Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so. Local data protection regulations require data controllers to report such breaches in certain circumstances.
Mexican employers are responsible for informing individuals immediately in cases where a data breach may impact the economic or moral rights of the individual. There is no requirement to register a breach with the data protection authority (Federal Law on the Protection of Personal Data Held by Private Parties).
Breach notifications should include information on:
- the nature of the breach;
- the personal information that was compromised;
- recommendations as to next steps the individual can take to protect their information;
- corrective actions that have been implemented; and
- how the individual can receive additional information relating to the breach.
HR Best Practices: Incidents in the employment context that might trigger a notification requirement include a laptop or file left on a train, or an email containing HR information sent in bulk to incorrect addresses. Employers should develop and implement a data breach action plan covering notification, incident documentation and response procedures.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.