A company is considered small by BNDES (Brazilian Development Bank) standards with an annual gross revenue of up to R$ 16 million. A medium-sized company is one with an annual gross revenue of up to R$ 90 million, and from that point, those with a gross revenue of up to R$ 300 million will be considered medium-large. Above this, BNDES considers the company as large. A potential fine for non-compliance with the personal data protection law in this case would be as follows:
| Company Classificationsa | Maximum Fine |
| Small | R$ 212.000,00 |
| Medium | R$ 1.800.000,00 |
| Medium-Large | R$ 6.000.000,00 |
| Large | R$ 50.000.000,00 |
Now let’s turn our attention to the deep web, where the underworld of organized crime reigns. A growing trend in internet crimes is extortion using stolen data from a company.
The system of a particular institution is hacked, where customer data is copied and after some time, the criminal contacts the security officials as well as the company’s partners to inform them about their systems and the vulnerabilities in their structure that allowed certain sensitive information to be copied.
As proof, the malicious hacker (yes, originally all hackers were supposed to be good) sends some stolen data to the partners to prove their skills and even suggests some ways to correct the vulnerability so that new attacks do not occur.
As a reward for the “service provided,” the criminal requests that the institution remunerate the hacker with a transfer of bitcoins (a traceable virtual currency, but not identifiable) to a specific wallet.
Generally, this type of extortion tends to cost between 3 to 10 bitcoins, depending on the size of the company. With each new interaction with the institution, the criminal increases their cost and begins to threaten to auction the copied data on the deep web, if the transfer to their wallet is not made within the stipulated deadline.
Similar practices occurred with large companies, as reported by the press, some financial institutions, marketplaces, and other major market players, in addition to several others that ended up yielding to the pressure of cybercriminals by paying the ransom in bitcoin and thus having their name preserved.
Given that 1 bitcoin today (April 30, 2019) is quoted at R$ 20,787.17, we are talking about these extortion crimes requesting in exchange for not disclosing the data on the internet something between R$ 60,000.00 to R$ 210,000.00.
With the approval of the general law for the protection of personal data, we can conclude that the value of the ransom in bitcoins is infinitely smaller than the fine of 2% that the institution should pay in case of a data leak. And of course, in addition to the fine and headaches with the government, the entrepreneur will have a huge cost in relation to their image, because much more than fines, the cost of a company with a tarnished image is greater than any other existing, leading to a possible bankruptcy depending on the size of the incident.
The Brazilian GDPR is practically a free pass to cybercriminals. Meanwhile, entrepreneurs, from small to large, will need to adapt to not have their image exposed or live in the hands of virtual blackmailers. This is where the demand for security professionals will explode.
Firstly, structures and applications will need to be evaluated in a possible intrusion test. If they present any vulnerabilities (and believe me, they will), they will need to be corrected through risk mitigation in equipment, operating systems, renewal of security policies, and why not in the correction and modernization of applications, mobilizing programmers and system analysts of various languages from Cobol to the most modern ones.
For cases of leaked data, many companies will need computer forensic experts to document how the leak actually occurred, whether there was a security failure due to human error, equipment, or even the involvement of employees or service providers facilitating the work of criminals. Technical reports will be of utmost importance to explain the details and mitigate the applied fines.
Not to mention that the regulatory body of Law 13.709/18 – the ANPD – will eventually need experts to assess the severity of each case of leakage investigated, not to mention the support for DPOs (Data Protection Officer), a professional responsible for advising and verifying if such companies are obeying the LGPD when processing and treating personal data of third parties. In Europe, small and medium-sized companies are already showing difficulties in technically adapting to ensure data privacy, leading the government to create a fund to help these companies. I highly doubt that this will happen in Brazil, given that the bill is always presented to the entrepreneur in this country, therefore, both large security companies and autonomous professionals will be sought after to help in this true avalanche of demand for pentesters and experts, in addition to security managers, auditors, and blue team personnel.
