Even though many Latin American and Caribbean countries constitutionally protect personal data and information, they are behind when it comes to actually putting cybersecurity plans into play, according to a new study.

Four out of five countries in Latin America and the Caribbean (LAC) lack a cybersecurity strategy and plan to protect critical infrastructure in the event of a cyberattack, according an Inter-American Development Bank (IDB) and Organization of American States (OAS) study released March 14.

The “2016 Cybersecurity Report: Are we Ready in Latin America and the Caribbean?” includes separate chapters for 32 countries in the region. It provides an overview of the interplay between cybersecurity and fundamental rights—specifically, the rights to privacy and personal data protection.

A right to privacy is established in Article 11 of the OAS treaty, of which all 32 countries studied are members.

Even though there has been a trend toward regulating online privacy and personal data, and 70 percent of LAC countries had data protection covered in their constitutions as of 2014, data retention laws have become more prevalent. Moreover, stored data can be obtained without a court order in such countries as Mexico and Paraguay.

The study warns against unrestricted personal data collection. It calls for a prohibition on bulk data collection, and says any personal data collection “for investigative purposes should be limited to what is necessary for the prevention of a real danger or the suppression of a specific criminal offense.”

Without proper limits, data retention laws could threaten the fundamental rights of Internet users, the study says. Such laws also constitute a costly regulatory burden for small- and medium-sized businesses.

In light of the trends spotted in the study, the OAS and IDB offer three recommendations to protect Internet users’ fundamental rights: (1) define and enforce privacy and data protection regulatory frameworks that appropriately balance the rights of Internet users with compliance burdens; (2) create national, sustainable multi-stakeholder platforms to review the implications of new regulations and offer technical advice; and (3) strengthen cooperation among national governments, and regional and global organizations.

On a the bright side, the study views multi-stakeholder cooperation as a positive trend throughout LAC, and points to the spread throughout the region of Computer Security Incident Response Teams (CSIRTs) as an example.  Hopefully, these national CSIRTs will exchange best practices to lay the groundwork for the digital economy and e-governance, despite current cybersecurity shortfalls. 

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.