In early September, Mexico’s data protection authority, the National Transparency, Information Access and Data Protection Institute (INAI), issued a fine of 32 million pesos (U.S. $1.95 million) to Mexican bank Grupo Financiero Banorte after the bank neglected to notify its customers that it had suffered a data breach.
The breach came about during an update to Banorte’s IT systems in late 2014 and early 2015 but was not detected until sometime later. Around 20,000 accounts are thought to have been compromised, including information of past customers which should have been deleted under Mexico’s privacy laws, but contradicting reports made by the bank make it unclear what was lost.
In Mexico, organisations that suffer a data breach must immediately notify their clients of the event. Banorte did notify the National Banking and Securities Commission (CNBV), as required under Mexican privacy laws, but then chose to inform only a number of premium customers rather than all individuals whose accounts were involved. The subsequent investigation by the CNBV found the bank in breach of data protection and privacy laws on two counts and a fine was applied.
The bank is expected to appeal the fine, the highest issued in Mexico so far this year, but whatever the final outcome, this breach is likely to have severe financial consequences for Banorte. Not only is it currently facing the 32 million pesos fine, but the bank has also come under substantial criticism for failing to have an effective privacy policy and adequate security breach procedures. The bank is expected to invest heavily to improve its data protection and privacy systems.
With further enforcement action expected this year and the INAI demonstrating a willingness to fine heavily, organisations processing data in Mexico should ensure they adopt sophisticated security methods or risk becoming the next organisation forced to deal with Mexico’s data protection enforcement authority.