Upcoming panel discussion in Miami on September 12th: To what extent can technology reduce risks in construction projects in US and Latin America?

SCL flyer Sept 12 event

Image | Posted on by | Tagged , , , , , | Leave a comment

Upcoming Women in (Re)Insurance event in Miami on August 27th 2019

women in reins aug 2019

Image | Posted on by | Tagged , , | Leave a comment

An overview of cyber legislation in Latin America

Computer source code programmer script developer.

A year ago, the Governor of California signed the California Consumer Privacy Act of 2018 into law. Known as the first comprehensive privacy regime in the United States, the Act imposes on businesses significant privacy obligations, creates a number of privacy rights, and provides for enforcement both through private right of action and regulatory enforcement.

Just a few weeks earlier, on 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) became enforceable. Under the GDPR, which aims to give European citizens and residents control over their personal data and to simplify the regulatory environment, a processor of personal data, amongst other obligations, must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EU.

These landmark pieces of legislation are indicative of a growing concern, around the world, for one’s personal information, who has access to it, and how it is protected. The widespread outrage to recent data protection scandals such as Cambridge Analytica, which compromised the data of millions of Facebook users in the US, Europe, and the UK, further punctuate this concern.

This preoccupation with personal data security has extended to Latin America, where legislation is emerging to address these concerns. In 2016, the Inter-American Development Bank issued a report putting the cost of cybercrime in Latin America at approximately US$90 billion per year. The report also found that the region in general suffers from a low level of public awareness when it comes to cybercrime and data security; furthermore, many jurisdictions have no legislation in place to force private firms to disclose if they have been victim to cyber-attacks.

The purpose of this article is to provide an overview of the current legislative framework in the region, focusing on the region’s biggest jurisdictions. We will focus on the following key questions:
1 Who are the data protection authorities?
2 Is data breach a defined, legal term?
3 What are the data breach notification requirements, if any?


Per the Ley de Protección de Datos Personales (Ley 25.326/2000), the relevant data protection authority in Argentina is the Dirección Nacional de Protección de Datos Personales.

While Argentinian legislation does not define data breach per se, there are several examples of breaches detailed and regulated in the law. Data breaches are also further categorized as light breach, serious breach, and very serious breach.

In terms of notification requirements, there is no requirement to notify the data owner of a personal data breach. However, current legislation is being proposed to make it obligatory to notify both the Dirección Nacional de Protección de Datos Personales and the owner of the compromised data.


On 14 August 2018, the Brazilian Congress passed a bill related to personal data protection and its corresponding law, Law 13.709, was subsequently approved. This law is enforceable 18 months after its approval—February 2020.

Taking lessons from the GDPR, the law defines personal data, sensitive personal data, anonymous data, database, owner of the data; controller; operator (processor), etc. However, some provisions must be complemented by additional laws/regulations that are still in their early stages of growth. For example, the breach report communication and the methodology of the administrative sanctions require further regulations.

Regarding the relevant data protection authority, the original text of the bill established the creation of a specific authority, reporting to the Ministry of Justice. However, the Brazilian President removed this provision from the final wording of the law. Until it is determined whether a specific regulatory agency or administrative body will be created, the Brazilian Public Prosecutor, the Ministry of Justice and the Consumer Protection Authorities are the entities responsible for commencing/conducting any proceedings concerning the breach of Law 13.709.

While Law 13.709 does not define personal data breach specifically, it defines personal data as information related to a person’s identity and further defines sensitive personal data as information related to a person’s race or ethnicity, religious convictions, political opinions, health and sexual life, and genetic or biometric data.

Finally, in the case of a data breach, the data controller must report the incident to both the relevant authorities and the affected individual. The communication must be made within a reasonable time and must at least inform: i) the personal data affected by the breach; ii) a description of the technical and security processes used to protect the personal data; iii) the risks concerning the breach; and iv) the steps adopted to mitigate the breach.


Chile’s Law 19.628/2011 establishes some data privacy regulations; however, this law applies only to public entities. While the Council for Transparency handles compliance with Law 19.628, there is no regulatory authority that monitors compliance with data privacy laws by the private sector.

Law 19.628 does not define data breach; however, it defines personal data as information relating to a natural person’s identity. It further defines sensitive data as personal data that refers to a natural person’s physical or moral characteristics or facts or circumstances of their private or intimate life, such as data relating to a person’s habits, race, ideologies, political opinions, religious beliefs, physical and mental health, and sexual life.

In terms of notification requirements, there is no requirement to notify the data owner of a personal data breach.


Per Colombia’s Law 1581/2012, the Superintendencia de Industria y Comércio is the relevant data protection authority. However, with respect to financial data and financial entities, the relevant authority is the Superintendencia Financiera.

While Law 1581/2012 does not establish a legal definition of data breach itself, there are established principles and obligations that should be followed in order to avoid allegations of non-compliance with Law 1581/2012.

Notification of a data breach should be addressed to the Superintendencia de Industria y Comercio, but there is no obligation to notify the data owner.


Mexico’s Ley Federal de Protección de Datos Personales en Posesión de Particulares (LFPDPPP), passed in 2010, establishes the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales as Mexico’s data protection authority.

Mexico is one of the few countries in Latin America that has a specific legal definition for data breach: “any damage, theft, loss, alteration, modification, destruction or unauthorized use, copy, access or processing of personal data” (Article 63 of the LFPDPPP).

Mexico is also one of the few countries that requires owners of data that has been compromised to be notified of such. The LFPDPPP requires that “any breach that significantly damages pecuniary or non-pecuniary rights must be notified to the owners of the data immediately, once the data holder/controller confirms the breach and takes actions to begin an exhaustive investigation process to determine the breach’s magnitude, so that the data owners can take measures accordingly” (Article 20 of the LFPDPPP). The notification must inform: i) The nature of the breach; ii) the compromised personal data; iii) recommended measures to protect the data owner’s interests; iv) the corrective measures that immediately took place; and v) the means by which the owner of the data can get more information on the breach (Article 65 of the LFPDPPP).


We conclude our journey through the region’s legislative framework in Peru. Law 29733/2013 establishes the Autoridad Nacional de Proteccion de Datos Personales, a part of the Ministry of Justice, as the data protection regulator.

Law 29733 does not define data breach; however, non-performance of the principle and obligations established under Law 29733 is considered a breach per se.

In terms of notification requirements, there is no requirement to notify the data owner of a personal data breach.


As can be seen from our legislative overview, while cybersecurity and data privacy legislation is still nascent in Latin America, concern and interest is growing. As has usually been the case in the past, and as demonstrated by Brazil, we believe those jurisdictions whose current legislation is lacking will quickly take cues from the GDPR, cybersecurity legislation in the United States, and more sophisticated jurisdictions in Latin America. Development will be quick; and with development comes risk that will have to be properly addressed by (re)insurance carriers throughout the region.

Authors: Alex Guillamont, Head of Latin America and Caribbean at Kennedys and Javier Vijil, Associate at Kennedys’ regional hub in Miami.

Posted in cyber, Cyber Risks in Latin America, Other | Tagged , , | Leave a comment

Risky business: the increase in US securities class action originating from Latin America

Tightrope walker concept of risk taking and challenge

Over the past 10 years, there has been a record increase in the filing of securities litigation against foreign companies that issue securities in the United States, most commonly via American Depository Receipts (ADRs). Between 2014 and 2018, 202 cases against foreign companies were filed in the United States, representing a 41% increase in filings, with nearly every region experiencing a major jump in the number of suits. 26 of these cases have specifically been filed against Latin American companies.[1]

In a correlated manner, the average settlement value of these actions has also increased at an astonishing rate over the past five years. From 2014 to 2019, total settlements increased 581% from US$657 million (2008-2014) to US$4.5 billion (2014-2018). The average settlement value for actions brought in Latin America is US$16.8 million; however, it is worth noting that there is an outlier — the settlement value entered into by Petrobras in the action arising out of the Lava Jato scandal, valued at US$3.3 billion.[2]

Our experience corroborates these findings, having seen more and more US securities actions filed against our clients’ insureds in Latin America. As an example, in addition to the Petrobras class action mentioned above, over the past years, we have dealt with US securities actions filed against Argentina’s largest real estate company, Peru’s largest construction company, and a Brazilian mining giant.

Given the increased prevalence, and potential exposure, arising out of US class actions filed against Latin American companies, we believe it would be useful to provide a brief overview of the most common type of securities action filed against Latin American companies in the United States, Section 10b-5 actions brought under the 1934 Securities Exchange Act, and a common problem (re)insurers face in adjusting these claims in the context of D&O (re)insurance and these policies’ willful misconduct exclusion.

The United States Congress enacted the 1934 Securities Exchange Act in response to the stock market crash of 1929 and the resulting Great Depression. The key provision of the Securities Exchange Act is Section 10(b), which, along with Security Exchange Commission (SEC) Rule 10b-5(b) promulgated thereunder, broadly prohibits deception, misrepresentation, and fraud “in connection with the purchase or sale of any security” based on any public corporate statement. Specifically, Rule 10b-5 prohibits the use of any “device, scheme, or artifice to defraud,” and creates liability for any misstatement or omission of a material fact, or one that investors would think was important to their decision to buy or sell a security.

Claims brought under Section 10(b) of the Securities Exchange Act are subject to a heightened pleading standard. Specifically the Second Circuit, which is the judicial circuit encompassing New York City where the vast majority of these actions are filed, has found that in order to succeed under these provisions, a plaintiff bears the burden to prove that (1) the defendant made a material misrepresentation or omission; (2) with scienter; (3) a connection between the material misrepresentation or omission and the purchase or sale of a security; (4) reliance by the plaintiffs on the alleged material misrepresentation or omission; (5) economic loss suffered by the plaintiffs; and (6) loss causation.[3]

A particularly interesting discussion can be had on the scienter requirement in 10b-5 claims and its relation to the willful misconduct exclusions typically found in D&O policies. Black’s Law Dictionary defines scienter as “a mental state consisting in an intent to deceive, manipulate, or defraud. In this sense, the term is used most often in the context of securities fraud.” Thus, scienter is a term comparable to the concept of dolo in Latin American jurisdictions.

Furthermore, in the Second Circuit, “a strong inference of scienter can be established by alleging facts either ‘(1) showing that the defendants had both motive and opportunity to commit the [alleged] fraud or (2) constituting strong circumstantial evidence of conscious misbehavior or recklessness.’”[4] Further backing this jurisprudence, the US Supreme Court has found that “every Court of Appeals that has considered the issue has held that a plaintiff may meet the scienter requirement by showing that the defendant acted intentionally or recklessly.”[5]

At the same time, recklessness is defined as “conduct whereby the actor does not desire harmful consequence but nonetheless foresees the possibility and consciously takes the risk; gross negligence; recklessness involves a greater degree of fault than negligence but a lesser degree than intentional wrongdoing.” As such, recklessness is a term comparable to the concept of culpa grave in Latin American jurisdictions.

Therefore, a guilty verdict in a 10b-5 action necessarily has the effect of triggering the willful misconduct exclusions typically found in D&O (re)insurance policies, which have the effect of precluding coverage for claims arising out of an insured’s intentional misconduct or gross negligence.

This leads to a scenario where (re)insurers and their insureds have conflicting interests in the litigation, with the (re)insurers potentially wishing to see litigation through to the end to assure that any potential indemnities are properly paid and with the insured, understandably, wishing to settle the matter to save themselves time, money, and the threat of an adverse judgment. However, it must be noted that because willful misconduct exclusions may only be applied once a final judgment confirming the insured’s guilt is rendered, (re)insurers must continue advancing defense costs to the insured. These defense costs also play an important equation in the decision of whether to settle a case or not, as they are quite costly—running an average, in our experience, of approximately US$20 million through trial.

Given the above, it is not only necessary for (re)insurers to conduct an intricate cost-benefit analysis when presented with a US securities claim in order to determine the strategy they wish to pursue in terms of defending or settling the action, but it is also important for underwriters to reconsider their pricing models for D&O (re)insurance policies issued to Latin American entities with exposure to the US securities market, especially when considering the current trend of US securities litigation against foreign companies becoming not just more prevalent, but more expensive as well.

This topic made for a lively discussion at this year’s annual Miami Latin American Claims (Re)Insurance Forum, where industry leaders gathered to give their perspectives on this notable trend. A particularly interesting point was raised regarding expert discovery. Usually, experts’ reports on damages, which are key to engaging in settlement negotiations, occur after fact discovery is completed, which in turn is a costly and time-consuming part of litigation. However, this extra expense could be avoided, and settlements could potentially be entered into quicker, if expert’s damages reports were set to be produced after fact discovery.

Find out more about the other topics discussed at this year’s Miami Latin American Claims (Re)Insurance Forum.

1 Why D&O Costs Are Soaring for Foreign Filers
2 Ibid.
3 GAMCO Inv’rs, Inc. v. Vivendi Universal, S.A., 838 F.3d 214, 217 (2d Cir. 2016).
4 In re Bear Stearns, Inc. Securities, Derivative, and ERISA Litigation, 763 F.Supp.2d 423 (S.D.N.Y.2011).
5 Tellabs, Inc. v. Makor Issues & Rights Ltd., 551 U.S. 308, 319 (2007).

Authors: Alex Guillamont, Head of Latin America and Caribbean and Javier Vijil, Associate at Kennedys’ regional hub in Miami.

Posted in (re) Insurance articles Latin America, Other | Tagged , , , | Leave a comment

Are the recent deaths in the Dominican Republic a threat for future recovery actions?


The Dominican Republic is the second-largest Caribbean nation by area with approximately 10 million inhabitants, of whom approximately three million live in the metropolitan area of Santo Domingo, the capital city. The island is famous for its beaches, resorts, golf courses, hotels and for its friendly service.

However, during 2019, a series of deaths (at least twelve American tourists) have happened in different hotels and resorts, triggering alarms in an economy where last year, the tourism industry raised USD 7.6 billion, which represents over 17% of country’s GDP.

Although, online travel insurance companies have confirmed that these deaths have not affected travel interests in the Caribbean country, considering the impact that this kind of event can provoke in the insurance industry, we would like to give you a “sneak peek” on how the legal system works, as well as recovery actions against hotels, tour operators and third parties.

How the legal system works in the Dominican Republic?
The Dominican Judicial Branch is composed of three instances:

1. First Instance Courts sees all matters that are not attributed by law to another court and other matters expressly attributed to them by law;
2. The Second Instance Courts or Appeal Courts attends to the appeals against first instance judgements and other matters expressly attributed to them by law; and
3. The Supreme Court of Justice has the power to hear and rule on cassations filed for Civil, Commercial, Criminal, Labor and other matters.

The majority of actions in the Dominican Republic, which need to be filed within 2 years from the date of the loss or damage, go through the three instances, which usually take between 3 to 5 years in total.

The relationship between the hotels and their guests is considered contractual, commencing at the time the guest pays for their reservation directly to the hotel. When the reservation is made through a tour operator and/or third parties, although the contractual relationship is between the guest and the tour operator who would be sued if the guest files a complaint even when the hotel is responsible for the damages, the claimant may also file a claim directly against the hotel due to the hotel’s obligation to ensure the safety and well-being of its guests.

Most of the suits involving hotels are usually related to falls or accidents that occur in the facilities, such as drowning in the pools and some illnesses. In these claims, the plaintiff, on whom the burden of proof lies, must show that the accident or fall was caused by some damage in the area, such as a wet floor, a staircase whose steps have faults, etc. In cases that involve illnesses, the plaintiff also needs to exhibit a toxicological report showing that the disease is the consequence of the consumption of decomposed food or an adulterated drink. The lack of this evidence during trial can lead to a non-favorable judgement.

In regards to jurisprudence, despite the fact that Dominican law is governed by codes (Civil, Commercial, Criminal, etc.), case law exists in which the Supreme Court recognizes that the civil liability derived from defective products (i.e. rotten food, damaged equipment, use of non-approved pesticides) is not limited to the hotel but includes all of the people involved in the manufacturing process.

Is a recovery action possible in the Dominican Republic?
First of all, the plaintiff has to demonstrate the existence of the damage and/or the responsibility (or lack of it) of the defendant to present the case in court.

For any recovery action to be executed in the Dominican Republic, including those cases in which tour operators and/or third parties are involved, there must be:

– A final judgment recognizing the damage and ordering certain compensation;
– That the payment ordered by the court to the person who suffered the damage has been executed and;
– That the person responsible for the damage is solvent.

For those who may have interest in claims filed in the Dominican Republic, we can state that generally speaking, the chances of a successful recovery is 50/50. However, if all three requirements above mentioned are present, the chances of a successful recovery increase exponentially.

Authors: Alex Guillamont, Head of Latin America and Caribbean at Kennedys, Carlos Álvarez, lead partner of Kennedys’ associate office in the Dominican Republic, and Daniel Padrón, Associate of Kennedys in Miami.

Posted in (re) Insurance articles Latin America, Other, recovery action | Tagged , , , | Leave a comment

Day 3: 2019 Miami Latin American Claims (Re)Insurance Forum

This gallery contains 43 photos.

Gallery | Tagged , , , , , , | Leave a comment

Day 2: 2019 Miami Latin American Claims (Re)Insurance Forum

This gallery contains 45 photos.

Gallery | Tagged , , , , , , , , | Leave a comment