Last year, the CPFs (Brazilian taxpayer numbers) of 223 million living and deceased people leaked, raising great concern about their use for scams and crimes. Now, in 2021, another leak of gigantic proportions has surfaced: the records of more than 100 million cell phone accounts were exposed, including data belonging to public officials. Every day brings more news of data being traded, which shows how vulnerable the privacy of Brazilians in general is. In this scenario, how is it possible to guarantee the effectiveness of the General Data Protection Law (LGPD), which was sanctioned with the objective of increasing the privacy of personal data and the power of regulators to inspect organizations? To understand the law and how it relates to these mega-leaks, TI Safe News interviewed Ana Paula de Moraes, a lawyer specializing in Digital Law and a founding partner of Moraes Advocacia. Check out:
TI Safe News - What is the harmful potential of data leakage?
Ana Paula de Moraes - The occurrence of a data leak can cause a major economic crisis, since it affects the reputation of the leaked company in the market and with customers, who lose their trust because the company has not guaranteed the legal security of the information; the company can even face claims for compensation from investors. When a data leak occurs, sensitive information is made public, causing damage to the data subject. Most of the time, the incident occurs because attackers find loopholes in digital security. Once in possession of this information, cyber criminals can use it to expose the flaws. In this sense, more than ever, companies need to have their technological environments very well prepared and compliant with the terms of the law.
TI Safe News - Didn't the recent leaks take LGPD's strength and credibility away?
Ana Paula de Moraes - In spite of the recent digital incidents, whose magnitude damages the rights of the individual, given the amount of personal data exposed and the risks of the most varied kinds generated for citizens, ranging from identity fraud and credit fraud to possibly crimes such as theft and kidnapping, I do not understand that the LGPD loses strength or has its credibility affected. In my opinion, even though data leaks are more and more frequent in Brazil, with great repercussions for companies, we must understand that the country has evolved to the extent that it now has specific legislation dealing with the protection of the personal data of Brazilian citizens. It also already has within its framework an institution such as the National Data Protection Authority (ANPD), which is already structured and has an obligation to ensure the application of the LGPD. The ANPD has attributions related to the protection of personal data and privacy and, above all, it must inspect and audit entities that process data in order to investigate possible violations.
In addition, we must not forget that Brazil still has other bodies for the defense of consumer rights that can act in cases such as mega-leaks, such as the Public Prosecutor's Office of the Federal District and Territories, which, through its Special Unit for Data Protection and Artificial Intelligence (ESPEC), can work together with the ANPD, supporting the investigation of any incident. In the case of the mega-leaks, the ANPD has already taken the appropriate measures to investigate the respective incidents.
TI Safe News - How does LGPD act on data leakage?
Ana Paula de Moraes - Considering that the LGPD is a great regulatory umbrella, in which all the duties and rights of private organizations, public institutions and citizens are described when it comes to the protection of personal and sensitive data, the legislation determines in its article 46 that the processing agents (Controller and Operator) must adopt all the necessary security measures, not only technical but also administrative, that aim to protect personal data from unauthorized access, that is, to protect against a hacker attack that would lead to the leakage of personal data, and also from circumstances, whether accidental or illicit, that cause the destruction, loss, alteration, communication or any form of improper or illicit processing.
Thus, in the event of a data leak or an accidental or unlawful circumstance, the Controller must immediately inform the national authority and the data subject of the occurrence of a security incident that may result in significant risk or damage to the data subjects.
In this sense, the data operator is jointly liable with the controller (CNPJ) in the event of a leak. However, joint and several liability ceases to apply in cases where the operator fails to comply with clear orders and determinations from the controller, who makes the decisions about processing.
Therefore, the LGPD determines that, in addition to having to compensate the data subject for the damage caused by the leak, they are also administratively liable, with the penalty applied by the National Data Protection Authority.
TI Safe News - According to the LGPD, if the company is the victim of a data leak, will it be responsible?
Ana Paula de Moraes - According to the rules of the LGPD, which came into force in 2020 and to which all public and private companies in the world, online or offline, are subject, in the event of a data leak, regardless of its proportion, full responsibility lies with the company that stores the data. This is because, according to the legislation, it is up to each public or private company to carry out all risk mitigations that aim to protect its systems against cyber attacks. The LGPD also determines that any company that fails to comply with the legislation may suffer administrative penalties, including daily fines limited to R$ 50 million, which may reach up to 2% of its annual revenue. These fines, however, can only be applied as of August 2021. The company will not be liable for a data leak only if it is able to prove, under the terms of the legislation itself, that: it did not carry out the processing of personal data; that, even though it processed personal data, there was no violation of data protection legislation on its part; or that the damage is the sole fault of the data subject or of third parties.
As the LGPD requires all companies to guarantee the security of citizens' data and personal information, they need to invest in cybersecurity systems.