Passed by the National Congress of Brazil in 2019, the Brazilian General Data Protection Law(Lei Geral de Protecao de Dados or LGPD) is slated to take effect in August 2020. Similar to the General Data Protection Regulation (GDPR) this legislation created a legal framework for the utilization of personal data related to or processed on individuals in Brazil regardless of where a data processor is located.
Prior to the passing of LGPD, Brazils' data protection was enforced via frameworks which included the Consumer Protection Code and Civil Rights Framework for the Internet (Internet Act). Additionally, the country has more than 35 laws that relate to privacy protection at a federal level. It is worth noting that these laws are designed more for specific industries and are not applicable on a national level.
As enterprise software in the cloud has increased from 20 percent to 27 percent since 2017, many Brazilians have much to be concerned about with data protection and cloud security.
WHO IS AFFECTED?
Similarly to GDPR, the LDPG applies to organizations, public or private, or any individual collecting or processing personal data in Brazil, regardless of location base. Additionally, it is applicable to those organizations that intend to offer services to individuals in Brazil.
DATA SUBJECT RIGHTS
When reviewing LGPD Article 18, there are nine rights data subjects have over their personal data. These rights have been expanded and should be guaranteed in an effective and accessible manner.
Those include:
-
Confirmation of the existence of processing
-
Access to data
-
Correction of inaccurate, incomplete, or out-of-date data
-
Anonymization, blocking or deleting unnecessary of excessive data that has been processed in noncompliance of LGPD
-
Portability of data to another service or provider
-
Deletion of personal data
-
Information about public or private entities with the controller has shared data
-
Information about the possibility of denying consent and the consequences of denial
-
Revocation of consent
NOT APPLICABLE
-
Data used exclusively for artistic, journalistic, academic, or literary reasons
-
Data used for national security, public safety, criminal investigation or punishment activities, and national defense
-
Data processed by an individual for personal purposes
DATA REQUIREMENTS
With findings by IBM's global survey reporting that 96 percent of Brazilians believe that companies don't do enough to protect their personal information, these new requirements could be beneficial to all in Brazil. What many have deemed as the most pressing of the new requirements is the mandatory reporting of data breach notifications.
Notifying the data protection authority becomes mandatory and performed within a timeframe considered reasonable. For organizations, there are 10 principles listed by LGPD that need to be taken into account for the processing of personal data. Those include:
-
With the consent of the data subject;
-
To comply with a legal or regulatory obligation of the controller;
-
To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
-
To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
-
To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
-
To exercise rights in judicial, administrative, or arbitration procedures;
-
To protect the life or physical safety of the data subject or a third party;
-
To protect the health, in a procedure carried out by health professionals or by health entities;
-
To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
-
To protect credit (referring to a credit score).
DIFFERENCES BETWEEN LGPD AND GPDR
Though there are many similarities between the LGPD and GDPR, there are a few differences to be noted.
REPORTING OF DATA BREACHES
Both the LGPD and GPDR require the reporting of data breaches to the local data protection authority by organizations, however, the explicit statement from the GDPR is the difference. Under GPDR, organizations must report a data breach within 72 hours of discovery, and the LGPD does not provide a firm deadline, merely stating that the security incident must be reported within a reasonable time period.
DATA PROTECTION OFFICER (DPO)
The LGPD states within article 41 that an officer shall be appointed in charge of processing data, potentially suggesting that organizations that process data of Brazilians will need a DPO. The GDPR not only requires an organization to hire a DPO but also provides an outline for when this requirement needs to occur.
FINES
Established organizations within Brazil found violating the LGPD can be fined up to 2 percent of annual turnover. There is a per violation basis, and organizations can be fined up to 50 million Real which corresponds to approximately $9 million US dollars per infraction.
WHY REAL-TIME SECURITY DETECTION MATTERS
Regardless of regulatory requirements, real-time detection and remediation can be the defining moment between security incidents and losing protected information leading to devastating financial repercussions. As a best practice for keeping data secure, the software choice for securing an organization's infrastructure should not be taken lightly. Common compliance and security goals that are relevant to organizations across every industry include:
-
Maintaining a Safe Network
-
Maintaining Vulnerability Management
-
Preventing Unauthorized Access
-
Ensuring Security Flaws are Immediately reported
-
Maintaining Integrity of Data Assets
As noted by the 2020 DBIR, personal data was involved in 58 percent of data breaches, which was almost double the percentage from 2019. Additionally in alignment with CIS Critical Security Controls, the DBIR provided a list of top controls organizations can utilize for best practices.
CIS Control 3: Continuous Vulnerability Management
Can your software help find misconfigurations and remediate code-based vulnerabilities?
Implementing with CimTrak
The CimTrak Compliance Module is a SCAP-compliant vulnerability scanning tool that can be scheduled to identify potential vulnerabilities on a user-specified interval. CimTrak can also use specific benchmarks to ensure that the most recent patches have been applied to the target operating system. Additionally, CimTrak facilitates the comparison of vulnerability scans over time, allowing a user to access if the infrastructure is improving or not during a time frame.
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, workstations, and Servers
Can your software help ensure and verify systems are configured with only the services/access needed to achieve function?
Implementing with CimTrak
CimTrak monitors systems to ensure operating systems are in a secure state, utilizing CIS Benchmarks and NIST Benchmarks to ensure systems are configured in a hardened state. With the ability to roll back and restore to a previous or correct state, the mean-time-to-restore (MTTR) can be measured in seconds. Additionally, CimTrak can be configured to monitor configurations for changes, and CimTrak can automatically remediate unauthorized configuration changes.
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
Does your software help to provide an understanding of what services and ports should be exposed on your network and limit access to those?
Implementing with CimTrak
CimTrak can be used to monitor active ports, services, and protocols and provide notification when changes to ports services and protocols occur. Additionally, CimTrak can be configured to run scans against a set of ports to endure that unauthorized ports have not been opened.
CIS Control 11: Secure Configuration for Network Devices such as firewalls, routers, and switches.
Are your configurations secure?
Implementing with CimTrak
CimTrak monitors network devices for unexpected or unauthorized changes to their configuration. Deviations are identified and documented with users being notified upon detection.
CIS Control 12: Boundary Defense
Is your software able to go beyond firewalls to include network monitoring?
Implementing with CimTrak
CimTrak can maintain an inventory of all network devices.
CIS Control 13: Data Protection
Can you control access to sensitive information by maintaining an inventory of sensitive information and limited access to authorized cloud providers?
Implementing with CimTrak
CimTrak can inventory, hash, and store critical information about all sensitive information, and custom actions can be utilized to shut down systems that experience unauthorized changes or other integrity-related anomalies.
CIS Control 16: Account Monitoring and Control
Can your software lock down user accounts across the organization to keep others from using stolen credentials?
Implementing with CimTrak
CimTrak can monitor all local, LDAD, and Active Directory accounts and users, along with their associated rights and privileges. Additionally, CimTrak's compliance module can help ensure accounts have an expiration date that is monitored and enforced, and all workstations are set to lock after a standard period of inactivity.
To learn more about how CimTrak can help with additional CIS controls for many regulatory requirements, download the solution brief for best practices.
