Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 29 December 2023

Yes.

☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ obligation to take specific security measures, e.g., encryption

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 29 December 2023

Yes.

☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)

☒ health regulatory requirements

☒ financial services requirements

☒ telecommunication requirements

☒ providers of critical infrastructure

☒ other

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 1 January 2025

☒ data privacy

☒ health

☒ financial services

☒ critical infrastructure

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 1 January 2025

The Cybersecurity Act mandates notification for several industries deemed essential and/or critical. The Personal Data Protection Act will also make notification mandatory once it comes into force in December 2026.

Controllers/Owners have to notify:

Last review date: 1 January 2026

  • data protection authorities

  • cybersecurity authorities

Processors/Agents have to notify:

Last review date: 1 January 2025

  • cybersecurity authorities

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 1 January 2025

Yes.

☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)

☒ financial services requirements

☒ other

Details regarding the identified data security breach notification requirements

Banks and financial institutions are subject to specific notification requirements in the case of cyberattacks and any incidents "related to cybersecurity," including any incidents that might put at risk the continuity of the business, the funds or resources of the relevant entity or its clients, service quality or the entity's image. This is in accordance with Chapter 20-8 of the Updated Compilation of Rules issued by the Chilean Commission for the Financial Market ("Chapter 20-8"). Chapter 20-8 provides a non-exhaustive list of possible incidents, which includes "technology issues affecting information security" and "loss of information of the bank or its clients."

Among other requirements, Chapter 20-8 includes:

  • Having an officer especially appointed to deal with these types of events
  • Establishing a communication channel with the Commission for the Financial Market (CMF)
  • Reporting the incident to the CMF within 30 minutes from the moment it takes place, including as much information as possible
  • Once closed, providing a new report to the CMF including all information listed in Chapter 20-8
  • Informing clients or users and keeping them up-to-date, but only if the incident affects the service quality or continuity or is of public knowledge
  • Sharing information on the incident with the rest of the industry

The CMF may also require them to implement a specific contingency plan, if deemed necessary.