Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 10 December 2024

Yes.

☒   general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 10 December 2024

☐   public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)

☐   financial services requirements

☒   providers of critical infrastructure

☒   other

If yes, please provide brief details of the relevant law or regulation.

Cybersecurity obligations are set forth in Decree 338 of 2022, which applies to all government agencies and to private entities that carry out public activities, administer critical infrastructure or provide public services.

Furthermore, the SIC issued guidelines for the management of security incidents, which detail the types of reports that the data controller and processor must issue in response to an incident, the retention of internal records, the protocol for responding to incidents, and the steps of the response.

Moreover, according to Chapter V, Title IV, Part I of the Basic Circular of the Superintendence of Finance, entities supervised by this entity should implement the necessary policies, procedures and technical and human resources to effectively manage cybersecurity risk.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 10 December 2024

☒   data privacy

☒   network information security

☒   critical infrastructure

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 10 December 2024

Yes.

Under the Data Protection Law, both data controllers and data processors are required to notify the Data Protection Authority when security code violations occur and the administration of personal data is at risk. The data breach notification provision applies to any type of personal data, as it does not limit the scope to specific types of data affected by the breach. Additionally, Colombian law does not impose a harm threshold for notification. Therefore, if there is a violation of security codes related to the personal data of data subjects residing in Colombia and there is a risk in the management of their data, controllers and processors must notify the SIC of such breaches.

Controllers/Owners have to notify:

Last review date: 10 December 2024

☒   data protection authorities

The SIC's guidelines require that notice be given no later than 15 working days from the date the data breach is detected.

The notification of a data breach should include the following:

  • Type of breach (in the case of controllers registered in the Platform for Data Base Registry (RNBD) one type must be selected from the drop-down list provided by the RNBD system)
  • The cause of the breach
  • Type of personal data that was compromised
  • Date when the breach took place
  • Number of data subjects that were affected by the breach

In addition, it is advisable to include the type of mitigation and remediation actions taken or planned, as well as an indication of how data subjects were informed of the breach, if applicable.

☒    affected individuals

While not mandatory, the accountability principle guidelines issued by the SIC include a recommendation on notifying data subjects, which is deemed by the SIC as an advisable practice that will be seen in a favorable light in case any investigations are initiated pursuant to a data breach report.

There is no specific timeline for reporting the security breach to affected individuals. Nonetheless, the SIC has stated that one purpose of informing affected individuals is to provide tools to mitigate potential or actual damages (e.g., changing usernames and passwords, monitoring the billing statement, etc.). Thus, it is advisable to inform affected individuals within a reasonable timeline.   

Processors/Agents have to notify:

Last review date: 10 December 2024

☒   controller

☒   data protection authorities

There is no specific deadline in the applicable laws regarding the notice that processors must give to data controllers when detecting a security breach. Nonetheless, the deadline of 15 working days to report to the SIC (as set forth in Chapter Two of Title V of the Circular of the Superintendence of Industry and Commerce) applies to both data processors and data controllers.  

The notification of a data breach should include the following:

  • Type of breach (in the case of controllers registered in the Platform for Data Base Registry (RNBD) one type must be selected from the drop-down list provided by the RNBD system)
  • Type of personal data that was compromised
  • Date when the breach took place
  • Number of data subjects affected by the breach

In addition, it is advisable to include the type of mitigation and remediation actions taken or planned, as well as an indication of how data subjects were informed of the breach, if applicable.

☒    affected individuals

While not mandatory, the accountability principle guidelines issued by the SIC include a recommendation on notifying data subjects, which is deemed by the SIC as an advisable practice that will be seen in a favorable light in case any investigations are initiated pursuant to a data breach report.

There is no specific timeline for reporting the security breach to affected individuals. Nonetheless, the SIC has stated that one purpose of informing affected individuals is to provide tools to mitigate potential or actual damages (e.g., changing usernames and passwords, monitoring the billing statement, etc.). Thus, it is advisable to inform affected individuals within a reasonable timeline. 

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 10 December 2024

Yes.

☒       telecommunication requirements

If so, please provide brief details of the relevant law / guidance and indicate which body/bodies must be notified of the breach.

According to Resolution 5569 of 2018, telecommunication services providers (TSPs) must identify security incidents and store the information on the security incident, as well as have it permanently available for the authorities for a one-year period (Article 2 of the Resolution).

TSPs must submit an incident report to the Group of Cybernetic Emergencies in Colombia (colCERT) within three months after the incident. The report must include, among others, the date the incident started, services affected (mobile internet, fixed internet, mobile calls, fixed calls), the number of affected users, the category and severity of the incident, and mitigation acts.

Apart from this report, if the incident is considered "severe" or "very severe," the TSP must submit a notice to colCERT within 24 hours of discovering the incident.

Additionally, TSPs must submit annual reports regarding security incidents to the Communications Regulation Commission.