ARGENTINA - CYBERSECURITY DATAGUIDANCE
Bethular, Gustavo A.
1. GOVERNING TEXTS
Currently, Argentina does not have general or omnibus legislation on cybersecurity. However, in the past few years several regulations have been enacted on sectoral matters (i.e. personal data, financial entities or internet service suppliers, public sector), which reflect the increasing importance this matter has for the Government in office.
As for sectoral legislation, the following are applicable:
Personal Data Protection Act, Act No. 25.326 of 2000 (‘the Act’);
the Argentinian data protection authority’s (‘AAIP’) Resolution No. 47/2018 establishing Recommended Security Measures for the Processing and Conservation of Personal Data (‘the Resolution’);
the Argentine Central Bank’s (‘BCRA’) Communication 6354, as amended by Communication 6375 and Communication 6271;
Digital Signature Act, Act No. 25.506 of 2001 (‘the Digital Signature Act’), as amended by Decree No. 182/2019 on Digital Signatures; and
Act No. 25.690 on Internet Service Providers.
Each of the above seeks to reflect the importance of cybersecurity, to establish standards or obligations to protect and safeguard sensitive data and institutional systems, and to prevent cybersecurity incidents.
1.2. Regulatory authority
In Argentina, there are several administrative authorities dedicated to cybersecurity. To date, these authorities have mainly issued regulations directed to the public sector, and currently only approach the private sector for mutual collaboration. Nonetheless, these authorities may eventually develop a regulatory framework on cybersecurity and could issue specific regulation directed to the private sector. These authorities are located within the Modernization Ministry and, so far, none of them has corrective powers; their tasks are mainly collaborative. These authorities include:
the Undersecretariat of Technology and Cybersecurity (‘the Undersecretariat’), which is the main cybersecurity authority. The Undersecretariat aims to, among other things, assist the Ministry in the development of a specific regulatory framework that would allow for the identification and the protection of the critical infrastructure of the national public sector, and of the civil organizations and private sector that require it, as outlined in Decree No. 898/2016;
the Cybersecurity Committee, which has been assigned to, among other things, promote the enactment of a regulatory framework on cybersecurity and the drafting of an action plan in the implementation of the National Cybersecurity Strategy, in accordance with Decree No. 577/2017;
the National Administration of Critical Information Infrastructure and Cybersecurity (‘ICIC’), which aims to assist the public sector in all cybersecurity matters, protect the critical infrastructure, develop the public sector’s abilities to detect, uphold, reply to and recover from incidents, and to draft, in collaboration with the private sector, digital security policies, as outlined in Administrative Decision No. 232/2016. The ICIC depends on the Undersecretariat for Information and Cybersecurity’s Critical Infrastructure Protection; and
the National Office of Information Technology (‘ONTI’), which has as its main responsibility to intervene in the drafting of policies and enactment of the development and technological innovation for the State’s transformation and modernization, promoting the integration of new technologies, their compatibility and interoperability in accordance with the objectives and strategies defined in the State’s Modernization Plan, as established in Administrative Decision No. 232/2016.
Other administrative authorities that have issued regulations on cybersecurity which directly affect the private sector include:
the AAIP, which, among other things, controls the fulfillment of the regulation on integrity and data security from data controllers (records, registers or data banks), requests information relating to backgrounds, documents, programs or other elements related to personal data processing, and imposes administrative sanctions; and
the BCRA, which, among other things, regulates the financial system, contributes to the proper functioning of the capital market, and imposes sanctions as established in Law No. 21.526 on Financial Entities (‘the Financial Entities Law’).
1.3. Regulatory authority guidance
There is no guidance from the regulatory authorities. However, on 28 May 2019, the Government Secretariat of Modernization issued Resolution 829/2019, which provides the framework for the National Cybersecurity Strategy. Resolution 829/2019 states that the National Cybersecurity Strategy will direct the development of concrete actions, plans and policies for the benefit of the Argentinean Nation.
In particular, the National Cybersecurity Strategy is structured along the following objectives:
awareness in the safe use of cyberspace;
training and education on the safe use of cyberspace;
development of a regulatory framework;
strengthening of prevention, detection and answering abilities;
protection and recovery of the public sector’s information system;
promotion of the cybersecurity industry;
international cooperation; and
protection of the infrastructure of national critical information.
The National Cybersecurity Strategy will be carried out by the Cybersecurity Committee, which shall ensure the safe use of cyberspace among the Public Administration, national, provincial or municipal authorities, private sector, non-governmental organizations and academic entities. It should be noted that Resolution 829/2019 also creates an executive unit within the Cybersecurity Committee that will coordinate the functioning of the National Cybersecurity Strategy and will provide administrative assistance to the Cybersecurity Committee.
2. SCOPE OF APPLICATION
2.1. Network and Information Systems
Sections 6 and 7 of the CBA’s Ordinated Text of the Rules on Minimum Operational Requirements of the Area of Information Systems – Information Technology establish the minimum requirements that an information system should comply with, e.g. in relation to functional structure, methodological standards, and a specific informatic security policy.
2.2. Critical Information Infrastructure Operators
According to Section 1.3 of Communication 6375, critical or sensitive information must be protected to prevent its unauthorized use. Section 6.2.4 of Communication 6375 also indicates that all electronic devices that were functional for the storage of critical information and that are no longer used must be physically destroyed before being shattered.
2.3. Operator of Essential Services
2.4. Cloud Computing Services
According to Communication 6375, financial entities may hire cloud services. For that purpose, such suppliers must comply with general and specific security requirements listed under Section 7 of Communication 6375, such as implementing a ‘unified access point’ located in Argentina under each entity’s administration, which would allow them to constantly control the activities undertaken by information technology services. It should be noted that all requirements are described within seven categories (each of them with a specific requirement chart), namely: information security governance; training and awareness; access control; follow-up and integrity; control and monitoring; incident management; and operational continuity.
As for corporate documents, several rules have been issued to allow for the digitalization of corporate and account books (i.e. Act 27.349 on Support for Entrepreneurship Capital). However, progress on digitalization is held back by operating difficulties. Specifically, Section 53 of the General Inspection of Justice’s (‘IGJ’) General Decision 6/2017 demands that:
the server in which the corporate files are stored is in the corporate headquarters;
the corporation saves two copies of every digital file in two locations other than the corporate headquarters (at least one of them should be digital); and
the corporation informs the IGJ of the location of the two copies and keeps this information updated.
Evidently, the aforementioned criteria obstruct the possibility of hiring cloud services to store corporate documentation and to replace the traditional records.
Finally, regarding the health sector, Act 26.529 specifies that medical records may be drafted in magnetic support if certain measures are taken to ensure the preservation of their integrity, authenticity, unchangeability and durability, and the timely recoverability of storage data. Also, access should be restricted with identification keys or any other technique to ensure the integrity of the medical record.
2.5. Digital Service Providers
According to Act 25.690, internet service providers have the obligation to offer protection software to prevent access to specific sites at the time of supplying internet services, regardless of whether the contract was concluded by telephonic or written means.
In addition, the Digital Signature Act provides the framework for electronic and digital signatures, digital documents and their juridical efficiency. This was later complemented by Administrative Decision No. 927/2014 (‘the Decision’) and the Decision’s annexes, which set out, among other things, requirements for applicants of digital certifications relating to the content of digital certifications and operational and technological standards of the digital signature infrastructure. These requirements cover the following:
the security plan, which includes security policies and proceedings, and which must fulfil the guidelines of the International Organization for Standardization’s ISO/IEC 27002;
the cease of action plan;
the business continuity plan, which includes a response to incidents and disaster recovery plan;
the description of the technologic platform, which states that applicants must enact proceedings that ensure reliability; and
the lifecycle of the certifier’s cryptographic keys, which provides that cryptographic keys must be created by the certifier, have a minimum of bits, and be created and stored in devices with security level 3 under FIPS PUB 140-2.
Moreover, applicants must implement proceedings for recovering such keys, and provide a description of the tests made by qualified third parties on the security of the hardware and software component used.
3.1. Security measures
Communication 6354 establishes specific requirements for the performance of data processing, IT services and data outsourcing services. It establishes the need to frequently review and update the security policy and complementing documents in accordance with, among other things:
the risk assessment and the complexity of the financial entity;
the classification of information assets according to their criticality and sensitivity;
the security strategy;
access, identification, authentication and security standards;
control and monitoring; and
In addition, the Resolution provides non-binding recommendations on security measures for the treatment and processing of personal data in computerized means. These recommendations focus on tasks and specialties that data controllers may follow under a cybersecurity incident scenario, including:
implementing a complaint process to allow users to alert security events;
having a capable incident management system to show registration date, relevant documentation, people involved and assets affected;
establishing responsibilities and procedures, such as developing a procedure for management in case of cybersecurity incidents and appointing a person responsible for the communication;
preparing a report of the incident, which should be sent attached along with an incident notification to email@example.com, with the following minimum content:
the nature of the breach;
categories of personal data affected;
identification of affected users;
measures taken by the person responsible to mitigate the incident; and
measures applied to avoid future incidents.
The Digital Signature Act defines the term ‘technically reliable’ as the quality of the set of computing equipment, software, communication and security protocols and the administrative proceedings related that fulfil the following requirements:
safeguard against the possibility of intrusion and/or unauthorized use;
ensure the availability, reliability, confidentiality and correct functioning;
be fit for the performance of its specific functions;
fulfil the appropriate rules of security, according to international standards in the matter; and
fulfil the technical and auditing standard set by the application authority.
3.2. Notification of cybersecurity incidents
There is no general legal obligation to notify the regulatory authority.
As stated in section 3.1 of the note, according to recommendations of the Regulation, a cybersecurity incident should be reported to the AAIP with the following minimum content:
the nature of the breach;
categories of personal data affected;
identification of affected users;
measures taken by the person responsible to mitigate the incident; and
measures applied to avoid future incidents.
This report must be attached to the incident notification sent to the AAIP at the following email address: firstname.lastname@example.org.
Also, according to Section 184.108.40.206 of Communication 6357, the ‘area of information asset protection’ must register financial entities’ incidents and weaknesses in security matters and be immediately informed through the proper information channels, with the purpose of analyzing its causes and enforcing improvements on the information controls to prevent their future occurrence.
3.3. Registration with a regulatory authority
Registration with a regulatory authority is not required. However, the National Program of Critical Information and Cybersecurity Infrastructures, created by Resolution 580/2011, and under the direction of ICIC, seeks, among other things, to collaborate with the private sector in drafting policies on safeguarding digital security, drafting annual briefs on the status of cybersecurity, and promoting awareness of the risks in digital media. It should be noted that this program is not mandatory. Adherence to the program is optional for the private sector through the submission of the adherence form, as approved by Provision 3/2011.
Likewise, after the enactment of this program, a registry of security incident response teams was created by Provision 5/2015 in order to coordinate the actions of the informatic emergency response teams and to act as a repository for information on security incidents, tools, protection and defense techniques, standards and good practices. Even though registration is optional for the private sector, the program establishes certain requirements that a corporation must fulfill in order to register, such as:
delivering a certified copy of the corporate bylaws and of the act of appointment of the responsible person;
delivering a ‘constitution letter’, based on the Internet Engineering Task Force’s Request for Comments No. 2350, that provides information on the computer security incident response team, the channels of communication, mission and responsibilities.
3.4. Appointment of a ‘security’ officer
According to Section 3.1.1 of Communication 6357, financial entities must consider within their organizational structure a specific area in charge of protecting their information assets, establishing the mechanisms for the administration and the security control over the logistical and physical access to their technological and information resources. The person in charge of protecting information assets will manage the enactment and maintenance of the security policy established by the director or the equivalent authority of the entity.
Likewise, though it is only a recommendation, the Regulation, applicable to data controllers of databases and data processors, states the need to define a responsible person in charge of the fulfilment of the security measures.
Finally, it should be noted that a draft data protection bill (‘the Bill’) was submitted to the National Congress of Argentina on 19 September 2018.
The Bill intends to fully replace the Act and to mirror the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), reflecting international standards and principles. Notable changes included in the Bill concern notifications of security incidents, the obligation to appoint a data protection officer in certain circumstances, protection by design and by default, data portability and opposition’s rights. If the Bill were to be enacted, it would be enforced two years after its date of publication in the Official Gazette.
3.5. Other requirements
Currently, regulatory authorities that may apply administrative penalties for non-compliance with cybersecurity regulation are the AAIP (Sections 31 and 32 of the Act) and the BCRA (Section 47 of Law No. 24.144 on Organic Charter of the BCRA), notwithstanding the criminal liability that could be applied in the specific case.
According to Section 31 of the Act, the AAIP may apply the following sanctions to data bank users and/or data processors:
– a warning;
– a suspension;
– fines of up to a maximum amount of ARS 100,000 (approx. €1,980); or
– closure of their archive, register or data bank.
As for the administrative penalties that BCRA can apply, these include (Article 41 of the Financial Entities Law):
– a warning;
– temporary or permanent prohibition to use bank current accounts;
– temporary or permanent disqualification to act as a promotor, founder, director, manager, member of the supervisory board, syndicate, liquidator, auditor, partner or shareholder; and
– revocation of authorization to operate.