Standard for triggering the obligation to communicate upon significant cyber incidents in public institutions

Authors

Abstract

Public institutions are constantly affected by cyber incidents capable of affecting critical infrastructure and the exercise of citizens’ rights. Informing citizens of every cyber incident would be unfeasible; therefore, a standard is proposed to decide in which cases a cyber incident in a public institution must be communicated to society, and how society should be made aware in order to comply with the right to information. For this reason, the Mexican legal framework regarding cybersecurity and the right to information is presented, sustaining the argument against considering public attribution of cyberattacks as a substitute for the obligation to inform society. Finally, emblematic cyber incidents in Mexican public institutions are analyzed according to the proposed standard.

Keywords:

cybersecurity, freedom of information, cyber incidents, public institutions, communications

Author Biography

Clara Luz Álvarez, Universidad Panamericana

Doctor of Law and Master of Legal Sciences from Universidad Panamericana, Master of Comparative Law from New York University, and Bachelor of Law from Universidad de las Américas Puebla. Professor at Universidad Panamericana (Mexico campus) and researcher in the Sistema Nacional de Investigadores of the Mexican Republic.