By: Luis Gerardo Ramírez Villela
Cybersecurity attacks have been increasing recently, and every corporation needs to create, as part of its internal regulations and in addition to its obligations to comply with applicable laws, specific policies that raise awareness of the protection of the third parties with whom it collaborates.
Cybersecurity should not be considered separate from data protection. Together, they provide the tools needed to protect the personal data of third parties collaborating with each corporation, and for that reason they should be considered inseparable.
In Mexico, there are currently three organizations with jurisdiction over cybersecurity: (i) the Cyber Incident Response Center of the General Scientific Directorate of the National Guard (Centro de Respuesta a Incidentes Cibernéticos de la Dirección General Científica de la Guardia Nacional), (ii) the Federal Police (Policía Federal) and (iii) the National Institute for Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI).
The Mexican Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) provides for the protection of personal data to guarantee privacy and the right to self-determination of information.
Data processing must be adequate and relevant to the purposes set out in the privacy notice that each corporation provides to its employees and third parties, and such notice must be available not only through the website but also in situ.
The management of sensitive personal data should be assigned to a specific area of each corporation (i.e. compliance), and the party responsible for the information must make all reasonable efforts to limit the period during which such data is processed to the minimum necessary and must report internally, on a periodic basis, on the processing and management of the information.
In the event of a breach of the above, the owner of the personal data may file a claim before the INAI, which would give rise to administrative procedures and sanctions. Violations are generally punished with fines, or even criminal actions, depending on the violation of sensitive personal data.
Please note that there is currently a proposal pending approval for the implementation of the Federal Cybersecurity Law (Ley Federal de Ciberseguridad), which would create independent authorities and specific crimes in this area.