Hacker attacks on public bodies and the LGPD: what to expect in the future?
Written by Victor Vieira
10 December 2020
It is already known to many that the Brazilian General Data Protection Act (LGPD) has been in force since September 2020. With the new legislation, an extensive regulatory framework on the protection of personal data came into existence in the country, also bringing various duties and obligations that must be followed by most organizations in the country – including public bodies.
In this context, something that did not go unnoticed was the series of cyber attacks on the information systems of various bodies of the Judiciary. This, in turn, highlighted an endemic problem spread throughout Brazil, one that puts at risk not only the integrity of our regulation on the protection of personal data, but also the data involved and their respective data subjects.
In today’s post, we will analyze the deficiencies of state bodies with regard to information security in the face of invasions and external threats, also presenting observations on the entire practical context of data protection in Brazil in this period when the LGPD has just come into force. Check it out below!
Cyber attacks on bodies of the Judiciary
The first news that circulated recently about the attacks on the Judiciary’s databases concerned the information system of the Superior Court of Justice (STJ). The incident occurred in early November 2020 and quickly gained international attention due to its seriousness.
It was an attack in which the intruders managed to encrypt the court’s entire database – and even part of the system’s backups, which were apparently stored in the same technological environment.
The event brought back memories of a few years ago, when a similar situation occurred, also in the Judiciary, due to a vulnerability identified in the Microsoft Windows OS. That episode became known as WannaCry and consisted of systemic attacks on the databases of various entities around the world. In both situations, the attackers demanded monetary compensation – to be paid in cryptocurrencies – to supposedly release the affected systems.
As if this first recent attack on the STJ were not enough, what followed was a string of reports of attacks on several other bodies of the Public Power – mainly the Judiciary. The Court of Justice of the State of São Paulo (TJ-SP) and the Public Ministry of the State of São Paulo (MP-SP) are examples of state entities that were forced to halt their activities completely, but attacks of varying scale were observed throughout the country.
Protection of Personal Data: the endemic neglect
The situations presented, although somewhat shocking, are merely a portrait of a reality that many Brazilians are already fully aware of: the neglect of the legal requirements regarding the protection of personal data (i.e. the LGPD).
It is important to note that the Brazilian act on the protection of personal data is not new. It is a statute that was officially approved in May 2018 – the interval of more than 2 years before it took effect was set so that public and private companies and organizations would have enough time to adapt to the new provisions and legal data protection parameters.
This, however, is not what happened: after all this time, what is observed is a scenario in which only a small portion of the organizations that should conform to the LGPD have even begun their compliance processes.
The Judiciary bodies that suffered the recent attacks are part of this group. The unauthorized access to these entities’ technological environments, together with their evident inability to handle data protection incidents, reveals a clear deficiency in the information security mechanisms in use. This amounts to a direct breach of principles set out in the LGPD, such as security and the prevention of incidents in general.
This is a widespread concern in Brazil. The reality is that, although the LGPD is already in force, Brazil as a whole has not adapted to the international parameters for the protection of personal data, and the validity of the law does little to remedy the insecurity observed in practice.
Urgent adaptation
In addition to the immediate concerns regarding the attacks on the Judiciary and the damage caused to people who have had the confidentiality of their data violated or their rights temporarily impaired by disruptions in the functioning of the affected bodies, there is something else that raises concern: the fact that the LGPD administrative sanctions – expected to be applied by the National Data Protection Authority (ANPD) – are not yet in force. In this scenario, it is worrying that the only Brazilian body currently able to apply sanctions, fines and other penalties for non-compliance with the LGPD’s provisions – that is, the Judiciary – is not properly adapted to those provisions itself.
This results in a scenario of complete disconnection between judicial practice – in which cases of non-compliance with the LGPD are already being judged – and the factual reality of the Judiciary. Worse, this mismatch between actions and facts even acts as a disincentive for private entities to continue with their own adjustments.
And, in the end, the biggest victims are the personal data subjects, who are left defenseless in the face of non-compliance with data protection parameters, even in a scenario where there are legal mechanisms to protect them.
The adoption of truly robust and resilient security parameters by government bodies is therefore of utmost importance at this moment. Until that happens, legal certainty with regard to data protection in Brazil will remain at risk.
Looking to the future
It is important to keep in mind that the LGPD’s legal mechanisms were the result of a global movement that sought to ensure greater security for data subjects – that is, all of us. However, for these protections to take effect in practice, more is needed than the mere approval of laws and regulations “for show”.
Hence the importance of harmonizing theory and practice. In this scenario, the Judiciary and other public bodies serve as an example for the other Brazilian organizations that must comply with the provisions of the General Data Protection Law. The recently reported cyber attacks, after all, illustrate well the need to close this gap.
The views and opinions expressed in this article are those of the authors.
Victor Vieira holds a Bachelor’s Degree in Law from the Federal University of Minas Gerais (UFMG) and is a postgraduate student in Personal Data Protection at the Pontifical Catholic University of Minas Gerais (PUC Minas). He is a researcher and data protection officer at the Institute for Research on Internet and Society (IRIS), and a lawyer. He is a member of the International Association of Privacy Professionals (IAPP) and certified by it as a Certified Information Privacy Professional – Europe (CIPP/E).