Latin America Advisor

A Daily Publication of The Dialogue

How Seriously Is Latin America Taking Cybercrime?


Q: U.S. retailer Target acknowledged in March that it missed early signs of the security breach that eventually compromised 40 million credit- and debit-card accounts and the personal information of as many as 70 million customers late last year. To what extent are banks, retailers and credit-card companies in Latin America exposed to liabilities relating to financial cybercrime? As the usage of payment cards and online shopping increases in Latin America, will regulators in the region impose tighter rules on financial services companies and retailers? How costly will compliance with anti-fraud measures become for banks and other credit-card issuers in the region?

A: Thomas Morante and Steven B. Roosa, partners at Holland & Knight: "Latin America is considered somewhat behind the curve on cyber-preparedness, although support is growing for regulation and cyber laws have been adopted in several countries, including Argentina, Brazil, Colombia, Mexico and Peru. In addition, the Organization of American States has developed a cyber security program to support the OAS Comprehensive Inter-American Strategy to Combat Threats to Cyber Security. Because cybertheft is a global phenomenon where the attackers know no borders, the recent experience of U.S. retailers paints a useful picture of what the industry in Latin America faces. Retailers and other consumer-oriented businesses confront an enemy that: (1) conducts extensive reconnaissance, (2) takes advantage of multiple vulnerabilities in a system—such as in the Target case, where back-end servers and point-of-sale devices were compromised, and (3) is skilled at exfiltrating large amounts of data from organizations while bypassing monitoring systems. The cost of compromise is large, including lost customer goodwill, data-breach lawsuits by consumers, and the cost of indemnifying companies affected by the breach of one's systems. Latin American governments are aware of these threats—with incidents of malware, spam, malicious Web site hosting and online banking theft on the rise. Playing defense has its costs: paying for implementation and operation of defensive systems, patching vulnerabilities and hiring information security professionals. Given the advantage that cyber thieves have, the quality of the attackers and the difficulty of mounting defensive measures, cyber woes will continue even if additional steps are taken in Latin America to strengthen defenses including enhancing cyber liability insurance against privacy breach and cyber attacks. This first- and third-party coverage is becoming more widely available, affording protection for fraud and theft, forensic investigation, business interruption, extortion, computer data loss and restoration, costs of litigation/regulatory response, and notification to customers."

A: Wally Swain, senior vice president for emerging markets at The Yankee Group in Bogotá: "With an unfortunate tradition of fraud, money laundering and organized crime in many countries, Latin American banks and bank regulators are typically obsessed with security. This has, in fact, slowed the development of online and especially mobile banking and payments solutions. Sometimes they impose layers of physical security on top of online transactions. My leading Colombian bank requires that I physically go to a bank branch to validate a new payee. But sometimes security technology is available but not used. I have an EMV (chip) credit card, but I am not required to use the PIN. PIN codes are only used with EMV debit cards. Surveys show that Latin American consumers are surprisingly unaware of the need for data security. With consumers unaware and banks either applying inappropriate technologies or not applying available technologies, the region is ripe for a major scandal."

A: Marta Colomar-Garcia, associate attorney and Albert Xiques, senior paralegal at Diaz, Reus & Targ: "The level of Internet use in Latin America has grown over the past decade. As a result, Latin America is increasingly becoming a cybercrime target. Online banking theft and hacking attacks tend to be the most common cyber liability risk in Latin America. Cyber liability cases regularly dominate headlines across Latin America. When a network security or data breach occurs, repercussions include liability, fines and penalties, and damage to the company's reputation. Most cases of cyber liability end with embarrassment, apologies, job terminations and loss of clients. However, victims have gone further by demanding compensation for damages or for reputational damage. Due to the increasing cybercrime in Latin America, the legal environment regarding privacy is evolving rapidly. The majority of countries are enacting data protection laws. Some countries like Brazil approach cyber-risks as a national security issue; others like Colombia focus on the economic impact of those risks. However, the Latin American legal landscape can vary considerably from one country to another. Most countries in the region are fostering partnerships among governments and with private businesses to act together and coordinate their approach to cyber-risks. Unfortunately, there is still a lack of legal uniformity, and companies should be aware of how the laws differ from one country to another. Although many governments have passed information security laws related to cyber data, companies cannot rely on government guidance for cyber security risks. If a cyberattack causes damage to a third party, the company could face liability or at least a claim. Given the costs of investigations, potential for fines, penalties and reputational costs, finding ways to set the proper tone and be proactive in deterring cyberattacks should be a top priority for corporations."

This Q&A was published in a special technology edition of the Dialogue's Latin America Advisor. The complete edition is available for download below.
