Keys to cybersecurity and data protection - IT Patagonia

Legal aspects related to cybersecurity and data protection

In an increasingly digitalized world, dominated by the management of massive volumes of information, cybersecurity and data protection are essential.

Prevention, together with the strategies and capabilities needed to react quickly and efficiently to cyberattacks, safeguards users' privacy and trust by protecting their data.

It also protects companies from financial losses, damage to their reputation and risks to their operational continuity. 

In a context where threats are increasingly sophisticated and constant, investing in robust cybersecurity strategies is not just a technical necessity, but rather an ethical and strategic commitment to guaranteeing a safe and trustworthy digital environment.

The objective is to ensure the integrity, confidentiality and availability of information in an increasingly interconnected digital environment. To achieve this, it is essential to comply with current data protection regulations, both national and international.

While preparing this article we analyzed, together with Daniel Monastersky, cybersecurity specialist and partner at IT Patagonia, the main international laws and regulations on cybersecurity and data protection.

In particular, we address the legal obligations that companies have in the event of a cyber attack and how user consent should be managed for the processing of their personal data.

We also explore how to ensure data protection and cybersecurity by cloud service providers, and how to legally protect against potential vulnerabilities in external IT infrastructures.

We also consider the legal challenges faced by internationally active companies and the risks associated with using technologies such as AI in the management of personal data.

In addition, we assess the role that service level agreements play in managing cybersecurity responsibilities, and the impact of technologies such as blockchain or IoT.

Finally, we wonder whether current legislation is sufficient to address today's cyber threats.

Current indicators linked to cybersecurity 

Latin America is gaining importance in the cyber threat landscape. 

In 2023 it ranked as the fourth most attacked region worldwide, with Brazil in first place regionally with 68% of cyberattacks, followed by Colombia (17%) and Chile (8%).

This information comes from the IBM X-Force Threat Intelligence Index 2024 report, which highlights that the cyberattacks with the greatest impact on organizations were data theft and data leakage, accounting for 32% of incidents.

For its part, the EY Global Cybersecurity Leadership Insights Study, which brings together the perspectives of more than 500 information security leaders, revealed the following indicators:

  • 62% of Latin American companies have suffered a data breach in the last year.
  • 52% of Latin American companies have experienced between one and nine cases of leaks.
  • 50% of Latin American companies reported a total investment in cybersecurity of between 10 and 49 million dollars.

In Argentina, 63% of companies implement cybersecurity tools, which represents an increase of 9% compared to 2022.

The data comes from the Digital Intensity Index (DII) prepared by the Productivity and Competitiveness Observatory (OPyC) of the CAECE University, the higher education institution of the Argentine Chamber of Commerce and Services (CAC). 

To understand the market impact of having cybersecurity strategies in place, data shared by analyst and consultant Víctor Ruiz in Infobae indicates that 80.1% of people would stop purchasing products or services from a brand after a security incident.

Governance and data protection

The whitepaper Cybersecurity Futures 2030: New Foundations argues that cybersecurity will shift from protecting the confidentiality and availability of information to protecting its integrity and provenance.

In the face of this challenge, data governance is a set of processes, policies, standards and metrics focused on ensuring the quality, availability, integrity and security of data in an organization.

The main objective of this discipline is to ensure that data is managed effectively and responsibly.

It also seeks to improve data quality and fidelity, comply with existing regulations, minimize risks and maximize business value.


Cybersecurity and data protection: main international laws and regulations

At the international level, the European Union's General Data Protection Regulation (GDPR) marked a turning point, establishing standards that many countries are taking as a reference.

In the United States, the California Consumer Privacy Act (CCPA) was revolutionary when it was passed, becoming the first comprehensive privacy law in the country.

In Latin America, the Brazilian General Law on Personal Data Protection (LGPD) is today the regional benchmark.

Argentina has two fundamental regulatory pillars, compliance with which is controlled by the Agency for Access to Public Information (AAIP). 

Law 26.388, the Cybercrime Act, has provided the framework for prosecuting cybercrime since 2008, while Law 25.326, the Personal Data Protection Law, has been in force since 2000.

The key is to understand that compliance with these standards is not a goal, but rather an ongoing journey. 

In this process, the first step is to appoint a Data Protection Officer or DPO, who will be the guardian of privacy in the organization.

However, it is not enough to have a person in charge within the company. It is also necessary to implement an information security management system that includes:

  • Regular audits.
  • Impact evaluations.
  • Up-to-date documentation of all processes (an aspect that many companies neglect).

In addition, it is crucial to develop training and continuing education programs for staff. 

“I have seen companies with the best technology fail because they did not adequately train their resources,” says Daniel.

Cybersecurity: impacts to consider at the legal level (infographic)

Legal challenges linked to companies with international activity

Operating in countries with different cybersecurity regulations is one of the biggest headaches for companies with global or regional operations. 

Their main challenge is resolving the conflicts between the different regulatory frameworks.

This is a complex challenge when it comes to simultaneously complying, for example, with the European GDPR, which is very strict regarding data transfers, and with the laws of countries that require local data storage.

“Companies are juggling data localization requirements, managing international transfers and dealing with multiple jurisdictions over the same data set,” Daniel explains. 

In this regard, he warns that complying with one regulation may put a company at risk of failing to comply with another.

Compliance with legal provisions related to cybersecurity and data protection is a constant exercise in legal balance.

Legal obligations in the event of a cyber attack 

When an attack occurs that compromises customer data, several immediate obligations arise.

The first is to notify the competent authorities. Here, timing is critical.

For example, under GDPR, notification must be made within 72 hours of becoming aware of the incident or data compromise.

It is also essential to be transparent with those affected. The incident cannot be hidden. It is necessary to communicate what data was compromised and what measures are being taken in response. 

“I have seen companies that tried to hide gaps and ended up in much worse situations,” says Daniel.

In these situations, it is essential to follow a very specific protocol, which begins with activating an incident response plan.

After notifying the authorities, absolutely everything must be documented and preserved: every action, every decision, every piece of evidence from the incident.

Cyberattacks in Latin America - IT Patagonia.
Latin America ranks fourth in cyberattacks. The most affected country is Brazil.

How should user consent be managed for the processing of their personal data?

Consent must be free, express and informed. This means that users must really understand what they are agreeing to.

Furthermore, consent must be specific to each use that will be given to the data. It is not a “you accept everything or nothing” approach. 

Another central aspect of the process is that each user must be able to revoke that consent as easily as they gave it.

In addition, the entire process must be documented and auditable. If it cannot be proven when and how consent was obtained, it is legally as if it was not obtained.

It is also important to carry out regular audits. Consent management cannot be set up once and then forgotten.

Legal risks when using technologies such as AI in personal data management

We are seeing that many employees are using ChatGPT and other AI models without any guidance or control.

Daniel considers this a time bomb from a legal and security point of view, and an absolutely critical and urgent problem.

This is why it is necessary to clearly define which platforms are permitted and which are not. 

Using an enterprise version with confidentiality agreements is not the same as using free versions where control of the data is lost. 

How to ensure data protection and cybersecurity by cloud service providers

The clauses to include in contracts with cloud service providers, in order to guarantee data protection and cybersecurity, are another aspect to consider.

In this sense, it is essential to specify exactly where the data will be physically located.

As Daniel explains, you can't just accept “in the cloud” as an answer. You need to know which countries the servers will be in.

Very clear clauses should also be included regarding the security measures that the provider must maintain, especially those relating to data protection and notification procedures in the event of incidents.

How to legally protect yourself against potential vulnerabilities in external IT infrastructures

The key for a company to legally protect itself against possible vulnerabilities in external IT infrastructures lies in due diligence.

That is to say, before working with any third-party vendor, it is necessary to do thorough research. 

It is not enough for a supplier to say that it is a secure company. Very robust service level agreements must be in place, with very clear liability clauses and audit rights.

In particular, audit rights mean being able to verify that the supplier is delivering what was promised.

It is also essential to have contingency plans that specify the steps to follow and what actions to take in the event that a supplier fails.

In an increasingly digitalized world, cybersecurity and data protection are essential.

The role of service level agreements in managing cybersecurity responsibilities

When drafting a service level agreement (SLA) for managing cybersecurity responsibilities, it is very important to clearly define the responsibilities of each party.

Concrete metrics are needed: 

  • Incident response time.
  • Service availability.
  • Recovery time. 
  • Consequences if these levels are not met. 

“Without clear consequences, an SLA is just another piece of paper,” says Daniel.

Impact of technologies such as blockchain or IoT on legal obligations related to cybersecurity

Today there are millions of connected devices, each generating and sharing data. Against this backdrop, the legal challenge is enormous.

Some questions that should be asked are: Who is responsible if an IoT device is hacked and used to attack others? The manufacturer? The user? The network provider?

These technologies are creating new types of personal data that did not exist before, and are forcing us to rethink basic concepts of data protection.

Evolution of legal regulations in cybersecurity and data protection

According to Daniel Monastersky, we are moving towards an increasingly demanding and complex scenario. 

“I am seeing a clear trend towards unification of criteria at a global level. A bit like what happened with the GDPR, which, although it is European, ended up influencing regulations all over the world,” he says.

On the other hand, regulations will have to become more agile. “We cannot continue with laws that take years to update when technology changes every month,” the expert stresses. 

This is why we are likely to see more flexible regulatory frameworks, with strong general principles, but with the ability to adapt quickly to new threats and technologies.

Are current laws sufficient to address the threats?

Current legislation is falling short, not so much because of a lack of regulation, but rather because of the approach. 

It's not necessarily more regulations that are needed, but smarter regulations.

While the need for more rules is being debated, cybercriminals are already using technologies that are not even covered by current laws.

The real challenge is to create a regulatory framework that is robust enough to protect, but also flexible enough to adapt to what comes next.

Conclusion 

In terms of security and personal data protection, a more collaborative approach between countries is needed. Even more so when we take into account that cyberattacks know no borders.

In an increasingly interconnected world, cyberattacks represent a global threat that affects governments, businesses and citizens alike. 

Faced with this reality, an approach of international cooperation based on the exchange of information, the development of common regulations and the creation of strategic alliances is essential. In this way, it will be possible to respond effectively to these threats. 

Cybersecurity cannot be addressed in isolation; it requires a joint effort combining resources, technology and knowledge to protect critical infrastructure and ensure the stability of the digital economy. 

Only through coordinated action can we meet the challenge of an increasingly complex and vulnerable digital environment.

At IT Patagonia we understand that the correct management of data is crucial in today's world, which is why, from our Data Innovation area, we focus on developing solutions that not only maximize the value of data, but also ensure its security and regulatory compliance.

We are committed to continuing to promote good practices in this field and to contributing to the development of professionals trained in this crucial discipline. 
