Brazil and EU Data Breach Notification Guidance

Written by: Brett Lawrence, Esq.

Brazil and the European Union recently issued further guidance on the procedures for handling and reporting a data breach. While Brazil finally published guidance before the law is to take effect, the European Union (“EU”) issued contextualized guidance for the types of data breaches that controllers usually experience.

Brazil

Brazil’s data privacy law, Lei Geral de Proteção de Dados (“LGPD”), is slated to be enforced starting August 1, 2021. On February 24, 2021, Brazil’s data protection authority (“ANPD”) issued its first guidance on the procedures for reporting security incidents, concerning obligations relating to data breaches and other incidents under the LGPD (the “Guidance”).
The Guidance defines a data breach as a “security incident,” which is “any adverse event, confirmed or suspected, related to the breach in the security of personal data, such as unauthorized, accidental or unlawful access.” In responding to a security incident, the Guidance encourages controllers to assess the incident internally by looking at its nature, the number of data subjects affected, and the concrete and probable consequences. If a security incident “results in destruction, loss, alteration, leakage or in any way inadequate or unlawful data processing, which may cause risk to the rights and freedoms of the holder of personal data,” then the controller must follow the Guidance’s notification procedures.

A. Notification to ANPD

Controllers must notify the ANPD with the contact details of the relevant entities and a description of the security incident, its effects, and the controller’s actions in response. The ANPD published a form to fill out during the notification. Critically, this notification must be provided within 2 working days from discovery of the incident. If the controller is late, it must provide justification for the delay. The controller must also internally prepare documentation assessing the incident, the measures taken, and its risk analysis, in order to comply with the principle of accountability.
Although the LGPD says that the controller must inform the ANPD of security incidents, if the information is exceptionally presented by the operator (data processor), the ANPD will still duly analyze that submission.

B. Notification to Data Subjects

The Guidance failed to provide similarly specific procedures for controllers when notifying data subjects of a security incident. It states only that, in the event of a security incident, controllers should take into account (1) the sensitivity and volume of the personal data, (2) the ease of identification of the personal data, (3) the good faith intentions of the third parties, (4) the age of the data subjects, and (5) whether any discrimination, reputational harm, or rights violations may occur.
Before the Guidance, the LGPD required breach notifications within a “reasonable time period.” Because the Guidance only clarified that notifications to ANPD be within 2 working days, it appears notifications to the data subjects still require that they be made within that ambiguous timeline.

European Union

The EU Data Protection Board (“EDPB”) recently published a second set of guidelines for responding to data breaches under the General Data Protection Regulation (“GDPR”). The EU Working Party produced general guidance in October 2017, analyzing the relevant sections of the GDPR. This time around, the EDPB recognized that the first guidance did not address practical issues, and has now issued “practice-oriented, case-based” guidance on notification and remediation obligations. The guidelines ensure that controllers understand notification may be required when the availability and integrity, not just the confidentiality, of personal data is compromised.
The guidelines discuss 18 fictitious but reality-based case studies illustrating the six common types of personal data breaches. Through these six categories, the EDPB attempts to clarify how to handle these data breaches and what controllers should consider during risk assessment. We summarize each of the categories below:

  1. Ransomware. Consider whether the organization can restore the data using any backups, which “will help to mitigate the consequences of a successful attack should it occur.” Even if personal data has not been exfiltrated, the fact that any data may remain unavailable for a certain period of time will most likely constitute “high risk” and require notification to the supervisory authority and data subjects.
  2. Data Exfiltration Attacks. The EDPB defined these types of attacks as ones that “exploit vulnerabilities in services offered by the controller to parties over the internet.” These attacks raise the risks of not only stealing the data, but actually modifying the data while it’s in the system. Unless the personal data is sufficiently encrypted or hashed, the EDPB noted these types of breaches possess sufficient risk to notify the data subjects.
  3. Internal Human Risk Source. Because these breaches can be either intentional or unintentional, it is difficult for controllers to identify where vulnerabilities lie and to adopt measures to avoid them. However, “well thought out access policies and constant control can help.” The EDPB first concluded that an employee stealing business data to contact clients requires notification to the supervisory authority but not to the data subjects. The second hypothetical concluded that notification was not required at all where there was an accidental data transfer to a trusted third party, but noted that internal documentation of the event is required.
  4. Lost or Stolen Devices and Paper Documents. The response to a lost or stolen device or material depends on the type of device, its level of security, and the type of personal data stored. For example, the ability to remotely remove or wipe the personal data from the device is important, as it lowers the risk of compromise. In case study no. 10, the EDPB concluded that notification was not required when the stolen tablets stored encrypted personal data and the backup data was wiped remotely by the controller.
  5. Mispostal. Like internal errors, mispostals are the result of inattentiveness without malicious action. Notifications for personal data inadvertently transferred to the wrong person depend on the type of personal data and how many individuals are affected.
  6. Social Engineering. The EDPB discussed the actions controllers should take when a threat actor obtains access to personal data through identity theft and phishing attacks. Both of these events, the EDPB determined, constituted sufficient risk to notify affected data subjects.
