Gabriela de Ávila Machado
Lawyer at Marcos Martins Advogados
More than 300,000 customers of the energy distribution company Enel (São Paulo) have been notified of a security incident involving their personal data.
According to the energy distributor, the incident reportedly affected personal data such as full name, CPF, bank account number, address and telephone number of 4% of the company's customer base, all from Osasco, in Greater São Paulo. The company has notified all the affected data subjects directly and individually and, although it has not concluded that there are any significant risks, customers should be wary of "telephone or electronic communications from third parties requesting their personal and sensitive data (e.g. passwords)".
This incident is yet another in a wave that has already included companies like Netshoes and the STJ itself.
Law No. 13.709/2018, known as the General Personal Data Protection Law (or LGPD), although published in 2018, came into force in September. It came about precisely to protect data subjects from the misuse of their personal data, further establishing the responsibility of the controller and operator when processing this data. Although the articles referring to administrative sanctions are not in force, the data controller or operator runs other civil, labor and even criminal risks. Therefore, compliance with the LGPD, with a robust data protection program, can significantly reduce the risk of this type of incident and can also help the company respond quickly to any incident.