Ransomware attacks are increasingly frequent and represent one of the greatest threats to companies. In addition to paralyzing operations, these attacks can cause leaks of sensitive data, resulting in financial losses and reputational damage. When client information is compromised, an important question arises: What is the company’s responsibility for this data? This article explores the legal implications of leaks caused by ransomware, providing real-life examples and detailed explanations.
What Is a Ransomware Attack?
A ransomware attack occurs when criminals invade a company’s systems, block access to data, and demand payment (usually in cryptocurrencies) to release the information. In most cases, the data is also stolen before being encrypted, allowing criminals to threaten to disclose it if the ransom is not paid.
Real Cases in Brazil:
- Angra dos Reis City Hall (2021): The city’s IT system was paralyzed by a ransomware attack that encrypted essential data, such as taxpayer records and payroll information. Confidential information was stolen, and some of it was reportedly leaked online.
- Medical Clinics in São Paulo (2023): Patient data, including medical records and diagnoses, was leaked after a ransomware attack. Some clinics faced lawsuits for failing to adequately protect their clients’ data.
Civil Liability of Companies for Data Leaks:
According to the General Data Protection Law (LGPD), companies are responsible for protecting the personal information of clients and employees. This means that even in cases of cyberattacks, the company may be held accountable if it cannot prove that reasonable measures were taken to ensure data security.
What Does the LGPD Say?
- Article 42: States that the data controller (company) may be held liable for damages caused to data subjects, even in external attacks, if negligence in implementing protection measures is proven.
- Fines and Sanctions: The LGPD provides for fines of up to 2% of the company’s revenue, limited to BRL 50 million per infraction, in addition to other penalties, such as the suspension of data processing activities.
What Must a Company Demonstrate to Avoid Liability?
To avoid being deemed responsible in cases of data leaks caused by ransomware, the company must demonstrate that:
- Adequate Security Measures Were Adopted: This includes firewalls, backups, multi-factor authentication, and constant monitoring.
- Employees Were Trained: Trained staff are less likely to fall for traps such as phishing (fraudulent emails designed to steal credentials).
- Clients and Authorities Were Notified: According to the LGPD, the company must notify the National Data Protection Authority (ANPD) and data subjects about the incident within 72 hours of identification.
💡 STWBRASIL Tip: Solutions like Box Security, DLP (Data Loss Prevention), Vulnerability Analysis (constant monitoring), and Annual Pentest (digital resistance testing) are essential to prevent leaks and ensure LGPD compliance. Additionally, STWBRASIL offers Digital Forensics to identify flaws and preserve evidence after attacks. Contact our team.
Examples of Liability in Ransomware Attacks:
- When the Company Is Responsible:
  - Negligence in Data Protection: Outdated systems or a lack of backups may be treated as negligence.
  - Failure to Notify: Failing to communicate leaks to clients promptly can worsen penalties.
- When the Company May Be Exempt:
  - Robust Measures Adopted: If the company implemented effective security policies, such as regular audits and data protection solutions, it may argue that the attack was unpredictable and unavoidable.
  - Cooperation with Authorities: Prompt collaboration with the ANPD and affected clients demonstrates good faith and can reduce sanctions.
How to Protect Your Company Against Ransomware Attacks:
Prevention is the best strategy to minimize civil liability risks and protect your company and clients’ data. Here are some essential measures:
- Security Audits:
  - Conduct regular audits to identify vulnerabilities in the systems.
  - 💡 STWBRASIL Solution: We offer detailed audits and Pentest services (penetration testing) to assess your company’s system resilience.
- Backup and Data Recovery:
  - Maintain encrypted and updated backups in secure locations, ensuring data can be recovered without paying criminals.
- Continuous Training:
  - Train employees to recognize phishing and social engineering attempts.
  - 💡 STWBRASIL Training: We simulate real attacks to train teams and prepare companies to respond to threats.
- Implementation of Protection Tools:
  - Use robust technological solutions to protect your data:
    - Box Security: Protects your infrastructure against intrusions, offering access control, VPN, and content filtering.
    - DLP: Monitors data movement and prevents sensitive information from being shared inappropriately.
Conclusion: Responsibility Requires Prevention and Quick Response
Civil liability for data leaks in ransomware attacks is real and significant. Companies must adopt robust preventive measures and be prepared to respond quickly to incidents, protecting both data and their reputation.