In recent years, ransomware attacks have become one of the biggest cyber threats to companies in Brazil and around the world. In this scenario, digital law specialist Gabriel Araújo Souto from PG Advogados explains the essential legal steps that companies and professionals should take when victims of this type of crime.
"The first mistake many companies make is acting without specialized legal advice," warns the lawyer. According to him, the rush to recover data leads many organizations to make hasty decisions that can worsen the legal situation. "Paying a ransom, for example, is not a crime in Brazil, but it must be approached with caution, as it can have ethical and legal implications," he explains.
The specialist highlights three legal measures necessary after an attack
1. Preservation of evidence- Turning off affected systems without technical guidance can destroy important evidence for investigations;
2. Notification to authoritiesThe LGPD (General Data Protection Law) requires communication to the ANPD (National Data Protection Authority) within 72 hours in the event of a personal data breach;
3. Contract analysis- It is essential to verify obligations with clients and suppliers regarding data protection.
For prevention, Souto recommends that companies include specific clauses on cybersecurity in contracts with IT suppliers; develop an incident response plan aligned with legal requirements; and conduct periodic audits to verify compliance with data protection standards.
"The legal aspect of digital security is often overlooked until it is too late. Preventive advisory can avoid not only the damages of the attack itself but also the legal consequences that can persist for years," concludes the specialist.
