In recent years, ransomware attacks have become one of the biggest cyber threats for companies in Brazil and worldwide. In light of this scenario, lawyer Gabriel Araújo Souto, a digital law specialist at the firm PG Lawyers, explains the essential legal steps that companies and professionals should take when they are victims of this type of crime.
The first mistake many companies make is acting without specialized legal advice, the lawyer warns. According to him, the rush to recover data leads many organizations to make hasty decisions that can worsen their legal situation. Paying the ransom, for example, is not a crime in Brazil, but it must be analyzed with caution, as it may have ethical and legal implications, he explains.
The specialist highlights three legal measures necessary after an attack:
1. Preservation of evidence – Turning off affected systems without technical guidance can destroy important evidence for investigations.
2. Notification to authorities – The LGPD (Lei Geral de Proteção de Dados Pessoais) requires notification to the ANPD (Autoridade Nacional de Proteção de Dados) within 72 hours when there is a leak of personal data.
3. Contract analysis – It is essential to verify obligations with clients and suppliers regarding data protection.
For prevention, Souto recommends that companies include specific cybersecurity clauses in contracts with IT suppliers; develop an incident response plan aligned with legal requirements; and carry out periodic audits to verify compliance with data protection regulations.
The legal aspect of digital security is often overlooked until it is too late. Preventive advice can avoid not only the damage from the attack itself, but also the legal consequences that may persist for years, the expert concluded.