Cyber Law in South America

Brazil

Government Structure

Do they designate a lead cyber security agency within the government?

Yes, the Institutional Security Office (GSI). See Brazilian Draft Cybersecurity Strategy, 2019 

Is oversight provided on a centralized or sectoral basis?

Sectoral. Oversight of the five critical infrastructure sectors will be conducted by their respective sectoral regulators, e.g. BACEN (Financial) and Anatel (Telecommunications). See Brazilian Draft Cybersecurity Strategy, 2019.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

Five Sectors: the Telecommunications Sector, the Transportation Sector, the Energy Sector, the Water Sector, and the Financial Sector. See National Cyber Security Strategy (E-Cyber). These sectors were established in 2018 pursuant to Decree No. 9,573 issued on November 22, 2018. 

How do they designate within these sectors?

Sector-Level Regulation: Brazilian agencies responsible for critical infrastructure (CI) sectors promulgate cybersecurity regulations for private entities within those sectors. National Cyber Security Strategy (E-Cyber), at 18.

For example, the Brazilian National Monetary Council published Resolution No. 4,658 in April 2018 to regulate financial institutions. Any private companies regulated by the Brazilian Central Bank are covered. Additionally, Circular 3,909 was promulgated in August 2018 to regulate electronic payment companies. Katie Llanos-Small, Brazil tightens cybersecurity rules for payment processors, iupana (Aug. 23, 2018).

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Not on a national level. GSI/PR published Complementary Standard No. 4, which sets voluntary guidelines for the Information and Communications Security Risk Management process in Federal Public Administration (APF) bodies and organizations. National Cyber Security Strategy (E-Cyber), at 10. Separately, the regulations under Brazil's Internet Law (the Marco Civil da Internet) require Internet connection and application providers to follow certain security standards. See Brazil: Cybersecurity - National Law, International Bar Association (last visited Nov. 15, 2019).

Does it take a risk-based approach?

Yes. Brazil appears to take a risk-based approach that is dependent on the industry or organization adopting the voluntary guidelines. However, the Strategy also proposes to adopt more standardized security measures in the future. See National Cyber Security Strategy (E-Cyber), at 10. 

Do the security measures enable the use of international standards?

It is unclear. While the National Cyber Security Strategy advocates for the use of international standards, there is no indication as to what those standards are. See National Cyber Security Strategy (E-Cyber), at 28. Decree No. 9,637/2018 implementing the National Information Security Policy also references initiatives to implement security standards, but does not define them. 

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Not at this time. See Amy Mahn, Picking Up the Framework's Pace Internationally, NIST: Cybersecurity Framework (June 13, 2019). 

Do they include prescriptive or technology-based security measures?

Technology-based by industry. While there are guidelines provided by GSI/PR, each public agency adopts its own security measures that are based on the relevant digital environments. This is evident given the differing cybersecurity standards for Internet providers and financial institutions. See National Cyber Security Strategy (E-Cyber), at 11. 

Incident Reporting

Are there mandatory incident reporting requirements?

No. There are sectoral regulations, such as National Monetary Council Resolution No. 4,658, which require that financial institutions have breach response plans in place; full compliance is not required until 2021. Additionally, the Brazil General Data Protection Law will require companies that control the personal data of persons in Brazil to report security incidents to the DPA. See Article 48, Brazil General Data Protection Law; Brazil: Cybersecurity - National Law, International Bar Association (last visited Nov. 15, 2019).

Are there clear thresholds above which an incident should be reported?

No. National Monetary Council Resolution No. 4,658 requires that financial institutions and their cloud storage partners keep track of "incidents," but that term is not defined. However, once the Brazil General Data Protection Law takes effect, companies will be required to report any security incident that "may create risk or relevant damage to the data subjects." See Article 48, Brazil General Data Protection Law.

How do they determine the timeline within which an incident must be reported?

There are no mandatory incident reporting deadlines in place. Financial institutions need only revise their cybersecurity reports annually under Resolution No. 4,658. When the Brazil General Data Protection Law takes effect, incidents will have to be reported to the DPA "within a reasonable time period," a period the law does not quantify. See Article 48, Brazil General Data Protection Law.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes, but it is fragmented. There are eight categories of cyber incident treatment and response centers throughout Brazil that coordinate regarding threats. The two national treatment and response centers are the Brazilian Center for Security Incident Studies, Response, and Treatment (CERT.br) and the Government Cyber Incident Handling and Response Center (CTIR Gov), which is focused on government networks in Brazil and is subordinate to the Department of Information and Communications Security (DSIC) within the Institutional Security Office of the President of the Republic (GSI). The military cyber defense system in Brazil is run by the Cyber Defense Command (ComDCiber).

See A Strategy for Cybersecurity Governance in Brazil, at 6-7 (Sep. 30, 2018).

Does this entity share information out to industry, as well as receiving information?

Yes, there is information sharing, but it is disjointed. CERT.br handles computer security incident reports related to Brazilian networks connected to the Internet. See About CERT.br (last visited Nov. 15, 2019). CERT.br coordinates with CTIR Gov on incident reporting and response. See Alerts and Recommendations, CTIR Gov (last visited Nov. 15, 2019).

Is threat information sharing mandatory for any private sector entity?

Not currently. However, Resolution 4,658/2018 requires information sharing on the part of financial institutions and their data storage and cloud computing service providers. Institutions do not have to be fully compliant until 2021. See Chs. 22 & 24, Resolution 4,658/2018.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

No physical access requirement. Resolution 4,658/2018 does, however, require that the Brazil Central Bank be able to access the cloud storage agreements, stored data, and relevant backups and access codes of financial institutions. See Brazil: Cybersecurity - National Law, International Bar Association (last visited Nov. 15, 2019). Additionally, the Brazil General Data Protection Law reserves the right for the Brazil DPA to determine data accessibility. See Article 40, Brazil General Data Protection Law.

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No. Under the Brazil Data Protection Law, a data protection officer or third party is required, but they do not need to be located in Brazil. The new law will take effect in August 2020.

Are there requirements to localize data?

Not explicitly. No law requires personal data to be kept within the geographical boundaries of Brazil. The Brazil Data Protection Law will instead require personal data to be stored "in a format favoring the exercise of the holder's right of access, and by extension enabling holder's request for a full electronic copy of his personal data in a format allowing its further processing." See Privacy Rights Under the Brazilian LGPD vs. GDPR (August 16, 2018).

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

No general cybersecurity fines. Failure by an organization to implement cybersecurity measures does not in itself attract a statutory financial penalty in Brazil, and the draft National Cyber Security Strategy (2019) does not propose one. Once the Brazil General Data Protection Law takes effect, violations of that law will carry administrative fines (see Article 52, Brazil General Data Protection Law), but those attach to data protection infractions rather than to a failure to adopt security measures as such.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

No. Failure by an organization to implement cybersecurity measures is not a criminal offence in Brazil. Nor does the draft National Cyber Security Strategy (2019) outline any changes to this approach. 

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Brazilian National Monetary Council published Resolution No. 4,658 in April 2018 to regulate financial institutions. Additionally, Circular 3,909 was promulgated in August 2018 to regulate electronic payment companies. The Brazil General Data Protection Law takes effect in August 2020, and any business that collects or processes the personal data of a person in Brazil or offers goods or services to persons in Brazil will be regulated by the Data Protection Authority ("DPA").

Mexico

Government Structure

Do they designate a lead cyber security agency within the government?

Yes. The Interministerial Commission for the Development of the Electronic Government (CIDGE), acting through its Subcommittee on Cybersecurity, which is chaired by the Secretariat of the Interior through the National Commission for Security. See Mexico National Cybersecurity Strategy.

Is oversight provided on a centralized or sectoral basis?

Sectoral. While Mexico's Federal Police, specifically the National Center for Cyber Incidents Response (CERT-MX), are responsible for investigating cybercrimes at the national level, many other agencies provide oversight in their respective sectors (e.g., INAI for personal data; IFT for telecommunications). See Begona Cancino, Creel García-Cuéllar Aiza y Enriquez SC, Cybersecurity in Mexico, Lexology.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

They have not officially designated sectors as critical information infrastructure.  

How do they designate within these sectors?

N/A

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

No. 

Does it take a risk-based approach?

N/A.

Do the security measures enable the use of international standards?

N/A.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

N/A.

Do they include prescriptive or technology-based security measures?

N/A.

Incident Reporting

Are there mandatory incident reporting requirements?

For some sectors, yes. The Mexican Privacy Regulations require a data controller to inform the data subject (not the regulator) of a breach that involves the unauthorized use of personal data. See Data Protection Regulations, Article 64.

Are there clear thresholds above which an incident should be reported?

It depends on the sector, but generally no. The Mexican Privacy Regulations require the data controller to report a breach involving the unauthorized use of personal data after assessing whether the breach "significantly affected the property or non-pecuniary rights of the data subjects." See Data Protection Regulations, Article 64.

How do they determine the timeline within which an incident must be reported?

The regulations only provide that such notification should be made "without delay." See Data Protection Regulations, Article 64.

Threat Information Sharing

Have they established a national threat information sharing entity?

Unclear. The Scientific Division of Mexico's Federal Police operates CERT-MX, which helps facilitate information sharing. See The State of Cybersecurity in Mexico: An Overview, Wilson Center Mexico Institute (Jan. 2017).

Does this entity share information out to industry, as well as receiving information?

CERT-MX serves as the point of contact between Interpol and the Department of Justice. The main roles of CERT-MX are 1) the identification and follow-up of cyber-related incidents, 2) protection of the national critical infrastructure, and 3) the promotion of the national interest in information technology security.

Is threat information sharing mandatory for any private sector entity?

Unclear. Under the Mexican Constitution, organizations must cooperate with government agencies regarding incidents; however, no law establishes specific requirements to report incidents or potential incidents. See also Begona Cancino, Creel García-Cuéllar Aiza y Enriquez SC, Cybersecurity in Mexico, Lexology.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

No.

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.

Are there requirements to localize data?

No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Penalties are sector-specific. Breach of the Data Protection Law may result in monetary penalties of up to 320,000 times the Mexico City daily minimum wage (MX$88.36 at the time of writing). Sanctions may also be doubled for violations involving sensitive data. See Data Protection Law, Article 63.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Yes. A person who, for profit, causes a security breach affecting the databases under their custody may face up to three years of imprisonment (penalties are doubled if sensitive personal information is involved). See Data Protection Law, Article 63.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Federal Law on Protection of Personal Data Held by Private Parties was approved by the Mexican Congress on April 26, 2010 and published on July 5, 2010.

Additional Countries

Argentina, Chile

© 2023 by National Cyber Law Project Reference Site

Disclaimer: The material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason University. It is not legal advice. Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions. The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change, so you should consult other resources to ensure continued accuracy.