Cybersecurity and protection of personal data
6 January, 2020
The latest developments have given a new degree of urgency to the need for a legal framework that allows the assessment of risks and the establishment of adequate models of compliance, to prevent not only very visible risks such as fire, but also those regarding cybersecurity.
In recent weeks many companies have seen their tangible assets affected due to a risk that for most is foreseeable and controllable: fire. But what about intangible assets, such as all the data of a company, including the personal data of its clients and workers? To what risks are they exposed? It is said that information is the new petrol, but how can we protect intangible assets? We must ask ourselves whether our personal information is safeguarded, and what standard of care is required in this matter.
According to the draft law which modifies the Law on the Protection of Privacy, one of the obligations of the party responsible for data processing is the duty of safekeeping and reserve of the personal information. Given that this information is stored on servers and electronic systems, it is necessary to refer to cybersecurity.
Cybersecurity is the practice of defending computers and servers, mobile devices, electronic systems, networks and data from malicious attacks. Cybersecurity encompasses everything from computer security to disaster recovery, as well as the education of the end user.
Returning to the last months in Chile: as a country we are greatly exposed to a risk as basic as fire, so imagine how exposed we must be to cybersecurity risks. We must remember the leak that affected the national police regarding investigations carried out on the relationships of social organizations, politicians and social actors. A commission of inquiry was even formed, not with the purpose of finding the source of the leak, but to discover the reason behind the investigations. Prior to this, on December 15th, 2019, the Army confirmed that a group of cybercriminals had published on Twitter the content of six email addresses pertaining to the army domain @ejercito.cl.
How could we forget the hacking of the diagnostic imaging provider of the public health system, whose general manager declared that there was nothing to worry about, as the data was backed up? Is that to say it was already leaked? Where is the responsibility of the police, the army and the provider regarding safekeeping and confidentiality? Who will be responsible when a person is discriminated against based on their health condition or due to personal facts revealed by these events?
The private sector has not been free of these events: hacking of banks, leaking of credit card information, phishing, usurpation of email addresses, hacking of e-commerce, etc.
The project which modifies Law 19.628 establishes the responsibility of the data administrator who infringes on the previously mentioned obligations. However, this is not yet law. The role established in recent years by Chile’s National Consumer Service (SERNAC) as guarantor in the protection of personal data of consumers is related to this. The director of said institution has publicly declared that, in the absence of an agency and legislation which protect these rights, SERNAC will protect consumers. A concrete example of this is the lawsuit filed against the Chilean mail service (Correos de Chile) for the credit card leaks which occurred in 2018.
The government announced the Cybersecurity Agenda in 2018, contemplating different bills: Information Privacy, Cybersecurity Framework Law, Critical Infrastructure, Cybercrime, among others. Such a legal framework was already indispensable, and current events make it even more urgent today, as it has become apparent that we lack a code of conduct which allows the calculation of risks and the establishment of adequate compliance models to prevent evident risks such as fire, as well as those related to cybersecurity.
We hope that the legislative discussions regarding the government’s cybersecurity agenda are soon resumed, and that we may adopt policies which permit the safekeeping of general company assets as well as the personal information of all citizens.
Senior associate – Alessandri