Data leakage: what it is and the duty to notify it

Even when information security mechanisms are in place (a duty of processing agents under art. 46, caput, of Brazil's General Data Protection Law/LGPD), security incidents involving data may still occur. Data leakage may occur, for example, through ransomware attacks in which personal data is "hijacked" by encryption and access is only restored on payment to the malicious agent. Moreover, ransomware criminals have adopted a newer modality, often called double extortion: the installed malware first collects data and transmits it to the attackers, and only then encrypts the equipment locally. In this way, in addition to demanding payment to restore access to the encrypted equipment, the criminals also threaten to publish the stolen data, exposing the data subjects. Because the data has already left the organisation in this scenario, restoring systems from backup does not undo the leakage.

Although Brazil's General Data Protection Law (LGPD) contains no express definition of it, data leakage is a security incident that results in the accidental or unauthorized exposure of data to third parties. In the European Data Protection Board's classification of personal data breaches, data leakage is a breach of confidentiality (as opposed to a breach of integrity or of availability).

In such scenarios, the first step is to determine whether the leaked data contains personal data and, if so, whether the incident may cause significant risk or damage to the data subjects. If it may, the processing agents become subject to a legal obligation: the duty of communication.

The duty of communication (art. 48, caput, LGPD) to Brazil's National Data Protection Authority (Autoridade Nacional de Proteção de Dados/ANPD) carries a set of content requirements (art. 48, §1, LGPD), including a description of the nature of the personal data involved; the risks related to the incident; and the measures adopted to mitigate the effects of the leakage. The communication must take place within a reasonable period of time, one that still allows the ANPD to take action to protect the rights of the data subjects.

Although there is still no regulatory provision on what counts as a "reasonable period" for notification, the period adopted by the European Union's General Data Protection Regulation (GDPR) in its article 33(1) is 72 hours, with later notification permitted provided it is accompanied by the reasons for the delay. The LGPD likewise requires the communication to state the reasons for any delay when it was not immediate (art. 48, §1, V, LGPD).

For its part, the ANPD has already recommended notification within two working days of becoming aware of the incident; this recommendation is not binding, however.

For more information, please contact our Privacy and Data Protection team. Our specialists can also help your company implement security mechanisms for tighter control of access to data, and assist with the communication of incidents in the form instructed by Brazil's National Data Protection Authority.