Colombia Roundtable: Cybersecurity and data protection in the age of hacking

As cybersecurity and data protection become front of mind issues for businesses across Latin America, The Legal 500 assembled elite in-house counsel from across Colombia to discuss the implications.

On the morning of Pope Francis’s arrival in Colombia – and as Bogotá went into security lockdown – The Legal 500 and sponsor firm Posse Herrera Ruiz held a breakfast roundtable on cybersecurity and data protection.

With attendees from a range of industries for which data is their business, such as Microsoft and Hewlett Packard Enterprise; via information-sensitive businesses such as insurance, with representatives from AIG, Liberty Mutual, Allianz Colombia and health insurer Banmedica, to financials (GM Financial), pharmaceuticals (Roche), engineering (Siemens; El Condor), retail (Productos Ramo) and services ranging from Promigas to DirecTV, we were fortunate to count upon a spectrum of participants with differing concerns and perspectives on the subjects in question. Not to mention representatives of the so-called disruptor industries – such as Uber – the very business models of which are reliant upon tech-driven data utilities.

The point of departure was, necessarily, that of Colombia’s current data protection legislation: the principal relevant statutes being 2012’s Law 1581 and 2013’s Decree 1377, which cover ‘data processing’ (ie use, storage, transmission and transferral) by both private and public entities. Arguably, most difficulties have arisen from the issue of consent (stemming from the latter decree) and from the requirement (since November 2015) that databases be registered with the Superintendence of Industry and Commerce. While the period available to reach compliance regarding database registry has recently been extended, strong anecdotal evidence has pointed to the fact that companies are already coming under significant regulatory and administrative pressure (with the concomitant risk of considerable financial penalties). Indeed, the issue of administrative relations, governmental mishandling of data and/or public regulators overstepping the mark in terms of data seizure, proved to be a recurrent theme.

If the scenario regarding ‘hard data’ is relatively straightforward in law (if undoubtedly complex and potentially expensive to put into practice and maintain), the issues around ‘soft’ – and commercially sensitive – data are even more tricky: the limits, for example, of precisely when knowledge generated by commercial clients and external legal service providers is covered by legal privilege are far from clear. As yet, consideration of such matters would appear to remain largely beyond the remit of Colombian commercial entities’ data protection priorities. Just two days after our discussion, however, news of the massive hack at credit agency Equifax served to remind everyone of the immediacy of the (ever increasing) threat of data loss (and the associated reputational damage), and the inescapability of the issue as a key aspect of a general counsel’s role. As one attendee reiterated: today, all businesses are information businesses.

The Legal 500 and Posse Herrera Ruiz would like to thank all the attendees for their fascinating and forthright comments and interventions; and in addition I would like to note our thanks to Posse Herrera Ruiz, without whom this event would not have been possible.

Dr Georg Boettcher, General counsel Latin America, Siemens

The digital world changes everything. Everyone and everything gets connected and artificial intelligence and big data analytics are taking over our decisions. Simultaneously the risk of theft or manipulation of data is also constantly growing. Therefore, data privacy and cybersecurity are becoming crucial factors for the success of the digital economy. This also holds true for Latin America.

As both become front-of-mind considerations for Latin American countries – and subsequently their businesses and counsel – we’ve found as both a company and a legal department that we have been working closely with local regulators. Generally speaking, local regulations in the data privacy field are not yet as strict as the European ones, which means that if you comply there, you’ll be above the requirements locally. We as a company comply company-wide with the highest standards even though they are not required by local regulators. We do so by implementing so-called Binding Corporate Rules which establish binding rules that every company within the Siemens group has to comply with. Having said this, we support all legislative initiatives that aim at a global level playing field in both areas and that help to establish an adequate protection level.

But data privacy is only one aspect of data protection. It ‘only’ protects personal data – your address, name, age, and gender, etc – but for us and the economy, sensitive business information needs protecting too. That makes cybersecurity another matter entirely. Imagine a huge power plant – if you have a blackout there, the issue isn’t personal data being lost so much as the fact that there is no energy anymore. Cybersecurity for so-called critical infrastructure, like power plants, grids, public transport, hospitals etc, is key.

Digital offerings are an area which stands to grow massively in the region moving forward. Specifically in Latin America, customers are very technology friendly and open to using new technology. At the same time, high speed implementation and a lack of risk awareness can create problems. At the moment, I think we’re in a period where people in Latin America want to embrace information and technology, where the concern surrounding risk is there, but has not yet come to the forefront.

There’s an educational aspect to all of this. I think it’s a crucial part of our strategy. If you want to sell a digital business solution, you have to talk about cybersecurity – and you can advise on cybersecurity itself. You cannot sell a digital solution without educating clients about the risks and the mitigation measures – which you can sell as part of a complete solution. Cybersecurity with its product and service offerings is a rapidly growing business field. It will be important for service providers that they not only understand the IT office world, but also the specifics of industrial software and the specific protection needs for software that runs and controls critical infrastructure.

Internally at Siemens, both data privacy and cybersecurity are already top priorities – and have been for more than 30 years – as well as an important pillar of our digitalisation strategy. In each country and region, we have designated people responsible for data privacy issues and Siemens has about 1,275 cybersecurity experts worldwide.

However, it is everyone’s task. You need a minimum standard of protection along the entire value chain globally. No company alone can ensure this and governments and regulators need to lead the way even though eventually it is up to the companies to establish standards and to comply with them. At the moment we see some isolated legislative initiatives in the US, the EU and Asia, but very little in Latin America. We are promoting this, but we see that there is a long way to go until everyone is on the same page. What we need is multilateral collaboration in regulation and standardisation to set a level playing field matching the global reach of the WTO and the inclusion of rules for cybersecurity into Free Trade Agreements.

That is why Siemens has created and signed with other partners, at the Munich Security Conference in February 2018, the so-called Charter of Trust. The Charter contains ten principles that should make the digital world more secure and also sets three important goals:

a) Protect the data of individuals and companies;

b) Prevent damage to people, companies, and infrastructures; and

c) Create a reliable foundation for instilling trust in a networked, digital world.

One of the Charter’s aims is to anchor the responsibility for cybersecurity at the highest governmental and business level, eg with Digitalisation and Cybersecurity Ministries and chief cybersecurity officers. Another aim is to set minimum general standards for cybersecurity that are in keeping with the requirements of state-of-the-art technology. A third aim is to make cybersecurity an integral part of the curriculums at schools and universities.