Colombia roundtable: cybersecurity and data protection in the age of hacking
As cybersecurity and data protection become front-of-mind issues for businesses across Latin America, The Legal 500 assembled elite in-house counsel from across Colombia to discuss the implications.
On the morning of Pope Francis’s arrival in Colombia – and as Bogotá went into security lockdown – The Legal 500 and sponsor firm Posse Herrera Ruiz held a breakfast roundtable on cybersecurity and data protection. Attendees came from a range of industries: those for which data is their business, such as Microsoft and Hewlett Packard Enterprise; information-sensitive businesses such as insurance, with representatives from AIG, Liberty Mutual, Allianz Colombia and health insurer Banmedica; financials (GM Financial); pharmaceuticals (Roche); engineering (Siemens and El Condor); retail (Productos Ramo); and services ranging from Promigas to DirecTV. We were fortunate to count upon a spectrum of participants with differing concerns and perspectives on the subjects in question, not to mention representatives of the so-called disruptor industries – such as Uber – the very business models of which are reliant upon tech-driven data utilities.
The point of departure was, necessarily, that of Colombia’s current data protection legislation: the principal relevant statutes being 2012’s Law 1581 and 2013’s Decree 1377, which cover ‘data processing’ (ie use, storage, transmission and transferral) by both private and public entities. Arguably, most difficulties have arisen from the issue of consent (stemming from the latter decree) and by the requirement (since November 2015) that databases be registered with the Superintendence of Industry and Commerce. While the period available to reach compliance regarding database registry has recently been extended, strong anecdotal evidence has pointed to the fact that companies are already coming under significant regulatory and administrative pressure (with the concomitant risk of considerable financial penalties). Indeed, the issue of administrative relations, governmental mishandling of data and/or of public regulators overstepping the mark in terms of data seizure, proved to be a recurrent theme.
If the scenario regarding ‘hard data’ is relatively straightforward in law (if undoubtedly complex and potentially expensive to put into practice and maintain), the issues around ‘soft’ – and commercially sensitive – data are even more tricky: the limits, for example, of precisely when knowledge generated by commercial client/external legal service providers is covered by legal privilege are far from clear. As of yet, consideration of such matters would appear to remain largely beyond the remit of Colombian commercial entities’ data protection priorities. Just two days after our discussion, however, news of the massive hack at credit agency Equifax served to remind everyone of the immediacy of the (ever increasing) threat of data loss (and the associated reputational damage), and the inescapability of the issue as a key aspect of a general counsel’s role. As one attendee reiterated: today, all businesses are information businesses.
The Legal 500 and Posse Herrera Ruiz would like to thank all the attendees for their fascinating and forthright comments and interventions; and in addition I would like to note our thanks to Posse Herrera Ruiz, without whom this event would not have been possible.