Reports to ANPD
Proper preparation of incident reports for the ANPD demonstrates accountability, facilitates collaboration with the regulator, and may mitigate sanctions during post-breach investigations.
Obligation and Deadlines
The LGPD (General Personal Data Protection Law) establishes the obligation to notify security incidents that may pose a relevant risk or harm to data subjects.
The deadline for notifying the ANPD is up to 72 hours from becoming aware of the incident. In cases of imminent risk, notification must be immediate.
Essential Information
The report to the ANPD must contain, at a minimum:
- Incident description: nature, date and time, estimated duration.
- Affected data: type of personal data compromised (e.g., name, CPF, financial data), estimated number of affected data subjects.
- Incident causes: exploited vulnerability, human error, cyberattack.
- Potential impact: risks to data subjects (e.g., fraud, discrimination, reputational harm).
- Measures adopted: containment, remediation, and damage mitigation actions.
- Contact information: of the company's data protection officer (DPO).
Level of Detail
The report must be detailed enough for the ANPD to understand the nature and severity of the incident, as well as the measures being taken to mitigate its effects.
It is important to present accurate, evidence-based information, avoiding speculation or unconfirmed information.
Notification Channels
The ANPD provides a specific channel for notifying security incidents on its official website. It is important to follow the guidance and forms provided by the ANPD to ensure that all necessary information is submitted appropriately.
Updates and Supplements
The initial notification to the ANPD may be supplemented with additional information as the incident investigation progresses. It is important to keep the ANPD informed about the progress of response actions and any relevant new findings.
Internal Coordination
The preparation of the report to the ANPD must be coordinated among the company's legal, information security, and communications teams. It is essential to ensure that the information presented is consistent and aligned with the company's communication strategy.
Transparency and Accountability
The preparation of transparent and complete reports for the ANPD demonstrates the company's commitment to data protection and its responsibility in the event of security incidents.
Transparency and accountability are fundamental to building and maintaining the trust of data subjects and other stakeholders.
Examples of Reportable Incidents
Ransomware: An attack that encrypts data and demands a ransom for its release, with the potential leak of confidential information.
Data Breach: Unauthorized exposure of personal data, such as customer information, financial data, or health information.
DDoS Attack: Disruption of online services that affects the availability of personal data.
Phishing: A campaign of fraudulent emails aimed at obtaining credentials for access to systems that store personal data.
Consequences of Non-Notification
Failure to notify security incidents to the ANPD may result in administrative sanctions, such as fines of up to 2% of the company's revenue, limited to R$ 50 million, in addition to other penalties, such as the suspension or prohibition of personal data processing.
Best Practices
- Keep a detailed record of all security incidents: including date, time, description, causes, impact, and measures adopted.
- Create an incident response plan: with clear procedures for identifying, containing, remediating, and notifying incidents.
- Train your employees: to identify and respond to security incidents.
- Conduct incident simulation tests: to assess the effectiveness of your response plan and identify areas for improvement.
- Stay up to date with ANPD's rules and guidance: regarding the notification of security incidents.
Final Recommendations
Well-prepared reports for the ANPD demonstrate maturity in incident management and commitment to data protection. Transparency, accuracy, and completeness are essential to maintaining credibility with the regulator and potentially mitigating sanctions.
