The occurrence of a security incident resulting from a hacker attack is undoubtedly one of the biggest nightmares for any company today. Beyond the immediate business impact, there are legal and reputational implications that can last for months or even years. In Brazil, the General Data Protection Law (LGPD) establishes a series of requirements that companies must follow after such incidents occur.
According to a recent report by Federasul – the Federation of Business Entities of Rio Grande do Sul – over 40% of Brazilian companies have already been targeted by some type of cyberattack. However, many of these companies still face difficulties in complying with the legal requirements established by the LGPD. Data from the National Data Protection Authority (ANPD) reveals that only about 30% of hacked companies officially reported the incident. This discrepancy can be attributed to various factors, including lack of awareness, compliance process complexity, and fear of negative reputational consequences for the company.
The day after the incident: first steps
After confirming a hacker attack, the first step is to contain the incident to prevent its spread. This includes isolating affected systems, stopping unauthorized access, and implementing damage control measures.
In parallel, it is important to assemble an incident response team, which should include information security experts, IT professionals, lawyers, and communication consultants. This team will be responsible for a series of critical decisions—particularly those involving business continuity in the following days.
Regarding LGPD compliance, all actions taken during the incident response must be documented. This documentation will serve as evidence that the company acted in accordance with legal requirements and may be used in potential audits or investigations by the ANPD.
In the first few days, the response team must conduct a detailed forensic analysis to identify the origin of the attack, the method used by the hackers, and the extent of the compromise. This process is vital not only for understanding the technical aspects of the attack but also for gathering evidence that will be necessary to report the incident to the competent authorities and the insurance company—if the company has cyber insurance.
One point deserves emphasis: forensic analysis also helps determine whether the attackers still have a foothold inside the company's network. Unfortunately this is very common, especially when the company is being financially extorted over the release of data the criminals may have stolen.
Additionally, the LGPD, under Article 48, requires data controllers to notify the National Data Protection Authority (ANPD) and affected data subjects about security incidents that may result in relevant risk or harm to them. This notification must be made within a reasonable timeframe, as per ANPD regulations, and must include information about the nature of the affected data, the data subjects involved, the technical and security measures used to protect the data, the risks related to the incident, and the measures taken or to be taken to reverse or mitigate the damage.
Based on this legal requirement, it is essential, shortly after the initial analysis, to prepare a detailed report containing all the information the LGPD calls for. Here, too, forensic analysis helps determine whether data was actually extracted and stolen, and whether what was taken matches what the criminals may be claiming.
This report should be reviewed by compliance professionals and the company’s lawyers before being submitted to the ANPD. The legislation also mandates that the company clearly and transparently communicate with affected data subjects, explaining what happened, the measures taken, and the next steps to ensure personal data protection.
Transparency and effective communication, in fact, are fundamental pillars during security incident management. Management must maintain constant communication with internal and external teams, ensuring that all stakeholders are informed about the progress of actions and next steps.
Reviewing security policies is a necessary action
In parallel with stakeholder communication, the company must begin evaluating and revising its security policies and practices. This includes reassessing all security controls, access permissions, high-privilege credentials, as well as implementing additional measures to prevent future incidents.
Alongside reviewing and analyzing affected systems and processes, the company must also focus on system recovery and restoring operations. This involves cleaning all affected systems, applying security patches, restoring backups, and revalidating access controls. It is essential to ensure systems are completely secure before bringing them back into operation.
Once systems are operational again, a post-incident review must be conducted to identify lessons learned and areas for improvement. This review should involve all relevant parties and result in a final report highlighting the causes of the incident, the measures taken, the impacts, and recommendations to improve the company’s security posture in the future.
Beyond technical and organizational actions, managing a security incident requires a proactive approach to governance and security culture. This includes implementing a continuous cybersecurity improvement program and fostering a corporate culture that values security and privacy.
Responding to a security incident requires a set of coordinated and well-planned actions aligned with LGPD requirements. From initial containment and stakeholder communication to system recovery and post-incident review, each step is essential to minimize negative impacts and ensure legal compliance. More than that, it is necessary to confront failures and correct them—above all, an incident should elevate the company’s cybersecurity strategy to a new level.