The Brazilian General Data Protection Law (“LGPD”), enacted in 2018, regulates the processing of personal data. LGPD establishes ways for data subjects to control their own personal data and sets out how the agents handling that data must protect and secure it: LGPD requires those agents to invest in information security to protect personal data.

The world is constantly changing, and the use of data follows this trend. During the pandemic, when people needed to stay home, data consumption increased, including the consumption of personal data (especially given the growing relevance of e-commerce). Much more data is expected to be consumed in 2023, considering the rollout of 5G technology and the expansion of artificial intelligence. As more data is consumed, the risk of cyber-attacks also increases.

According to security firm ESET[1], cyber-attacks increased by 700% during the pandemic compared to 2019. As for the health-related sector, according to the Check Point Software Technologies report “Cyber Security Report 2022”[2], the weekly average of attacks rose 71% in 2021, making it the sector with the fifth-highest weekly average of attacks, at 830 events. From 2019 to 2020, the increase was 45%.

The main threat is ransomware, an attack in which data is hijacked and the “kidnapped” data is released only after a “ransom” is paid. This kind of attack is particularly critical in the life sciences industry, since it can disrupt an institution's systems and thus its ability to provide adequate diagnostics, treatment and care, which may put patients’ lives at risk. Malicious groups have been targeting this industry on the assumption that institutions are more willing to pay a ransom than to suffer the impacts of a cyber incident of this scale.

Digital health (health data formerly kept on paper and now completely digitized) is gaining relevance by the day within the life sciences industry in general. In 2022, (1) the Brazilian Government enacted rules to regulate and operationalize the digitization of the Brazilian Unified Health System (“SUS”), and (2) the Federal Medicine Council approved and regulated telemedicine. In October 2022, the State of São Paulo obtained BRL 847.4 million from the Inter-American Development Bank to regulate and operationalize telemedicine in the State’s programs under SUS. These are just some examples of the ongoing digitization of health, showing that the era of paper files is practically over.

However, Brazilian health-related companies and entities are showing some technological frailties: because personal data is now available on the internet, it attracts more and more cyber-attacks. One can only imagine the resulting chaos if an attack on the public health service halted the registration system for the national immunization program, if an intrusion into a hospital system disrupted patients’ treatment, or if health data were leaked. To avoid these and other situations, LGPD sets forth general requirements for information security controls which, in addition to protecting personal data, require companies to adopt data protection measures preemptively.

LGPD is also relevant to Brazil's aspiration to join the Organisation for Economic Co-operation and Development (OECD). The OECD is a select group of developed countries that promote economic and social development initiatives among themselves. Brazil has long aspired to join this group and began its accession process years ago. However, to join the OECD, a country must comply with several requirements, including having a fully operational personal data protection law.

In February 2022, the Brazilian Federal Constitution was amended by Amendment 115/2022 to include data protection as a fundamental right. This means that the LGPD is overseen solely by the federal government, which must prioritize data protection regardless of the political party or ideology in power. Indirectly, it also means that information security has become a constitutional command.

For all of the above, 2023 has every chance of being the year of data protection in Brazil.