Companies struggle when they suffer a data breach, but what is considered a data breach under Mexican law, and what types of reporting are required under it?
The Law for Protection of Personal Data Held by Private Parties ("LPPDHPP"), its implementing Regulation and the Recommendations to Manage Security Incidents and Data Breaches (the "Recommendations") (altogether the "Federal Data Protection Law") define a data breach as any security incident that affects personal data, at any stage of its processing, including (i) loss or unauthorized destruction; (ii) theft, loss or unauthorized copying; (iii) unauthorized use, processing or access; or (iv) damage, alteration or unauthorized modification of any personal data in any phase of the processing. While this definition follows international standards, it is broad enough to encompass many different activities, which some companies suffer on a regular basis.
However, do data controllers really need to report all of these to the National Institute of Transparency, Access to Information and Protection of Personal Data ("INAI") and/or to the data subjects?
The answer can be short, but is often complex. Once an incident has been confirmed as a data breach, the Federal Data Protection Law provides only an obligation to report or notify the data subjects that have been involved in the data breach. Therefore, there is no obligation to report or notify the INAI. That might not seem so complicated; however, the complexity lies in determining the nature of the breach, since under the Federal Data Protection Law, data controllers are only obliged to notify data subjects of data breaches that significantly affect their patrimonial or moral rights.
The Federal Data Protection Law sheds little light on how to determine when something significantly affects patrimonial or moral rights. Therefore, data controllers need to analyze, on a case-by-case basis, whether a particular breach significantly affects such rights or not. Nonetheless, it is recommended to document the basis for the decision, in order to have evidentiary support if ever audited by the INAI.
It is worth mentioning that, in case a data controller decides to notify data subjects, such notification must be made (i) as soon as the data breach has been confirmed; and (ii) once the data controller has all of the necessary information to comply with the information requirements that need to be disclosed in the notification to the data subjects.
Given the increase in cyberthreats, companies should be well aware of their reporting obligations and have diligent response plans in place.