Cybersecurity 2020

Last Updated March 16, 2020

Chile

Law and Practice

Authors



Magliona Abogados specialises in corporate matters, tax services, complex business litigation and finance structures, telecommunications, technology law, intellectual and industrial property, and management of government relations and public policies, including corporate structuring, due diligence planning, M&A, financial assistance, syndicated loans, liability restructuring and leasing. It has expertise in licensing and software development agreements, technological platforms, franchises, data protection, computer crimes, and distribution, production and financing of film and television. The firm’s clients encompass a wide range of enterprises, both local and multinational, engaged in banking and finance, technology and software, leasing and insurance. It also counsels public agencies and companies in the movie industry, as well as other diverse fields.

In Chile, Law No 19,223 of 1993 establishes criminal offences relating to information technology. Within cybercrime, there is a subcategory relating to the involvement of the logical components of cyberspace (computer programs, computer systems, databases), which are known as computer-related offences. This Act provides for specific criminal offences for the unauthorised access, theft and destruction of information systems. However, this Act does not establish any obligation to communicate cybersecurity risks or loss of information.

Chile has sectorial regulations, such as banking regulations that will be further explained; see 2.5 Financial or Other Sectoral Regulators.

In the public sector, it is important to note Supreme Decree No 579, which creates the Technical Advisory Commission of the Inter-Ministerial Committee on Cybersecurity, itself created by Supreme Decree No 533; this Decree contains a definition of cybersecurity. Likewise, in the public sector, in 2018 the President issued Presidential Instructive No 8, giving directives to public bodies relating to cybersecurity, including urgent measures that should be implemented, such as:

  • appointment of a high-level cybersecurity officer in each public service, who must be independent of the institution’s IT head;
  • application and updating of technical regulations on cybersecurity;
  • internal cybersecurity measures;
  • detailed revision of networks, systems and digital platforms of public operation;
  • surveillance and analysis of the operation of the technological infrastructure of state administrative bodies – the Coordination Centre of Government Entities (CCEG) will verify compliance with current cybersecurity standards and will carry out cybersecurity exercises;
  • compulsory report of incidents to the CCEG, as soon as they become aware of them;
  • response to cybersecurity incidents – regardless of the regulations issued in terms of cybersecurity by the head of each service, the Ministry of the Interior through the CCEG will arrange the necessary actions to ensure the continuity and proper functioning of the networks;
  • transitional governance of cybersecurity – while the implementation of the new model of national cybersecurity policy is pending, a temporary governance will be defined. This task will be the responsibility of the Ministry of the Interior, which will designate a responsible person who will implement the measures of the National Cybersecurity Policy in terms of transient governance.

Key regulators are the courts and the Financial Market Commission (FMC). In the public sector, there is the Inter-Ministerial Committee on Cybersecurity (CICS), whose main task is to propose a National Cybersecurity Policy. It is composed of the following: the Undersecretariat of the Interior; the Undersecretariat of Defence; the Undersecretariat of Foreign Affairs; the General Undersecretariat of the Presidency; the Undersecretariat of Justice; the Undersecretariat of Economy; the Undersecretariat of Telecommunications; the National Intelligence Agency; and the Undersecretariat of Finance.

In Chile there is no cybersecurity regulator nor data protection authority. Any procedures regarding cybersecurity offences are dealt with in courts and sectorial fields such as banking, followed by the Financial Market Commission.

In Chile there are no subnational norms, but there are sectorial rules; as mentioned above, the sectorial rule that exists today is exclusively applicable to banks.

The major governmental organisation is the Inter-ministerial Committee on Cybersecurity, within the Ministry of the Interior and Public Security, CSIRT. In addition, according to the Presidential Instruction No 8 of 2018, state administration bodies should report all cybersecurity incidents to the CSIRT as soon as they become aware of them; this duty is mandatory.

This issue has not arisen in the firm’s jurisdiction.

Supreme Decree No 579 created the Technical Advisory Commission of the Inter-Ministerial Committee on Cybersecurity, itself created by Special Decree No 533 (7 January 2020). This Decree modified Special Decree No 533, creating a Technical Advisory Commission of the Inter-Ministerial Committee on Cybersecurity. It also contains the following definition of cybersecurity: "cybersecurity is defined as the condition characterised by a minimum of risks and threats to technological infrastructures, the logical components of information and the interactions that take place in cyberspace, as well as the set of policies and techniques designed to achieve this condition".

Pending changes on the horizon over the next 12 months are as stated below.

The Bill that establishes rules on computer crimes entered the Senate, repealing Law No 19,223 and modifying other legal bodies in order to adapt them to the Budapest Convention, and is currently under discussion in Congress (Bill No 12.192-25). The Bill is moving in the right direction in order to update Chilean legislation on computer crimes and cybersecurity, bringing it into line both with the requirements of the Budapest Convention and with the evolution of information and communication technologies that exist today.

The Bill on data protection (Bill No 11.144 – 07): the precepts in the bill are consistent with recent international standards such as the European Data Protection Regulation, safeguarding respect for and protection of the rights and fundamental freedoms of people over their personal data.

The Undersecretary of Telecommunications of Chile (SUBTEL) submitted to public consultation the proposed Regulation for the Interoperation and Broadcasting of Alert Messaging, Declaration and Protection of Critical Telecommunications Infrastructure and Information about Significant Failures in Telecommunications Systems.

The new CMF Cybersecurity Standard is also forthcoming.

All of the above include cybersecurity incident-breach communications.

There is a public consultation on the Regulation on Critical Infrastructure Telecommunications, Data Centres and Fibre Optics. However, such Regulation does not include provisions regarding cybersecurity threats.

See 1.2 Regulators.

In Chile, the CICS is the overarching cybersecurity agent.

Currently, in Chile there is no data protection authority.

In processing bank data, the former Superintendent of Banks and Financial Institutions (now the Financial Market Commission, or FMC) issued a ruling regarding incidents/breaches of security or cybersecurity, in which it is mandatory for banks to report all the incidents related to cybersecurity that have occurred in the current month, including updated information or information supplementary to incidents reported in previous periods. A cybersecurity incident is understood as any event that threatens or adversely affects the information assets of the institution, as well as the infrastructure that supports it; it will consider alerts to those events registered but not materialised.

More specifically, on 31 August 2018, the SBIF issued amendments to chapters 1-13 and 20-8 of the RAN. Chapter 1-13 was reformed to include the consideration of cybersecurity issues within the bank’s board of directors’ responsibilities. Chapter 20-8 on incident reporting was amended as follows.

The current obligation to notify the SBIF of the occurrence of an operational incident was modified, setting a very short-term, 30-minute deadline from the occurrence of the incident. The previous obligation only required that the communication be made “as soon as the incident was identified”. In addition, the content of the communications made to the CMF is detailed with greater precision.

An obligation to communicate the occurrence of the incident to users or customers of the affected financial institution was introduced, as well as a new obligation regarding communication between industry members.

The agencies previously mentioned are the only ones concerned with cybersecurity issues.

In Chile, the following ISO rules apply to cybersecurity matters, according to the government site of cybersecurity:

  • NCh-ISO27000:2014: information security management system – overview and vocabulary;
  • NCh-ISO27001:2013: information security management system – requirements;
  • NCh-ISO27002:2013: codes of practice for information security controls;
  • NCh-ISO27003:2014: information security management system implementation guide;
  • NCh-ISO27005:2014: information security risk management;
  • NCh-ISO27013:2013: guidance on integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1;
  • NCh-ISO27014:2015: information security governance;
  • NCh-ISO27018:2015: code of practice for the protection of personally identifiable information (PII) in public clouds performing the role of PII processors;
  • NCh-ISO27031:2015: guidelines for preparing information and communication technologies for business continuity;
  • NCh-ISO27032:2015: guidelines for e-protection;
  • NCh-ISO27036/1:2015: information security in supplier relations – part 1, overview and concepts;
  • NCh-ISO27036/2:2015: information security for supplier relations – part 2, requirements;
  • NCh-ISO27036/3:2015: information security for supplier relations – part 3, guidelines for information and communication technology supply chain security;
  • NCh-ISO27040:2015: storage security;
  • NCh-ISO27037:2015: guidelines for the identification, collection, acquisition and preservation of digital evidence.

This issue has not arisen in the firm’s jurisdiction.

There is no Cybersecurity Framework Act yet, but one of the documents that contains information about cybersecurity measures is the Presidential Instruction No 8 of 2018. Therefore, the measures are addressed to the public sector.

Incident Response Plans

See 1.5 Information Sharing Organisations.

Appointment of Chief Information Security Officer or Equivalent

Each head of service of the state administration must designate a cybersecurity officer, who will be responsible for the computer security of his or her service.

Insider Threat Programmes

Each head of service of the state administration will be responsible for taking measures conducive to compliance with the advanced level of security under the terms of Supreme Decree No 83 of 2005.

Use of Cloud, Outsourcing, Offshoring

The amendment of Chapter 20-7 of the Updated Compilation of Standards on Outsourcing Services of the CMF established minimum guidelines for the outsourcing by financial institutions of services using cloud computing.

In general terms, RAN 20-7 has as its scope the hiring by banking institutions of external service providers to carry out operational activities that could also be carried out internally by the entity with its own resources. After a period of public consultation, the update to RAN 20-7 came into effect on 27 December 2017.

New definitions were added, such as cloud services, private cloud, public cloud, technology infrastructure and information security infrastructure.

Cloud services (cloud computing) is understood as the "model of service provision that can be configured according to demand, for the provision of services associated with information technologies over networks, based on technical mechanisms such as virtualisation, under different approaches or supply strategies".

A private cloud is defined as "infrastructure provided for the exclusive use of an entity comprising multiple users (eg, business units). It can be owned, managed and operated by the same entity, a third party or a combination of both; and it can be located both inside and outside the contractor's facilities". The public cloud is defined as: "cloud infrastructure provided for the use of various entities. The infrastructure is owned, managed and operated by a provider of cloud services. This infrastructure is located on the cloud provider's premises".

This issue has not arisen in the firm’s jurisdiction.

The issue of personal data has not arisen in the firm’s jurisdiction.

Currently, Law No 19,628 on Privacy Protection does not contain any security requirement regarding cybersecurity matters.

Likewise, Law No 19,223 does not contain any provision in this regard.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

As previously mentioned, it is currently only in the banking sector that there is an obligation to report cybersecurity threats. See 2.5 Financial or Other Sectoral Regulators.

It depends on the sector – if a data breach comes from a financial threat, then financial data must be covered. As previously stated, there is no Cybersecurity Framework Act as yet.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

In the public sector, the task of monitoring networks for cybersecurity rests with the CSIRT. Each head of service of the state administration must provide information about any incident to the CSIRT.

Cybersecurity, privacy and data protection are areas that are intimately linked. Cybersecurity endeavours to shield data subjects from cyberthreats. 

However, this intersection is weak in Chile as regards the laws that cover data protection and cybersecurity. The main reason is that both laws are outdated, and they are currently being reviewed by Congress.

Since 1999, Chile has had a Data Privacy Act, but this is currently outdated regarding new technologies. Therefore, legal amendments to that body of law are currently being made in Congress. The same is true of cybersecurity: the bill that establishes rules on computer crimes, repealing Law No 19,223 and modifying other legal bodies in order to adapt them to the Budapest Convention, entered the Senate and is currently under discussion in Congress (Bill No 12.192-25).

As previously stated in 2.5 Financial or Other Sectoral Regulators, banks have the duty to report incidents of cybersecurity.

This issue has not arisen in the firm’s jurisdiction.

Act No 19,223 on cybercrimes regulates unauthorised access to databases or information and unauthorised disclosure of such information, among other criminal actions. This obsolete law is not enough to address the size and significance of today’s breaches of security or cybercrimes. The punishment for those actions ranges from 541 days to five years.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

Class actions in this regard are not regulated in Chile.

There are no provisions in Chilean law regarding due diligence in cybersecurity matters, nor any guidelines that establish requirements for such procedure.

This issue has not arisen in the firm’s jurisdiction.

There are no other significant issues.

Magliona Abogados

Andrés Bello 2687
Piso 24, Las Condes
Santiago, Chile

+56 2 3210 0030

+56 2 2 377 9451

contacto@magliona.cl www.magliona.cl