Companies may have to indemnify those who had their data leaked in cyberattacks

By Bruna Leite Mattos*

According to the X-Force Threat Intelligence Index 2021, produced by IBM Security, in 2020, the main form of cyber attack practiced were Ransomware attacks, which accounted for 23% of cybersecurity threats, against 20% in the year of 2019. According to the study, the attack is so profitable that one group of criminals alone raised about US$ 123 million in 2020 alone.

In general terms, Ransomware is a system that aims to derail a user’s access to a device, system or database, coercing its victims to pay a ransom to restore access.

Want to catch up on the best tech news of the day? Access and subscribe to our new youtube channel, Canaltech News. Every day a summary of the main news from the tech world for you!

In general, this software hijacks and locks files or systems through encryption techniques, whose key to decrypt access is, in theory, made available after payment of the ransom.

To deal with the situation, companies have been investing in the recovery of their backups, which would allow them to have access to a copy of the hijacked data, without having to pay the ransom.

But it seems that such measures are no longer enough. Attackers are changing their tactics and are no longer just encrypting data to make data access impossible. They also extract them and threaten to leak confidential data if the ransom is not paid.

Brazil has dealt with the issue in an ambiguous way. If, on the one hand, it tightens penalties for crimes, on the other, it ends up exposing companies that are victims of such attacks to a regulatory risk that is still uncertain.

Today, the country has a vast collection of computer criminal types, most of which are provided for in the Cyber ​​Crimes Law. The importance of the subject is such that the crimes of computer device violation, theft and embezzlement committed electronically or over the internet had their sentences increased at the end of May 2021.

The legislative change only confirms the seriousness of the impacts caused by cyber crimes, as well as recognizing the virtual environment as the most likely environment for the practice of such crimes. And the hardening of virtual criminal types, however, has a facet little commented upon.

From a criminal standpoint, it doesn’t seem that difficult to figure out who is the victim and who is the criminal in a cyber attack. But when the object of the leak includes personal data, the situation takes on another dimension, and, at that point, the General Data Protection Law (LGPD) comes into play.

The LGPD provides that the processing agents will not be held liable if they can prove: (i) that they did not carry out the processing of personal data assigned to them; (ii) that, although they carried out the processing in question, there was no violation of data protection legislation; or (iii) that the damage is due to the sole fault of the data subject or third parties.

At first, it seems quite clear that, in a cyber attack, we would be facing damage caused exclusively by a third party, which, in itself, would be enough to exempt any civil liability for repairing the damage suffered by the data subjects object of the incident.

Before it was so simple! The problem comes next.

This is because the law, further on, provides that personal data processing agents are obliged to guarantee the security of information in relation to the personal data processed, even after the end of the processing in question.

In addition, it establishes the responsibility of personal data processing agents in situations of breach of security, if such agents have not adopted the security measures provided for in the legislation.

Leakage of information from Facebook: LGPD arrives to inspect how companies process user data (Reprodução/Alon Gal)

According to these legal provisions, in addition to the investment in information security, the operational damages suffered with the blocking of data and the payment of any ransom charged, the victim institution of this type of attack can still be held liable to the holders of the data leaked in the incident, if it has not adopted sufficient security measures.

But what security measures are these anyway?

This is another provision of the LGPD not yet regulated by the National Data Protection Authority (ANPD).

To further aggravate the scenario, there is no provision for regulation of the device in question, as the matter is not even included in the Regulatory Agenda of the National Data Protection Authority for the 2021/2022 biennium.

In other words, there is still no minimum technical parameter to protect the institution from possible civil liability towards the holders of leaked personal data in case of cyber crimes, nor the prospect of being defined in the short/medium term.

Currently existing privacy parameters are limited to programmatic actions to be taken by companies. It is up to the controller or operator to take into account the proportionality of the measures adopted in relation to the probability and severity of the risks and benefits arising from the processing of data.

In practice, the burden of proof of the cases of exclusion of civil liability for data leakage is completely borne by the leaked institution, until there is an effective regulation of the matter.

In the current context, without a doubt, companies will be at the mercy of the understanding of the judiciary and/or ANPD, as the case may be, when investigating any incidents of privacy. And speaking of jurisprudential understanding, a judge from São Paulo inaugurated a new branch.

As stated in the sentence handed down in April 2021, it is necessary to prove that there was actually damage suffered by the owner of the leaked data so that the institution is obliged to indemnify him.

For the first-degree judge, it would be necessary to prove that the data were, in fact, used fraudulently, and completely: “alleged fear of future and uncertain use of your data in any fraud before the trade, in addition to being fanciful, would put in risk and responsibility the supplier or receiver of such data, without due verification.”

According to the judge’s understanding, “There is no way to indemnify an expectation of damage”. And he continues: “indemnity cannot be founded on assumptions, fears or afflictions.”

The decision in question will still be considered by the Court of Justice of the State of São Paulo on appeal and may be amended. In short, it’s not worth celebrating the penalty kick. It is necessary to wait for the goal – in this case, the confirmation of the understanding by the Superior Court of Justice (STJ).

But what to do to prevent cyber attacks and possible repercussions arising from them?

First: there is no magic formula. It is necessary to accept that the solution is not so simple and requires investment of time and money, as well as dedication and commitment on the part of the institution. The situation is delicate and presents several possible answers and alternatives.

But in the midst of so many doubts and uncertainties, one thing is certain: Without the implementation of a privacy governance program, it will be difficult for an institution to avoid possible civil liability in the event of data leakage.

This is because it will be necessary to prove that: (i) the institution has adopted structured measures to prevent leakage; (ii) that such measures were sufficient to respond to the risks associated with the treatment; and (iii) that there was no violation of the LGPD.

The scenario is critical and can always get worse. The “pay to see” moment has passed, after all, the cheap is getting (very) expensive. Now, it’s time to take the topic off the stand by and put it on the (priority) agenda for the day.

If advice was good…

Bruna Leite Mattos is a lawyer at the Business Law unit of Martorelli Advogados

Did you like this article?

Subscribe your email on Canaltech to receive daily updates with the latest news from the world of technology.

Related Articles

Back to top button