The court ruling against Uber’s former security chief over the cover-up of a 2016 data breach is the talk of the town in cybersecurity circles. In Latin America’s corner of the cybersec world, though, the conversation has been more introspective, and worrying for different reasons.
“Covering up cybersecurity breaches is common practice in Latin America […] We should reflect on how long this kind of practice will be allowed,” pointed out Mario Robles, Founder and CEO of Costa Rican cybersec vendor White Jaguars, in a LinkedIn post commenting on the Uber story.
Robles isn’t the only one holding that opinion. Latin American cybersecurity vendors, IT lawyers and other experts in the field have been first-hand witnesses to the lack of transparency about, and consequences for, security breaches in the region, and they contrast the compliance landscape with what is seen in the USA and Europe.
“It’s very uncommon for them [companies] to do that [report security breaches],” commented Jorge Hernández, General Director at Mexican cybersecurity vendor TagSec. “Unlike countries like the US, where companies are compelled to report [data breaches and hackings], in Mexico and Latin America in general, there’s no law that forces them to.”
Cybersecurity is a topic of growing concern for Latin American authorities and regional operators. Several government agencies across the region have been hit by cyberattacks this year, raising questions about the integrity of each country’s digital defenses.
Countries like Mexico, Brazil, Colombia and Costa Rica have been working for years on updating their cybersecurity legislation, incorporating severe punishment for cybercrime into their penal codes, creating regulators of data compliance and adding a digital dimension to their national security strategies.
Nevertheless, there’s a lot of work to be done in regulating private actors, who tend to be the ones that interact with foreign companies and, in the case of nearshore outsourcing, manage the data of clients overseas.
The little legal language that exists in the region is insufficient, explained Roberto Lemaître, an IT lawyer and professor at the University of Costa Rica. In his country, for example, companies are expected to report data breaches that involve personal data. Yet there is no sanction established for failing to notify regulators. The law is effectively toothless, Lemaître pointed out.
Costa Rica is, unfortunately, not an exception to the regional trend. Mexico has a federal law that regulates the collection, protection, management and use of personal data by public and private actors. However, any sanction that might fall on a company in relation to data would be imposed for improper management or use of that data, not for failing to report a breach. The legal landscape is similar for Argentina’s and Colombia’s cybersecurity and data protection frameworks.
Brazil is perhaps the closest thing to an exception in the region. The country’s General Law for Data Protection (known locally as LGPD) compels organizations to notify federal regulators about data breaches, with a detailed account of the data affected, the levels of security in place, etc.
It is rather vague about the required time frame, though. The text is based on the European Union’s legal framework, which establishes a 72-hour period for reporting data breaches. Brazil expects the reporting to be done “under a reasonable timeframe, which shall be defined by national authorities.”
Keep Quiet and Fix It
The approach of most companies in the region in the aftermath of a cybersecurity breach is to keep quiet and fix the issue internally, according to experts consulted by NSAM. In the case of ransomware attacks, the possibility of paying the ransom is rarely ruled out.
“They mostly work in their recovery processes internally, keeping the appearance of continuity in front of clients and providers,” said Andrés Casas, Co-Founder of Costa Rican cybersec firm BRAKK. “When it comes to payments [for ransomware attacks], it’s all relative to how complicated the scenario of recovery actually is. But there are payment intentions.”
Despite this approach, it’s not as if companies dismiss the importance of cybersecurity. The cybersec market in Latin America is expected to grow by leaps and bounds through 2025. IT vendors have also noticed that potential clients are ranking cybersec and data protection credentials above ESG compliance and even above the levels of transparency and corruption in a given territory.
Not only is there no legal tool compelling companies to report data breaches; doing so also exposes them to PR firestorms and investigations that might lead to the discovery of sanctionable offenses. IT lawyers have told NSAM that, faced with the possibility of being probed by federal regulators, firms prefer to keep quiet.
“When data breaches happen, it’s like kicking a hornet’s nest,” Casas pointed out. “There’s a lot of anguish and uncertainty relating to how long it might take [to solve the problem] and if they have the resources to deal with an attack.”
“There’s a lack of foresight in communication strategies,” he added. “They rarely have projections for such scenarios and their potential financial effects; no cash flow stress tests.”
This unwillingness to report breaches hinders regulators’ and analysts’ attempts to measure the magnitude of Latin America’s digital security issues, adding another wrinkle to the overall problem. Everyone knows the region is vulnerable, but no one has the hard numbers to determine how much.
Where Are the Lawyers?
Latin American governments can’t build proper legal frameworks to regulate cybersec and data protection because the region as a whole lacks IT-specialized lawyers, explained Roberto Lemaître.
Cybersecurity laws are generally drafted by lawyers with little to no knowledge or experience in information technology. Though their legalese might be on point, they fail to address the technical nuances required to pen a precise legal framework on the matter.
“If you look at it from the legal angle, the language itself is perfect, but there was no thought put into the technical elements of the law, which generates a vacuum,” he said.
For Latin America, cybersecurity challenges go beyond legal expertise. Few countries have dedicated government agencies that deal with cybersec. Those that do have yet to implement adequate information-sharing practices and build a strong network of contacts among industry players and other government agencies.
All of the above translates into what Lemaître characterized as poor infrastructure. Without the proper connections and channels for information to flow, everyone is more vulnerable.
In short: Latin America has much heavy lifting to do.