After a phase where the Brazilian Data Protection Authority (ANPD) focused on regulating important provisions outlined in the General Data Protection Act (LGPD), in addition to editing several manuals and guidelines to assist the public in complying with the law, the ANPD has imposed its first penalty on July 6, 2023, targeting the company Telekall Infoservice.
Since then, the ANPD has investigated several allegations of violations to the LGPD, involving both private sector organizations and public sector entities.
Finally, on October 6 of the same year, the ANPD published in the Federal Register a second penalty to be applied. This time, targeting the State Government Employee Medical Assistance Institute of São Paulo (IAMSPE), a public institution. This makes it clear that the ANPD monitors compliance with the LGPD not only in the private sector, but also in the public sector.
In the specific case of IAMSPE, the ANPD understood that there was a violation of two provisions of the LGPD, as shown in the table below. Consequently, a warning penalty was imposed for both violations:
In fact, according to the ANPD, IAMSPE experienced a security incident and failed to promptly and effectively notify data subjects on which of their personal information could potentially have been compromised.
Therefore, the ANPD considered that the lack of clear, effective, and timely notification to data subjects was a violation of Article 48 of the LGPD. Moreover, the failure to uphold secure systems for the storage and processing of personal data for millions of public servants in the state of São Paulo and their dependents, who are beneficiaries of the agency's healthcare services, was deemed a violation of Article 49 of the LGPD.
It is worth noting that the General Coordination of the ANPD also determined corrective measures to be complied with by IAMSPE. This is intended to mitigate the impacts of violations to the LGPD and prevent recurrences. Such measures include: (i) developing a schedule for implementing measures to enhance the security of their personal data storage and processing systems and (ii) updating and keeping communication accessible to data subjects on the IAMSPE website for at least ninety days.
IAMSPE has the right to appeal the aforementioned decision to the ANPD Board of Directors within ten working days of receiving the notice issued by the ANPD.
Some observations are still in order, mainly taking into account the practices currently existing in Europe, including the application of the legal bases provided for in the European General Data Protection Regulation (GDPR), which are also covered by the Brazilian LGPD.
In Europe, several public institutions such as city halls, police stations, and the like, are penalized for violating the GDPR, and there is no special treatment based on their public nature. Authorities responsible for protecting personal data show growing concern about the security measures adopted to protect personal data. This means that security practices, such as login and password, which would be considered adequate security measures by Brazilian standards, are no longer considered sufficient for the European community. Additional security measures need to be implemented, such as multi-factor authentication, for example.
In fact, the war between information security professionals and hackers is constant and tends to only increase with technological development. So, things like firewalls or VPNs to secure remote access are under review.
When it comes to firewalls, we are already in the fourth generation, known as NGFW (Next-Generation Firewalls). These systems are capable of not only securing ports and protocols, but also performing deep packet inspections, intrusion detection and prediction, defense against denial-of-service attacks, allowing customization and internal policy implementation, and enabling unified threat management.
As far as VPNs are concerned, they are gradually giving way to ZTNA technology (Zero Trust Network Access). In this model, an agent checks whether attributes are allowed for a user and what the scope of that permission is, regardless of whether the user is internal or external to the organization.