1. GOVERNING TEXTS

Uruguay does not have a general comprehensive law on cybersecurity. It does, however, have a series of decrees that are all applicable to the public sector, including Decree No. 451/009 on the Organisation of the Uruguayan National Computer Security Incident Response Centre (only available in Spanish here) ('Decree No. 451'), Decree No. 452/009 on the Cybersecurity Policy for Public Administration (only available in Spanish here) ('Decree No. 452'), and Decree No. 92/014 on the Standardisation of Domain Names for Public Administration (only available in Spanish here) ('Decree No. 92').

With regards to the private sector, as there is no specific regulation on cybersecurity, Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 (only available in Spanish here) ('the Law'), Decree No. 414/009 Regulating Law 18.331 Relating to the Protection of Personal Data (only available in Spanish here) ('the Decree'), Articles 37-40 of Law No. 19.670 on Accountability and Budgetary Execution Balance Exercise 2017 (only available in Spanish here) ('Law No. 19.670'), and Decree No. 64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 (only available in Spanish here) ('the 2020 Decree') apply.

1.1. Legislation

There is no law that specifically addresses cybersecurity, but there are a series of decrees applicable to the public sector, one of them being Decree No. 451 which aims to organise the National Center for Computer Security Incident Response ('CERTuy'). In the private sector general rules on data protection apply.

General legislation - not cybersecurity-focused

• The Law
• The Decree
• Articles 37-40 of Law No. 19.670
• The 2020 Decree

Sectoral legislation

• Decree No. 451
• Decree No. 452
• Decree No. 92

1.2. Regulatory authority

The CERTuy is in charge of protecting the informatic systems that hold the state's information, and has the following tasks:

• assisting state bodies whenever an incident occurs;
• coordinating with the information security experts on the prevention, detection, and handling of the information about the incidents;
• collaborating and proposing regulation related to cybersecurity;
• alerting those required whenever a threat arises;
• preventing security incidents from occurring; and
• keeping a record of all the incidents that are reported.

The Uruguayan Data Protection Authority ('URCDP') is in charge of the supervision and control of data protection, both to the private and public sector, in particular by:

• passing regulation;
• monitoring data protection law compliance;
• issuing opinions on data protection matters; and
• carrying out inspections.

1.3. Regulatory authority guidance

The CERTuy has issued a Guidance on Cybersecurity Standards, which contains international standards on this matter, contemplating local regulation.

The URCDP has issued a Guidance on Impact Assessment Reports (only available in Spanish here) ('the Assessment Guidance'), as well as a Guidance on Data Breach Notifications (only available in Spanish here).

2. SCOPE OF APPLICATION

As mentioned, there is no specific regulation regarding cybersecurity. However, the aforementioned regulations apply, in general, to all data controllers or processors, whether private or public.

In addition, data protection regulation, by virtue of Article 37 of Law No. 19.670, has an extraterritorial scope, stating that even when the data controller or processor is not established in Uruguayan territory, the data protection regulation shall be applicable when:

• the data processing activities are related to the offer of goods or services aimed at Uruguayan residents, which will be appreciated through elements, such as the use of language, the reference to payment in national currency, or the provision of related services in Uruguayan territory;
• the data processing activities are related to the analysis of the behaviour of Uruguayan residents, including those destined to the elaboration of profiles (such as cookies);
• it is provided by rules of public international law or a contract - in no case may the contracting parties exclude the application of national law, when it should apply; or
• when, in the data treatment process, means located in the country are used, such as information and communication networks, data centres, and computer infrastructure in general.

3. DEFINITIONS

As Uruguay does not have a comprehensive cybersecurity regulation, there are no definitions in the applicable laws with regards to information security program sor cybersecurity/information security officers.

However, Article 4 of the 2020 Decree explains what is considered a 'data breach' or cybersecurity incident and when notification is required, which is further explained in section 6 below. A data breach is defined as any accidental or illegal security breach which could enable the disclosure, destruction, loss, or modification of personal data, or the communication or access to the personal data by any unauthorised person.

With regards to databases, Article 4 of the Law defines them as an organised set of personal data that are subject to treatment or processing, whether electronic or not, whatever the modality of their storage, organisation, or access.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

Following the enacting of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in Europe, Uruguay passed Law No. 19.670, which includes provisions relating to data protection, addressing, among others, the 'proactive responsibility' principle (which supposes the implementation of appropriate technical and organisational measures, such as Privacy by Design and Privacy by Default), the obligation to designate a data protection officer ('DPO'), and the rule of data breach notifications.

These provisions were further developed under the 2020 Decree, which regulates the implementation and enforcement of the aforementioned provisions.

Moreover, Privacy by Design implies the compliance and offering of all guarantees necessary to assure the data protection from the outset, at the initial phase of any planification. On the other hand, Privacy by Default implies that if there are various privacy configurations, those that offer more security and privacy should be the ones marked by default, prevailing over others.

Finally, while there is no legal obligation to have codes of conduct in the matter, the URCDP asks companies who have one to register them, for which they provided an easy online registry. In this sense, it is always recommended as a nice-to-have matter.

4.1. Cybersecurity training and awareness

Not applicable.

4.2. Cybersecurity risk assessments

As stated above, this principle entails the implementation of technical and organisational measures that include Privacy by Design, Privacy by Default, and Data Protection Impact Assessments ('DPIAs'). These measures shall be duly documented, periodically revised, and evaluated on its effectiveness.

With regards to DPIAs, the URCDP has issued the Assessment Guidance for the data controllers to follow. Moreover, all companies or people who manage databases are obliged to pursue these risk assessments, analysing the possible threats to privacy, and suggesting new measures to lower the risks associated to the data treatment. Those measures must then be put into practice.

The Law does not oblige companies to disclose their DPIAs to the URCDP, but the same may ask companies to provide a copy or proof of their performance, in the exercise of their controlling powers, while carrying out an investigation.

4.3. Vendor management

Not applicable.

4.4. Accountability/record keeping

Not applicable.

5. DATA SECURITY

The Law establishes that all entities must adopt technical and organisational measures. The measures that are recommended are the following, which were further developed in section 4 above:

• Privacy by Design;
• Privacy by Default; and
• DPIAs.

Moreover, regarding financial services, the Central Bank of Uruguay ('BCU') issued BCU Circular No. 2.395 (only available in Spanish here) ('Circular No. 2.395') regarding new security obligations for issuers of electronic instruments.

Under Circular No. 2.395, it is established that transfers or payments to third parties made from a bank account will require at least a double authentication factor. Likewise, monitoring and control measures must be established that allow detecting irregular events related to the use of the electronic instrument or the system in which it operates, including changes and attempts to change the password, personal identification number, address, telephone, email, and established means to receive communications, among others.

In addition to this, the system must protect:

• dates and times of operations;
• message contents;
• identification of operators, issuers, and receivers;
• accounts and amounts involved;
• user authentication mechanisms used in the operation;
• identification of the terminal from which it was operated (for example its IP address);
• if the operation was carried out in person or remotely; and
• whether the operation was carried out in a safe place or not.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

If the data processor detects a breach of its security measures, the data processor shall immediately report the breach and the security measures to be adopted, to both the affected data subjects and the URCDP. In this sense, the data controller must inform the URCDP of the occurrence of a security breach within 72 hours from the moment it becomes aware of its existence and whenever it affects personal data, and the URCDP shall act in coordination with the CERTuy. Notification to the authorities should include relevant information regarding the date of occurrence, nature of the breach, personal data affected, and possible impact.

Also, within a 24-hour period since the occurrence of the breach, the data processor or responsible of the database shall take all necessary measures to reduce its impact.

In addition, once the breach is addressed, the responsible of the database must submit a report to the URCDP explaining the status of the data breach and the measures taken to address it.

Moreover, in case the security breach is known first by the data processor and not the controller, the data processor must inform the data controller immediately.

7. REGISTRATION WITH AUTHORITY

Data controllers must register, with the URCDP, the existence of all databases they manage. This registry is made via an online registry (only available in Spanish here) provided by the URCDP.

8. APPOINTMENT OF A SECURITY OFFICER

Not applicable, but it is recommended.

In addition, Law No. 19.670 provides that certain entities, such as public entities, private entities owned by the Government, and private entities whose core activity is the processing of sensitive data or that manage large amounts of data (defined in the 2020 Decree as the managing of data of over 35,000 people), must appoint a data protection officer ('DPO’).

Following GDPR provisions, the DPO shall be responsible for:

• formulating, designing, and implementing data protection policies;
• monitoring the compliance with local legislation and regulation; and
• serving as a link with the URCDP.

For this purpose, the URCDP has created an online registry for the recording of DPOs.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial services

There are no specific regulations regarding cybersecurity in the financial sector. However, under BCU Circular No. 2.112 (only available to download in Spanish here) ('Circular No. 2.112'), with regards to the safeguarding of information financial institutions handle, technology must satisfy the requirements of availability, integrity, confidentiality, authenticity, and reliability. Circular No. 2.112 outlines the following:

• 'availability' means that the people authorised to access the information may do so in due form and time;
• 'integrity' means that all transactions are duly backed and with no possibility of alteration;
• 'confidentiality' refers to the fact that critical or sensitive information must be protected in order to prevent any unauthorised access;
• 'authenticity' implies that the data and information must be introduced to the registers by authenticated users; and
• 'reliability' is met whenever the information represents in an exact manner all the information that arises from the vouchers that have information about the transactions.

Health

Decree No. 242/017 Regulating Article 466 of Law 19.355 Relating to the Mechanisms of Exchange of Clinical Information for Care Purposes through the National Electronic Clinical History System (only available in Spanish here) refers to electronic medical records, and states that all access to the electronic medical records must be duly registered and available. The information therein shall not be altered nor erased without said modification being registered.

Telecommunications

Requirements for telecommunication operators and providers have a threefold dimension:

• to maintain adequate levels of security and confidentiality, by adopting appropriate technical and management measures that guarantee security in the operation of the network or the service;
• to inform subscribers about possible risks or measures to adopt, through contractual or warning clauses preventing about the risks of a possible breach of electronic communications, and informing the measures to adopt; and
• to comply with the provisions set forth in the data protection regulation.

Employment

There are no specific regulations regarding cybersecurity for employees.

Education

There are no specific regulations regarding cybersecurity in the educational sector.

Insurance

There are no specific regulations regarding cybersecurity in the insurance sector.

10. PENALTIES

There are no specific penalties for non-compliance with cybersecurity issues, as Uruguay does not have a comprehensive regulation on this matter. However, and in accordance with the data protection regulation, whenever there is non-compliance with the Law (for example, not notifying in due form any data breach incident as stated in section 3.2. above), the following penalties may be imposed, depending on the entity of the violation (Article 35 of the Law):

• warnings;
• fines; and/or
• suspension of a database and/or the closure of a database.

It must be noted that the aforementioned administrative penalties are applicable in case of non-compliance with any of the provisions stated in the Law.

11. OTHER AREAS OF INTEREST

Not applicable.

Maite Gaynicotche Associate
[email protected]
Dentons Jiménez de Aréchaga, Montevideo