The “Cybersecurity Incident Notification and Management Guide” for public agencies was approved
By Mariano Peruzzotti, Andrea Sanchez Vicentini and Josefina Piñeiro.
On July 4th, 2023, the Chief of Cabinet of Ministers (Undersecretary of Information Technology) issued the Provision 3/2023 (the “Provision”) by which the “Guide to notification and management of security incidents” was approved (the “Guide”) for public agencies.
The Guide is based on international documents related to cybersecurity established by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the International Telecommunication Union (ITU) and the Best Practices Guide for Incident Management of the European Union Agency for Cybersecurity (ENISA). It provides clear guidelines for reporting and managing cybersecurity incidents, as well as recommendations based on international good practices.
The Guide regulates the following aspects of cyberattacks:
- Taxonomy and classification of a cybersecurity incident.
- Notification of cybersecurity incidents. This will be from 48 hours of knowledge of their occurrence or their potential occurrence.
- Content of the reports.
- States of an incident.
- Managing a cybersecurity incident.
- Good practices for reporting cybersecurity incidents.
- Digital evidence.
Argentina has stressed that it is of the utmost importance to strengthen the tools, protocols and regulatory frameworks linked to security incidents. In this way, there could be agile and efficient responses to cyberattacks. The aim is to ensure that the essential information assets of public bodies maintain acceptable levels of risk and operate on a regular basis.
At present, there is no legal obligation to report the security incident. However, in case of an incident, it will have to be notified based on Resolution 47/2018 and the general principles of good faith and prevention of damage of the Civil and Commercial Code of the Nation.
In fact, the Personal Data Bill developed by the Argentine Agency for Access to Public Information (“AAPI”) imposes an obligation to report data breaches to the AAIP without undue delay and within 72 hours of learning that the breach is likely to pose a risk to rights of data subjects. Data subjects should also be informed of the violation if it is likely to result in a high risk to their rights.
For further information please contact: mperuzzotti@ojambf.com, asanchezvicentini@ojambf.com and/or jpineiro@ojambf.com.
