Skip to main content
Featured Topics
Featured Insights
View All Services
View All Industries
About Us Overview
      October 11, 2023

      Brazilian ANPD Issues Second Sanction

      Authors:
      Generate PDF
      Share

      On 6 October 2023, the Brazilian Data Protection Authority (ANPD) issued its second sanction against a public institution (see our previous alert on the first sanction). ANPD sanctioned the State Government Employee Medical Assistance Institute (Instituto de Assistência ao Servidor Público Estadual de São Paulo, IAMSPE), alleging that:

      (i) IAMSPE did not obey the ANPD’s order to report a cyber incident to all the affected data subjects (around 1,5 million) in a timely manner. Instead, the ANPD alleged that IAMSPE sent out the notification three months after becoming aware of the incident; and

      (ii) IAMSPE failed to implement security controls to protect the confidentiality of personal data (i.e., ensure that personal data is accessible only by authorized individuals) which resulted in the incident. According to the ANDP, four vulnerable points of access within IAMSPE’s website API allowed public unauthorized access to IAMSPE’s databases, however, no sensitive personal data was affected by the incident, and no unauthorized alterations were made to the databases.

      The investigation into IAMSPE was set on 15 March 2022 from a complaint filed by an individual who was able to access other individuals’ non-sensitive personal data through IAMSPE’s website, despite not having their credentials. It took more than a year for the ANPD to conclude the investigation and the subsequent administrative process and to issue a decision. This decision can still be challenged on administrative appeal grounds, and shall be handled by ANPD’s board of directors.

      No fine was issued against IAMPSE, as the General Data Protection Law (Art. 52, Section 3) does not allow fines against public entities. Therefore, IAMPSE was subject to:

      (i) a warranty ordering IAMPSE to alter, within 10 business days, its previous public cyber incident notification to affected individuals (available on IAMPSE’s website) pointing out that the following mandatory information was missing: categories of individuals and personal data affected, risks to the data subjects arising from the incident, and the reasons that led IAMPSE to only notify the incident to the ANPD weeks after becoming aware of the unauthorized access. The ANPD also set out certain precise language that they required be included in the notification; and

      (ii) another warranty compelling IAMPSE to keep the ANPD informed about the progress on implementing the data protection governance program proposed by IAMPSE which are required to be implemented within one year.

      Authors

      Related Content

      Stay Up To Date With Our Insights

      See how we use a multidisciplinary, integrated approach to meet our clients' needs.
      Subscribe

      Follow us

      © 2024 Mayer Brown

       

       

      Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website.

      “Mayer Brown” and the Mayer Brown logo are trademarks of Mayer Brown.

      Attorney Advertising. Prior results do not guarantee a similar outcome.