On 6 October 2023, the Brazilian Data Protection Authority (ANPD) issued its second sanction against a public institution (see our previous alert on the first sanction). ANPD sanctioned the State Government Employee Medical Assistance Institute (Instituto de Assistência ao Servidor Público Estadual de São Paulo, IAMSPE), alleging that:
(i) IAMSPE did not comply with the ANPD’s order to notify all affected data subjects (around 1.5 million) of a cyber incident in a timely manner. Instead, the ANPD alleged, IAMSPE sent out the notification three months after becoming aware of the incident; and
(ii) IAMSPE failed to implement security controls to protect the confidentiality of personal data (i.e., to ensure that personal data is accessible only to authorized individuals), which resulted in the incident. According to the ANPD, four vulnerable points of access within IAMSPE’s website API allowed unauthorized public access to IAMSPE’s databases. However, no sensitive personal data was affected by the incident, and no unauthorized alterations were made to the databases.
The investigation into IAMSPE was opened on 15 March 2022 following a complaint filed by an individual who was able to access other individuals’ non-sensitive personal data through IAMSPE’s website despite not holding those individuals’ credentials. It took more than a year for the ANPD to conclude the investigation and the subsequent administrative process and to issue a decision. This decision can still be challenged by administrative appeal, which shall be handled by the ANPD’s board of directors.
No fine was issued against IAMSPE, as the General Data Protection Law (Art. 52, Section 3) does not allow fines against public entities. Instead, IAMSPE was subject to:
(i) a warning ordering IAMSPE to amend, within 10 business days, its earlier public cyber incident notification to affected individuals (available on IAMSPE’s website), since the following mandatory information was missing: the categories of individuals and personal data affected, the risks to the data subjects arising from the incident, and the reasons that led IAMSPE to notify the ANPD of the incident only weeks after becoming aware of the unauthorized access. The ANPD also set out certain precise language that it required to be included in the notification; and
(ii) another warning compelling IAMSPE to keep the ANPD informed of its progress in implementing the data protection governance program that IAMSPE itself proposed, which must be implemented within one year.