Absence of Tailored Legislation for Bank Data Leaks Leaves Compensation Uncertain

According to data from the Central Bank (BC), more than 800 thousand Pix keys were leaked, and information such as email addresses, telephone numbers and CPF numbers was made available on the internet. The figures date back to the creation of the instant payments tool in November 2020. Among the financial institutions with the most leaks, the main ones were Banco do Sergipe, with more than 410 thousand pieces of data leaked, and Acesso Soluções de Payment, a digital bank that had 160 thousand pieces of customer data leaked.

The Central Bank assures that the leaked information poses a low risk to customers; that is, it does not allow malicious people to gain access to the bank accounts of those whose data was leaked. With this, the BC states that the risks of bank transfers and other types of transactions are eliminated. According to the authority, the data was leaked due to “specific failures in the payment institution’s systems”.

For Rubens Beçak, professor at the Faculty of Law of Ribeirão Preto (FDRP) at USP, bank data leaks are a reality not only in Brazil. “We have a problem, which is not exclusive to Brazil, in relation to data leaks: there is a lack of robust, complete legislation that protects individuals against these leaks.”

Data leaks around the world 

According to data from SurfShark, a Dutch company specializing in privacy and digital security, Brazil occupies sixth place in the world ranking of countries that suffer most from data leaks. According to the company, in 2021 more than 24 million Brazilians had their data leaked and posted on the internet; that is, more than 10% of the Brazilian population was a victim of this type of crime.

According to SurfShark, the “podium” of countries that suffer most from data leaks is headed by the United States, with 212.4 million accounts affected, followed by Iran, with 156 million accounts, and India, with 86 million. According to the research, more than 40 billion pieces of data were leaked worldwide in 2021.

The most affected sector was public administration, with more than half of the leaks, led by health (24.7%), education (12.9%) and government (10.8%). The financial sector appears as the next most affected, being responsible for 29.8% of leaks worldwide.

Lack of legislation 

For Beçak, one of the biggest problems a person can face if their financial data is leaked is the lack of accountability on the part of financial institutions. “Today there is no liability directly established by law if an individual has leaked financial data. Today, a lot depends on the person’s relationship with the financial institution.”

Currently, there is no specific law for the leakage of bank data, as the General Data Protection Law (LGPD) does not make this distinction. The legislation provides that, in the event of a data leak, the company responsible can be fined. The fine varies from 2% to 10% of the company’s global annual revenue, but is limited to a maximum of R$50 million. However, even if there is a data leak, according to the STJ, there must be proof of actual damage for the person to be compensated; the leak by itself is not capable of giving rise to compensable moral damages.