In the second half of December 2022, the Brazilian National Data Protection Authority (ANPD) published an amended version of its Security Incident Reporting form, which must be used by everyone required to report security incidents as of January 1, 2023.
The form, now 8 pages long, is divided into the following sections:
1. Controller information
2. DPO information
3. Notifier / Legal Representative information
4. Type of Communication
5. Incident Risk Assessment
6. Acknowledgment of Incident Event
7. Timing of Incident Communication
8. Reporting the Incident to the Data Subjects
9. Incident Description
10. Impacts of the Incident on Personal Data
11. Risks and Consequences for Data Subjects
12. Technical and Administrative Security Measures for the Protection of Personal Data
Below, we highlight some relevant points about the information requested in the form:
With regard to the type of communication, it can be complete, preliminary or complementary.
With respect to the incident risk assessment, the ANPD seeks to know whether there is relevant risk or damage to the data subjects, or whether the risk or damage is still under investigation.
With respect to acknowledgment of the incident event, the ANPD seeks to know the source through which the controller became aware of the incident.
With respect to the timing of the incident communication, the ANPD seeks to know when the event occurred, when the reporting party became aware of it, when it was communicated to the ANPD and when it was communicated to the data subjects.
With respect to reporting the incident to the data subjects, the ANPD seeks to know whether the data subjects were notified, how the communication took place, how many data subjects individually received the communication and whether the communication to the data subjects met the 5 (five) listed requirements.
With regard to the incident description, the ANPD seeks to know which type of incident occurred: data hijacking (ransomware) with or without data exfiltration, exploitation of a vulnerability in information systems, virus/malware, credential theft/social engineering, brute-force credential attacks, unintentional publication of personal data, improper disclosure of personal data, sending data to an incorrect recipient, unauthorized access to information systems, denial of service (DoS), unauthorized alteration/deletion of data, loss/theft of documents or electronic devices, incorrect disposal of documents or electronic devices, equipment (hardware) failure, information system (software) failure, or another type of cyber or non-cyber incident. It also asks what measures were taken to correct the causes of the incident.
With respect to the impacts of the incident on personal data, the ANPD seeks to know whether the incident affected confidentiality, integrity and/or availability and which types of sensitive personal data were affected: racial or ethnic origin; health data; data concerning sexual life; religious conviction; biometric data; membership of a trade union or of a religious, philosophical or political organization; political opinion; or genetic data. In addition, it asks which data were affected.
With respect to the risks and consequences for data subjects, the ANPD seeks to know whether a Personal Data Protection Impact Report has been prepared, the total number of affected data subjects broken down into adults and children, which categories of data subjects are affected, the likely consequences, the probable impact and the measures adopted to mitigate the problem.
With regard to security measures, the ANPD seeks to know whether the data were protected in a way that makes it impossible to identify the data subjects, which security measures were already in place and which were adopted after the incident: information security and privacy policies, physical access control, encryption/anonymization, antivirus, access logs, penetration tests, a risk management process, logical access control, backups, firewall, monitoring of network and system usage, an incident response plan, incident logging, network segregation, asset management, system updates, multi-factor authentication, among others. In addition, the form asks whether the affected data processing activities are subject to sector-specific security regulations.