Managing the threat of a data breach in Bolivia

Extract of an interview to Alejandro Trujillo, Senior Associate of T&F SERVICIOS LEGALES, by Latin American Corporate Counsel Association online magazine.

The interview was part of a news feature for LACCA on how more Latin American companies are improving their data security efforts, as well as what legal teams and law firms should be doing to help prevent data breaches.

1. Does your Law Firm help companies legal departments implement any protocols or policies/tools in place to avoid data security breaches? If possible, please give details on them and how the legal department ensures their success.

In absence of specific regulation regarding data-privacy in Bolivia, many companies are still postponing the implementation of proper Data-Protection Policies, our corporate compliance division is in charge of helping our clients, many of them regulated companies in the IT, Health and Financial sectors, to develop on-going programs that focus on Due Diligence procedures regarding “sensitive areas”, “mechanisms to implement” and “actions in case of breaches”, which provide them clear and actionable instruments.

Recently, we implemented data protection policies and procedures for one of our clients, focusing on the following key components:

– Data Inventory and development of a Data map. Focusing on a complete categorization of information, appointment of responsible officers, housing and backup, designation of departments that handle the data.

– Drafting privacy related policies. Considering the parties involved and sensitive areas of the company.

– Data Breaches Response Plans. Our firm provides training to the officials in charge of overseeing compliance of data protection policies, focused on processes of internal investigation, evidence preservation, reputational risks management and testing.

This reactive strategy helps us and the in-house department to anticipate risks, take preventive measures and allocate responsibilities in case of breaches or incidents.

2. What advice would you give to legal teams working at a company that finds itself suffering a data security breach?

There are many approaches to handle breaches, but the most important recommendation for an in-house department is to be prepared to execute their incident response plan, it is impossible to anticipate every type of breach, instead efforts must be focused on designing a proper framework to open an investigation, to take measures that minimize impact and to handle potential claims by affected parties.

Another key takeaway from our experience advising companies in Bolivia, is that every response plan must be tested by the appointed official, in most cases it would be the in-house counsel in close coordination with the IT and Public Relations department, among other key areas. A recurring concern by our in-house peers is that the company’s response plan has never been tested and that it lacks specificity regarding responsibility allocation, external communications and budget allocation.

Both legal liability and reputational risks must be handled by the Legal and PR departments in close coordination, balancing the pressure to convey information to the impacted public vis-a-vis the need to wait until a proper investigation is completed. We always recommend retaining an external consultant to help manage communications and consumer relations.

3. What advice would you give to in-house teams at companies in jurisdictions like Bolivia where there is still a need for updated data protection laws? What should legal teams keep in mind/be concerned about in a legal landscape where the rules for data protection remain unclear?

Regulation related to data protection is still incomplete in Bolivia, where only general provisions are in place in the Constitution and some secondary laws such as the Telecommunications and Information Technologies Law and the Digital Citizenship Law.

We recommend companies and their in-house teams to stop postponing the implementation of data-protection policies and to avoid strategies that focus on meeting the minimum standard, which may seem cost efficient in the short term, but have many shortcomings that end up risking the integrity of the entire organization and its operations. Bolivia is a particularly complex landscape for companies, mainly because of the regulatory pressure over commercial entities, which can be held criminally liable under specific regulations already in place. Companies with interests and operations in jurisdictions like Bolivia, should be aware of the risks related to data-privacy and must be willing to implement strategic and robust policies that provide reasonable safety for the reputation and operational stability of the organization.