By Francisco Camargo *
In Brazil, we do not have a culture of analyzing the impact of government regulation broadly and in detail. Different public agencies issue standards without analyzing all their aspects, and consumers end up paying the bill, as happened, for example, with the three-pin plug, where it was never proved that the innovation would actually improve consumers' electrical safety; there are many other examples.
Regulatory Impact Analysis should be mandatory for any body that creates regulations imposing restrictions and punishments that can affect the country's legal and tax security.
Even in the Legislature, which takes the drafting of regulatory laws very seriously, holding public hearings, passing bills through various committees and finally approving them in a transparent process, aspects that were not foreseen in advance slip through.
This is what happened with the General Data Protection Law, based on the complex European model of the GDPR.
As this is a very recent issue and an extremely complex problem, with an impact on most Brazilian companies and a large part of the population, it is important to bring to light details that end up being very important and, at times, go unnoticed.
Information security and data protection was and remains the Achilles heel of our society, increasingly supported by digital technologies and the use of data.
Virtually everything is stored digitally, from photos on social networks to confidential corporate documents, which whets the appetite of criminals to circumvent these security technologies in order to obtain advantages, economic or otherwise.
Now, with new data protection and privacy regulations, such as the European GDPR and the new Brazilian LGPD, security has become much more complex, as attackers will have new and serious arguments to convince companies to pay the price of blackmail.
Before the regulations, companies that fell victim to attackers who threatened to publish stolen data feared the damage to their image and the cost of the lawsuits they would eventually have to face.
With the new regulation, heavy fines have appeared for companies hit by successful attacks. The penalties become more incisive, and the costs of reputational damage and indemnities tend to be higher, because if the fines are large, the punishments awarded in lawsuits legally have to be equivalent. This can lead a company to choose to negotiate with the attackers rather than allow the data to be released and the loss to become even greater. And that will be a great stimulus for new attacks.
Facebook recently admitted that 50 million accounts had been hacked. Imagine: if they, who invest millions of dollars in data security, fall victim to hacking, what would happen to smaller companies in Brazil? It is a sui generis case, in which the law condemns the victim while the attacker can escape with impunity.
Mark Zuckerberg's social network claimed that attackers exploited a vulnerability in its code that allowed them to steal password generators when users switched the view of their profiles from "private" to "public" using the "View As" feature.
In any case, the leakage of personal data has never been more challenging for organizations of all sizes, which requires advanced technology, specialized services and cultural change, inside and outside companies.
More than that, the regulations will change the way data is collected (RG, CPF, address, income etc.), with the inclusion of tools to prevent leaks and of means that explain to customers why certain information is needed, how it will be used and when it will be discarded. Consent must be explicit. Thus, for Brazilian companies, complying with the law through isolated security solutions is not enough. It is necessary to integrate systems with the most diverse purposes, which requires integrators and consultants with first-rate technical support and consolidated knowledge to deliver projects that meet the new demands.
The challenge is great. Solutions for data protection, encryption, log management, web application firewalls, intrusion prevention and detection, big data analysis systems, etc., may not be enough.
With the rise of methods and technologies that use artificial intelligence, one of the solutions may be to invest in techniques for analyzing the behavior of users of companies' digital platforms. Over time, the data collected will make it possible to predict actions and identify potential security risks that could otherwise open loopholes for attacks, and with them the dreaded punishment.
If the law were in force 20 years ago, there would be no phone books.
* Francisco Camargo is President of ABES and Chairman of CLM, a value-added distributor specialized in information security and advanced infrastructure.