Argentina: Cybersecurity

1. GOVERNING TEXTS

1.1. Legislation

General Legislation

Currently, Argentina does not have general or omnibus legislation on cybersecurity. However, in the past few years, several regulations have been enacted on sectoral matters (i.e. personal data protection, financial entities, internet service providers, and the public sector), which reflect the increasing importance of this matter.

The Argentine Criminal Code (only available in Spanish here), whilst it does not expressly refer to cybersecurity, provides sanctions for 'informatic crimes,' that is crimes committed through computerised means. These crimes are the following:

  • to gain access to a system or data base without due authorisation or exceeding the terms of the authorisation granted, whether it is a private, financial, telecommunication service provider, or public system or data base (Section 153 bis of the Criminal Code); 
  • to gain access to any data base by violating confidentiality and security systems, to reveal confidential information from a data base which the Act grants its confidentiality, to illegitimately insert any kind of data within a personal data file (Section 157 bis of the Criminal Code); 
  • to defraud by means of any manipulating informatic technique (Section 173(16) of the Criminal Code);
  • to destroy, alter, or render unusable data, documents, programmes, or computer services, or sell, distribute, or introduce into a computer system any program intended to cause harm (Section 183 of the Criminal Code); and
  • to damage any file, document or any public informatic system; to damage any informatic system used for (Section 184 of the Criminal Code):
    • the provision of health services;
    • communication services;
    • production or transportation of energy;
    • means of transportation; and
    • any public utility.  

In addition, the Contravention Code of the Autonomous City of Buenos Aires ('CABA') (only available in Spanish here) also provides for offences committed by computer means such as: 

  • digital harassment (Section 75 of the Contravention Code);
  • unauthorised dissemination of intimate images or recordings (Section 71 bis of the Contravention Code); and 
  • digital impersonation (Section 71 quinquies of the Contravention Code).

Also, the Federal Procedural Criminal Code approved by Act No. 27.482 (only available in Spanish here) incorporates new systems of administration of justice by electronic means, such as the possibility of holding the hearing of control of the accusation, and for a legal person to challenge a judicial order, by audio-visual means, according to Sections 246 and 313 of the Federal Procedural Criminal Code respectively, as well as conducting interrogations via the same means. Furthermore, pursuant to Section 144 of the Federal Procedural Criminal Code, judges may, on a grounded basis, order the registration of informatic systems, or means of storing computer or electronic data, to seize the components of the system, obtain a copy, or preserve data or elements of interest for the investigation.

Informatic crimes may be reported to the Cybercrime Prosecutor of the Public Prosecutor and the Cybercrime Specialised Prosecution Unit ('UFECI'), which was created by Order PGN No. 3743/15 (only available in Spanish here) and aims at dealing with crimes where the means for committing the crimes include the use of computer systems, with special emphasis on crimes where it is necessary to conduct investigations within digital environments. Furthermore, the Public Prosecutor's Office of the CABA, by Order FG No. 20/2020 (only available in Spanish here), regulated the Specialised Prosecution Unit for National and Local Cybercrimes ('UFEDyCI'), with exclusive jurisdiction for those cybercrimes that fall within the scope of the criminal justice of CABA.

Additionally, in June 2017, Argentina adhered, with certain reservations, to the Budapest Convention of the Council of Europe of 2000 on Cybercrime (ETS No. 185) ('the Budapest Convention') through Act No. 27.411 (only available in Spanish here). The Budapest Convention is currently the only international treaty on cybercrime and digital evidence. Its main aim is international cooperation against cybercrime, by establishing a common criminal policy amongst Member States for the protection of society against it and by unifying procedural and criminal regulations. In this regard, the Budapest Convention sets forth provisions related to substantive criminal law and also specifies several crimes. Currently, the enforcement authority of the Budapest Convention in Argentina is the Directorate of International Legal Assistance of the General Directorate of Legal Counselling.

In December 2019, in alignment with Section 35 of the Budapest Convention, the Ministry of Human Rights and Justice created the Cybercrimes and Digital Evidence Unit ('the Unit'), through Order No. 1291/2019 (only available in Spanish here), serving as a main contact point regarding the Cybercrime Convention adopted in Budapest. The Unit provides Member States of the Budapest Convention, and officials of the local criminal system at a federal and provincial level, with an immediate 24/7 contact point and immediate assistance in the investigation of criminal offenses carried out through computer systems, and of crimes for which obtaining electronic evidence is required. Such assistance comprises: providing technical advice, conservation of data, collection of evidence, the provision of legal information, and localisation of suspects. The Unit works within the National Directorate for International Affairs under the General Coordination Unit of the Ministry of Justice and Human Rights, acting in coordination with the Ministry of Foreign Affairs, International Trade and Worship, as the central body for international cooperation in criminal matters and requests for mutual assistance. As of 2022, the Unit is on duty and is made up of two advisors of the Directorate for International Affairs.

Additional Legislation

As for additional legislation, the following laws and/or regulations are applicable to the subject matter:

  • the Personal Data Protection Act No. 25.326 of 2000 ('the PDPA'), its Executive Order No. 1558/2001 (only available in Spanish here), and complementary regulations from the Argentinian data protection authority ('AAIP');
  • the AAIP Order No. 47/2018 providing for Recommended Security Measures for the Processing and Conservation of Personal Data (only available in Spanish here) ('the Order 47/2018'); and
  • the Digital Signature Act No. 25.506 of 2001 (only available in Spanish here), as amended by Executive Order No. 182/2019 on Digital Signatures (only available in Spanish here), and Executive Order No. 774/2019 (only available in Spanish here) ('the Digital Signature Act').

Each of the above seeks to reflect the importance of cybersecurity, to establish standards or obligations to protect and safeguard sensitive data and institutional systems, and to prevent cybersecurity incidents.

1.2. Regulatory authority 

In Argentina, there are several administrative authorities dedicated to enforcing cybersecurity laws and regulations. To date, these authorities have mainly issued regulations directed to the public sector, and currently only approach the private sector for mutual collaboration. Nonetheless, these authorities may eventually develop a regulatory framework on cybersecurity and could issue specific regulation directed to the private sector. These authorities are located within the Secretariat of Public Innovation (ex-Modernisation Ministry) and, so far, none of them have corrective powers, but mainly collaboration tasks. These authorities include:

  • the Undersecretariat of Technology and Cybersecurity ('the Undersecretariat'), which is the main cybersecurity authority. The Undersecretariat aims to, among other things, assist the Secretariat of Public Innovation in the development of a specific regulatory framework that would allow for the identification and the protection of the critical infrastructure of the national public sector, and of the civil organisations and private sector that require it, as outlined in Executive Order No. 898/2016 (only available in Spanish here);
  • the Cybersecurity Committee, created by Executive Order No. 577/2017 (available in Spanish here) ('the Cybersecurity Committee Executive Order'), whose composition was later modified by Executive Order No. 480/2019 (only available in Spanish here), and which has been assigned to, among other things, promote the enactment of a regulatory framework on cybersecurity and the drafting of an action plan for the implementation of the National Cybersecurity Strategy, as provided by the Cybersecurity Committee Executive Order (only available in Spanish here);
  • the National Administration of Critical Information Infrastructure and Cybersecurity ('ICIC'), which aims to:
    • assist the public sector in all cybersecurity matters;
    • protect the critical infrastructure;
    • develop the public sector's abilities to detect, uphold, respond to, and recover from incidents; and
    • draft, in collaboration with the private sector, digital security policies, as outlined in Administrative Order No. 232/2016 (only available in Spanish here). The ICIC reports to the Undersecretariat for Information and Cybersecurity's Critical Infrastructure Protection;
  • the National Office of Information Technology ('ONTI'), which has as its main responsibility to intervene in the drafting of policies and enactment of the development and technological innovation for the State's transformation and modernisation promoting the integration of new technologies, its compatibility and interoperability in accordance with the objectives and strategies defined in the State's Modernisation Plan, as established in Administrative Decision No. 232/2016 (only available in Spanish here);
  • the Cybercrimes and Digital Evidence Unit (already referred to in section 1.1 above), created by the Ministry of Human Rights and Justice, by Order No. 1291/2019 (only available in Spanish here);
  • the National Cybersecurity Directorate, created within the Ministry of Security, which also deals with cybersecurity; and
  • the Advisory Commission on the fight against Cybercrime, created by the Undersecretariat of Criminal Investigation and Judicial Cooperation within the National Directorate on Cybercrime Investigations under the power of the Ministry of Security by Order No. 655/2020 (available in Spanish here), has the purpose of monitoring the implementation of initiatives incorporated into the 'Federal Plan for the Prevention of Technological and Cyber Crimes (2019 - 2023).'

Other administrative authorities that have issued regulations on cybersecurity which directly affect the private sector include:

  • the AAIP, authority in control of the PDPA, which issued Order 47/2018 with Recommended Security Measures (only available in Spanish here) which looks after the fulfilment of obligations of integrity and data security from data controllers and data processors (i.e. records, registers, or data banks), requests information relating to backgrounds, documents, programmes, or other elements related to personal data processing, and imposes administrative sanctions; and
  • the Argentine Central Bank ('BCRA') which, among other things, regulates the financial system, contributes to the proper functioning of the capital market, and imposes sanctions as established in Act No. 21.526 on Financial Entities (only available in Spanish here) ('the Financial Entities Act'). 

1.3. Regulatory authority guidance

There is no guidance from the regulatory authorities.

Notwithstanding this, in November 2018, the Argentinean Government, through the issuance of Executive Order No. 996/2018 (only available in Spanish here), set forth the basis for an Argentine Digital Agenda, a new framework for digital development in Argentina which included, amongst its various aims, to 'develop capacities in cybersecurity for generating confidence on digital surroundings.' Given the broad terms of Executive Order 996/2018, further specific regulations to it are expected. Later, the Secretariat of the Chief of Cabinet Ministers under Order No. 5/2019 (only available in Spanish here) created Argentina's Digital Agenda Unit, with the aim of accelerating the country's digital transformation but with no further specific advancements on cybersecurity matters.

On 28 May 2019, the Secretariat of Modernisation issued Order No. 829/2019 (only available in Spanish here), which provided the framework for the National Cybersecurity Strategy (only available in Spanish here). Order No. 829/2019 states that the National Cybersecurity Strategy shall direct the development of concrete actions, plans, and policies for the benefit of Argentina.

In particular, the National Cybersecurity Strategy is structured along the following objectives:

  • awareness in the safe use of cyberspace;
  • training and education on the safe use of cyberspace;
  • development of a regulatory framework;
  • strengthening of prevention, detection, and response abilities;
  • protection and recovery of the public sector's information system;
  • promotion of the cybersecurity industry;
  • international cooperation; and
  • protection of national critical information infrastructure.

The National Cybersecurity Strategy is carried out by the Cybersecurity Committee, which must ensure the safe use of cyberspace among the Public Administration: national, provincial, or municipal authorities, private sector, non-governmental organisations, and academic entities. It should be noted that Order No. 829/2019 also created an executive unit within the Cybersecurity Committee to coordinate the functioning of the National Cybersecurity Strategy and provide administrative assistance to the Cybersecurity Committee.

In September 2019, the Chief of Cabinet Ministers of the Secretariat of Modernisation, in collaboration with the Cybersecurity Committee, approved Order No. 1523/2019 ('Order No. 1523/2019') (only available in Spanish here), which defines the concepts of critical infrastructure and critical information infrastructure and approves the Glossary of the Terms on Cybersecurity, providing the definition of certain concepts such as 'cybersecurity', 'cyberspace', 'cyber attack', 'cyber threat', and 'risk analysis,' amongst others. Whilst it seems to be directed to the public sector, it is also useful for the private sector when contracting and executing bids with the government. According to the recitals of Order No. 1523/2019, the Cybersecurity Committee previously analysed definitions adopted by different jurisdictions and international organisations to benefit from international experience and know-how on cybersecurity.

Additionally, and in alignment with the aforementioned National Cybersecurity Strategy, on 4 November 2019, the Ministry of Security approved, by Order No. 977/2019, the 'Federal Plan of Prevention of Technological Crimes 2019-2023' (only available in Spanish here) with the aim of acquiring, by 2023, qualified personnel, technology, and necessary regulations at a national scale, to fight against the execution of crimes through means of Information and Communications Technology within Argentina, and to become aware of the national metrics (i.e. the quantity and conditions of technological crimes at a national scale). This Order has been repealed and updated by Order No. 75/2022, and the plan is now called 'Federal Plan of Prevention of Technological Crimes 2019-2024' (only available in Spanish here).

Moreover, Order No. 144/2020 of the Ministry of Security (available in Spanish here) approved a new protocol for the use of open sources in crime prevention. The protocol establishes guidelines for police use of digital open sources and shall be in force during the term of the COVID-19 public health emergency.

Furthermore, in June 2021, Administrative Order No. 641/2021 (only available in Spanish here) came into effect. Its aim is to strengthen the security of the information that entities under Section 8, Subsection A of Act No. 24,156 on Financial Administration and Control Systems of the National Public Sector (only available in Spanish here) receive, process, and administer. These entities are Argentina's central administration and decentralised organisations (e.g. Argentine social security institutions).

Section 2 of Administrative Order No. 641/2021 states that not only the entities under Section 8, Subsection A of Act No. 24,156 on Financial Administration and Control Systems of the National Public Sector must comply with it, but also every company (either from the public or private sector) that partners with the abovementioned entities.

Administrative Order No. 641/21 sets the mandatory steps that the entities under Section 8, Subsection A of Act No. 24,156 on Financial Administration and Control Systems of the National Public Sector must follow to strengthen the cybersecurity measures they usually take. Some of these steps are the following: create and approve, within 90 days, an integral Security Plan to prevent cybersecurity issues from occurring (Article 3 of the Administrative Order No. 641/21), and send this plan to the enforcement agency for Governmental approval (Article 4 of the Administrative Order No. 641/21). The National Cybersecurity Directorate is the enforcement agency of this Order (Articles 7 and 11 of the Administrative Order No. 641/21). Further details are included in the Administrative Order No. 641/21, Annex I.

The National Cybersecurity Directorate also passed a Cybersecurity Recommendations Document (only available in Spanish here) which establishes minimum recommendations that should be followed to back up information in compliance with cybersecurity. These recommendations are non-mandatory.

On 24 January 2022, pursuant to Order No. 641/2021, the Argentine Ministry of Science, Technology and Innovation enacted its Cybersecurity Plan through Order No. 02/22 (only available in Spanish here).

On 15 February 2022, the Ministry of Security updated by Order No. 75/2022 (only available in Spanish here) the 'Federal Plan of Prevention of Technological Crimes and Cybercrimes 2021-2023' and approved the 'Federal Plan of Prevention of Technological Crimes and Cybercrimes 2021-2024' with the aim of acquiring, by 2024, qualified personnel, technology, and necessary regulations at a national scale to fight against the execution of crimes through means of information and communications technology within Argentina, to become aware of the national metrics, among others. The enforcement agency of this Plan will be the Ministry of Security's Cabinet Advisor Unit. 

Moreover, through Order No. 86/2022 (only available in Spanish here), the Ministry of Security approved the Cybersecurity and Cybercrime Research and Strengthening Programme with the goal of coordinating and giving advice on both security techniques for digital infrastructure and research techniques to prevent cybercrime.

2. SCOPE OF APPLICATION

As explained in previous sections, regulations are directed and applicable to the public sector, approaching the private sector for mutual collaboration.

National laws, such as the Argentina Digital Act and the PDPA, are of public order and fully applicable to public and private entities.

Regarding the territorial scope of the rules, all of them, regardless of the entity or body from which they emanate, are of national scope.

In Argentina, individuals and/or entities processing personal data from data subjects must fulfil the provisions of the PDPA and, subject to several exceptions, can only process data based on the data subject's prior, express, informed, and free consent (Section 5 of the PDPA) and only for the purposes for which the personal data is collected and not any other purpose (Section 6 of the PDPA).

3. DEFINITIONS

As provided in Order No. 1523/2019 (only available in Spanish here) of the Government ex-Secretary of Modernisation:

  • Cybersecurity: Is defined as the preservation of confidentiality, integrity, and availability of information in cyberspace.
  • Database: Is defined as a large amount of information that has been systematised for proper storage, so that the data contained therein can be used when deemed necessary and can subsequently be reordered or organised. This term is also defined by the PDPA (please see below).
  • Cybersecurity incident: Is defined as an action produced in cyberspace that compromises availability, integrity, and confidentiality of information through unauthorised access, modification, degradation, or destruction of information systems and telecommunications or infrastructures supporting them.
  • Information Security Management System: Is defined as a set of policies, processes, standards, guidelines, and security tools that enable the organisation or body to achieve its objectives.
  • Risk assessment: Is defined as a process of comparing the results of the risk analysis with the risk criteria to determine whether the risk and/or magnitude are acceptable or tolerable.           

Pursuant to Section 2 of the PDPA:

  • Data base: Is defined as the organised set of personal data subject to the treatment or processing, either electronically or not, whatever the modality of its formation, storage, organisation, or access.
  • Data processing: Is defined as systematic operations and procedures, electronic or not, that allow the collection, retention, management, storage, modification, linking, evaluation, blocking, destruction, and in general the processing of personal data, as well as its transfer to third parties through communications, consultations, interconnections, or transfers.
  • Computerised data: Is defined as the personal data subject to electronic or automated processing.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

Sections 6 and 7 of the BCRA's Ordinated Text of the Rules on Minimum Operational Requirements of the Area of Information Systems – Information Technology ('the Operational Requirements on Information Systems') (only available in Spanish here) establish the minimum requirements that any information system should comply with, for instance in relation to its functional structure, methodological standards, and a specific informatic security policy.

4.1. Cybersecurity training and awareness

Whilst in Argentina there is no law that establishes an obligation to train staff regarding cybersecurity issues and/or risks, the National Strategy on Cybersecurity generally provides, as one of its objectives, a programme to train and educate individuals on the safe use of cyberspace through:

  • promoting the training of professionals, technicians, and researchers;
  • developing workshops and exercises, both governmental and with the private sectors and the civil sector;
  • strengthening training in incident prevention, detection, response, and resilience techniques; and
  • increasing transversal training activities in the academic sector.

4.2. Cybersecurity risk assessments

The BCRA, through the aforementioned Operational Requirements on Information Systems, which apply only to financial entities, requires that entities have an annual computer security awareness and training program, whose contents shall cover all internal and external needs in the use, knowledge, prevention, and reporting of incidents. This standard provides guidelines for the implementation of controls to avoid informational risks within such entities.

The Public Prosecutor's Office issued Order No. 756/16 (only available in Spanish here), which sets forth several recommendations that should be taken into consideration to collect, use, and preserve digital evidence while avoiding informational risks. These recommendations are non-mandatory.

4.3. Vendor management

There are no current regulations in force, ruling upon the management of vendors in relation to obligations on an entity with respect to a vendor's cybersecurity.

4.4. Accountability/record keeping

Although there are no regulations requiring companies to implement audits of cybersecurity programs or codes of conduct, the BCRA Operational Requirements on Information Systems require that, if financial entities carry out an internal or external audit and detect an error, they must correct it within a period not exceeding 180 calendar days, issuing a report and filing it before the Superintendency of Financial and Exchange Entities.

5. DATA SECURITY

The Order No. 47/2018 provides non-binding and therefore non-mandatory recommendations on security measures for the treatment, processing, and conservation of personal data in computerised means. These recommendations focus on tasks and specialties that data controllers and data processors may follow under a cybersecurity incident scenario, including:

  • implementing a complaint process to allow users to notify security events;
  • having a capable incident management system to show registration date, relevant documentation, people involved, and assets affected;
  • establishing responsibilities and procedures, such as developing a procedure for management in case of cybersecurity incidents and appointing a person responsible for communication; and
  • preparing a report of the incident, which should be sent along with an incident notification.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

There is no general legal obligation to notify cybersecurity incidents to regulatory authorities.

The incident report mentioned in section 4.2 above shall be addressed to [email protected], with the following required minimum information:

  • the nature of the breach;
  • the categories of personal data affected;
  • identification of affected users;
  • the measures taken by the responsible person to mitigate the incident; and
  • the measures applied to avoid future incidents. 

In addition, on 22 February 2022, the National Computer Emergency Response Team published the 2021 Cybersecurity Report (only available in Spanish here) where it is shown that cybersecurity incidents in Argentina increased by 261% when compared to 2020. Both phishing and ransomware were the most common cybersecurity incidents reported whilst both the public and financial sectors were the most affected by the abovementioned incidents. 

7. REGISTRATION WITH AUTHORITY

Registration with a regulatory authority is not required. However, the National Programme of Critical Information and Cybersecurity Infrastructures, created by Order No. 580/2011 (only available in Spanish here), and under the direction of ICIC, seeks, among other things, to collaborate with the private sector in drafting policies on safeguarding digital security, drafting annual briefs on the status of cybersecurity, and promoting awareness of the risks in digital media. It should be noted that this program is not mandatory. Adherence to the program is optional for the private sector through the submission of the adherence form, as approved by Provision 3/2011 (only available in Spanish here).

Likewise, after the enactment of this program, a registry of security incident response teams was created by Provision 5/2015 (only available in Spanish here) in order to coordinate the actions of the informatic emergency response teams and to act as a repository for information on security incidents, tools, protection and defence techniques, standards, and good practices. Even though registration is optional for the private sector, the program establishes certain requirements that a corporation must fulfil to register, such as:

  • delivering a certified copy of the corporate bylaws and of the act of appointment of the responsible person; and
  • delivering a 'constitution letter,' based on the Internet Engineering Task Force's Request for Comments No. 2350, that provides information on the computer security incident response team, the channels of communication, mission, and responsibilities.

8. APPOINTMENT OF A SECURITY OFFICER

According to Section 3.1.1 of Communication 6375 (only available in Spanish here), financial entities must consider, within their organisational structure, a specific area in charge of protecting their information assets, establishing the mechanisms for the administration and the security control over the logistical and physical access to their technological and information resources. The person in charge of protecting information assets will manage the enactment and maintenance of the security policy established by the director or the equivalent authority of the entity.

Likewise, though it is only a recommendation, the Order, applicable to data controllers of databases and data processors, states the need to define a responsible person in charge of the fulfilment of the security measures.

Finally, it should be noted that several draft data protection bills have been submitted to the National Congress of Argentina, intending to fully replace the Act and to mirror the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), reflecting international standards and principles. Notable changes included in such bills concern notifications of security incidents, the obligation to appoint a data protection officer in certain circumstances, protection by design and by default, data portability, and opposition rights. If any of the bills are enacted, they would be enforced several years after their date of publication in the Official Gazette.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services 

In the financial sector, several regulations issued by the BCRA (applicable only to financial entities) set minimum security standards and encryption requirements for management, implementation, and risk control regarding the provision of IT services to financial entities. These regulations include Communication 6354 (only available in Spanish here), as amended by Communication 6375 (only available in Spanish here), Communication 6271 (only available in Spanish here), Communication A6684 (only available in Spanish here), and Communication A7325 (only available in Spanish here).

According to Section 1.3 of Communication 6375, critical or sensitive information must be protected to prevent its unauthorised use. Section 6.2.4 of Communication 6375 also indicates that all electronic devices that were functional for the storage of critical information and that are no longer used, must be physically destroyed before being shattered.

According to Communication 6375, financial entities may hire cloud services. For that purpose, such suppliers must comply with general and specific security requirements listed under Section 7 of Communication 6375, such as implementing a 'unified access point' located in Argentina under each entity's administration, which would allow them to constantly control the activities undertaken by information technology services. It should be noted that all requirements are described within seven categories (each of them with a specific requirement chart), namely: information security governance; training and awareness; access control; follow-up and integrity; control and monitoring; incident management; and operational continuity.

Communication 6354 establishes specific requirements for the performance of data processing, IT services and data outsourcing services. It establishes the need to frequently review and update the security policy and complementing documents in accordance with, among other things:

  • risk assessment and complexity of the financial entity;
  • classification of information assets according to their criticality and sensitivity;
  • security strategy;
  • access, identification, authentication, and security standards;
  • control and monitoring; and
  • security records.

Also, according to Section 3.1.5.1 of Communication 6375, the 'area of information asset protection' must register financial entities' incidents and weaknesses in security matters and be immediately informed of them through the proper information channels, for the purpose of analysing their causes and enforcing improvements to the information controls to prevent their future occurrence.

Communication A6684 amends Communication A6354, more specifically Section 6.3.3.6 and Section 6.7.2, whilst Communication A7235 amends Section 6 of Communication A6684.

Additionally, the BCRA, through Communication B 11847 (only available in Spanish here), orders financial entities to report any security incident on systems and technology to the Bank's External Systems Audit Management, when such incident:

  • produces the inability to provide services to clients, or produces a significant interruption to the provision of services;
  • produces a failure of the financial entity to fulfil obligations with regards to the functioning of the markets where it operates; and
  • compromises the financial information of clients.

In May 2019, the BCRA also published an informal supervision guide on cybersecurity and cyber-resilience for the implementation of controls for the adequate management of cybersecurity incidents (only available in Spanish here), with general, non-binding guidance for supervisory proceedings, as well as a guideline on cybersecurity with a glossary on cybersecurity (only available in Spanish here).

As for corporate documents, several rules have been issued to allow for the digitalisation of corporate and account books (i.e. Act No. 27.349 on Support for Entrepreneurship Capital (only available in Spanish here)). In June 2018, Act No. 27.444 (only available in Spanish here) amended Section 61 of Act No. 19.550 (only available in Spanish here) to allow companies to keep their corporate and accounting books by digital means, as in the case of simplified corporations. However, progress on digitalisation has been held back by operating difficulties. Specifically, Section 53 of the General Inspection of Justice ('IGJ') General Decision 6/2017, updated by Regulation 43/20 (only available in Spanish here), demands that:

  • the server in which the corporate files are stored be located in the corporate headquarters in Argentina;
  • the corporation save two copies of every digital file in two locations other than the corporate headquarters (at least one of them must be digital);
  • the corporation inform the IGJ of the location of the two copies and keep this information updated; and
  • every document be digitally signed only by authorised personnel.

Evidently, the aforementioned criteria obstruct the possibility of hiring cloud services to store corporate documentation and to replace the traditional records. It is hoped that this legal obstacle will be overcome soon. Furthermore, in October 2019, the National Securities Commission ('the Commission') issued Order No. 813/2019 (only available in Spanish here) which extends the permission of digital bookkeeping to companies authorised for public offering, under the surveillance of the Commission.

The IGJ, via Regulation No. 11/2020 (available in Spanish here), and the Commission, through Order No. 830/2020 (available in Spanish here), issued in March and April 2020 respectively, temporarily allowed management and governance meetings (i.e. shareholders' meetings and board members' meetings) to be carried out by informatic or digital means or platforms. That is, 'through platforms allowing the transmission of sound, images, and words simultaneously, during the whole transmission of the meeting,' always saving a digital copy of such meetings for a period of five years.

Furthermore, in the context of the COVID-19 pandemic, on 27 November 2020, Order IGJ No. 46/2020 (only available in Spanish here) extended the allowance of management and governance meetings to be carried out by informatic or digital means or platforms, providing sanctions for companies holding meetings in person against emergency regulations (Executive Order No. 875/2020 (only available in Spanish here)).

In April 2021, the BCRA, through its Communication A7266 (only available in Spanish here), enacted a Cyber Incident Response Manual, which sets out the methods that must be used to both limit the risks that threaten financial stability and encourage the financial ecosystem's resilience. Financial entities and payment service providers must comply with it.

On 4 February 2022, the Commission enacted Criteria No. 80 (only available in Spanish here), which established that Order No. 830/2020 is still binding, as Executive Order No. 867/21 (only available in Spanish here) extended the COVID-19 national health emergency status until 31 December 2022. Despite this fact, the Criteria specifies that directors should determine, according to the special circumstances of the company, whether the shareholders' and board members' (among others) meetings should be carried out virtually or on the company's premises.

Health 

The Argentine Medical Records and Patient's Right Act No. 26.529 (only available in Spanish here) specifies that medical records may be kept on magnetic media if certain measures are taken to ensure the preservation of their integrity, authenticity, unchangeability, durability, and the timely recoverability of stored data. Furthermore, access should be restricted with identification keys or any other technique to ensure the integrity of the medical record.

In addition, the Cybersecurity National Directorate published a Guideline for Hospitals and Health Institutions (only available in Spanish here) which contains several recommendations that both hospitals and health institutions should follow to prevent cybersecurity issues from occurring. This guideline is non-mandatory.

Telecommunications 

The Argentina Digital Act No. 27.078 (only available in Spanish here) provides that users of ICT services have the right to the protection of the personal data that they have provided to authorised licensees (whether by physical or electronic means), which may not be used for purposes other than those authorised in accordance with the rules that complement this law. Likewise, it provides for the inviolability of communications made by any technological means, including emails or any other mechanism that induces the user to presume their privacy, and of the traffic data associated with them.

Their request, interception, or analysis may proceed only through a request issued by a competent judge.

Internet Service Providers

Pursuant to Act No. 25.690 on Internet Service Providers (only available in Spanish here) ('25.690 Act'), internet service providers have the obligation to offer protection software to prevent access to specific sites at the time of supplying internet services, regardless of whether the contract was concluded by telephonic or written means. In addition, the Digital Signature Act No. 25,690 provides the framework for electronic and digital signatures, digital documents, and their legal effectiveness.

Moreover, through Order No. 399/16-E946/2021 (only available in Spanish here), the former Argentine Modernisation MinistrySecretariat of Public Innovation enacted a new set of requirements for applicants of digital certifications related to the content of digital certifications and both operational and technological standards of the digital signature infrastructure. 

In 2019, through the Administrative OrderDecision No. 627/19 (only available in Spanish here), the Administrative Decision No. 927/2014 was left without effect, therefore the requirements enacted through the abovementioned Order No. 399/16-E946/2021 are the only valid and binding requirements as of the day hereof.

The Digital Signature Act No. 25,690 defines the term 'technically reliable' as the quality of the set of computing equipment, software, communication and security protocols, and related administrative procedures that fulfil the following requirements:

  • safeguard against the possibility of intrusion and/or unauthorised use;
  • ensure the availability, reliability, confidentiality, and correct functioning;
  • be fit for the performance of its specific functions;
  • fulfil the appropriate rules of security, according to international standards in the matter; and
  • fulfil the technical and auditing standard set by the application authority.

Employment 

In general terms, Argentine labour law provides generic restrictions for monitoring and limiting usage by employees of company computer resources.

Recently, with the issuance of Teleworking Act No. 27.555 (only available in Spanish here), employers are obliged to take all the necessary precautions, especially regarding software, to guarantee the protection of the data used and processed. It also provides that the use of the software cannot include surveillance in violation of the employees’ privacy.

With regard to cybersecurity, there are currently no mandatory security practices or policies. However, the AAIP Order 47/2018 on recommended and non-binding security measures for the processing and conservation of personal data provides a minimum security standard for the implementation of security measures.

In addition, the Cybersecurity National Directorate published guidelines for both employers and employees (only available in Spanish here) which contain several recommendations they should follow to prevent cybersecurity issues from occurring while teleworking.

The Cybersecurity National Directorate also published guidelines (only available in Spanish here) with several recommendations to follow when using emails. These guidelines are non-mandatory. 

Education 

The Cybersecurity Committee Executive Order, which approved the National Strategy on Cybersecurity, makes general references to cybersecurity in the educational sector. It states the need to 'increase activities of awareness in the educational field and increase transversal activities of training in the academic field' for the purposes of creating awareness of the safe use of cyberspace, at a national scale, and for the 'formation of discernment on the risks associated with the use of technologies.' The National Strategy on Cybersecurity also refers to the academic sector as a necessary agent which, along with the federal government, the provinces, and the private sector, is required to guarantee the safe use of cyberspace through mutual coordination, cooperation, and exchange of information, and with an adequate articulation of their competences and resources.

Insurance 

In Argentina, there is no regulation that forces companies to take out insurance against cybercrime. Nevertheless, several insurance companies offer policies that cover these types of contingencies, which are approved by the competent authority, that is, the Superintendency of Insurance of the Nation.

10. PENALTIES

Currently, regulatory authorities that may apply administrative penalties for non-compliance with cybersecurity regulation are both the AAIP (Sections 31 and 32 of the PDPA) and the BCRA (Section 47 of Act No. 24.144 on Organic Charter of the BCRA (only available in Spanish here)), notwithstanding the criminal liability that could be applied in the specific case.

According to Section 31 of the PDPA, the AAIP may apply the following sanctions to data bank users and/or data processors:

  • warning;
  • suspension;
  • fines of up to a maximum amount of ARS 100,000 (approx. €826); or
  • closure of their file, register, or data bank. 

Pursuant to Section 32 of the PDPA, criminal penalties for non-compliance with cybersecurity regulations can be imposed, pursuant to Section 117 bis of the Argentine Criminal Code.

As for the administrative penalties that the BCRA can apply (pursuant to Section 41 of the Financial Entities Law), these include:

  • warnings;
  • fines;
  • temporary or permanent prohibition to use bank current accounts;
  • temporary or permanent disqualification to act as a promoter, founder, director, manager, member of the supervisory board, syndicate, liquidator, auditor, partner, or shareholder; and
  • revocation of authorisation to operate.

11. OTHER AREAS OF INTEREST

Of interest to the reader, some provinces within Argentina have issued cybersecurity regulations of different scope:

  • Province of Buenos Aires: The Computer Security Incident Response Team was established to protect the critical infrastructure and computer systems of the provincial public administration. In addition, the Government of the Province of Buenos Aires has enacted Executive Order No. 08/21 (only available in Spanish here), by means of which the Cybersecurity Integral Plan has been created.
  • Autonomous City of Buenos Aires: The General Directorate of Computer Security was created to develop and implement computer security policies that can be applied to the computer systems of its units.
  • Province of Chaco: The Provincial Executive Branch approved the Information Security Policy Model, which consists of very specific protocols and provisions applicable to the Central and Decentralised Administration and to State companies and societies.
  • Province of Mendoza: The Information Security Policies were approved, with the aim of providing guidelines on the implementation of an appropriate, safe, and controlled system for the protection of the information of organisations operating in the Public Sector.           
  • Province of Neuquén: The Government of the Province of Neuquén has enacted Executive Order No. 2223/08 (only available in Spanish here) by means of which it encourages the local public sector organisations to create a special Information Security Committee to approach cybersecurity. 

To conclude, on 22 February 2021, Order No. 1/2021 (available in Spanish here) of the Cybersecurity National Directorate was published in the Official Gazette, creating the National Centre of Response to Informatic Entities, with the aim of coordinating the management of security incidents at a national level for entities within the public sector. Further regulations in this regard are expected to be issued soon.


Gustavo Bethular Partner

Sofia Grassi Senior Associate

Juan Aberg Senior Associate
RCTZZ, Buenos Aires
