The Brazilian General Personal Data Protection Law (LGPD) establishes that security incidents that may compromise the protection of personal data must be communicated to the National Data Protection Authority (ANPD) and to the affected data subjects, as described in arts. 46 to 49 of Law nº 13.709/2018 (LGPD).
According to the LGPD, an information security incident is a security breach that causes, accidentally or unlawfully, the destruction, loss, alteration, disclosure of or unauthorized access to personal data; depending on the circumstances, a "cyber-attack" can also be interpreted as falling within this definition.
Therefore, the company must notify the ANPD whenever a security incident occurs that could compromise the protection of personal data. The notification must be made within 24 hours of the incident being discovered and must contain information such as:
- description of the nature of the affected personal data;
- technical and security measures used to protect affected data;
- risks related to the incident;
- measures adopted or that will be adopted to reverse or mitigate the effects of the incident.
According to the law, in addition to the ANPD, the company must also notify the affected data subjects, informing them about the incident and the measures being taken to minimize its impact.
On the other hand, notification is not mandatory when a security incident occurs but presents no risk or harm to the affected data subjects.
The LGPD establishes that not all security incidents need to be notified to the ANPD, only those that may create risk or harm to holders of personal data.
This means that if the incident does not affect personal data, or if it does but does not represent risk or harm to data subjects, notification to the ANPD is not mandatory.
However, it is important to highlight that the company must carefully evaluate the incident and determine whether notification to the ANPD is necessary, bearing in mind that the risk assessment may not be immediate; therefore, notification must be made if there are doubts regarding the severity of the incident.
Furthermore, the LGPD also establishes that the company must keep a record of all security incidents, even those that did not need to be notified to the ANPD, as a way of proving its compliance with the law.