
The day after a hacker attack: find out what to prioritize in your company

A security incident that ends in an intrusion is, without doubt, one of the biggest nightmares for any company today. Beyond the immediate impact on the business, there are legal and reputational consequences that can last for months or even years. In Brazil, the General Data Protection Law (LGPD) establishes a series of requirements that companies must meet after such an incident.

According to a recent report by Federasul, the Federation of Business Entities of Rio Grande do Sul, more than 40% of Brazilian companies have already been targeted by some type of cyber attack. Many of them, however, still struggle to meet the legal requirements set by the LGPD: data from the National Data Protection Authority (ANPD) indicate that only about 30% of breached companies officially reported the incident. This gap can be attributed to several factors, including lack of awareness, the complexity of compliance processes, and fear of damage to the company's reputation.

The day after the incident: first steps

Once an intrusion is confirmed, the first measure is to contain the incident so that it does not spread. This includes isolating the affected systems, cutting off unauthorized access (disabling compromised accounts, revoking sessions and rotating exposed credentials) and putting damage-control measures in place. Containment should preserve evidence wherever possible: disconnecting a host from the network or blocking it at the firewall keeps its memory and disk state intact for the forensic work that follows, whereas powering it off does not.

In parallel, the company should assemble an incident response team that includes information security specialists, IT staff, lawyers and communication advisers. This team owns the decisions of the following days, above all those that affect the continuity of the business.

For LGPD compliance, every action taken during the response must be documented, with who did what and when. This record is the evidence that the company acted in accordance with the law and may be requested in audits or investigations by the ANPD.

In the first days, the response team should carry out a detailed forensic analysis to identify the origin of the breach, the method the attackers used and the extent of the compromise. This is vital not only to understand the technical side of the attack but also to collect the evidence needed to report the incident to the authorities and, if the company holds cyber insurance, to the insurer.

One point deserves emphasis: forensic analysis also serves to determine whether the attackers still have a foothold in the company's network. This is unfortunately common, and all the more likely when the company is being extorted after the incident with threats to release data the criminals claim to have stolen. Typical signs are accounts created or elevated after containment, logins from unfamiliar sources, new scheduled tasks or services, and remote-access tools the company never deployed.
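The check described above, whether anyone is still active after containment, can be run over the authentication logs the forensic team has collected. The script below is an added example written for this article, not code from the original page or from any tool it mentions. The containment time, the re-entry allowlist of approved accounts and source addresses, and every host name, address and log line are constructed for the illustration; in practice the log text would come from the SIEM or from the hosts themselves and the allowlist from the response plan.

```python
"""Post-containment hunt over authentication logs.

Added example: after containment, flag activity that suggests an intruder
kept or regained access. Every host name, address, account, timestamp and
log line below is constructed for this illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set

# Moment the response team declared containment (assumed value).
CONTAINMENT_AT = datetime(2024, 5, 10, 14, 0, tzinfo=timezone.utc)

# Accounts and source addresses approved for re-entry after containment
# (hypothetical allowlist; in practice this comes from the response plan).
APPROVED_ACCOUNTS = {"ir-admin", "svc-backup"}
APPROVED_SOURCES = {"10.20.0.5", "10.20.0.6"}

# Constructed syslog-style lines with ISO 8601 UTC timestamps.
SAMPLE_LOG = """\
2024-05-10T13:55:02Z web01 sshd[1201]: Accepted publickey for deploy from 10.20.0.5 port 50112
2024-05-10T14:10:44Z web01 sshd[1302]: Accepted password for backup from 203.0.113.77 port 42011
2024-05-10T14:11:03Z web01 useradd[1310]: new user: name=sysupd, UID=1007, GID=1007, home=/home/sysupd
2024-05-10T14:12:30Z web01 sshd[1322]: Accepted publickey for ir-admin from 10.20.0.6 port 50120
2024-05-10T14:20:15Z db01 sshd[2210]: Accepted publickey for sysupd from 203.0.113.77 port 42050
2024-05-10T14:25:00Z db01 sudo:   sysupd : TTY=pts/0 ; PWD=/home/sysupd ; USER=root ; COMMAND=/usr/bin/crontab -e
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
USERADD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) useradd\[\d+\]: new user: name=(?P<user>[^,]+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"
)


@dataclass
class Finding:
    time: datetime
    host: str
    kind: str
    detail: str


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(log_text: str, containment_at: datetime,
         approved_accounts: Set[str], approved_sources: Set[str]) -> List[Finding]:
    """Return suspicious post-containment events in log order."""
    findings: List[Finding] = []
    created_accounts: Set[str] = set()
    for line in log_text.splitlines():
        for kind, regex in (("login", LOGIN_RE), ("useradd", USERADD_RE), ("sudo", SUDO_RE)):
            m = regex.match(line)
            if m:
                break
        else:
            continue  # not one of the event types this hunt cares about
        ts = parse_ts(m.group("ts"))
        if ts < containment_at:
            continue  # pre-containment activity belongs to the main forensic timeline
        host, user = m.group("host"), m.group("user")
        if kind == "useradd":
            # Any account created after containment is a persistence candidate.
            created_accounts.add(user)
            findings.append(Finding(ts, host, "account_created", user))
        elif kind == "login":
            src = m.group("src")
            # Only approved accounts from approved addresses may log in now.
            if user not in approved_accounts or src not in approved_sources:
                findings.append(Finding(ts, host, "unapproved_login", f"{user} from {src}"))
        elif kind == "sudo" and (user in created_accounts or user not in approved_accounts):
            # Privilege use by an unapproved or freshly created account.
            findings.append(Finding(ts, host, "privileged_command", f"{user}: {m.group('cmd')}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, CONTAINMENT_AT, APPROVED_ACCOUNTS, APPROVED_SOURCES):
        print(f"{f.time.isoformat()} {f.host:6} {f.kind:18} {f.detail}")
```

On the constructed sample the hunt reports four events: a password login by an unapproved account from an outside address, the creation of a new account on the same host a few seconds later, a login by that new account on a second host from the same outside address, and finally that account editing root's crontab. Each finding feeds straight back into containment (disable the account, block the address, inspect the crontab) and into the evidence record the notification report will draw on.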

Furthermore, article 48 of the LGPD requires the data controller to notify the National Data Protection Authority (ANPD) and the affected data subjects of any security incident that may cause risk or relevant harm to those subjects. The notification must be made within a reasonable period, as defined by ANPD regulation, and must at least describe the nature of the affected personal data, identify the data subjects involved, indicate the technical and security measures used to protect the data, set out the risks arising from the incident, give the reasons for any delay if the notification was not immediate, and state the measures that have been or will be taken to reverse or mitigate the damage.

Given this requirement, a detailed report covering everything the LGPD asks for should be prepared as soon as the initial analysis is complete. Here, too, forensic analysis is decisive: it establishes whether data was actually exfiltrated and whether the volume and type of data match what the criminals may be claiming to hold.

This report must be reviewed by compliance staff and the company's lawyers before it is submitted to the ANPD. The law also requires clear and transparent communication with the affected data subjects, explaining what happened, the measures taken and the next steps to protect their personal data.

Transparency and effective communication are fundamental pillars of incident management. Management must keep internal and external teams informed throughout, so that everyone involved knows the progress of the response and the next steps.

Reviewing security policies is a necessary step

Alongside communication with stakeholders, the company should begin assessing and revising its security policies and practices. This means re-examining every security control and every access right, and treating privileged credentials as compromised: they should be rotated, since the attackers may well have captured them. Additional measures to prevent a repeat of the incident follow from this assessment.

In parallel with the review of affected systems and processes, the company should work on recovery and the restoration of operations. This involves cleaning, or preferably rebuilding from known-good images, every affected system, applying security patches, restoring from backups that predate the compromise and have been checked for tampering, and revalidating access controls. No system should return to production before it has been confirmed secure.

Once the systems are operational again, a post-incident review must be conducted to identify lessons learned and areas for improvement. This review should involve all relevant parties and result in a final report that highlights the causes of the incident, the measures taken, the impacts, and the recommendations to improve the company's security posture in the future.

In addition to technical and organizational actions, managing a security incident requires a proactive approach to governance and security culture. This includes implementing a continuous cybersecurity improvement program and promoting a corporate culture that values security and privacy.

The response to a security incident requires a set of coordinated and well-planned actions, aligned with the requirements of LGPD. From initial containment and stakeholder communication to system recovery and post-incident review, each step is essential to minimize negative impacts and ensure legal compliance. More than that, it is necessary to face the failures head-on and correct them – above all, an incident should elevate the company's cybersecurity strategy to a new level.

E-Commerce Update
https://www.ecommerceupdate.org