In recent years, ransomware attacks have become one of the biggest cyber threats to companies in Brazil and worldwide. Against this backdrop, digital law expert Gabriel Araújo Souto of PG Advogados explains the essential legal steps that companies and professionals should take when they fall victim to this type of crime.
“The first mistake many companies make is acting without specialized legal advice,” warns the lawyer. According to him, the rush to recover data leads many organizations to make hasty decisions that can worsen the legal situation. “Paying ransom, for example, is not a crime in Brazil, but it needs to be analyzed carefully, as it can bring ethical and legal implications,” he explains.
The expert highlights three necessary legal measures after an attack:
1. Preservation of evidence – Turning off affected systems without technical guidance can destroy important evidence for investigations;
2. Notification to authorities – The LGPD (General Data Protection Law) requires communication to the ANPD (National Data Protection Authority) within 72 hours when there is a personal data breach;
3. Contractual review – It is essential to verify obligations with clients and suppliers regarding data protection.
For prevention, Souto recommends that companies include specific clauses about cybersecurity in contracts with IT suppliers; develop an incident response plan aligned with legal requirements; and conduct periodic audits to verify compliance with data protection regulations.
“The legal aspect of digital security is often neglected until it’s too late. Preventive advice can not only avoid the damages of the attack itself but also the legal consequences that can persist for years,” concludes the expert.