents management;
  • operations security;
  • electronic payments security; and
  • physical security.

2. SCOPE OF APPLICATION

Currently, Mexico does not have general or sectoral legislation specifically addressing cybersecurity.

3. DEFINITIONS

Information security program: There is no definition of 'information security program' under Mexico law. However, the Guidelines for Implementing a Personal Data Security Management System 'personal data security management' as a general management system to establish, implement, operate, monitor, review, maintain and improve the treatment and security of personal data based on the risk of the assets and the basic principles of legality, consent, information, quality, purpose, loyalty, proportionality and responsibility provided for in the Law, its Regulations, secondary regulations and any other principle that good international practice stipulates in the matter.

Database: is defined as the ordered set of personal data referring to an identified or identifiable person. 

Cybersecurity incident: is defined as the impact or interruption of ICT assets, essential and/or critical information infrastructures, including unauthorised or unscheduled access to them. 

Cybersecurity/information security officer: There is no definition of cybersecurity/information security officer under Mexico law.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

According to the Guidelines for Implementing a Personal Data Security Management System mentioned in section 1.3., there are six steps for correct implementation of an ISMS:

  1. definition of the scope and purpose of the personal data management;
  2. drafting of a personal data management policy;
  3. definition of the role and obligations of those who manage the personal data;
  4. drafting a personal data inventory;
  5. analysing the risks to which personal data is subjected; and
  6. identify the security measures and perform the breach analysis.

4.1.Cybersecurity training and awareness

The new ICT Agreement provides that any Federal institution’s MGSI must include a training program on information security for all public servants of each institution (Article 76 (i) of the ICT Agreement). On the private sector side, readers can find that Article 48 of the Regulations to the Federal Law of the Protection of Personal Data Held by Private Parties 2011 (only available in Spanish here) ('the Regulations') provides that as a security measure, the data controllers can implement a training and awareness program regarding personal data protection obligations.

4.2. Cybersecurity risk assessments

Federal institutions must carry out risk analysis (assessments) in order to identify information security threats and vulnerabilities (Article 76, c) of the ICT Agreement).

INAI’s PIA Guidelines can be read as a document to consider that (cyber)security risk assessment must be part of new services, projects, and activities having a relevant impact on the rights and freedoms of individuals.

4.3. Vendor management

There are no specific cybersecurity vendor management obligations in Mexico, however,  some specific requirements for cloud computing vendors are provided (Article 52 of the Regulations).

4.4. Accountability/record keeping

There are no specific cybersecurity requirements regarding accountability or record keeping, however, there are some requirements in data protection regulations addressing the following:

The responsible party may consider the implementation of the following actions (Article 61 of the Regulations):

  • assessments or audits;
  • personal data inventory; and
  • record the means of storage of personal data.

Article 30 of the Public Sector Law establishes the obligation to implement, among others, mechanisms of personal data protection by design and by default.

The Law and the Public Sector Law provide that data controllers must establish, implement, and maintain adequate security measures to process and protect personal data. Security measures include (Article 19 of the Law, and Articles 31 to 37 of the Public Sector Law):

  • administrative security measures:
    • policies and procedures for the management, support, and review of information security at an organisational level;
    • the identification, classification, and secure erasure of information; and
    • the awareness and training of personnel on data protection;
  • physical security measures:
    • actions and mechanisms aimed at protecting the physical environment of personal data and the resources implicated in data processing; and
  • technical security measures:
    • actions and mechanisms using hardware and software technology to protect the digital environment of personal data and the resources implicated in data processing.

In addition, the Credit Institutions Regulation and the FinTech Institutions Regulation require these entities to implement an ISMS and develop a Master Security Plan to protect their clients' information.

5. DATA SECURITY

The Law and the Public Sector Law provide that data controllers must establish, implement, and maintain adequate security measures to process and protect personal data. Security measures include (Article 19 of the Law and Articles 31 to 37 of the Public Sector Law):

  • administrative security measures:
    • policies and procedures for the management, support, and review of information security at an organisational level;
    • the identification, classification, and secure erasure of information; and
    • the awareness and training of personnel on data protection;
  • physical security measures:
    • actions and mechanisms aimed at protecting the physical environment of personal data and the resources implicated in data processing; and
  • technical security measures:
    • actions and mechanisms using hardware and software technology to protect the digital environment of personal data and the resources implicated in data processing.

In addition, the Credit Institutions Regulation and the FinTech Institutions Regulation require these entities to implement an ISMS and develop a Master Security Plan to protect their clients' information.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

Data protection provisions

Under the Law, security incidents do not need to be notified to the INAI. Nevertheless, certain security incidents, such as data breaches which may have an adverse effect on the economic or moral rights of data subjects, must be communicated to data subjects. The communication is done once the data breach has been confirmed by the data controller, and once the data controller has implemented measures that define the magnitude of the breach. Failure to notify the data subjects of a data breach can result in sanctions by the INAI.

In the event of a data breach, and in notifying the affected data subject, the data controller must include the following information:

  • the nature of the breach;
  • the personal data compromised;
  • recommendations to the relevant data subjects regarding measures that they can adopt to protect their interests;
  • corrective actions implemented immediately by the data controller; and
  • the means by which data subjects may obtain more information about the breach.

The Law and the Public Sector Law define data breaches as:

  • the loss or unauthorised destruction of personal data;
  • theft, misplacement, or unauthorised copying of personal data; or
  • unauthorised use, access, or processing of personal data, or unauthorised damage, alteration, or modification of personal data.

Please note that under the Public Sector Law, data controllers must notify data breaches of this type to the INAI and also communicate

7. REGISTRATION WITH AUTHORITY

No registration requirements exist regarding cybersecurity matters under Mexico law.

8. APPOINTMENT OF A SECURITY OFFICER

Under Article 168 Bis 13 of the Credit Institutions Regulation and Article 65 of the FinTech Institutions Regulation, banks, and crowdfunding service providers must appoint a Chief Information Security Officer ('CISO')

Both regulations provide that the CISO must, at least:

  • participate in the definition and verify the implementation and permanent compliance of the entity's security policies and procedures;
  • develop the Master Security Plan;
  • verify, annually at a minimum, the initiation of access profiles to the technological infrastructure of the entity;
  • verify, annually at a minimum, or after an information security incident, the correct access profiles assignment to the technological infrastructure of the entity;
  • approve and verify that the measures adopted to correct any deficiency on access profiles settings or assignment have been complied with;
  • manage the information security alerts issued by the CNBV or other parties, as well as information security incidents;
  • coordinate and direct the team responsible for detection and response to information security incidents;
  • inform the occurrence of any information security incident, as well as any correction measures adopted to prevent future incidents;
  • propose and coordinate training courses on information security for all personnel, and verify the effectiveness of such training; and
  • submit a monthly report on information security management to the CEO.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services

The Credit Institutions Regulation and the FinTech Regulation are both relevant herein.

Both regulations require banks and crowdfunding service providers respectively to implement a Master Security Plan, as well as outline minimum obligations for the CEO.

Internal control system requirements may be found in Articles 63 of the FinTech Institutions Regulation and 168 bis 11 of the Credit Institutions Regulation.

The CEO's obligations are described in Articles 64 of the FinTech Institutions Regulation and 168 bis 12 of the Credit Institutions Regulation.

The internal control system requirements include:

  • that each of its components must provide the functions for which it was designed, developed, or acquired;
  • that each process, functionality, and configuration, including its development methodology or acquisition, record changes, updates, and detailed inventory of the components of the technological infrastructure must be documented;
  • the information security aspects in the definition of projects to acquire or develop each of its components, including then during the various stages which follow must be taken into account;
  • that each component must be tested before being implemented or modified, using quality control mechanisms that prevent data from being used in said tests of the production environment, confidential or security information from being disclosed, or entering into any unrecognised functionality for that component;
  • holding the licences or authorisations for use;
  • maintaining security measures for their protection, as well as for access and use of the information that is received, generated, transmitted, stored, and processed in its own technological infrastructure;
  • maintaining backup mechanisms and information retrieval procedures that mitigate the risk of interruption of the operation;
  • maintaining audit records, including detailed access information or access attempts and the operation or activity carried out by the users of the technological infrastructure;
  • maintaining management processes that ensure detection, classification, attention, containment, investigation, digital forensic analysis, diagnosis, report to competent areas, solution, monitoring, and communication to authorities, clients, and counterparts for drawing attention to any information security events and incidents compromising the security of the information;
  • submission of annual planning and review exercises to measure its ability to withstand its operation;
  • maintaining automated controls or controls that minimise the risk of elimination, exposure, alteration, or modification of information;
  • maintaining controls to detect the alteration or falsification of books, records, and digital documents related to operations;
  • maintaining processes to measure and ensure availability levels and times of response, which guarantees the execution of the operations carried out;
  • maintaining automated devices or mechanisms to detect and prevent information security incidents, as well as for preventing unauthorised inbound or outbound connections and data flows and information leakage; and
  • making sure that, throughout the strategy, design, transition, operation, and improvement phases, the integrity of the technological infrastructure is protected as well as the integrity, confidentiality, and availability of the information received, generated, processed, stored, and transmitted.

The CEO's obligations regarding information security include:

  • approving the Master Security Plan and evidencing its implementation;
  • carrying out safety reviews, focussed on verifying the adequacy of controls applicable to the technological infrastructure;
  • developing an annual calendar for conducting breach scan tests that allow for the detection of errors or security breaches;
  • classifying detected security breaches;
  • developing remediation plans from findings in the reviews and tests;
  • implementing monitoring processes to comply with remediation plans;
  • implementing annual training programs;
  • searching for fraud alerts or threats; and
  • implementing controls that allow the institution to ensure the confidentiality, integrity, and availability of the information of the user public and of the institution itself.

Both regulations also provide the obligation to appoint a CISO, as well as determining his activities (see section 3.4.).

The CISO must, at least:

  • participate in the definition and verify the implementation and permanent compliance of the entity's security policies and procedures;
  • develop the Master Security Plan;
  • verify, annually at a minimum, the initiation of access profiles to the technological infrastructure of the entity;
  • verify, annually at a minimum, or after an information security incident, the correct access profiles assignment to the technological infrastructure of the entity;
  • approve and verify that the measures adopted to correct any deficiency on access profiles settings or assignment have been complied with;
  • manage the information security alerts issued by the CNBV or other parties, as well as information security incidents;
  • coordinate and direct the team responsible for detection and response to information security incidents;
  • inform the board of directors of the occurrence of any information security incident, as well as any correction measures adopted to prevent future incidents;
  • propose and coordinate training courses on information security for all personnel, and verify the effectiveness of such training; and
  • submit a monthly report on information security management to the CEO.

Cybersecurity incidents affecting banks

Under the Resolution that Modifies the Provisions Applicable to Credit Institutions 2018 (only available in Spanish here) ('the Credit Institutions Resolution'), which provides information security provisions added to the Credit Institutions Regulation, banks must notify information security incidents to the CNBV (Article 168 Bis 16 of the Credit Institutions Regulation).

When a 'severe' security incident occurs, immediate notification must be sent to the CNBV at: [email protected]. The notification must include, as a minimum (Article 168 Bis 16(I) of the Credit Institutions Regulation):

  • the date and time of when the incident occurred;
  • an indication of whether the incident is ongoing or has ended (in this case, an indication of the duration of the incident as well);
  • a description of the incident; and
  • an initial impact or severity assessment of the incident.

A severe security incident occurs when (Article 168 Bis 16(I) of the Credit Institutions Regulation):

  • it causes economic or information losses or a disruption of the bank's services;
  • its modus operandi may replicate that of other banks;
  • it may affect the banks' clients, the stability of the financial system, the central payment systems; or
  • the bank assesses it as a severe incident.

During the next five business days, the bank must notify the CNBV (using the same email account as that provided above) of the information required (Article 168 Bis 16(I) of the Credit Institutions Regulation) through the use of information security incidents templates ('ISIT') (Annex 64 of the Credit Institutions Resolution).

The ISIT requires, among other things, the following information:

  • date and time of the incident;
  • date and time that the incident was detected;
  • location of the affected premises;
  • whether the incident may cause a monetary loss to the bank or its clients;
  • compromised personal data, such as:
    • names and surnames;
    • addresses;
    • telephone numbers;
    • email accounts;
    • biometric data;
    • account numbers;
    • passwords or personal identification numbers;
    • users' identifiers; and
    • banking operations.
  • the type of information security incident, such as:
    • physical attack;
    • accidental information or assets loss;
    • natural disasters;
    • failures or malfunctions;
    • data interception; and
    • malicious activities.

In addition, 15 days after the end of the security incident, the affected bank must deliver to the CNBV an action plan which outlines the measures to eliminate or mitigate the risks and vulnerabilities that allowed the incident to occur (Article 168 Bis 16(II) of the Credit Institutions Regulation).

If the security incident results in the extraction, loss, deletion, alteration, or unauthorised access to individuals' sensitive information, the bank must inform individuals of the incident, within 48 hours of the occurrence of the incident or as soon as it becomes aware of the incident. Banks must inform individuals of the risk associated with the security incident, and the subsequent measures that will be implemented. If applicable, banks must provide new authentication factors (Article 168 Bis 16(II) of the Credit Institutions Regulation).

The Credit Institutions Regulation defines 'sensitive information' as information which contains the names, addresses, telephone numbers, or email accounts, jointly with bank account numbers, banking card numbers, or other financial information, as well as individuals' identifiers or authentication information (Article 1(LXXXII) of the Credit Institutions Regulation).

Crowdfunding Service Providers

The FinTech Institutions Resolution made additions regarding information security obligations applicable to crowdfunding service providers.

These regulations provide the following timeline:

  • when a 'relevant' security incident occurs, an immediate notification must be sent to the CNBV at: [email protected]. The notification must include, as a minimum (Article 67(I) of the FinTech Institutions Regulation):the date and time of when the incident occurred;
  • an indicate of whether the incident is ongoing or has ended (in this case, an indication of the duration of the incident as well);
  • a description of the incident; and
  • an initial impact or severity assessment of the incident.

A relevant security incident occurs when:

  • it may affect the crowdfunding service provider, its clients, counterparts, vendors, or other entities of the financial system; and
  • it involves 'sensitive information', identification images, and biometric data.

These FinTech General Regulations define 'sensitive information' as that which contains the names, addresses, telephone numbers, or email accounts, jointly with bank account numbers, banking card numbers, balances or other financial information, as well as individuals' identifiers or authentication information (Article 2(XXI) 67of the Fintech Institutions Regulation).

During the next five business days, the crowdfunding service provider must notify the CNBV (using the same email account as that provided above) of the information required (Article 67(I) of the FinTech Institutions Regulation) through an ISIT (Annex 11 of the FinTech Institutions Resolution).

The ISIT requires, among other things, the following information:

  • date and time of the incident;
  • date and time that the incident was detected;
  • whether the incident may cause a monetary loss to the crowdfunding institution or its clients;
  • compromised personal data, such as:
    • names and surnames;
    • addresses;
    • telephone numbers;
    • email accounts;
    • biometric data;
    • account numbers;
    • passwords or personal identification numbers; and
    • users' identifiers.
  • the crowdfunding institution’s information, such as:
    • access codes;
    • security configurations;
    • ports or services identifications
    • IP addresses; and
    • versions of software, operating systems, or databases.
  • the type of information security incident, such as:
    • physical attack;
    • accidental information or assets loss;
    • natural disasters;
    • failures or malfunctions;
    • data interception; and
    • malicious activities.

In addition, 15 days after the end of the security incident, the affected crowdfunding service provider must deliver to the CNBV an action plan which outlines the measures to eliminate or mitigate the risks and vulnerabilities that allowed the incident to occur (Article 67(II) of the FinTech Institutions Regulation).

If the security incident involves the extraction, loss, deletion, alteration, or unauthorised access to individuals' sensitive information, the crowdfunding service provider must inform the affected individual of the incident, within 48 hours of the occurrence of the incident or as soon as it became known. Crowdfunding service providers must warn individuals about the risks resulting from the security incident and inform individuals about the subsequent measures that will be implemented. If applicable, crowdfunding service providers must issue new authentication factors.

Health

The legal framework in the health sector does not contain specific provisions on cybersecurity. Health sector providers (both public and private) shall comply with the data protection laws applicable to them when processing health data, which is deemed as 'sensitive data'(Article 3, VI of the Law and Article 3, X of the Public Sector Law).

The Ministry of Health has issued three Mexican Official Standards ('NOM') (binding and mandatory technical regulations that allow different government agencies to establish evaluable parameters to avoid risks to the population) on requirements to process health information, including electronic clinical records systems.

Official Mexican Standard NOM-024-SSA3-2012 on Systems of Electronic Health Record Information and the Exchange of Health Information 2012

The Official Mexican Standard NOM-024-SSA3-2012 on Systems of Electronic Health Record Information and the Exchange of Health Information 2012 (only available in Spanish here) provides security requirements for the processing of health information in the public and private sectors.

It explicitly requires health service providers to implement an ISMS to protect health records.

The Official Mexican Standard NOM-024-SSA3-2012 Electronic Registration Information Systems for Health. Exchange of Health Information (only available in Spanish here) regulates electronic registration information systems for health and provides means for health service providers to register, exchange, and consolidate information securely, ensuring interoperability, interpretation, and confidentiality.

The Official Mexican Standards NOM-035-SSA3-2012 on Health Information (only available in Spanish here), establishes the criteria and procedures that must be followed to produce, capture, integrate, process, systematise, evaluate, and disclose health information.

The Official Mexican Standards NOM-004-SSA3-2012 on the Clinical Record (only available in Spanish here), establishes the obligatory scientific, ethical, technological, and administrative criteria in the integration, use, handling, filing, storing, ownership, and confidentiality of clinical records.

10. PENALTIES

Administrative Penalties

Federal Law of the Protection of Personal Data Held by Private Parties 2010

Under the Law, if a data controller fails to implement security measures to protect personal data which results in a data breach, the data controller may be subject to fines that range from MXN 16,898 up to MXN 27,036,800 (approx. €803 to €1,285,438) (Articles 63(IX) and 64(III) of the Law).

Violations of information security provisions set forth by the Credit Institutions Regulation are subject to fines that range from MXN 2,534,700 up to MXN 8,449,000 (approx. €120,510 to €401,700) (Article 108(V) of the Credit Institutions Regulation).

FinTech Regulation

Violations of information security provisions set forth by the FinTech Institutions Regulation are subject to fines that range from MXN 2,534,700 up to MXN 12,673,500 (approx. €120,510 to €602,549) (Article 103(IV) of the FinTech Institutions Regulation).

Criminal Penalties

The Law

The Law provides offences related to the breach of personal data for profit (Articles 67 to 68):

  • Article 67 sets out the offence of causing, for an undue profit, a security breach of the databases under a person's custody, when authorised only for the purpose of access. In addition, it sets out a penalty for such offences as three months to three years imprisonment; and
  • Article 68 sets out the offence of causing undue profit through the processing of personal data in order to deceive, taking advantage of the error in which the data subject or the person authorised to transfer them is. In addition, it sets out the penalty for such an offence as six months to five years with imprisonment.

Both penalties may be duplicated if sensitive data is being processed.

The Law to Regulate Financial Technology Institutions (only available in Spanish here) ('the FinTech Law') provides criminal penalties related to:

  • offences for the protection of the assets of the clients of financial institutions and companies authorised to operate with new models (Articles 119 to 122);
  • offences against the proper operation of financial technology institutions, or authorised companies to operate with new models (Articles 123 to 126); and
  • offences for the protection of the assets of financial technology institutions and authorised societies who operate with new models (Articles 130 to 133).

Penal Code

 'Electronic crimes' applicable to financial institutions. (Article 211 Bis 4 – Bis 5 of the Penal Code):

  • Article 211 bis 4 states that it is an offence to modify, destroy, or cause the loss of, information contained in computer systems or equipment of the institutions that integrate the financial system, when it is not authorised. The applicable penalty will be six months to four years with imprisonment and from 100 to 600 days fine.
  • It is also an offence to copy knowledge of information contained in computer systems or equipment of the institutions that integrate the financial system, when it is not authorised for such purposes. The applicable penalty will be three months to two years with imprisonment and a fine of 50 to 300 days.
  • Article 211 bis-5 of the Penal Code states that it is an offence to cause the modification, destruction, misuse, or loss of computer systems and equipment of the institutions that integrate the financial system, when it is authorised with the only purpose of access. The applicable penalty will be six months to four years imprisonment and a 100 to 600 day fine.
  • It is an offence to copy the information of computer systems and equipment of the institutions that integrate the financial system, when the offender is authorised only for the purpose of access. The applicable penalty will be three months to two years imprisonment and a 50 to 300 days fine.

The Penal Code also provides criminal penalties related to the breach of the obligation regarding keeping the confidentiality of the information, as well as penalties related to illegal access and the deletion or modification of information contained in private or public systems or computers (Articles 210 – 211 bis 5).

  • Article 211 bis-2 states that it is an offence to cause the modification, destruction, or loss of information contained in State computer systems or equipment when it is not authorized for such purposes. The applicable penalty will be one to four years with imprisonment and a two to 600 days fine.
  • It is an offence to copy the information contained in computer systems or equipment of the State.
  • The applicable penalty will be six months to two years imprisonment and a fine of 100 to 300 days.
  • It is an offence to cause the obtention, knowledge, copy, or use of information contained in any system, public security computer equipment, or storage medium. If the person responsible is or would have been a public official in a public security institution, dismissal, and disqualification from four to ten years of work in another job, position, or public commission shall be imposed. The applicable penalty will be four to ten years imprisonment and a fine of 500 to 100 days general minimum wage in force in Mexico City.

The previous penalties will be doubled when the conduct obstructs the administration of justice.

  • Article 211 bis 3 states that it is an offence to cause the modification, destruction, or loss of information of computer systems and equipment of the State, when it is authorised for the purpose of access alone. The applicable penalty will be to eight years imprisonment and a fine of 300 to 900 days.
  • It is also an offence to copy information from computer systems and equipment of the State, when it is authorised for the only purpose of access. The applicable penalty will be one to four years imprisonment and 150 to 450 days fine.
  • It is an offence to cause the obtention, copy, or use of information contained in any system, public security computer equipment or storage, when it is authorised for the only purpose of access. The applicable penalty will be four to ten years imprisonment and a fine of 500 to 1,000 days general minimum wage in force in Mexico City.
  • Article 424 bis section II states that it is an offence to manufacture for profit a device or system whose purpose is to disable the electronic protection devices for a computer program. The applicable offence will be six months to six years imprisonment and 5,000 to 30,000 UMA (approx.€16,800 to €100,800).
  • Article 426 section I and II state that it is an offence to import, sell, or lease a device or system to decipher a signal encrypted satellite, carrier of programs, without authorisation of the legitimate distributor of said signal (section I), and;
  • carrying out for profit any act in order to decipher a satellite signal encrypted, carrier of programs, without authorisation of the legitimate distributor of said signal (section II). The applicable penalty will be six months to four years with imprisonment and 300 to 3,000 days fine.

11. OTHER AREAS OF INTEREST

Critical information infrastructure operators

The ICT Agreement and MAAGTICSI provide that federal must identify their own critical information infrastructures and elaborate a relevant catalog in this respect, and an ISMS must be established to protect these types of assets (Article 23 of the ICT Agreement, and the Information Security Management Process Annex of MAAGTICSI).

MAAGTICSI defines critical information infrastructures as those essential information infrastructures considered strategic, because of their relation to the provision of goods and essential public services, and whose impact could compromise national security.

The Information Security Management Process Annex of MAAGTICSI outlines its specific objectives which are:

  • to establish, operate, and maintain an information security governance model;
  • to carry out the identification of essential information infrastructures and, where appropriate, critical infrastructures, as well as key assets of the institutions, and draft the respective catalogues;
  • to establish risk management mechanisms that allow identifying, analysing, evaluating, treating, and monitoring risks;
  • to establish an ISMS to protect the information assets of the institutions, with the purpose of preserving its confidentiality, integrity, and availability;
  • to establish mechanisms for the immediate response to information security incidents;
  • to monitor the ISMS' established mechanisms and performance, in order to anticipate deviations and maintain a continuous improvement; and
  • to promote a culture of information security in the institutions.

Operator of essential services

MAAGTICSI provides that federal institutions must identify their own essential information infrastructures and elaborate a relevant catalogue in this respect. An ISMS must be established to protect these types of assets (Article 23 of the ICT Agreement, and the Information Security Management Process Annex of MAAGTICSI).

MAAGTICSI defines essential information infrastructures as the networks, services, equipment, and facilities associated, or linked to, information assets, ICT and operation technologies, whose impact, interruption, or destruction would have a greater impact on the operation of the institutions.

Essential information infrastructures do not relate to national security, but their protection shares the same objectives within the Information Security Management Process Annex of the MAAGTICSI that each federal body must implement.

Cloud computing services

The Regulations and the Public Sector Law define 'cloud computing' as 'the model for the external provision of computer services on demand that involves the supply of infrastructure, platform, or software distributed in a flexible manner, using virtual procedures on resources dynamically shared' (Articles 52 of the Regulations and Article 3 (VI) of the Public Sector Law).

The Regulations and the Public Sector Law regulate the use of cloud computing services by data controllers, providing that cloud providers (as data processors) must implement adequate security measures to protect personal data. Both provisions require that cloud provider's contractual clauses and policies comply with requirements assuring the protection of personal data processed on behalf of data controllers (Article 52 of the Regulations, and Articles 63 to64 of the Public Sector Law).

Cloud providers shall:

  • have and use policies addressed to protect personal data that are similar to applicable principles and duties set forth in the Law and the Public Sector Law;
  • provide transparent information regarding sub-processors;
  • refrain from using contractual provisions authorising or providing to their ownership of the information to be processed; and
  • assure confidentiality over the personal data that will be processed.

Cloud providers shall also have the means to:

  • communicate changes to their privacy policies or their service terms and conditions;
  • allow data controllers to limit data processing activities carried out by the cloud provider;
  • provide and maintain adequate security measures to protect personal data related to the service;
  • ensure the deletion of personal data once the service is terminated and that the data controller may recover such data; and
  • prevent unauthorised personnel from accessing personal data related to the service and inform data controllers when the data processor is required to provide access to competent authorities.

MAAGTICSI promotes the use of cloud computing as a means to benefit from economies of scale, efficiency in government management, and the standardisation of ICT, taking into account information security and personal data protection provisions. If an institution defines the use of cloud computing services, it must include them in its own ICT Projects Portfolio (Article 5 of the ICT Agreement).

Digital service providers

General security and safety provisions under the Federal Law on Telecommunications and Broadcasting 2014 (only available in Spanish here) ('the Telecommunications Law') provide that concessionaries and authorised entities who provide internet access services must abide by the general guidelines issued by the IFT, and follow certain principles such as 'privacy,' which requires these concessionaries and authorised entities to protect users' privacy and the network's security (Article 145(3) of the Telecommunications Law).

Not establishing the necessary measures to guarantee the confidentiality and privacy of the users' communications is deemed as an administrative infringement (Article 298(D)(V) of the Telecommunications Law).

Héctor Guzmán-Rodríguez Head of the Data Protection and Privacy Practice
[email protected]
BGBG Abogados, Mexico City

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback