Lessons from WannaCry cyberattack

  • By Camila Taliberti and Paulo Brancher

On May 12, 2017, what has been considered the largest cyberattack in history occurred, reaching thousands of citizens, companies and public entities in more than 150 countries, including Brazil. The attack was conducted through ransomware known as WannaCry, malicious code that uses encryption to make data stored on a device inaccessible and demands a ransom payment in bitcoins to restore the user's access (*1).

A hacker group named Shadow Brokers revealed that WannaCry used the EternalBlue tool, created by the NSA to exploit a vulnerability in the Windows system, which was “stolen” by hackers from various locations around the world. Although Microsoft had already fixed the vulnerability and posted, on March 14, the Microsoft Security Bulletin MS17-010 to guide users on the need for Windows system security updates, the large-scale attack was made possible by the fact that many systems had not received these updates.

It is worth remembering that Brazil is among the nine countries that suffer the most violations of security systems in the world. But these violations are not caused solely by cyberattacks. According to research published by Grant Thornton (*2), most of them are due to human error. And, of course, they cause serious damage to companies and public entities, much of it irreversible – such as the elimination of files containing business secrets and confidential and sensitive information – which can result in financial losses and affect the reputation of the organization. For the ordinary citizen, it is no different: the leakage of personal data can bring financial losses and psychological distress.

It is a fact that Brazil is not prepared to deal with a cyberwar. The culture of information security is not yet instilled in Brazilian organizations, whether public or private. A paradigm change is urgent, but it requires investment in professionals’ training and in technologies, as well as robust legislation on information security, privacy and personal data protection.

Firstly, IT departments need to promote basic security measures: keep the operating system and installed programs fully updated, preferably automatically; have antivirus, anti-spyware and anti-malware systems installed for protection against malicious codes that intercept communications; warn all staff to pay attention when clicking on links or opening files; and make backups regularly.

At the same time, compliance policies for information security should be implemented, engaging all professionals – starting with their leaders – as well as suppliers, subcontractors and customers, to identify, evaluate, protect, monitor and provide responses to vulnerabilities and incidents (*3). It is recommended to adopt ISO 27001, which is the standard and the international benchmark for information security management.

But it is also mandatory for law to enter the cybernetic field and to create mechanisms that aim to push organizations to raise the flag of cyber security and privacy.

Currently, our legal system allows the agent that damages a computer system to be held liable. In the civil sphere, any natural or legal person who is injured by a security breach of the internet service provider may resort to court to claim compensation for pecuniary and moral damages, provided that it is evidenced that the damage occurred due to the absence of required measures by the service provider (*4). If, on the other hand, these security measures were not taken by the user, who, for example, did not install all the program updates, no compensation is due.

In the criminal field, accountability is more complex. In 2012, Law 12,737, better known as the Carolina Dieckmann (*5) Act, amended the Criminal Code to add the criminal offense of computer device invasion. Article 154-A of the Criminal Code states that it is a crime:

“To invade another computer device, whether or not connected to the computer network, through an improper breach of security mechanism and for the purpose of obtaining, tampering or destroying data or information without the express or tacit authorization of the device owner or installing security vulnerabilities to obtain illicit advantage.”

As can be inferred from the text of the law, an improper breach of the security system is necessary for the crime to occur. In other words, if the invasion of the computer device occurs without a security violation, there is no criminal offense. Therefore, it becomes increasingly important to use security mechanisms such as antivirus, firewall, strong passwords etc.

For the crimes set forth in the main section of article 154-A, the penalties are detention, from three months to one year, and fine. If, however, the crime results in economic harm to the victim, the penalty increases from one sixth to one third.

The law also provides for imprisonment from six months to two years and fine if the invasion is for the purpose of obtaining content of private electronic communications, trade or industrial secrets and confidential information. If there is commercialization, the penalty is increased from one to two thirds. The purpose, therefore, is to protect business secrets and confidential information inherent to business activity.

From the perspective of the right to privacy, it is important to emphasize that in Brazil private and public organizations have no obligation to notify authorities and citizens of security breaches or leaks of personal data. So far, there is not a single general law on personal data protection that imposes such an obligation and sets parameters for the proper processing of personal data. There are, however, several sparse laws aimed at guaranteeing the inviolability of the privacy of Brazilian citizens, in accordance with article 5, XII, and article 5, X and XIV, of the Federal Constitution: Code of Consumer Protection, Civil Law Code, Banking Secrecy Law (Complementary Law 105/2001), Law of Interception of Communications (Law 9,296/1996), Law of Positive Registration (Law 12,414/2011), among others.

More recently, Law 12,965/2014, known as the Brazilian Civil Rights Framework for the Internet or Marco Civil da Internet, came to protect privacy under three perspectives: (i) rights of Internet users, (ii) mandatory retention of connection and access records to Internet applications, (iii) access to personal data upon judicial protection.

Decree 8,771/2016, which regulates Law 12,965/2014, has provided guidelines on security standards to be adopted in the custody, storage and processing of personal data and private communications, such as: (i) establishing strict control over the access to data; (ii) the provision of authentication mechanisms for access to records; (iii) the creation of a detailed inventory of access to the access records for applications, containing the moment, duration and identity of the official or the person responsible for the access; and (iv) the use of records management solutions through techniques that ensure the inviolability of data, such as cryptography or equivalent protection measures.

The importance of Law 12,965/2014 for security and enforcement of rights in the network environment is indisputable. However, the Law applies only to the online environment – even though much of the abuse takes place offline – and it is not enough to ensure legal certainty about privacy in the current social context, where personal data are being collected massively through systems based on Big Data and the Internet of Things. That is so particularly because Law 12,965/2014 requires free, explicit and informed consent as the only way to legitimize the processing of personal data. This, in practice, creates effects contrary to those intended by the Law, since the consent is based merely on the acceptance of the terms of use and privacy policy, without the user having knowledge of the content written therein (*6).

Bill 5,276/2016 aims to establish a general law on personal data protection in line with European regulations. Unlike Law 12,965/2014, said Bill has nine authorizing hypotheses for the processing of personal data, with consent being only one of them. This does not mean, however, that the holder will have no control over its personal data. On the contrary, the Bill provides mechanisms that guarantee transparency and self-determination of the holder of personal data.

Another important matter in the Bill is the security measures that the controller must establish for the personal data that it controls. The Bill establishes security as one of the principles governing the processing of personal data. According to the wording, “constantly updated technical and administrative measures, proportionate to the nature of the information processed and capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination, should be used”.

For the implementation and enforcement of the law, the Bill provides for the creation of a regulatory body and a national council for the protection of personal data, which will be made up of representatives of the government, civil society and private initiative.

The powers of the regulatory body include the creation of standards on technical security and the determination that the person responsible for processing personal data adopt measures in case of incidents. Some examples are notification to the owners and to the regulatory body, widespread disclosure in the press, and adoption of measures to reverse or mitigate the effects of any incidents.

There is no doubt, therefore, that the approval of Bill 5,276/2016 is extremely urgent, including as a mechanism for guaranteeing rights against invasions that involve the leakage or theft of personal data. In an increasingly online economy, where personal data are already considered “the new oil” (*7), a general law on personal data protection comes to ensure greater legal certainty in the face of technological innovation and to serve the interests of all parties involved: civil society, companies and the government.

  • Respectively associate lawyer and partner of the Azevedo Sette Advogados