Data leaks, phishing, ransomware and viruses, among other terms, have become recurrent and much discussed in recent years. With the entry into force of the Brazilian General Personal Data Protection Law (Law No. 13.709/2018), also called the “LGPD”, on September 18, 2020, attention is focused mainly on the data of individuals and on the incidents that may involve these data.
Brazilian law has no precise definition of what specifically constitutes a personal data breach. Even so, international data protection law, mainly that of the European Union, has great influence. According to Article 4 of the General Data Protection Regulation, such a breach can be understood as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
One example is malware, that is, a malicious program, of which ransomware is one of the best-known kinds. Ransomware can be understood as malicious code that hijacks data: after it infects a computer, access to a company’s files can be blocked, for example, in order to demand a ransom for releasing that access. The topic causes great concern because, as reported by “Jornal Hoje”, in the case of the city of São Paulo, cybercrimes recorded in six months of this year exceeded the total of last year. Furthermore, studies revealed that 54% of the global organizations assessed admitted that their methods of assessing cyber risks are not sufficiently sophisticated, leaving them vulnerable to potential threats.
With an essentially preventive character, the LGPD determines that “the processing agents shall adopt security, technical and administrative measures that are capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, modification, communication or any other form of inappropriate or unlawful processing.” (Article 46, LGPD). This makes clear how important it is for those responsible for processing personal data to implement security measures. The consequences of underestimating the relevance of these measures can be extremely harmful to a company’s business and can result in financial and reputational losses. Above all, security measures help with business continuity, that is, they prevent unplanned interruption of the business or, if an interruption occurs, ensure that it resumes in a timely manner.
Finally, it should be noted that those responsible for the processing of personal data undertake to guarantee the information security provided for by the LGPD in relation to personal data, so that if the law is not complied with, such agents are liable to suffer administrative sanctions by the Brazilian National Data Protection Authority (“ANPD”), including a fine of up to 50 million reais.
For more information on how to keep your company in compliance with the LGPD, contact Peduti Advogados.
—
Author: Caroline Muniz, Junior Associate at Peduti Advogados.
Source: Mais da metade das empresas globais enfrentam exposição ao risco cibernético; Why global organisations are struggling to manage cyber risk; Artigo; GDPR.