Mega-leak reinforces the urgency of disseminating a data protection culture
In Brazil, the news is the press release about a security incident
In the field of personal data protection, the recent news that drew the most attention in Brazil is the press release about a security incident that may have made public data on more than 220 million people, together with data associated with companies (CNPJ, corporate name, trade name, date of foundation) and vehicles (chassis, plate, model, year of manufacture, municipality of registration, fuel used).
Personal data includes, as announced, CPF, RG, full name, marital status, address, e-mail, date of birth, education, income and sensitive personal data, which together with information about companies and vehicles is reportedly being sold on the deep web. The risks of cyber crimes are high, since such data would allow the fraudulent procurement of products and services, as well as the conclusion of legal transactions using the identity of third parties, in addition to other inappropriate uses of the exposed data.
The security incident, which has the largest known proportions in Brazil, received more prominence after the news was published that personal data of national authorities was reportedly for sale on the Internet, including that of the President of the Republic and the STF Ministers. This fact gave rise to a request for measures, made by Minister Luiz Fux, president of the STF, to the Minister of Justice and to Minister Alexandre de Moraes, rapporteur of Inquiry 4781, whose object is the investigation of infractions that affect the safety of the STF and its members.
It is worth remembering, in this context, that regulation of the communication of security incidents, provided for in article 48 of the LGPD, is expected to begin in the first half of 2021, as made available by the ANPD in its regulatory agenda. deadlines, criteria and procedures” and “implement a flow to the incident system”.
It should be noted that the Federal Council of the OAB sent an official letter to the ANPD requesting the immediate adoption of measures for the investigation of data leaks, considering the competences of the ANPD to carry out audits on the processing of personal data by processing agents and to enter into commitments with them to eliminate irregularities and legal uncertainty.
In a public note, the ANPD stated that “it is technically investigating information on the case and will act in a cooperative manner with the competent investigative bodies to investigate the origin; the form in which the possible leak occurred; the containment and mitigation measures adopted in a contingency plan; possible consequences and damage caused by the violation”.
Organizing a contingency plan aimed at reducing the risks to which people whose personal data have been leaked are exposed is an urgent measure. Equally, the possibility of litigation arising from possible fraud resulting from the improper use of the leaked data must be considered, even though it is difficult to demonstrate the causal relationship between the security incident and possible damages.
The “mega-leak”, therefore, underlines the urgency for a data protection culture to be adopted and disseminated in organizations, not only as a requirement for compliance with the LGPD and similar legal standards, but also as an essential governance guideline and an important competitive differentiator, including risk management and a security incident response plan.
Wilson Sales Belchior