New BCB Resolution No. 342, of September 26, 2023, expanded the duty to report security incidents involving Pix, even if they do not represent a relevant risk for holders. This differs from the LGPD, which requires communication only in cases of significant risk. Financial institutions regulated by Bacen need to be prepared to respond to queries about such incidents.
By Cecilia Castro, Jean Luz and Luiz Doles, NP3 DPO Manager and lawyers from Peck Advogados, respectively.
BCB Resolution No. 342, of September 26, 2023, amended the Regulation attached to BCB Resolution No. 1, of August 12, 2020, which established the operation of the Pix payment arrangement, as well as Annexes I and II of BCB Resolution No. 177, of December 22, 2021 (Pix Penalties Manual), to provide for non-compliance with Pix's technical security requirements and the criteria for applying penalties.
The main highlight is the extension of the duty to report security incidents involving personal data whenever the incident involves a database related to a Pix component or infrastructure.
Under the LGPD, the duty to communicate (to the data subjects and to the National Data Protection Authority, ANPD) exists only when a security incident involving personal data could result in significant risk or damage to the affected data subjects. This assessment is the responsibility of the controller, which must keep a record of the measures adopted, including when it chooses not to communicate because it understands that there is no relevant risk or damage.
The new BCB Resolution, however, expands this duty if the incident involves a database related to a Pix component or infrastructure.
In fact, for the avoidance of doubt, the Resolution expresses this duty “even if the security incident cannot cause significant risk or damage to the holders”.
Therefore, agents regulated by Bacen must additionally assess whether the incident involves Pix in any way, since if it does, communication to the holders becomes mandatory.
If there is a relevant risk or damage, communication will also be extended to the ANPD, but pursuant to the provisions of the LGPD.
Operationally, once this communication is made, the institution must be ready to receive and respond to a wide range of questions about the incident, as people are increasingly concerned about the use of their data and news about incidents has become headline material in the mainstream press.
Furthermore, the sole paragraph of article 32 indicates that the Central Bank of Brazil will establish, in a specific document, the operational procedures related to the communication, meaning that the policies of financial institutions will have to be updated to include this procedure for when this type of security incident occurs.
On the other hand, it is worth noting that this update specifically mentions only natural persons, which does not eliminate the duty of information security also in relation to the data of legal entities within the scope of Pix.
There is no limitation specifying that only the data of natural persons is protected within the scope of Pix, and the concept of end user includes legal entities.