Back to Blog
LegalTech & IA

To Tell or Not to Tell? The Legal Tightrope After a Security Incident

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
July 9, 2026
10 min read
To Tell or Not to Tell? The Legal Tightrope After a Security Incident

Should You Notify After a Security Incident in Brazil?

Brazil's new ANPD resolution makes breach notification a critical decision. Notify too early without full facts, and you risk misleading regulators. Notify too late, and face severe penalties. The key is a balanced approach: assess the incident thoroughly, consult legal counsel, and communicate transparently within the required timeframe to avoid turning a data disaster into a regulatory nightmare.

You've just discovered a security incident. Your heart sinks. Now comes the million-dollar question: do you tell the ANPD (Brazil's data protection authority) or keep quiet and hope no one notices? It's like deciding whether to tell your mom you broke her favorite vase—except the consequences involve fines up to 2% of your revenue.

The New Rulebook: Resolution CD/ANPD No. 15/2024

On the surface, the resolution seems straightforward: notify the ANPD within a reasonable timeframe if the incident poses a risk to data subjects. But 'reasonable' is about as clear as mud. The resolution lists criteria like the nature of the data, the number of affected individuals, and the likelihood of harm. Translation: you need a lawyer and a crystal ball.

Think of it like deciding whether to call 911 after a minor car accident. If you don't, and the other driver claims whiplash, you're in trouble. If you do, you might waste everyone's time. The ANPD wants you to err on the side of caution, but over-notifying can also backfire—like crying wolf.

When Silence Is Golden (and When It's Not)

Here's the kicker: the resolution doesn't just apply to breaches of personal data. It covers any security incident that could affect data subjects. That includes ransomware attacks, lost laptops, or even a misconfigured database that exposed customer emails. If you're unsure, the safest bet is to notify. But 'safe' doesn't mean easy.

Imagine you're a small e-commerce store. A hacker accessed your server but only got encrypted credit card numbers. Do you report it? Under the new rules, yes—because the incident could still cause harm (e.g., if the encryption is weak). But if you're a giant like Meta, you'd better have a dedicated team ready to file that report within 24 hours.

The Cost of Keeping Quiet

Failing to notify can be catastrophic. The ANPD can impose fines, ban data processing, or even order the suspension of your operations. And let's not forget the reputational damage. Customers trust you with their data; if they find out you hid a breach, they'll leave faster than you can say 'LGPD'.

On the flip side, over-notifying can also hurt. If you report every minor incident, the ANPD might start ignoring your alerts—or worse, investigate your compliance practices. It's a delicate balance, like seasoning a steak: too little salt, and it's bland; too much, and it's inedible.

Practical Steps for Your Incident Response Plan

  • Assess the risk: Use the ANPD's criteria to evaluate the severity. If in doubt, consult a DPO or legal counsel.
  • Document everything: Keep a log of the incident, your assessment, and the decision-making process. This will be your shield if the ANPD questions your choice.
  • Notify promptly: The resolution doesn't specify a hard deadline, but 'reasonable' likely means within 72 hours for serious incidents. Don't procrastinate.
  • Communicate with affected individuals: Even if you don't notify the ANPD, you may still need to inform data subjects if the risk is high.

For more details, check the official text of Resolution CD/ANPD No. 15/2024.

The Bottom Line (No, Really, Stop Reading Here)

Don't treat breach notification as an afterthought. Build it into your incident response plan now, before the next breach hits. Because when it comes to data security, silence isn't golden—it's expensive.

FAQ

What is the ANPD resolution on breach notification?

The ANPD resolution establishes mandatory breach notification requirements for data controllers in Brazil. It specifies timelines, content, and procedures for reporting personal data breaches to the authority and affected individuals.

What are the penalties for non-compliance?

Penalties can include fines up to 2% of the company's revenue in Brazil (capped at R$50 million per violation), public warnings, blocking of personal data, and suspension of data processing activities.

How should a company prepare for breach notification?

Companies should have an incident response plan, conduct regular risk assessments, train staff, and establish clear communication protocols. Legal counsel should be involved early to evaluate notification obligations and timing.

📋 Incident Notification Checklist

1. Identify the incident type (breach, ransomware, etc.)
2. Assess risk to data subjects (nature, volume, harm)
3. Consult DPO or legal counsel
4. Document decision and rationale
5. Notify ANPD if risk is high (within 72h)
6. Inform affected individuals if necessary

✅ Check off each step as you complete it

NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.