
The day after a hacker attack: find out what to prioritize in your company

The occurrence of a security incident that results in a hacker invasion is, without a doubt, one of the biggest nightmares for any company today. Besides the immediate impact on the business, there are legal and reputational implications that can last for months or even years. In Brazil, the General Data Protection Law (LGPD) establishes a series of requirements that companies must follow after such incidents occur.

According to a recent report from Federasul (Federation of Business Entities of Rio Grande do Sul), more than 40% of Brazilian companies have already been targeted by some type of cyber attack. However, many of these companies still face difficulties in meeting the legal requirements established by the LGPD. Data from the National Data Protection Authority (ANPD) reveals that only about 30% of the companies that were hacked officially reported the occurrence of the incident. This discrepancy can be attributed to various factors, including lack of awareness, the complexity of compliance processes and fear of negative repercussions for the company's reputation.

The day after the incident: first steps

After a hacker invasion is confirmed, the first measure is to contain the incident to prevent its spread. This includes isolating the affected systems, interrupting unauthorized access and implementing damage control measures.

In parallel, it is important to assemble an incident response team, which should include information security specialists, IT professionals, lawyers and communication consultants. This team will be responsible for a series of decisions, mainly those involving the continuity of the business over the following days.

In terms of compliance with the LGPD, it is necessary to document all actions taken during the incident response. This documentation will serve as evidence that the company acted in accordance with legal requirements and may be used in potential audits or investigations by the ANPD.

In the first days, the response team must conduct a detailed forensic analysis to identify the source of the breach, the method used by the hackers and the extent of the compromise. This process is vital not only for understanding the technical aspects of the attack, but also for collecting the evidence that will be needed to report the incident to the competent authorities and to the insurance company, if the company has taken out cyber insurance.

There is a very important aspect here: forensic analysis also serves to determine whether the attackers are still inside the company's network, a situation that, unfortunately, is very common, all the more so when, after the incident, the company is being subjected to some form of financial blackmail over the release of data that the criminals may have stolen.
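The documentation requirement described above (every action taken during the response must be recorded and may later be produced for an ANPD audit) is easier to defend when the record itself is tamper-evident. The following is an added illustration, not code from the article or its publisher: a minimal hash-chained action log in which each entry's SHA-256 covers the previous entry's hash, so that a later edit, insertion or deletion of any entry is detectable at verification time. The incident id, actor names and timestamps are constructed placeholders.

```python
"""Hash-chained incident response action log (added example, not the article's code).

Each entry records who did what and when. Its hash also covers the previous
entry's hash, so editing or removing an earlier entry breaks the chain and
verify() reports the first inconsistent position.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class IncidentLog:
    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: List[Dict] = []

    def record(self, actor: str, action: str, detail: str,
               when: Optional[datetime] = None) -> dict:
        """Append one action; the entry is sealed with the chain hash."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "incident_id": self.incident_id,
            "timestamp": when.isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev_hash": prev,
        }
        body["hash"] = _entry_hash(prev, body)
        self.entries.append(body)
        return body

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, first bad index)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if (e["prev_hash"] != prev or e["seq"] != i
                    or _entry_hash(prev, body) != e["hash"]):
                return False, i
            prev = e["hash"]
        return True, -1


def build_sample_log() -> IncidentLog:
    # Constructed sample entries; the incident id, hosts and actors are placeholders.
    log = IncidentLog("INC-EXAMPLE-0001")
    t0 = datetime(2024, 1, 10, 8, 15, tzinfo=timezone.utc)
    log.record("soc-analyst", "containment", "isolated host FILESRV01 from the network", t0)
    log.record("it-ops", "credential_reset", "rotated all domain admin passwords", t0.replace(minute=40))
    log.record("legal", "notification", "draft ANPD notification prepared", t0.replace(hour=11))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    sample.entries[1]["detail"] = "edited after the fact"
    print("after tampering:", sample.verify())
```

In practice the sealed entries would be written append-only to storage the response team cannot silently rewrite (or the latest hash periodically sent to a third party), so the chain head can be compared against an independent copy when the report is reviewed by compliance and legal.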

Furthermore, article 48 of the LGPD requires the data controller to inform the National Data Protection Authority (ANPD) and the affected data subjects of the occurrence of a security incident that may cause risk or significant harm to the data subjects. This communication must be made within a reasonable time, according to the specific regulations of the ANPD, and must include information about the nature of the affected data, the parties involved, the technical and security measures used to protect the data, the risks related to the incident and the measures that have been or will be taken to reverse or mitigate the effects of the damage.

Given this legal requirement, it is essential to prepare, shortly after the initial analysis, a detailed report containing all the information required by the LGPD. Here, forensic analysis also helps to determine whether data was in fact extracted and stolen, and to what extent, as against whatever the criminals may be claiming.

This report must be reviewed by compliance professionals and the company's lawyers before being submitted to the ANPD. The legislation also requires the company to provide clear and transparent communication to the affected data subjects, explaining what happened, the measures taken and the next steps to ensure the protection of personal data.

Transparency and effective communication are, incidentally, fundamental pillars during the management of a security incident. Management must maintain constant communication with internal and external teams, ensuring that all parties involved are informed about the progress of actions and the next steps.

Evaluation of security policies is a necessary action

In parallel with communication with stakeholders, the company should initiate a process of evaluation and review of its security policies and practices. This includes the reassessment of all security controls, accesses and highly privileged credentials, as well as the implementation of additional measures to prevent future incidents.

In parallel with the review and analysis of affected systems and processes, the company should also focus on recovering systems and restoring operations. This involves cleaning all affected systems, applying security patches, restoring backups and revalidating access controls. It is essential to ensure that the systems are completely secure before they are put back into operation.
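Two of the checks implied above (confirming that the attackers are no longer inside after containment, and revalidating highly privileged credentials before systems return to service) can be expressed as simple detection logic over the evidence the team already holds. The block below is an added example, not code from the article: it parses constructed authentication log lines (the format, hosts, users and addresses are all placeholders) and reports successful logins to a host after that host was isolated, plus privileged accounts whose credentials were last rotated before the incident began.

```python
"""Added example (not from the article): pre-recovery checks over constructed data.

1. A successful login to an isolated host after its isolation time means
   containment did not hold, or the intruder still has a foothold.
2. A privileged account whose credential predates the incident must be
   rotated before its access is re-enabled.
"""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed: assumed start of the incident (placeholder value).
INCIDENT_START = datetime(2024, 1, 10, 3, 0, tzinfo=timezone.utc)

# Constructed: host -> time it was isolated by the response team.
ISOLATED_AT: Dict[str, datetime] = {
    "FILESRV01": datetime(2024, 1, 10, 8, 15, tzinfo=timezone.utc),
    "DC01": datetime(2024, 1, 10, 8, 30, tzinfo=timezone.utc),
}

# Constructed privileged-account inventory with last credential rotation.
PRIVILEGED_ACCOUNTS = [
    {"user": "svc_backup", "last_rotated": datetime(2023, 6, 1, tzinfo=timezone.utc)},
    {"user": "admin_jane", "last_rotated": datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)},
    {"user": "svc_sql", "last_rotated": datetime(2023, 11, 20, tzinfo=timezone.utc)},
]

# Constructed auth log, one event per line:
# "<ISO-8601 timestamp> <host> <user> <SUCCESS|FAILURE> <source ip>"
SAMPLE_AUTH_LOG = """\
2024-01-10T08:10:00Z FILESRV01 admin_jane SUCCESS 10.0.5.20
2024-01-10T08:50:00Z FILESRV01 svc_backup SUCCESS 10.0.9.77
2024-01-10T09:05:00Z DC01 svc_sql FAILURE 10.0.9.77
2024-01-10T09:06:00Z DC01 svc_sql SUCCESS 10.0.9.77
2024-01-10T09:30:00Z WEB02 admin_jane SUCCESS 10.0.5.20
"""


def parse_auth_log(text: str) -> List[dict]:
    """Parse the constructed log format into event dicts with aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, result, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "result": result, "src": src,
        })
    return events


def logins_after_isolation(events: List[dict], isolated_at: Dict[str, datetime]) -> List[dict]:
    """Successful logins on an isolated host that occurred after its isolation."""
    hits = []
    for e in events:
        cutoff = isolated_at.get(e["host"])
        if cutoff is not None and e["result"] == "SUCCESS" and e["ts"] > cutoff:
            hits.append(e)
    return hits


def accounts_needing_rotation(accounts: List[dict], incident_start: datetime) -> List[str]:
    """Privileged accounts whose credential was not rotated since the incident began."""
    return sorted(a["user"] for a in accounts if a["last_rotated"] < incident_start)


def run_checks() -> dict:
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    return {
        "post_isolation_logins": [
            (e["host"], e["user"], e["src"]) for e in logins_after_isolation(events, ISOLATED_AT)
        ],
        "rotate_before_reenable": accounts_needing_rotation(PRIVILEGED_ACCOUNTS, INCIDENT_START),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On the constructed data both flagged logins come from the same source address, which is exactly the kind of lead the forensic analysis should follow before any isolated host is reconnected; the rotation list, in turn, feeds the credential revalidation step that precedes putting systems back into operation.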

Once the systems are operational again, it is necessary to conduct a post-incident review to identify lessons learned and areas for improvement. This review should involve all relevant parties and result in a final report that highlights the causes of the incident, the measures taken, the impacts and recommendations to improve the company's security posture in the future.

In addition to technical and organizational actions, the management of a security incident requires a proactive approach to governance and security culture. This includes the implementation of a continuous cybersecurity improvement program and the promotion of a corporate culture that values security and privacy.

The response to a security incident requires a set of coordinated and well-planned actions, aligned with the requirements of the LGPD. From the initial containment and communication with stakeholders to system recovery and post-incident review, each step is essential to minimize negative impacts and ensure legal compliance. More than that, it is necessary to face the flaws and correct them; above all, an incident should elevate the company's cybersecurity strategy to a new level.

E-Commerce Update
E-Commerce Update is a leading company in the Brazilian market, specialized in producing and disseminating high-quality content about the e-commerce sector.