Today (April 26th), the Resolution CD/ANPD n. 15, of April 24, 2024, was published, approving the Regulation on Security Incident Reporting by the Brazilian Data Protection Authority (ANPD).

The regulation aims to establish procedures and guidelines for reporting security incident that involves personal data, to ensure the protection of data subjects’ rights, the implementation of actions to reduce risks, the accountability of data processing agents, the promotion of security practices, the encouragement of a culture of personal data protection and appropriate data governance.

It is worth mentioning that the resolution was preceded by a public consultation in May 2023 and that its provisions apply to incident reporting processes already underway.

The document is structured as follows:

Definitions – presents the terms and concepts used for reporting security incidents involving personal data. We highlight the following concepts:

• authentication data in systems (personal data used as a credential to access a system or confirm user identification, such as login accounts, tokens and passwords);
• financial data (personal data related to the holder’s financial transactions, including for contracting services and purchasing products);
• data protected by professional secrecy (personal data whose secrecy arises from the exercise of a function, trade or profession, and if revealed, it could cause harm to others);
• security incident (confirmed adverse event related to a breach of confidentiality, integrity, availability and authenticity of personal data security);
• incident treatment report (the controller’s document containing copies of relevant data and information about the incident and the measures taken to reverse or mitigate its effects).

Security Incident Reporting – details the criteria for reporting incidents, including the types of data involved and the situations that characterize a relevant incident.

• According to the Regulation, the controller must notify both the ANPD and the data subject of the occurrence of an incident that may entail a significant risk or damage to data subjects, i.e. when it significantly affects the interests and fundamental rights of data subjects and, cumulatively, involves at least one of the following criteria: sensitive personal data; data of children, adolescents, or elderly; financial data; authentication data in systems; data protected by legal, judicial or professional secrecy; or large-scale data;
• The deadline for reporting a security incident to the ANPD is 3 (three) working days, with the possibility of supplementing the report within 20 working days of the first report. For small data processing agents, in accordance with Resolution CD/ANPD n. 2, these deadlines will be counted double;
• There is essential information that must be included in the communication to the ANPD, although the ANPD provides its own form for this, including the nature of the data involved, the incident seriousness, the possible consequences for data subjects, the existence of technical and organizational security measures, the risk assessment to the rights and freedoms of data subjects, and compliance with data protection regulations;
• The confidentiality of information protected by law must be requested to the ANPD in a reasoned manner;
• The deadline for communicating the security incident to the data subjects is 3 (three) working days, counting from the controller’s knowledge that the incident has affected personal data. For small data processing agents, in accordance with Resolution CD/ANPD n. 2, these deadlines will be doubled;
• There is essential information that must be included in the communication to data subjects, such as the nature and category of personal data involved, the number of data subjects affected, the extent of the potential damage, the possibility of a negative impact on data subjects, the existence of security measures adopted before and after the incident, the likelihood of damage occurring, the duration and geographical extent of the incident, and the ability to reverse or mitigate its effects. This communication must use simple, easy-to-understand language and be direct and individualized;
• It is considered good practice, i.e., an additional measure, to include in the communication recommendations for reversing or mitigating the effects of the incident.

Security Incident Register – all incidents involving personal data, whether communicated to the ANPD and the data subjects, in accordance with the Regulation, must have their register kept for at least 5 (five) years.

Security Incident Reporting Process – it can be initiated ex officio or with a report made by the data controller. Once the process has been initiated, the ANPD may adopt certain measures, such as carrying out audits or inspections to gather information about the incident and may even order the controller to immediately adopt preventive measures to ensure the rights of data subjects, with or without their prior consent, setting a daily fine for compliance with the order. In addition, the ANPD may order the controller to widely publicize the incident in the media, to guarantee the data subjects’ rights.

Finally, the security incident reporting process can be terminated if:

• there is no evidence that an incident has occurred;
• the incident does not involve personal data;
• the ANPD considers that there is no relevant risk or harm to data subjects; and
• all the necessary and determined measures have been adopted by the controller, including communication to the data subjects.

The Technology, Privacy and Data Protection team is available to answer questions and provide support on issues related to this topic.