The Brazilian Internet Association (Abranet) has forwarded to the National Data Protection Authority (ANPD) its contributions to the public consultation (tomada de subsídios) on regulating some topics of the General Personal Data Protection Law (LGPD). In the document, delivered last Wednesday, the 24th, the entity proposes that security incidents be divided into three levels according to their risk and potential for damage. It also points out which cases should be exempt from mandatory notification, among other suggestions.
For Abranet, notification to the ANPD and to data subjects would be mandatory only for incidents considered to be of high relevance. An incident would fall into this category if it makes it possible to identify the data subjects (for example, through name, CPF, RG and address); or involves sensitive data that is not masked and that can be associated with its subjects (both regardless of the percentage of the controller's database affected); or involves information corresponding to more than 50% of the database.
Low and medium relevance cases would be exempt from notification. As low relevance, it proposes: incidents whose data, taken separately, do not allow the identification of the data subjects; masked or encrypted data; and data corresponding to 30% or less of the controller's database. Medium relevance: incidents that do not allow the identification of the data subject and whose data correspond to between 30% and 50% of the database.
In the document, Abranet also proposes that a security incident not be considered relevant in cases of phishing or password sharing, since care with access credentials is the responsibility of the data subject and not of the controller. The same would apply if the data subject uses the same credential for several services or products and a leak occurs.
Another important point concerns the distinction between risk and damage. “In order to be considered damage to the data subject, it is necessary that material or moral damage has in fact occurred to the data subject. As long as no damage actually occurs, it would be classified as a risk,” says the proposal. As an example, it cites: “In case of leakage of the name, CPF and RG of the holder, the incident will fall into the risk category until the holder is affected, as, for example, with the attempt or realization of financial fraud and/or identity theft.”
Abranet also suggests some established methodologies for measuring and assessing risks and damages: ISO 27001, CERTs, CSIRTs, FIRST, IRM, FAIR and OCTAVE. Regarding the deadline for notification, the proposal is that it be made within up to five days, both to the ANPD and to the data subjects. Whenever possible, the incident should be reported directly to the data subject, except for incidents involving data from millions of users, in which case the communication could be public.
See the original post at: https://www.cisoadvisor.com.br/abranet-defende-que-incidente-so-seja-notificado-em-casos-de-alta-relevancia/?rand=59039