Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 3 January 2025

Yes.

☒        general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒        obligation to take specific security measures e.g., encryption
☒       other

According to Article 46 of the LGPD, an organization is required to take steps to: (i) ensure that personal data in its possession and control are protected from unauthorized access and use; (ii) implement appropriate physical, technical and organizational security safeguards to protect personal data; and (iii) ensure that the level of security is in line with the amount, nature and sensitivity of the personal data involved. The Regulation on Notification of Security Incidents, published on 26 April 2024, established the mandatory procedures that data controllers must follow when notifying security incidents to the ANPD and to data subjects. The regulation provides that the notification must contain, among other information, the technical and security measures used to protect personal data, both those adopted before the incident and those adopted after it, and the measures that have been or will be adopted to reverse or mitigate the effects of the incident on the data subjects.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 3 January 2025

Yes.

☒       public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)

Public companies in Brazil are required to maintain sufficient information security measures and to ensure operational resilience to cyberattacks. The applicable regulations also include guidelines for the recording, collection and preservation of evidence of security incidents in the networks of bodies and entities that form part of the Federal Public Administration.

☒       health regulatory requirements

Healthcare providers must implement security measures to protect patient data and ensure the integrity of health information systems.

☒       financial services requirements

Financial institutions are required to adopt cybersecurity policies and incident response plans to protect against cyber threats.

☒       telecommunication requirements

Providers must ensure the security and integrity of their networks, including measures to prevent unauthorized access and cyberattacks.

☒       providers of critical infrastructure

The regulations provide guidelines and instruments to safeguard critical infrastructure considered indispensable to national security. This includes integrating data on threats, security technologies and risk management.

☒       other

Sector-specific regulation applicable to the insurance and civil aviation sectors.

If yes, please provide brief details of the relevant law or regulation.

Please see responses above.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 3 January 2025

☒      Data privacy

The main regulatory guidance and public statements made by the ANPD are mentioned in the section: "What are each of the regulator's anticipated enforcement priorities for the next 12 months?"

In February 2024, the ANPD issued two penalties against Brazilian public bodies. In the first case, the ANPD imposed four warning sanctions on a federal public body for several breaches of the LGPD, including the failure to appoint a data protection officer (encarregado), the failure to submit the data protection impact report requested by the authority and the failure to report a security incident that occurred in 2022. The second penalty was issued against another public body for failing to notify data subjects of a security incident involving personal data that occurred in 2022.

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 3 January 2025

Yes.

There is an obligation to notify the ANPD and data subjects of any breach that may result in relevant risk or damage to the data subject.

On 26 April 2024, the ANPD published the Regulation on Notification of Security Incidents.

The regulation sets out the requirements for the controller to report security incidents that may cause relevant risk or damage to data subjects, pursuant to Article 48 of the LGPD.

The Regulation on Notification of Security Incidents sets forth parameters for determining when a security incident may give rise to relevant risk or damage to data subjects and, therefore, must be notified to the ANPD and to the data subjects affected by that incident. It also sets forth the minimum information to be included in such a notification and other requirements regarding security incidents, such as the timeline for notification, the procedure for notification before the ANPD and the retention period for documentation related to the incident.

Controllers/Owners have to notify:

Last review date: 3 January 2025

☒       data protection authorities

☒       affected individuals

Same as above.

Processors/Agents have to notify:

Last review date: 3 January 2025

There are no legal requirements for processors to notify a personal data breach. The notification obligation lies with the controller.

☒       controller/ owner

This is usually a contractual requirement: the processor processes data according to the controller's instructions, and an incident at the processor level that is notifiable under the law must be notified by the data controller, which therefore needs to be informed by the processor.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 3 January 2025

Yes.

☒      health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒      financial services requirements

☒      telecommunication requirements

☒      providers of critical infrastructure

Some sector-specific regulations also provide notification obligations for companies subject to their regulatory framework.

For instance, BACEN's Regulation No. 4893 of 2021 imposes specific obligations on financial institutions within BACEN's regulatory scope regarding the detection of security incidents. In addition, the regulation requires financial institutions to report to BACEN any security incident that gives rise to a "situation of crisis".

ANATEL's Regulation No. 740 of 2020, applicable to the telecommunications sector, establishes that the provider must notify ANATEL of relevant data security breaches that substantially affect the security of telecommunications networks and user data. There are further requirements on the required information that the notification must include.

ANEEL's Normative Resolution No. 964 of 2021, applicable to the electric energy sector, establishes that regulated agents must notify the designated sector coordination team of major data security breaches that substantially affect the security of facilities, operations or services. There are further requirements on the minimum information that the notification must include.