Even when there is a consensus on a given subject, a more careful analysis of the details often leads to the conclusion that the facts contradict what we took for granted, and we are left to exclaim: “The devil was in the details!”
The Garden of Earthly Laws - Hieronymus Bosch (1450-1516)
* By Francisco Camargo
The validity of, and the need for, protecting personal data is undeniable. The principle is that the citizen owns his data and, as is normal when using someone else's property, we need to obtain his permission. We are tired of hearing that companies and organizations from the most diverse segments have had sensitive information about Brazilian customers and users leaked.
The issue was already regulated by several laws, such as Law 12,965 - Marco Civil da Internet, Law 13,188 - Press Law, Law 8,078 - Consumer Code, Law 9,279 - Intellectual Property, the Civil Code, the Penal Code and others, and now the new General Data Protection Law (LGPD) has emerged, which aims to make the Brazilian legal framework compatible with the European GDPR.
However, the impact the LGPD can have on Brazilian companies, especially startups and micro, small and medium companies, which are very vulnerable to penalties and to damage to their brand image, can be very large. It is worth mentioning that the LGPD directly affects companies in the Information Technology sector, but it spreads to all business sectors and also to the third sector (professional associations, NGOs, associations, foundations).
Through experience and observation, we can outline two groups of economic entities: those that have already had their data leaked and those that will still have their data leaked.
Playing devil's advocate here, while obviously acknowledging the legitimacy and relevance of the Law, we have a dangerous scenario for national technology developers, due to the joint and several liability that applies under the LGPD.
As an exercise of the imagination, suppose a large national e-commerce retailer is invaded by cybercriminals and the personal data of ten thousand of its customers is leaked. As mandated by the Law, the company immediately notifies the ANPD - National Data Protection Agency, as well as everyone involved, advising them to change their passwords and, if necessary, cancel their credit cards.
Despite taking the measures the LGPD prescribes, and confirming that none of its customers were harmed, the ANPD nevertheless fines the e-commerce company 50 million reais. To defend itself, the e-commerce company hires one of the most important consultancies in the country, which identifies that the incident happened because of a problem with the update of the ERP software, supplied by a medium-sized Brazilian technology company.
This company, in turn, is obliged to hire another high-level consultancy to defend itself, which confirms that the leak occurred due to a vulnerability in the ERP software, but that the software had not been properly updated to the latest version, which had already resolved this vulnerability. The party responsible for maintaining the software at the e-commerce company is a small consulting firm, duly certified by the manufacturer, which would therefore be responsible for the missing update.
When the eggs are fried, everyone involved is singed. In addition to severe damage to their brands' image, the retailer is fined R$ 50 million for violating the LGPD. It demands compensation from the IT company because the leak occurred due to a vulnerability in its software; the IT company, in turn, blames the consultancy and cancels its authorization to provide services for the software; and the consultancy, which evidently does not have the resources to pay, ends up filing for bankruptcy.
This is an exercise in futurology that will certainly come true; we just don't know when. I have no doubts about this and, for the sake of our growing and important software industry, these impacts need to be addressed, so as not to make life impossible for technology MPMEs (micro, small and medium enterprises) in Brazil.
Looking at what happens in Europe, the volume of fines imposed there under the General Data Protection Regulation (GDPR) runs into the billions and can be followed on the Enforcement Tracker website. The largest financial penalties took place in England and France. According to the Information Commissioner's Office (ICO), in July 2019, British Airways was fined 204 million euros because its technical and organizational measures were insufficient to guarantee information security (Art. 32 GDPR). In the same month, Marriott International, Inc. had to pay 110 million euros for the same reason.
The French Data Protection Authority (CNIL) fined Google, in early 2019, 50 million euros. The reason was the non-compliance with articles 13, 14 and 6 of the GDPR: it considered that its legal basis was insufficient for the processing of private data of its users.
This year, the biggest fines were imposed on Google, TIM, Austrian Post, Wind Tre and Deutsche Wohnen.
Source: https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
And the data on vulnerabilities is far from favorable. A study by Barracuda Networks identified that 46% of organizations had recently suffered some type of security incident, and 51% identified an increase in the number of phishing emails, traps designed to steal personal data.
Worst of all, many of these exposures occur within the company itself. According to the Global Data Risk Report by Varonis, on average, every employee of the 785 organizations of different segments and sizes analyzed by the study had access to 17 million files and 1.21 million folders. 53% of the companies had more than 1,000 confidential files accessible to all employees. On average, these companies had more than half a million (534,465) sensitive files, containing credit card information, health records or personal information subject to regulations such as GDPR, HIPAA and PCI. Such exposed files and folders are accessible to all employees and possibly to criminals.
Outdated records are another problem: 53% of the employees' data at these companies was out of date, and 58% of the companies had more than a thousand outdated employee accounts. These accounts, which could still access important files, are also known as “ghost users” because they are enabled accounts that appear to be inactive and generally belonged to ex-employees who are no longer in the organization.
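One check a defender can run for the two findings above (ghost users and sensitive files open to everyone), as an added example that is not from the article or from Varonis; the account and ACL records, their field names and the idle threshold are constructed assumptions, not a real export format:

```python
# Added example (not from the article or Varonis): audit a constructed account
# export and file-ACL export for "ghost users" (enabled accounts idle past a
# threshold, or still enabled after the owner left) and for sensitive files
# whose ACL grants read access to a company-wide group.
from datetime import date, timedelta

# Constructed sample data; field names are assumptions, not a real export format.
ACCOUNTS = [
    {"user": "ana",   "enabled": True,  "last_logon": date(2020, 9, 1),  "employed": True},
    {"user": "bruno", "enabled": True,  "last_logon": date(2019, 11, 3), "employed": False},
    {"user": "carla", "enabled": False, "last_logon": date(2019, 2, 14), "employed": False},
    {"user": "diego", "enabled": True,  "last_logon": date(2020, 2, 20), "employed": True},
]
FILES = [
    {"path": "/finance/cards.xlsx",    "sensitive": True,  "readers": {"Everyone"}},
    {"path": "/hr/health/records.csv", "sensitive": True,  "readers": {"hr-team"}},
    {"path": "/marketing/logo.png",    "sensitive": False, "readers": {"Everyone"}},
    {"path": "/legal/contracts.docx",  "sensitive": True,  "readers": {"Domain Users", "legal"}},
]
# Groups that effectively mean "all employees" (assumed names).
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}


def ghost_users(accounts, today, max_idle_days=90):
    """Enabled accounts owned by ex-employees or idle longer than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and (not a["employed"] or a["last_logon"] < cutoff)
    )


def overexposed_files(files, broad_groups=BROAD_GROUPS):
    """Sensitive files whose readers include a company-wide group."""
    return sorted(f["path"] for f in files if f["sensitive"] and f["readers"] & broad_groups)


if __name__ == "__main__":
    # Reference date fixed so the run is reproducible offline.
    audit_day = date(2020, 9, 15)
    print("ghost users:", ghost_users(ACCOUNTS, audit_day))          # ['bruno', 'diego']
    print("overexposed:", overexposed_files(FILES))                  # cards.xlsx, contracts.docx
```

Disabling the flagged accounts and tightening the flagged ACLs addresses the two exposures the report counts, and rerunning the audit on a schedule catches accounts that go stale after an employee leaves.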
With so many vulnerabilities and so many penalties, the question we ask is: who, after all, will be left to foot the bill?
* Francisco Camargo is president of the Deliberative Council of ABES - Brazilian Association of Software Companies, a businessman, and founder of the Latin American distributor CLM.