Newslestter Cybersecurity | February 21
ANPD publishes technical report to get public contribution that initiates the process of regulation of cyber incidents and opens a channel to receive notification
On February 22, 2021, a technical report was published by the Brazilian National Data Protection Authority (“ANPD”). The report initiates the consultation of the public for contributions for the future regulation of notification of cyber incidents.
The Brazilian General Protection Law (“LGPD”) requires that the controller notifies the national authority and the affected individuals in case there is an incident that presents relevant risk or damage to the individuals, stablishing criteria and minimum requirements that must be included in the notification.
However, the regulation of the notification was left to the ANPD. The regulation must specify the deadline for notification, offer a channel for submission of the form, and create a mechanism to evaluate the severity of the incidents to determine if the event must be reported or not and, in case affirmative, propose to the controller the adoption of complementary measures, such as giving the case wide publicity and mitigating the side effects.
It is with the intent to regulate the set forth in the LGPD that the ANPD is now requesting the contribution of society to build clear thresholds that allow the distinction between security incidents that may cause relevant risk or damage and that can call for additional measures from those that can be disregarded. Such distinction is only possible with a classification based on clear and objective criteria. The request for public contribution also has the intention to weigh which information must be included in the notification to both the ANPD (to assess the case) and the affected individuals (to guarantee the protection of their rights).
In the context of the technical report, the ANPD has also launched in its website (https://www.gov.br/anpd/pt-br/assuntos/incidente-de-seguranca) instructions on how to notify incidents while the regulation is still under construction, making available a form to be filled with details of the incident and opening a channel for the electronic protocol of the form.
As to the request for public contributions, after the analysis of the provided inputs, minutes of the proposal of regulation will be drafted and submitted to Public Consultation, sided with the Regulatory Impact Analysis Report.
The recent movements represent an important step in the regulation of cybersecurity in Brazil. Our Cybersecurity team and following up on the regulation and is at disposal to clarify any questions regarding ANPD’S recent initiative.
In case of any doubts about this subject, please do not hesitate to contact us.
T: +55 11 3077 3591
T: +55 11 3077 5633