Argentina

Government Structure

Do they designate a lead cyber security agency within the government? Yes, the National Program for Critical Information Infrastructure and Cybersecurity (ICIC). This agency provides strategies and recommendations for safeguarding both public and private organizations from cyber threats. See Cyber Policy Portal: UNIDIR (June 2019); National Cybersecurity Directorate, Argentina.gob (last visited Dec. 16, 2019).

Is oversight provided on a centralized or sectoral basis? Sectoral (e.g., the Argentine Central Bank has developed cybersecurity standards for financial institutions).

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure? Four Sectors: the Energy Sector, the Transportation Sector, the Water Sector, and the Communications Sector. See Decree No. 1/2015, Secretary for Civil Protection and Comprehensive Approach to Disasters and Emergencies (June 2, 2015).

How do they designate within these sectors? Whole sector. Argentina's 2019 Cyber Security Strategy does not differentiate between entities within the sectors. See Resolution 829/2019, Official Bulletin of the Republic of Argentina (May 24, 2019).

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes, but only for specific sectors. Although cybersecurity measures promulgated by the national authority are voluntary, several regulatory entities have mandatory security requirements. The Argentine Central Bank requires that financial institutions have encryption capabilities and minimum security standards under Communication A 6354. Regulation 704-E/2017, which is only applicable to listed companies and capital market agencies regulated by the National Securities Commission, requires that data be encrypted under "internationally recognized" standards. See Argentina: Law and Practice, Chambers and Partners (Feb. 29, 2019).

Does it take a risk-based approach? Likely yes. Although the 2019 Cybersecurity Strategy does not necessarily embrace a risk-based approach, the National Office of Information Technology enacted the Model Information Security Policy, which takes an explicit "risk management" approach to cybersecurity for public agencies. See Provision 3/2013, Model Information Security Policy, National Public Administration, (last visited Dec. 16, 2019).

Do the security measures enable the use of international standards? Generally, no. Argentina's draft data protection bill, however, references the adoption of "international standards" generally. See Draft Law, Protection of Personal Data (Sep. 19, 2018).

Are security measures NIST CSF compatible? (Possible to comply through this approach?) Not currently.

Do they include prescriptive or technology-based security measures? No.

Incident Reporting

Are there mandatory incident reporting requirements? Not nationally. The data protection bill contains mandatory incident reporting requirements. Additionally, Communication A 6,354 appears to include incident reporting requirements for financial institutions. See Section 7.3, Communication A 6354, Central Bank of Argentina (Mar. 11, 2017).

Are there clear thresholds above which an incident should be reported? No.

How do they determine the timeline within which an incident must be reported? No timeline is specified.

Threat Information Sharing

Have they established a national threat information sharing entity? Yes. The threat information sharing entity is ICIC and the incident response entity is ICIC-CERT. About ICIC-CERT (last visited Dec. 20, 2019); National Cybersecurity Directorate, ICIC (last visited Dec. 20, 2019).

Does this entity share information out to industry, as well as receiving information? Yes.

Is threat information sharing mandatory for any private sector entity? No.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities? Yes. Article 62(h) of the Argentine Digital Act requires that information and communication technology providers grant access to government authorities for inspection purposes. See Law No. 27,078, Argentine Digital Law (Dec. 18, 2014). Furthermore, Communication A 6,354 allows regulators to access financial institution facilities. See Communication A 6,354, Section 2.2.5, Argentine Central Bank (Mar. 11, 2017).

Are there requirements to cede control of facilities in an emergency situation? No.

Are there requirements to provide source code or other decryption capabilities? No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel? No.

Are there requirements to localize data? No. International data transfers are restricted, but not prohibited. There is no physical location requirement under the PDPA.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty? It depends on the sector. Under the PDPA, the Argentine Agency of Access to Public Information (AAPI) may impose financial penalties for violations of the PDPA related to the mishandling of data and failure to obtain consent to transfer data. Such penalties may range from $1,000 to $100,000 under Section 31. See Law No. 25,326, Personal Data Protection Act, Section 31.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Under Article 157 of the Penal Code, unauthorized access to personal bank accounts through hacking or other means carries a penalty of one month to two years in prison. The penalty is up to four years when the perpetrator is a public official. Furthermore, Article 153 states that computer hacking carries a criminal penalty of 15 days to six months. Penal Code of the Argentine Nation, Articles 153 & 157.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The PDPA has been in force since 2000. The Argentine AAPI issued Resolution 4/2019 in January 2019 which establishes guidelines and best practices under the PDPA. Resolution 4/2019, Public Information Access Agency (Jan. 13, 2019). The Argentine Digital Law was promulgated in 2014, and updates were made to the law in December 2015. Law No. 26,522 and No. 27,078. Modifications, Decree 267/2015 (Dec. 29, 2019). Communication A 6,354 of the Argentine Central Bank Regulations was enacted in March 2017. Section 7.7, Communication A 6354, Central Bank of Argentina (Mar. 11, 2017).

Brazil

Government Structure

Do they designate a lead cyber security agency within the government? Yes, the Institutional Security Office (GSI). See Brazilian Draft Cybersecurity Strategy, 2019.

Is oversight provided on a centralized or sectoral basis? Sectoral. Oversight of the five critical infrastructure sectors will be conducted by their respective sectoral regulators, e.g. BACEN (Financial), Anatel (Telecommunications), etc. See Brazilian Draft Cybersecurity Strategy, 2019.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure? Five Sectors: the Telecommunications Sector, the Transportation Sector, the Energy Sector, the Water Sector, and the Financial Sector. See National Cyber Security Strategy (E-Cyber). These sectors were established in 2018 pursuant to Decree No. 9,573 issued on November 22, 2018.

How do they designate within these sectors? Sector-Level Regulation: Brazilian agencies responsible for IFC sectors promulgate cybersecurity regulations for private entities within those sectors. National Cyber Security Strategy (E-Cyber), at 18. For example, the Brazilian National Monetary Council published Resolution No. 4,658 in April 2018 to regulate financial institutions. Any private companies regulated by the Brazilian Central Bank are covered. Additionally, Circular 3,909 was promulgated in August 2018 to regulate electronic payment companies. Katie Llanos-Small, Brazil tightens cybersecurity rules for payment processors, iupana (Aug. 23, 2018).

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Not on a national level. GSI/PR published Complementary Standard No. 4, which sets voluntary guidelines for the Information and Communications Security Risk Management process in Federal Public Administration ("AFP") bodies and organizations. National Cyber Security Strategy (E-Cyber), at 10. Brazil's Internet Law regulations require Internet connection and application providers to follow certain security standards. See Brazil: Cybersecurity - National Law, International Bar Association (last visited Nov. 15, 2019).

Does it take a risk-based approach? Yes. Brazil appears to take a risk-based approach that is dependent on the industry or organization adopting the voluntary guidelines. However, the Strategy also proposes to adopt more standardized security measures in the future. See National Cyber Security Strategy (E-Cyber), at 10.

Do the security measures enable the use of international standards? It is unclear. While the National Cyber Security Strategy advocates for the use of international standards, there is no indication as to what those standards are. See National Cyber Security Strategy (E-Cyber), at 28. Decree No. 9,637/2018 implementing the National Information Security Policy also references initiatives to implement security standards, but does not define them.

Are security measures NIST CSF compatible? (Possible to comply through this approach?) Not at this time. See Amy Mahn, Picking Up the Framework's Pace Internationally, NIST: Cybersecurity Framework (June 13, 2019).

Do they include prescriptive or technology-based security measures? Technology-based by industry. While there are guidelines provided by GSI/PR, each public agency adopts its own security measures that are based on the relevant digital environments. This is evident given the differing cybersecurity standards for Internet providers and financial institutions. See National Cyber Security Strategy (E-Cyber), at 11.

Incident Reporting

Are there mandatory incident reporting requirements? No. There are sectoral regulations, such as National Monetary Council Regulation No. 4,658, which require that financial institutions have breach plans in place. Full compliance is not required until 2021. Additionally, the Brazil General Data Protection Law will require companies that control the personal data of persons in Brazil to report security incidents to the DPA. See Article 48, Brazil General Data Protection Law. Brazil: Cybersecurity - National Law, International Bar Association (last visited Nov. 15, 2019).

Are there clear thresholds above which an incident should be reported? No. National Monetary Council Regulation No. 4,658 requires that financial institutions and their cloud storage partners keep track of "incidents," but that term is not defined. However, once the Brazil General Data Protection Law takes effect, companies will be required to report any security incidents where such occurrences "may create risk or relevant damage to the data subjects." See Article 48, Brazil General Data Protection Law.

How do they determine the timeline within which an incident must be reported? There are no mandatory incident reporting temporal requirements in place. Companies need only revise their cybersecurity reports annually under Regulation No. 4,658. When the Brazil General Data Protection law takes effect, incidents will have to be reported to the DPA "within a reasonable time period." See Article 48, Brazil General Data Protection Law.

Threat Information Sharing

Have they established a national threat information sharing entity? Yes but it is fragmented. There are eight categories of cyber incident treatment and response centers throughout Brazil that coordinate regarding threats. The two national treatment and response centers are the Brazilian Center for Security Incident Studies, Response, and Treatment (CERT.br) and the Government Cyber Incident Handling and Response Center (CTIR Gov), which is focused on government networks in Brazil and is a subordinate agency to DCSI-GSI within the Institutional Security Office of the President of the Republic. The military cyber defense system in Brazil is run by the Cyber Defense Command (ComDCiber). See A Strategy for Cybersecurity Governance in Brazil, at 6-7 (Sep. 30, 2018).

Does this entity share information out to industry, as well as receiving information? Yes, there is information sharing but it is disjointed. CERT.br handles computer security incident reports related to Brazilian networks connected to the Internet. See About CERT.br (last visited Nov. 15, 2019). CERT.br coordinates with CTIR Gov on incident reporting and response. See Alerts and Recommendations, CTIRGov (Nov. 15, 2019).

Is threat information sharing mandatory for any private sector entity? Not currently. However, Resolution 4,658/2018 requires information sharing on the part of financial institutions and their data storage and cloud computing services. Institutions do not have to be fully compliant until 2021. See Chs. 22 & 24, Resolution 4,658/2018.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities? No. Resolution 4,658/2018 requires that the Brazil Central Bank be able to access the cloud storage agreements, stored data, and relevant backups and access codes of financial institutions. See Brazil: Cybersecurity - National Law, International Bar Association (last visited Nov. 15, 2019). Additionally, the Brazil General Data Protection Law reserves the right for the Brazil DPA to determine data accessibility. See Article 40, Brazil General Data Protection Law.

Are there requirements to cede control of facilities in an emergency situation? No.

Are there requirements to provide source code or other decryption capabilities? No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel? No. Under the Brazil Data Protection Law, a data protection officer or third party is required, but they do not need to be located in Brazil. The new law will take effect in August 2020.

Are there requirements to localize data? Not explicitly within the geographical boundaries of Brazil. The Brazil Data Protection Law will require personal data to be stored "in a format favoring the exercise of the holder’s right of access, and by extension enabling holder’s request for a full electronic copy of his personal data in a format allowing its further processing." See Privacy Rights Under the Brazilian LGPD vs. GDPR (August 16, 2018).

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty? No. Failure by an organization to implement cybersecurity measures is not a criminal offence in Brazil. Nor does the draft National Cyber Security Strategy (2019) outline any changes to this approach.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty? No. Failure by an organization to implement cybersecurity measures is not a criminal offence in Brazil. Nor does the draft National Cyber Security Strategy (2019) outline any changes to this approach.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Brazilian National Monetary Council published Resolution No. 4,658 in April 2018 to regulate financial institutions. Additionally, Circular 3,909 was promulgated in August 2018 to regulate electronic payment companies. The Brazil General Data Protection Regulation takes effect in August 2020, and any business that collects or processes the personal data of a person in Brazil or offers goods or services to persons in Brazil will be regulated by the Data Protection Authority ("DPA").

Chile

Government Structure

Do they designate a lead cyber security agency within the government? Yes. In 2017, Supreme Decree No. 533 created the Interministerial Committee on Cybersecurity ("CICS"). CICS is responsible for promulgating a national cybersecurity policy in Chile. See CICS, CIBERseguridad (last visited Dec. 2, 2019).

Is oversight provided on a centralized or sectoral basis? Sectoral. Although Chile's 2017-2022 cyber strategy envisions technical oversight bodies for each sector of critical infrastructure, only some sectors have cybersecurity regulations. For example, Article 24H of Chile's General Telecommunications Law requires that Internet Service Providers take measures to preserve user privacy and network security. See General Telecommunications Law, BCN (Aug. 20, 2019); Telecoms and Media, Getting the Deal Through (June 2019). The Superintendent of Banks and Financial Institutions has also developed cybersecurity standards and incident reporting measures. See Telecoms and Media, Getting the Deal Through (June 2019).

Which sectors do they designate as critical information infrastructure? 10 Sectors: Energy, telecommunications, water, health, financial services, public security, transport, the civil service, civil protection, and defense. National Cybersecurity Policy 2017-2022, Government of Chile (2017), at 16-17. See CICS, CIBERseguridad (last visited Dec. 2, 2019).

How do they designate within these sectors? Whole sector: Where there are sectoral regulations or laws, they appear to apply to the entire industry.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes, but only for specific sectors. The SBIF issued banking regulations in 2018 that required companies to maintain a database of cybersecurity breaches. They also required companies to carry out tests to evaluate the resilience of security systems. Chile - Safety and Security, export.gov (Nov. 27, 2019). Additionally, in October 2018, the President of Chile issued a Presidential Instructive on Cybersecurity containing emergency measures that public bodies must take to update security provisions. This includes updating technical regulations on cybersecurity and appointing an official to serve as a cybersecurity officer in each agency. President Piñera signs Bill to Fight Cybercrime, Gob.cl (Oct. 25, 2018).

Does it take a risk-based approach? Yes. Chile's 2017-2022 Cybersecurity Strategy takes a risk management approach to confronting and recovering from cybersecurity incidents. See Alfonso Silva and Eduardo Martin, Telecoms and Media: Chile, Getting the Deal Through (June 2019); National Cybersecurity Policy 2017-2022, Government of Chile (2017), at 16; see CICS, CIBERseguridad (last visited Dec. 2, 2019).

Do the security measures enable the use of international standards? Yes. Chile's 2017-2022 Cybersecurity Strategy specifically references compliance with ISO 27000 pertaining to the confidentiality of electronic documents. National Cybersecurity Policy 2017-2022, Government of Chile (2017), at 31; see CICS, CIBERseguridad (last visited Dec. 2, 2019).

Are security measures NIST CSF compatible? (Possible to comply through this approach?) No.

Do they include prescriptive or technology-based security measures? No. Although a 2018 Presidential Instructive updated cybersecurity requirements for public bodies, neither this directive nor the 2017-2022 Cybersecurity Strategy include technology-based security measures. See Paulina Silva, Chile: Presidential Instructive On Cybersecurity (Nov. 5, 2018).

Incident Reporting

Are there mandatory incident reporting requirements? Only for the banking industry. Chilean Law No. 19.628 does not contain any mandatory incident reporting requirements. See Chile: Data Protection 2019, ICLG (Mar. 7, 2019). There is currently a bill being discussed by the Chilean Congress that would overhaul the data protection regime and create a national authority for data protection. See Data Protection & Privacy: Chile, Telecoms and Media, Getting the Deal Through (June 2019). The 2019 updates to the SBIF regulations (Chapter 20-8) require that financial institutions report cybersecurity incidents to their clients, other institutions, and the SBIF. See Getting the Deal Through (June 2019).

Are there clear thresholds above which an incident should be reported? No.

How do they determine the timeline within which an incident must be reported? Financial institutions must report cybersecurity incidents to customers and regulators "promptly." There is a digital platform for reporting such incidents. See David Feliba, Chile's SBIF issues regulatory changes for banks on cybersecurity (Sep. 3, 2018).

Threat Information Sharing

Have they established a national threat information sharing entity? Yes. Threat information sharing is handled by CSIRT Gob. See About Us, CSIRT (last visited Dec. 2, 2019).

Does this entity share information out to industry, as well as receiving information? Yes. CSIRT Gob promotes general awareness of cybersecurity threats to both government agencies and the public. See About Us, CSIRT (last visited Dec. 2, 2019).

Is threat information sharing mandatory for any private sector entity? Yes. The 2019 updates to the SBIF regulations (Chapter 20-8) require that financial institutions report cybersecurity incidents to their clients, other institutions, and the SBIF. See Getting the Deal Through (June 2019).

Government Access Requirements

Are there requirements to provide government officials physical access to facilities? Unclear. However, this is likely not the case, as there is no provision allowing for law enforcement to access data. See State of Privacy in Chile, Privacy International (Jan. 2019).

Are there requirements to cede control of facilities in an emergency situation? Likely no. Law 20,478 provides for coordination between telecommunications providers and government agencies during emergency situations. However, there is no express right of agency officials to enter or seize facilities. See Law No. 20,478, BCN (last visited Dec. 15, 2019).

Are there requirements to provide source code or other decryption capabilities? No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel? No.

Are there requirements to localize data? No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty? Depending on the sector, yes. Data protection breaches caused by improper data processing may lead to fines under Law 19.628 where the breach was the result of negligent or willful conduct. These may range from 48,741 Chilean pesos to 487,410 Chilean pesos. If the breach involves financial data, that penalty could range from 487,410 Chilean pesos to 2.437 million Chilean pesos. Compensation is established by a civil judge in summary procedure, taking into account the severity of the monetary or non-monetary damages. See Data Protection & Privacy: Chile, Getting the Deal Through (August 2019); Law 19.628, Article 23 (last modified Feb. 17, 2012).

Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Yes. Chile's computer crimes law is Law No. 19,223. However, Chile plans on adding eight new cybercrimes to comply with the Budapest Convention on Cybercrime. The new crimes carry jail time ranging from 61 days in prison to five years. See Carlos Gonzalez Isla, Chile will update cybercrime law for the first time in 24 years (Aug. 16, 2017). However, the old law has not yet been updated. The current law makes unauthorized access, theft, and destruction of information systems a crime. Maximum penalties are not specified. See Law 19,223, BCN (last visited Dec. 15, 2019).

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? Chilean Law No. 19,628, the Chilean data protection law, was promulgated in 1999. The legislature is currently considering changes to the law. State of Privacy Chile, Privacy International (January 2019). The latest breach reporting regulations promulgated by the SBIF were issued in August 2018. Chile - Safety and Security, export.gov (Nov. 27, 2019).

Mexico

Government Structure

Do they designate a lead cyber security agency within the government? Yes. The Interministerial Commission for the Development of the Electronic Government (CIDGE) through the Subcommittee on Cybersecurity, which is chaired by the Secretariat of the Interior through the National Commission for Security. See Mexico National Cybersecurity Strategy.

Is oversight provided on a centralized or sectoral basis? Sectoral. While Mexico's Federal Police, specifically the National Center for Cyber Incidents Response (CERT-MX), are responsible for investigating cybercrimes at the national level, many other agencies provide oversight in their respective sectors (e.g., INAI - personal data; IFT - telecommunications). See Begona Cancino, Creel García-Cuéllar Aiza y Enriquez SC, Cybersecurity in Mexico, Lexology.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure? They have not officially designated sectors as critical information infrastructure.

How do they designate within these sectors? N/A

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws? No.

Does it take a risk-based approach? N/A.

Do the security measures enable the use of international standards? N/A.

Are security measures NIST CSF compatible? (Possible to comply through this approach?) N/A.

Do they include prescriptive or technology-based security measures? N/A.

Incident Reporting

Are there mandatory incident reporting requirements? For some sectors, yes. The Mexican Privacy Regulations require a data controller to inform the data subject (not the regulator) of a breach that involves the unauthorized use of personal data. See Data Protection Regulations, Article 64.

Are there clear thresholds above which an incident should be reported? It depends on the sector, but generally no. The Mexican Privacy Regulations require that the data controller report a breach involving the unauthorized use of personal data after assessing whether the breach "significantly affected the property or non-pecuniary rights of the data subjects." See Data Protection Regulations, Article 64.

How do they determine the timeline within which an incident must be reported? The regulations only provide that such notification should be conducted "without delay." See Data Protection Regulations, Article 64.

Threat Information Sharing

Have they established a national threat information sharing entity? Unclear. The Scientific Division of Mexico's Federal Police operates CERT-MX, which helps facilitate information sharing. See The State of Cybersecurity in Mexico: An Overview, Wilson Center Mexico Institute (Jan. 2017).

Does this entity share information out to industry, as well as receiving information? CERT-MX serves as the point of contact between Interpol and the Department of Justice. The main roles of CERT-MX are 1) the identification and follow-up of cyber-related incidents, 2) protection of the national critical infrastructure, and 3) the promotion of the national interest in information technology security.

Is threat information sharing mandatory for any private sector entity? Unclear. Under the Mexican Constitution, organizations must cooperate with government agencies regarding incidents; however, no law establishes specific requirements to report incidents or potential incidents. See also Begona Cancino, Creel García-Cuéllar Aiza y Enriquez SC, Cybersecurity in Mexico, Lexology.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities? No.

Are there requirements to cede control of facilities in an emergency situation? No.

Are there requirements to provide source code or other decryption capabilities? No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel? No.

Are there requirements to localize data? No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty? Penalties are sector-specific. Breach of the Data Protection Law may result in monetary penalties up to 320,000 times the Mexico City minimum wage (currently MX $88.36). Sanctions may also be doubled for violations involving sensitive data. See Data Protection Law, Article 63.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Yes. A person who for profit causes a security breach affecting the databases under its custody may face up to three years of imprisonment (penalties will be doubled if sensitive personal information is involved). See Data Protection Law, Article 63.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Federal Law on Protection of Personal Data Held by Individuals was approved by the Mexican Congress on April 26, 2010 and was published on July 5, 2010.