ANPD regulates incident response and data leak reporting

On Friday, Resolution CD/ANPD No. 15/2024 was published, defining the Regulation for Reporting Security Incidents, which has some differences from what the ANPD itself had been practicing. The main differences are:

Establishment of a deadline of 3 (three) working days from knowledge of the incident for communication.

Clearer definition of the type of incident that should be reported.

Specification of the form and content of the communication to the data subjects.

Incidents must be evaluated and recorded, including those that are not reported.

Creation of procedures to deal with reported incidents and investigate unreported ones.

Since the publication of this Resolution, an incident must be reported when it simultaneously has the potential to harm fundamental interests or rights and affects either a large amount of data or a specific group of data described in Article 5, such as personal health data, data on minors or the elderly, financial data, sensitive data, passwords, among others.

More information and the full text of the Regulation can be found on the ANPD website: https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-aprova-o-regulamento-de-comunicacao-de-incidente-de-seguranca

Our specialized lawyers are on hand to help you apply the new rules, or to help you adjust your internal processes.