The cases of information leakage involving Pix, an instant payment system created by the Central Bank, worry the National Data Protection Authority (ANPD).
“The free service cannot serve as a justification for the lack of information security”, says Nairane Rabelo Leitão, director of the agency, responsible for ensuring the protection of personal data in the country.
The Central Bank has already confirmed three leaks in six months, totaling 576,785 Pix keys, considering incidents at Banco do Estado de Sergipe (Banese), at Acesso Soluções de Pagamento and at Logbank Soluções em Pagamento.
According to the director, the ANPD has opened processes to analyze the cases, and sanctions can be applied to the BC and financial institutions, based on the General Data Protection Law.
In every episode, the BC (Central Bank) stated that the causes were isolated failures in the systems of financial institutions. The monetary authority also admits that new incidents may occur if Pix participants do not adopt the measures provided for in its regulation.
In addition, the BC argues that the leaks that have occurred have low impact, as they involve only registration data and not sensitive or confidential information of the kind that would allow, for example, funds to be moved from the accounts.
While the Central Bank downplays the impact of the recent Pix leaks, the director of the National Data Protection Authority (ANPD), Nairane Rabelo Leitão, is cautious. She says that an ongoing investigation is evaluating the possible damages and risks, and that only when it concludes will the impact be known. The main excerpts from the interview given to the Estadão:
Has the ANPD been notified of the leaks? Is there an open process already?
Yes. The ANPD has been officially notified. There are open processes to deal with these cases, and they can lead to sanctions for the Central Bank or the financial institutions involved.
Is there a deadline for the investigation? What would the sanctions be?
There is no deadline. The sanction can be any of those listed in article 52 of the LGPD (the General Personal Data Protection Law provides for punishments ranging from a warning to a fine of BRL 50 million per infraction), with the exception of a pecuniary fine if the penalty is applied to the Central Bank, since item II only applies to legal entities governed by private law.
Is the recurrence of incidents worrying?
Yes, especially as Pix has been increasingly used by citizens, as it is an instant and free service. However, the free service cannot serve as a justification for the lack of information security. The LGPD ensures the rights of holders and establishes obligations that must be fulfilled by financial institutions and the Central Bank.
Our Enforcement and Technology and Research coordinations are evaluating the security measures adopted to mitigate the impact of the incident on the holders, as well as the need for additional measures.
When disclosing the cases, the Central Bank has said that the impact on those affected is low, as the data are not sensitive. What does the LGPD say?
The LGPD protects all data, while giving greater protection to sensitive data. And in the LGPD there is no established relationship between low impact and non-sensitive data. That equivalence is not necessarily true.
At the moment, we cannot answer whether this case would be of high or low impact, as it is still being analyzed by our General Coordination of Inspection and by the General Coordination of Technology and Research.
The information is from the newspaper O Estado de S. Paulo.
Source: CNN Brasil