This Friday afternoon (22), Tecnoblog exclusively revealed details about the true scale of the data leak that exposed sensitive information of more than 220 million Brazilians – a number that also includes people who have died. The case had wide repercussions because of its breadth, and we received many questions about what steps should be taken from now on.
To answer these questions, we spoke with two experts in digital law, lawyers Luiz Augusto D’Urso and Adriano Mendes, who provided guidance on how to deal with the situation and avoid losses as a result of data exposure.
Brazilians should monitor their data
As a first step, the lawyers warn of the need to monitor platforms that may be targeted by criminals, such as banking applications.
We do not know how long this data has been leaking – we have discovered this now, but this leak may be from last month, last year or even a compilation of several previous issues. It is important that people check the transactions on their credit cards or pay attention to any different movements, and, mainly, that they change their passwords.
Adriano Mendes, lawyer specializing in digital law and data protection
Even if bank details were not leaked directly, data such as name, CPF, telephone number and e-mail address are what malicious actors use to gain access to various systems; once they are in, that access can be used to change a password or an account recovery e-mail.
In addition, it is important to be extra careful when providing sensitive information or clicking on third-party links in messaging apps, e-mail or social networks, even if the content appears to come from someone you know.
Main national authority still cannot punish those responsible
Mendes says the case is the responsibility of bodies such as the National Data Protection Authority (ANPD), Procon, Senacon (National Consumer Secretariat) and the Public Ministry. These institutions have the necessary autonomy to investigate and find the company that originated the leak.
D’Urso, who is president of the National Cybercrime Commission of ABRACRIM (Brazilian Association of Criminal Lawyers), points out, however, that the ANPD is not working at full throttle.
The General Data Protection Law came into force last year, but the penalties, which are the responsibility of the ANPD, have been postponed to August 2021. In this case and in other very serious cases, it is expected that the ANPD, even without being able to punish suspected companies for the leak, at least notify them and request information for the investigation to begin, generating inputs for the Public Ministry and Procon.
As an individual, can I file a claim?
Regarding individuals, Mendes explains that there are still no specific procedures to follow in cases like this, unless some concrete damage is proven.
If someone is a victim and has some kind of problem because of this – for example, someone whose CPF is used to open a current account, a credit line or an improper financial transaction – then, with proof of this loss, it is possible to file an action asking for compensation for moral damages.
According to the expert, even if a company is identified as the culprit for the leak, the fine should be imposed by one of the authorities mentioned above.
It is not up to everyone who has their name involved to file an individual lawsuit, because, in theory, the LGPD does not provide for the fine to be reverted to the people involved. This fine goes to a Procon collective fund to – then, yes – be reverted in favor of society.
It is worth mentioning that although some indications point to Serasa Experian as being responsible for the data exposure, there is still no official information to prove the company’s fault in this case.
Serasa told Tecnoblog that it is aware of third-party claims about data exposure on the dark web: “we conducted an investigation and, at this moment, we see nothing that indicates that Serasa is the source”, the company concluded.