Security Incidents in the LGPD: What to Do and How to Minimize Your Costs
Security in the General Personal Data Protection Act
In the General Personal Data Protection Act (LGPD, Law No. 13,709/2018), security is both a principle (art. 6) and a rule (art. 46).
As a principle, the law requires that security be observed in all processing activities carried out by companies, civil society organizations or public bodies, through the adoption of technical and administrative measures to protect personal data from unauthorized access and reduce the risk that the data will be destroyed, lost, altered, or shared illegally or accidentally.
As a rule, security appears in the LGPD as a means of avoiding “inappropriate or illegal treatment” of personal data. In short, the LGPD's notion of security encompasses the classic triad of confidentiality, integrity and availability of personal data, but goes further: security is an instrument for ensuring compliance with the legislation itself.
Security incidents involving personal data
IBM's 2024 research, “Data Breach Costs”, revealed that the average cost¹ of a data breach for companies has been rising over the years and, in 2024, reached US$ 4.8 million. Being prepared to handle an incident involving personal data, for example by having an incident response plan, is a factor the research identifies as reducing this average cost.
The first step in dealing with an incident is to detect it and classify it appropriately. A mere problem in a system can become an incident, so identifying, screening and classifying which events are problems and which are, in fact, incidents is the first step.
To help processing agents carry out this classification, the National Data Protection Authority (ANPD), in its Resolution No. 15, defined “security incident” as “any confirmed adverse event related to the violation of the confidentiality, integrity, availability and authenticity of personal data security”.
The Incident Response Plan
A well-structured incident response plan is the first preventive measure that any organization that deals with personal data must implement. It serves as a detailed guide, defining the actions to be taken in the event of security breaches, ensuring a quick and effective response by the organization to contain and mitigate the damages that may be caused. The plan describes, step by step, the measures to be taken by the organization from the detection of an incident to its complete resolution. It must be prepared based on a risk analysis and consider the specifics of the organization.
The plan, besides demonstrating the organization's commitment to data security and to the privacy of data subjects, can limit the financial impact of an incident by mitigating the damage to data subjects and processing agents.
Where it is mandatory, timely reporting of the incident to the ANPD and to the data subjects is one of the most critical aspects of a response plan, since, if the deadlines established in the legislation are not met, the authority may sanction the controller. Maintaining a communication template pre-filled with the main information required by the ANPD is an efficient strategy. The ANPD provides a standard notification template, which can be customized according to the type of incident, speeding up the sending of the notification and ensuring that the legal requirements are met.
Relevant risks or damages
Not all security incidents need to be reported to the ANPD and the affected data subjects. Article 48 of the LGPD establishes the obligation of the data controller to report incidents that may “entail relevant risks or damages”.
Given the subjectivity of this definition, the ANPD created objective criteria, related to the nature and volume of the personal data affected by the incident, which trigger the duty to report. Thus, if the incident involves (i) sensitive personal data, (ii) data of children, adolescents or the elderly, (iii) financial data, (iv) authentication data in systems, (v) data protected by legal, judicial or professional secrecy, or (vi) large-scale data, the controller must report it. Note that the concept of large scale has not yet been parameterized by the ANPD, which opened a call for contributions on the subject in April 2024.
Incident reporting
Resolution No. 15 establishes that communication of the incident to the data subjects must be made primarily in an individualized and direct manner, for example by email. If this is not possible, communication may be made through the available means, be it the organization's website, app, social media or customer service channels. Communication to the ANPD, however, must be made through a specific channel available on the Authority's website.
The ANPD, based on the prerogatives granted to it by the LGPD, may investigate the occurrence of an incident ex officio, even if it has not been reported by the controller, in which case it may also sanction the processing agent for violating the law.
Deadline for communication
Although the LGPD only requires that communication of the incident to the ANPD and to the affected data subjects be made within a “reasonable time”, ANPD Resolution No. 15 of 2024 established a period of three business days, counted from the controller's knowledge of the incident, for the communication to be made, where no specific regulation deals with the issue².
One point of attention regarding this deadline is the reporting of incidents between operators and controllers, which remains unregulated. If an incident occurs at an operator (such as a cloud provider), the duty to notify falls on the controllers (who use the cloud to process personal data). IBM's research shows that a data breach originating in the supply chain can increase its cost by more than US$ 200,000.00. For this reason, it is important that contracts between processing agents set a deadline for this communication to be made.
Content of the communication
The communication to the ANPD and the Data Subjects must contain the following information, in accordance with current data protection legislation:
- a description of the nature and category of the personal data affected and the groups of data subjects involved;
- the number of affected data subjects, including a breakdown of how many are children, adolescents or elderly persons;
- the total number of data subjects whose data are processed in the treatment activities affected by the incident;
- the technical and security measures used to protect data before and after the incident, with the exception of those protected by commercial and industrial secrets;
- the risks to the data subjects arising from the incident;
- the date of the incident, if known;
- the contact information of the personal data protection officer;
- the identification of the controller and operator related to the incident, if applicable;
- the reasons for the delay, if the communication was not made within three days;
- the measures that were or will be taken to mitigate the effects of the incident;
- the description of the incident, including the root cause, if it can be identified.
For this information to be collected promptly, the organization must be prepared. In this sense, it is advisable that the record of personal data processing operations be kept up to date and that the technical and administrative security controls in place be mapped.
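The reporting criteria from the “Relevant risks or damages” section, the three-business-day deadline and the required content of the communication listed above can be combined into a triage checklist inside an incident response plan. The following Python is an added example, not code from this article or from the ANPD; the criterion keys and field names are assumptions, and public holidays are not modelled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Objective criteria (ANPD Resolution No. 15, as listed on this page) that make
# reporting mandatory. The dictionary keys are this example's own assumption.
MANDATORY_CRITERIA = {
    "sensitive": "sensitive personal data",
    "minors_or_elderly": "data of children, adolescents or the elderly",
    "financial": "financial data",
    "credentials": "authentication data in systems",
    "secrecy": "data protected by legal, judicial or professional secrecy",
    "large_scale": "large-scale data (threshold not yet parameterized by the ANPD)",
}

# Content the communication must carry (the items listed on this page); names assumed.
REQUIRED_FIELDS = (
    "data_nature_and_groups", "affected_subjects_by_age_group", "total_subjects",
    "measures_before_and_after", "risks_to_subjects", "incident_date", "dpo_contact",
    "controller_and_operator", "mitigation_measures", "description_and_root_cause",
)

@dataclass
class Incident:
    known_on: date                                # day the controller learned of it
    flags: set = field(default_factory=set)       # keys of MANDATORY_CRITERIA that apply
    report: dict = field(default_factory=dict)    # draft of the communication

def reporting_reasons(inc: Incident) -> list:
    """Which ANPD criteria make this incident reportable (empty list = not mandatory)."""
    return [MANDATORY_CRITERIA[k] for k in sorted(inc.flags) if k in MANDATORY_CRITERIA]

def deadline(known_on: date, business_days: int = 3) -> date:
    """Three business days (Mon-Fri) after knowledge; public holidays are not modelled."""
    d, left = known_on, business_days
    while left:
        d += timedelta(days=1)
        if d.weekday() < 5:
            left -= 1
    return d

def triage(inc: Incident, today: date) -> dict:
    """Decide if reporting is mandatory, compute the deadline and list missing content."""
    reasons = reporting_reasons(inc)
    due = deadline(inc.known_on)
    required = list(REQUIRED_FIELDS)
    if today > due:                     # a late communication must also explain the delay
        required.append("delay_reasons")
    return {"must_report": bool(reasons), "reasons": reasons, "deadline": due,
            "overdue": today > due,
            "missing": [f for f in required if not inc.report.get(f)]}
```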
Public disclosure of incidents
When an incident is reported to the ANPD, an administrative proceeding is opened to follow up on the incident response. This proceeding is public by default. To prevent the organization's confidential or sensitive information from becoming public, the controller must give a reasoned justification as to why its disclosure would represent a violation of commercial or industrial secrecy.
In addition, after assessing the degree of risk or harm of the incident, the ANPD may require that it be widely publicized in the media (such as newspapers with large circulation). Resolution No. 15, however, limits this requirement to cases in which prior communication to the data subjects is insufficient to reach the affected persons, or in which disclosure is necessary because of the scope of the controller's activities and the location of the data subjects.
Conclusion
In conclusion, preparation for reporting security incidents involving personal data is essential to ensure compliance with the obligations set out in the LGPD and in the ANPD's regulations. Adopting a well-structured response plan, encompassing clear and automated processes, appropriate technologies and continuous training of teams, is essential for organizations to act quickly and effectively when incidents occur.
In addition to meeting legal deadlines and requirements, this preparation allows for the mitigation of harm to data subjects and minimizes the operational and financial risks associated with data breaches. Therefore, investing in technological solutions, automations and the training of the professionals involved is an essential strategy for dealing with data protection challenges and ensuring an adequate response to possible security incidents.
—————————————————————
¹ The research assesses the cost on four fronts: detection, notification, post-breach response, and loss of business. The complete research methodology is described on page 42, available at: https://www.ibm.com/account/reg/br-pt/signup?formid=urx-52913
² The BACEN (Central Bank of Brazil), for example, defined in Resolutions No. 342/2023 and No. 412/2023 that incidents involving PIX data must be reported to the data subjects even if they do not entail a relevant risk or damage.