Last review date: 31 December 2024
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ other
Financial institutions are subject to specific IT measures and obligations regarding security controls to protect personal data.
Last review date: 31 December 2024
Yes.
☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)
☒ financial services requirements
☒ other
Financial institutions are subject to specific obligations to protect systems from cyberattacks. The particular obligations are regulated by different laws and regulations, depending on the nature of the institution.
In addition, while no specific obligations apply to providers of critical infrastructure in general, there are particular obligations for providers to the Mexican Federal Government, as described in the Resolution issuing the policies and provisions to promote the use and exploitation of information technology, digital government, information and communication technologies, and information security in the Federal Public Administration.
☒ Data privacy
☒ telecommunications
Last review date: 31 December 2024
Yes.
According to the FDPL, a personal data breach is any (i) loss or unauthorized destruction; (ii) theft, misplacement or unauthorized copying; (iii) unauthorized use, access or processing; or (iv) unauthorized damage, alteration or modification of personal data.
Last review date: 31 December 2024
Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:
Answer: Yes
Last review date: 31 December 2024
While Processors/Agents have a mandate to implement security measures and maintain confidentiality, the FDPL does not provide an express mandate to notify any of the involved parties. This is usually addressed contractually.
Last review date: 31 December 2024
Yes.
☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)
☒ financial services requirements
Financial institutions are required to notify affected users (within three business days after the occurrence of the event).
Details regarding the identified data security breach notification requirements
The event in which a user's sensitive data is extracted or lost, or in which the institution supposes or suspects an incident involving unauthorized access to that information.
All data breach notifications should include: (i) the nature of the incident that occurred; (ii) the personal data involved; (iii) recommendations of measures that the data subject may take to protect their interests; (iv) the immediate actions taken by the data controller; and (v) additional information on where the data subject may obtain further information regarding the incident.