
What to Do When Faced with a Data Breach

Do you know how much of your data is available online? Do you change your passwords frequently? Do you verify the origin and veracity of a message before clicking on a link?

In January 2024, it was revealed that 26 billion records had been leaked from different companies, including DropBox, LinkedIn, X (formerly Twitter) and Canva, to name a few[1]. The databases that were found contained emails, passwords, full names, phone numbers and addresses, among other data. All of this illicitly obtained information can be used to impersonate the affected individuals, to create convincing fake profiles capable of fooling even the most careful person, or to gain unauthorized access to their accounts.

Technology companies are not the only ones facing these cybersecurity challenges. Prestigious financial institutions have suffered breaches of their credit card and other sensitive data of millions of customers. In 2023, more than 133 million medical records were leaked in the United States (U.S.). That same year, the U.S. Department of Transportation suffered an attack that exposed the personal information of 327,000 federal workers.

In short: we are constantly at risk of becoming victims of cybercrime.

Multiple cases have turned into legal battles initiated by affected organizations and individuals. These disputes have concluded with multi-million-dollar settlements, making data breaches a risk that cannot be ignored today.

The Economic Impact of Data Breaches

A data breach is any security incident in which unauthorized persons gain access to the sensitive data or confidential information of others. Breaches can stem from external sources (such as a malware attack) or internal ones (such as a user falling for a phishing scam).

In today's digital economies, these attacks are becoming more frequent. IBM research found that in 2023 the average cost per data breach was US$4.45 million. This represents a 15% increase over the last three years.

The average execution time of ransomware (malware that hijacks its victims' data and/or devices) fell from more than 60 days in 2019 to just 3.85 days in 2021. Attackers can infiltrate and act relatively quickly. This is even more concerning considering that in 2022 it took companies, on average, 326 days to identify and contain attacks of this type.

Because of the increased sophistication of these attacks, half of the companies that suffered them in 2021 were also victims of a data breach. If that were not enough, the cost of recovering from the attack caused 10% of those affected to suspend payments the following month.

These threats are already occurring daily in Guatemala and in the region. Therefore, it is essential to know how to respond to a data breach, and what precautions to take to manage legal risks.

Guatemalan Regulatory Framework

Currently, there is no single regulatory framework that explicitly covers the methods of obtaining and protecting personal data that any customer or user may entrust to third parties. However, there are legal tools to act in the event of a data breach.

Guatemalan criminal legislation contains rules on the conservation of books or records that require a company to review how it handles its physical and digital data. A person or organization affected by a data breach could invoke computer crimes such as alteration of programs, prohibited registrations or manipulation of information, to mention a few. Additionally, there are other crimes against copyright and industrial property that may be found applicable according to each case and its particularities.

The Civil Code states that professionals must be diligent with their clients' secrets, and they are liable if this information is disclosed. But what about everyday interactions outside the professional sphere? A salesperson requesting your data for a membership, for example, is a common scenario.

In the field of services, the contracts that document these relationships usually include clauses on the handling of information, especially information that is personal and/or has a high commercial value. Consideration should be given to whether a data breach could amount to a breach of contract in a given case, how it can compromise the integrity of a business, and what its effects are even when the necessary precautions have been taken.

Recommendations

To manage potential risks, we share some recommendations:

  • Adequately define in the corresponding contracts or agreements what information will be considered as trade secrets and/or industrial property. In the digital era, consumer data has a high commercial value.
  • Define which situations could be considered force majeure and therefore outside the responsibility of the organization that may suffer a data breach. To this end, security and response protocols can be agreed upon. If your organization complies with such protocols and nevertheless suffers a data breach, you could mitigate legal risks with these types of provisions and your compliance to them.
  • Train and constantly monitor members of your organization at all levels as appropriate. This will help protect your company's data, your customers' data, and your employees' personal information.


In the event of a data breach, it is essential to inform the organization or individuals concerned as soon as possible. This allows us to work together to resolve and manage the legal risks arising from possible complaints from affected individuals.

Data breaches can happen at any time, even when you have robust cybersecurity protocols in place. If you have any questions about legal tools that can assist you in your business, please do not hesitate to contact us.

[1] https://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/daveywinder/2024/01/23/massive-26-billion-record-leak-dropbox-linkedin-twitterx-all-named/amp/
