Digital data kidnapping is a major threat to companies

In recent years, ransomware attacks have become one of the biggest cyber threats for companies in Brazil and around the world. Against this backdrop, Gabriel Araújo Souto, a lawyer specializing in digital law at the firm PG Advogados, explains the essential legal steps that companies and professionals should take when they fall victim to this type of crime.

“The first mistake that many companies make is to act without specialized legal advice”, warns the lawyer. According to him, the rush to recover the data leads many organizations to make hasty decisions that can aggravate the legal situation. “Ransom payment, for example, is not a crime in Brazil, but it needs to be analyzed with caution, as it can bring ethical and legal implications”, he explains.

The expert highlights three necessary legal measures after an attack:

1. Preservation of evidence – Turning off the affected systems without technical guidance can destroy important evidence for investigations;

2. Notification to the authorities – The LGPD (General Law for the Protection of Personal Data) requires communication to the ANPD (National Data Protection Authority) within 72 hours when there is a leak of personal data;

3. Contractual analysis – It is essential to verify obligations with customers and suppliers on data protection.

For prevention, Souto recommends that companies include specific cybersecurity clauses in contracts with IT providers, develop an incident response plan in line with legal requirements, and carry out periodic audits to verify compliance with data protection standards.

“The legal aspect of digital security is often neglected until it is too late. Preventive advice can avoid not only the damage from the attack itself, but also the legal consequences that can persist for years”, concludes the expert.