On Friday afternoon (22), Tecnoblog Unique reveal details about the actual size of the data leak revealed sensitive information from more than 220 million CPF – a figure that includes the dead. The incident has had a huge impact on its breadth and we have a lot of doubts about what procedures should be followed from now on.
To answer these questions, we spoke with two digital law experts, lawyers Luiz Augusto D’Urso and Adriano Mendes, who provided guidance on how to deal with situations and avoid loss caused by data disclosure.
Brazilians should keep an eye on their data
As a first step, lawyers warned of the need to monitor platforms that could be targeted by criminals, such as banking apps.
We don’t know when this data was leaked – we’ve found this out now, but this leak could be from last month, last year or even sum up some questions. before. It’s important for people to check their credit card transactions or notice any different movements and mostly change their passwords.
Adriano Mendes, lawyer specializing in digital law and data protection
Even if bank details are not directly leaked, information such as names, social security numbers, phone numbers and e-mail are used by bad actors to gain access to other systems. Each other, when opened, can be used to change password or e-mail account recovery.
In addition, it is important to be very careful when providing sensitive information or clicking on third-party links in messages, e-mail or social networks, even if the content is submitted by people. is said to have known.
The top national authority still cannot punish liability
Mendes said that the incident is the responsibility of agencies such as the National Data Protection Authority (ANPD), Procon, Senacon (National Consumer Secretariat) and the Ministry of Public Affairs. These organizations have the necessary autonomy to investigate and find the company that caused the leak.
However, D’Urso, Chair of ABRACRIM’s National Cyber Crime Committee (Brazilian Association of Criminal Lawyers), points out that “ANPD is not working”.
The General Data Protection Act came into effect last year, but the penalties held by the ANPD have been postponed until August 2021. In this case and in other very serious cases, ANPD is expected. wait, even if it is not possible to punish the companies suspected of the leak, at least notify them and ask for information to initiate an investigation, generating input for the Ministry of Public Affairs and Procon .
Can I file a claim as an individual?
Personally, Mendes explained that no specific procedures have yet been performed in cases like these, unless some specific damage has been demonstrated.
If someone is a victim and has some problem because of this – for example someone used their CPF to open a current account, credit line or financial transaction mismatch -, with a evidence of this loss, may be joined with an ethical claim action.
According to this expert, even if a company is identified as the culprit for the leak, the fine should be imposed by one of the authorities mentioned above.
Filing a personal lawsuit is not up to all the people with their names, as in theory, the LGPD does not provide for the reversal of fines for those involved. This fine goes to a Procon joint fund so that – there, yes – is reversed in the favor of society.
It is worth mentioning that although there are some indications that Serasa Experian is responsible for the data disclosure, there is no official information that proves the company’s error in this case.
Come TecnoblogSerasa claims that they are aware of the third-party claims about the data exposure on the web: “We have conducted an investigation and at this time, we do not see anything showing that Serasa is the source, ”he concluded.