Mexico
Regarding the imposition of IT security obligations in the above laws, the Federal Law for the Protection of Personal Information in Possession of Private Entities only obliges the data controller to safeguard, and be accountable for, any PI under its custody, including any PI that it has shared with a vendor, whether in Mexico or abroad. In order to comply with this principle, the controller must make use of international best practices, corporate policies, self-regulatory schemes, or any other suitable mechanism for this purpose.
Furthermore, Article 19 of the Federal Law for the Protection of Personal Information in Possession of Private Entities requires every data controller to implement and maintain administrative, technical and physical security measures that protect the collected and stored personal information from loss, alteration, destruction, or unauthorized access and use.
Said measures cannot be lesser than those the data owner uses to protect its own information, and in implementing them the data owner must consider the existing risk, the possible consequences for the data subjects, the sensitivity of the data, and the state of technological development.
There is no legal requirement to report data breaches to the Mexican DPA, and so far there are no guidelines for voluntary breach reporting to the Mexican DPA.
However, the Law requires that if any phase of the collection, storage or use of data may in any way significantly affect the patrimonial or moral rights of individuals, data controllers shall immediately notify the affected individuals of this situation.
Likewise, Article 64 of the Regulations of the FLPPIPPE requires data controllers to notify individuals without delay of any breach that significantly affects their moral or patrimonial rights, as soon as the data controller confirms that a breach has occurred and the data owner has taken steps to begin an exhaustive process to determine the magnitude of the breach.
In said notification data controllers must inform at least:
The nature of the incident;
The compromised PI;
Recommendations for the data subjects to protect their interests;
The corrective measures immediately implemented by the data controller;
The means for obtaining more information regarding the breach.
On the other hand, the Federal Law for the Protection of Personal Information in Possession of Obliged Subjects contemplates obligations similar to those mentioned above, but raises the standard for the "obliged subjects", binding them (under Article 35) to:
Document all the measures adopted for the handling of PI;
Prepare and keep an updated inventory of all PI collected;
Keep records of the functions and obligations of the persons handling PI;
Carry out a risk analysis;
Carry out a breach analysis;
Keep an ongoing training program.
Article 36 imposes the obligation, in the event of any security breach, to analyze the causes that gave rise to the breach and to incorporate into the work plan all preventive and corrective measures needed to avoid a new security breach.
Article 39 imposes the obligation to keep a detailed and accurate record of all breaches that have occurred, stating the date on which each occurred, the cause of the breach, and the corrective measures implemented, both immediate and definitive.
Article 40 imposes the obligation to inform the data subjects, as well as the Mexican DPA, of any breach that may significantly affect the patrimonial or moral rights of the data subjects, as soon as the breach is confirmed, so that the data subjects may adopt all available measures in defense of their rights.