Data breaches: New regulation in Brazil and the importance of implementing robust protocols.
It is crucial for companies to consider all regulations concerning security breaches approved in different jurisdictions. On April 26, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution CD/ANPD No. 15 (“Resolution”), which sets forth new guidelines for reporting security incidents.
Key aspects of the Resolution
- Definition of a data breach: Any confirmed adverse event involving a breach of the confidentiality, integrity, availability and authenticity of personal data.
- Criteria for reporting an incident: An incident must be reported if:
  - the breach may cause, or poses a significant risk of, harm to the fundamental interests and rights of data subjects; and
  - the incident involves specific types of personal data, such as sensitive personal data, data concerning minors or elderly individuals, financial information, data used for authentication in specific systems, legally protected data, or data processed on a large scale.
- Notification deadlines:
  - Organizations are required to notify affected individuals and the regulatory authority within 3 business days after becoming aware of the incident.
  - Smaller companies benefit from an extended deadline, which is double that of larger enterprises.
  - A supplementary notification with additional information can be submitted within twenty business days.
- Notification methods: Notifications must be submitted through the ANPD's online form.
- Closure of the file: The process related to the reported incident may be concluded based on specific criteria outlined in the Resolution.
- Records of security incidents: The controller must keep a record of every security incident, even those that have not been notified, for a minimum of 5 years.
Important remarks
This new regulation underscores the necessity for organizations to implement not only robust technical security measures but also comprehensive action protocols that could be activated once a data breach occurs. Ensuring compliance with the Resolution will require a proactive approach to data security.
Organizations should consider conducting regular security audits, updating their incident response strategies, implementing relevant security incident policies and training staff to handle potential data breaches effectively.
Failure to properly handle an incident can result in significant legal, financial, and reputational damage, not only in Brazil but also in many other jurisdictions. In that sense, the EU General Data Protection Regulation also imposes strict obligations on the implementation of security measures, as well as on the notification of data breaches to the Data Protection Authority and, where required, to the affected individuals.
Even though the current Argentine Data Protection Law does not require local entities to report a data breach, organizations are still compelled to implement robust security measures. In that sense, comprehensive action protocols for security breaches are considered a best practice for mitigating undesired consequences.
For more information or to ensure that your compliance strategies align with international regulations and standards, do not hesitate to contact our team. In addition to assisting you in reviewing your protocols and procedures to meet existing rules and protect your business, we recognize the importance of adapting to the ever-evolving digital threats. In collaboration with expert partners, we facilitate analyses and evaluations that can be crucial in strengthening your security systems, aligned with regulatory demands.
For further information please contact mperuzzotti@ojambf.com