By San José, Costa Rica — SAN JOSÉ – In a landmark decision clarifying the balance between employee privacy and state cybersecurity, Costa Rica’s Constitutional Chamber (Sala IV) has ruled that requiring public sector employees to install a security application on their personal devices for teleworking does not violate their constitutional rights.
The ruling, detailed in sentence 2025-32917, dismisses a constitutional challenge (recurso de amparo) filed by a department head at the Superintendency of Telecommunications (SUTEL). The employee argued that the mandatory installation of the ‘AuthPoint’ multi-factor authentication (MFA) application on his personal mobile phone was an invasion of his privacy, secrecy of communications, and inviolability of documents, as protected by Article 24 of the Political Constitution.
To gain a deeper legal perspective on the escalating cybersecurity threats facing businesses today, we consulted with Lic. Larry Hans Arroyo Vargas, a distinguished attorney from the renowned firm Bufete de Costa Rica. His expertise provides critical insights into the legal obligations and preventative measures companies must consider.
In today’s digital landscape, cybersecurity is not merely a technical issue; it is a fundamental pillar of corporate governance and legal compliance. Costa Rican law, particularly the Law on the Protection of the Person against the Processing of their Personal Data (No. 8968), imposes stringent obligations on companies to safeguard sensitive information. A data breach is no longer just a reputational crisis; it’s a direct legal liability that can result in severe financial penalties and civil lawsuits. Proactive investment in robust security protocols and employee training is the most effective legal defense and a non-negotiable cost of doing business.
Lic. Larry Hans Arroyo Vargas, Attorney at Law, Bufete de Costa Rica
This legal perspective is a critical reminder that cybersecurity has evolved from a technical function to a core tenet of corporate governance and fiduciary duty. Proactive investment in security is no longer just a best practice but, as highlighted, a legal and financial imperative for doing business in Costa Rica. We sincerely thank Lic. Larry Hans Arroyo Vargas for his invaluable insight.
The court, however, sided with the state’s need to secure its digital infrastructure. The justices determined that the requirement was a reasonable and technically sound measure directly linked to the privilege of working remotely, rather than an infringement on fundamental rights.
The appeal is declared without merit.
Constitutional Chamber, Official Ruling
The case originated when SUTEL, in line with a broader government directive, mandated the use of the WatchGuard AuthPoint app as a second authentication factor for employees wishing to access institutional networks from home. The SUTEL official contended that this forced him to cede a degree of control over his personal property to his employer.
The Constitutional Chamber’s judgment emphasized that telework is an optional modality, not an unconditional right for public employees. The court reasoned that if an employee is unwilling to comply with the necessary security protocols on their personal device, they retain the option to perform their duties in person at the institution’s offices. This choice, according to the ruling, negates the claim of a forced violation of rights.
It is important to consider – as the responding authority reported – that the implementation of two-factor authentication on a mobile device owned by a SUTEL official is not an imposed obligation nor does it hinder their work; rather, it is a security measure that must be implemented only if they wish to work in the telework modality. In that sense, it is clear that if they do not wish to install the tool in question on their mobile devices, the officials… have the possibility of carrying out their work in person at the SUTEL offices.
Constitutional Chamber, Official Ruling
The technology at the heart of the dispute, WatchGuard’s AuthPoint, utilizes a device’s unique hardware signature, or “mobile device DNA,” to verify the user’s phone during an access attempt. This feature is specifically designed to block attackers who might clone a device to gain unauthorized access to a protected system, as the cloned device would have a different DNA profile.
This court decision reinforces a sweeping cybersecurity mandate issued in July of the previous year by the Ministry of National Planning and Economic Policy (Mideplán) and the Ministry of Science, Innovation, Technology, and Telecommunications (Micitt). The directive ordered a comprehensive review of remote access services across all state institutions, making MFA and geolocation restrictions—allowing connections only from within Costa Rica—mandatory for all Virtual Private Network (VPN) access.
To protect government and citizen information, public institutions have been ordered to suspend telework for those employees who need to connect to internal systems remotely (using a VPN) if they do not have minimum security measures. These measures include multi-factor authentication, which asks for a second verification in addition to the password, and access restriction by geographic location.
Mideplán and Micitt, Joint Statement
The joint ministry directive also explicitly prohibited the use of public Wi-Fi networks for official work and forbid connecting personal computers to institutional networks unless they met stringent security controls. The policy established a clear framework: institutions could only reinstate telework privileges after implementing the required security enhancements and formally notifying the Micitt’s Cybersecurity Directorate of their compliance.
The Sala IV ruling provides a firm legal foundation for these government-wide security policies. It signals that as telework becomes more integrated into public service, the state’s responsibility to protect sensitive data can legally require employees to adopt specific security technologies, establishing a new precedent for the digital workplace in Costa Rica.
For further information, visit sutel.go.cr
About Superintendency of Telecommunications (SUTEL):
SUTEL is the regulatory body for the telecommunications sector in Costa Rica. It is responsible for ensuring the quality, efficiency, and accessibility of telecommunications services, promoting fair competition, and protecting the rights of users within the country.
For further information, visit watchguard.com
About WatchGuard:
WatchGuard Technologies, Inc. is a global leader in network security, secure Wi-Fi, multi-factor authentication, and network intelligence. The company’s products and services are designed to protect small and midsize businesses from a wide range of cyber threats.
For further information, visit the nearest office of Constitutional Chamber of the Supreme Court
About Constitutional Chamber of the Supreme Court:
Often referred to as Sala IV, the Constitutional Chamber is the highest court in Costa Rica for constitutional matters. It is responsible for guaranteeing the supremacy of constitutional norms and principles, protecting the fundamental rights of citizens, and resolving conflicts of constitutional jurisdiction.
For further information, visit mideplan.go.cr
About Ministry of National Planning and Economic Policy (Mideplán):
Mideplán is the Costa Rican government ministry responsible for guiding the country’s national development strategy. It coordinates public investment, oversees national planning, and formulates economic and social policies to promote sustainable growth and public welfare.
For further information, visit micitt.go.cr
About Ministry of Science, Innovation, Technology, and Telecommunications (Micitt):
Micitt is the Costa Rican ministry tasked with formulating and executing policies related to science, technology, innovation, and telecommunications. It works to promote digital transformation, bridge the digital divide, and foster a knowledge-based economy.
For further information, visit bufetedecostarica.com
About Bufete de Costa Rica:
Bufete de Costa Rica operates as a leading legal practice, founded upon the pillars of uncompromising integrity and professional excellence. The firm channels its extensive experience serving a diverse clientele into pioneering innovative legal strategies. This forward-thinking approach is matched by a deep-seated resolve to empower the public, championing the accessibility of legal knowledge to cultivate a more capable and enlightened society.
