Data Breaches in Finance in Honduras: Vulnerabilities Exposed

Honduras, a country in Central America, has seen a surge in data breaches in the finance sector, leaving millions of citizens vulnerable to identity theft and financial fraud. The country’s lax regulations and lack of enforcement have created an environment conducive to data breaches.

Laws and Regulations: A Framework for Data Protection

While Honduras has laws in place that regulate personal data protection, such as the Law for Transparency and Access to Public Information (Decree 170-2006), these laws are not effectively enforced. The law defines sensitive personal data as including:

Personal characteristics: ethnic or racial origin, physical or moral characteristics
Contact information: home address, telephone number
Health status

Definitions: What Constitutes Public Personal Data

The Honduran government has defined public personal data under the Law of the Civil Registry (Article 109, Decree 62-2004) as including:

Identification information: names, surnames, ID number
Personal details: date of birth and death, gender, domicile, job or occupation, nationality, and civil status

Registered Entities: Who Must Comply with Regulations

Only obligated entities, such as:

Government institutions
NGOs
Entities that receive public funds
Trade unions with tax exemptions

must inform the Institute for Access to Public Information of their databases. However, this registration process is not mandatory, leaving many entities without proper oversight.

Individuals, companies, and obligated entities can collect personal data without consent in certain cases, including:

Statistical or scientific purposes
Between obligated entities
Ordered by a court

However, sensitive personal data requires explicit consent from the individual to whom the information relates.

Transfer of Data: Protection Against Unauthorized Use

Transferring, commercializing, selling, distributing, or providing access to personal data without express and direct written consent of the person to whom that data refers is prohibited, except in specific cases established by law.

Security Measures: Ensuring Data Protection

The Institute for Access to Public Information has the authority to require obligated entities to take necessary security measures for the protection of personal data. However, the current legislation does not clarify or specifically identify the security policies or mechanisms that obligated entities must comply with.

Enforcement: Protecting Citizens’ Rights

The Institute for Access to Public Information may receive complaints about abuses regarding the collection of personal or confidential data and impose corrective measures on those who disclose personal data without authorization.

Electronic Marketing and Online Privacy: A Regulatory Gap

There are no laws or regulations in Honduras that specifically regulate electronic marketing or online privacy, leaving citizens vulnerable to cyber threats.

As Honduras continues to face a growing number of data breaches in the finance sector, it is essential for the government to strengthen its regulations and enforcement mechanisms to protect citizens’ personal data.