Security incidents are nothing new, in Brazil or elsewhere. The topic, however, has been taking up an increasingly large share of companies' day-to-day attention, whether out of concern with preventing such events or because of the need to respond to them when they occur.
The numbers confirm this trend. According to the interactive panel on security incident reports from the Brazilian Data Protection Agency (ANPD in Portuguese), throughout the first quarter of 2026, the Agency received 108 security incident reports. Among the types of incidents, the following stand out: (i) exploitation of vulnerabilities in information systems, (ii) improper disclosure of personal data, and (iii) theft of credentials/social engineering. In 2025, the total number of reports received was 395, with vulnerability exploitation and credential theft leading the records.
In this scenario, it is worth remembering that, in April 2024, ANPD published Resolution CD/ANPD No. 15, approving its Security Incident Reporting Regulation (Regulation), which established criteria for assessing the risk arising from a security incident and the duty to report it to ANPD and to the affected data subjects. Despite this advance, questions remain open. One of the priority topics of ANPD's Regulatory Agenda for the 2025-2026 biennium is the definition of clearer parameters for security, technical and administrative measures (including minimum technical security standards) aimed at protecting personal data.
To advance this topic, ANPD and the United Nations Development Programme (UNDP) have recently opened a selection process to hire specialized consultants to research sectoral legislation and good practices, with a focus on supporting decisions related to security incidents (Project BRA/21/004 – "Effectiveness of the National Policy for Personal Data Protection expanded"). The objective is to build a structured database bringing together legislation, sectoral regulations, certifications and good practices at the federal, state, municipal and international levels, to support ANPD's Coordination for the Treatment of Security Incidents in analyzing and deciding on the reports it receives. The initiative indicates that the agency is seeking to expand its capacity to act in an increasingly proactive and well-informed way.
ANPD, however, is not the only entity that has been advancing in this regard.
In the context of notary offices, the National Justice Internal Affairs Office published Provision No. 213 in February of this year, which now requires minimum information technology and security standards for notary and registration services, with requirements proportional to the size of each office. In the financial sector, in December 2025 the Central Bank of Brazil (BCB) and the National Monetary Council (CMN) approved BCB Resolution No. 538/2025 and CMN Resolution No. 5,274/2025, which strengthen the cybersecurity policy requirements for institutions authorized by the BCB to operate.
Thus, there is a growing movement, across different sectors and jurisdictions, toward regulating the issue and tightening control over it.
This regulatory advance reflects a concerning reality. This year alone, large financial institutions have been the targets of cyberattacks that resulted in losses in the millions and in the interruption of essential services. The risks, however, are not limited to the private sector: public agencies are equally exposed to security incidents.
In this scenario, have you identified any actual or potential security incident in your operations? Check out some initial advice below!
In the event of a security incident involving personal data, we recommend the following steps, based on the Regulation and ANPD guidelines:
- Internally evaluate the incident. Identify the nature, category and volume of personal data affected, the number of data subjects involved, and the concrete and probable consequences of the event. Preserve the evidence needed for this analysis (logs, affected systems, timelines) before remediation alters it.
- Classify the degree of risk. Verify whether the incident may entail relevant risk or damage to data subjects and whether it meets at least one of the criteria provided for in the Regulation.
- If there is relevant risk or damage: report it. Notify ANPD and the affected data subjects within the deadlines established by the Regulation, bearing in mind that the deadline counts from the moment the controller becomes aware of the incident, not from the conclusion of the internal analysis.
- If there is no relevant risk or damage: register it. Document the internal analysis of the incident, the measures taken and the justification for not communicating it, so that the decision can be demonstrated to ANPD if requested.
- Adopt containment and mitigation measures. These should run in parallel with the steps above, not after them: implement immediate actions to stop the incident and reduce its effects, followed by corrective actions to prevent recurrence.