Data incidents and cybercrime: when a breach becomes a criminal case

A data incident and cybercrime scenario is rarely “just an IT problem”. When databases are leaked, credentials are misused, systems are locked by ransomware or strategic information is diverted, a data breach quickly stops being a matter of information security and becomes a central issue in legal, regulatory and, very often, criminal strategy. The company must simultaneously contain the operational damage, notify data protection authorities and affected individuals, preserve digital evidence for future forensic analysis and ensure that its public and institutional narrative does not inadvertently turn into a confession. In this context, forensic preservation, chain of custody and communication without self-incrimination stop being technical details and become the core of the defense strategy under Brazilian Criminal Law.

Data incidents and cybercrime: when the problem leaves the IT department

The starting point is to understand that a data incident and cybercrime case is not limited to sophisticated external hacks. Many breaches originate from operational mistakes, misconfigured cloud environments, lost devices or the improper use of internal credentials. In all these situations, the boundary between administrative, civil and criminal liability is thin.

Brazil’s LGPD requires controllers to handle security incidents involving personal data in a structured and documented manner, especially when there is significant risk or damage to data subjects. The Brazilian Data Protection Authority (ANPD) has issued specific rules on incident notification, with tight deadlines and a minimum set of information on what happened, which data was affected and which mitigation measures are being implemented.

The very same episode, however, may also attract the attention of the police and the Public Prosecutor’s Office, especially when there are indications of cybercrime – such as unlawful access to systems, online fraud, payment card schemes or ransomware – or when the breach is used to facilitate other criminal offences. The company suddenly operates on three fronts at once: regulatory, reputational and criminal. At this intersection, rushed decisions – especially in the first hours – may compromise the chain of custody of digital evidence and, ultimately, the company’s position in any future criminal procedure in Brazil.

Forensic preservation and chain of custody in data breaches

The instinctive reaction to a data breach is often to “fix the problem”: restore systems, reset passwords, delete suspicious files, reinstall servers. Operationally, the urgency is understandable. From a criminal-law standpoint, however, this impulse can destroy precisely what the company will need most: a minimally reliable forensic trail.

Preserving digital evidence is much more than taking screenshots or saving a few e-mails. It requires a conscious strategy for collecting, storing and documenting data so that, later on, independent experts and judges can reconstruct the chronology of events. As in any digital evidence scenario, if the integrity and reliability of the evidence are not safeguarded, the discussion will quickly move away from the merits and focus on whether files are authentic, altered or taken out of context – exactly what a company in crisis must avoid.

Talking about chain of custody in this context means keeping an organized record of who accessed which systems, at what time, with which credentials, what was copied, mirrored or isolated, and how that material was preserved. Rather than “poking around” in servers to look for culprits, it is usually safer to freeze the most critical environment, create forensic images with specialized support, restrict access and establish a clear workflow among IT, in-house legal, the DPO and external criminal counsel. Even if no police investigation has been opened yet, experience shows that many significant incidents eventually end up in criminal files.
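The custody record described above can be kept in a form that is itself verifiable. The following is an added example, not code from the original article: a minimal append-only chain-of-custody ledger in which every entry commits to the SHA-256 hash of the forensic image and to the previous entry, so that both a modified image and an after-the-fact edit of the log are detectable. Hostnames, handler names and the "disk image" bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only chain-of-custody log; each entry hashes the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, action, handler, system, evidence_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action, "handler": handler, "system": system,
            "evidence_hash": evidence_hash, "note": note, "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_bytes(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_ledger(self) -> bool:
        """Recompute every entry hash and the back-links; False on any edit."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or e["entry_hash"] != sha256_bytes(
                    json.dumps(body, sort_keys=True).encode()):
                return False
            prev = e["entry_hash"]
        return True


def verify_evidence(ledger: CustodyLedger, image: bytes) -> bool:
    """Check a stored image still matches the hash recorded at acquisition."""
    acquired = [e for e in ledger.entries if e["action"] == "acquire"]
    return bool(acquired) and sha256_bytes(image) == acquired[0]["evidence_hash"]


def demo() -> dict:
    image = b"constructed sample disk image: not a real acquisition"  # constructed
    ledger = CustodyLedger()
    ledger.record("acquire", "dfir-analyst-1", "db-server-01", sha256_bytes(image), "imaged offline")
    ledger.record("transfer", "in-house-legal", "evidence-safe", sha256_bytes(image), "sealed copy")
    results = {"ledger_ok": ledger.verify_ledger(),
               "image_ok": verify_evidence(ledger, image),
               "tampered_image_ok": verify_evidence(ledger, image + b"x")}
    ledger.entries[0]["handler"] = "someone-else"  # simulate an after-the-fact edit
    results["tampered_ledger_ok"] = ledger.verify_ledger()
    return results
```

In practice the acquisition hash would be computed on the write-blocked source and recorded alongside the tool, operator and time, which is exactly the information an independent expert will later ask for.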

Data incidents, authorities and communication without self-incrimination

The next step is to recognize that data incidents and cybercrime follow different logics in regulatory and criminal spheres, even though they arise from the same facts. LGPD, ANPD regulations and supervisory practice establish parameters on the content, timing and form of notifications to data protection authorities and data subjects.

The challenge is to draft these notifications in a way that is transparent and sufficient to comply with Brazilian data protection rules and reduce regulatory risk, without turning the document into an indictment against the company or its executives. Describing technical and organizational measures, a basic timeline, types of data affected and remediation steps is very different from assigning subjective blame, admitting criminal offences or “anticipating” conclusions that have not yet been properly verified from a technical and legal standpoint.

In practice, this means that notifications and public statements should not be produced in isolation by IT or solely by the DPO. The ideal is a coordinated effort involving legal, data governance and criminal defense, so as to calibrate the level of detail, avoid internal contradictions and reduce the risk that the institutional narrative will later be read as an informal confession in police investigations and criminal cases.

Cybercrime, insider fraud and liability of executives

Not every data incident results from a sophisticated external attack. In many investigations, the trigger proves to be a combination of weak internal controls with intentional misconduct or gross negligence: a former employee leaving with a copy of the customer base, an insider monetizing confidential data, a contractor tapping into payment systems, or a manager ignoring repeated alerts about critical vulnerabilities.

In such cases, the discussion no longer revolves only around the liability of the legal entity. It opens the door to charges against officers, directors and board members, especially when criminal investigators are able to reconstruct ignored warnings, conscious decisions to postpone essential corrections or incentive schemes that, in practice, rewarded risky shortcuts. The logic is similar to that of outsourcing and supply-chain cases: the more governance structures look tolerant of obvious risks, the more plausible it becomes to allege unlawful omission or willful blindness regarding cybercrime carried out from within the company’s infrastructure.

This does not mean accepting strict liability for top management. It does mean recognizing that, in a highly digital environment, the line between systemic failure and conscious tolerance of criminal risk has become much narrower – and that, for companies in crisis, this is precisely where accusations tend to focus under Brazilian Criminal Law.

How to respond to a data breach without turning the crisis into a criminal case

The objective is not to romanticize the incident, but to structure a response that contains damage and preserves a solid defensive position. In broad terms, several fronts must move in parallel.

The first is technical: contain the incident, stop the leak, isolate critical environments and restore operations with as little disruption as possible. Here, the work of cybersecurity teams and external incident response providers is essential.

The second is evidentiary: preserve logs, evidence and digital trails using a minimally defensible forensic methodology, carefully maintaining the chain of custody and avoiding well-intentioned clean-ups that wipe out exactly what a criminal expert might later use to support the company’s narrative.

The third is regulatory and communicational: comply with notification duties to the ANPD and data subjects, in line with LGPD and its regulations, in a transparent and objective way, but without drifting into unnecessary admissions of criminal fault or hasty attributions of personal blame.

The fourth is criminal: from the outset, involve a criminal lawyer experienced in corporate crises and cybercrime who can coordinate the collection of defense elements, align the institutional narrative and prepare the company for possible investigations, search warrants and interviews with executives. In some cases, this also means assessing whether cooperation, leniency or other negotiations make sense – always with the clear goal of preventing the defense strategy from quietly turning into an early confession in criminal procedure in Brazil.

Conclusion: treating data incidents as criminal cases from day one

A data incident and cybercrime scenario is not just an IT annoyance, nor a problem solved by changing passwords and issuing a dry statement to customers. In an environment where personal data and strategic information are core business assets, every significant data breach is, at the same time, a test of governance, a data protection case and a potential criminal case.

Treating forensic preservation, chain of custody and communication without self-incrimination as pillars of the response – not as afterthoughts – is what separates companies that emerge from the crisis with controlled damage from those that, years later, are still fighting criminal charges based on poorly preserved evidence and poorly drafted notifications.

For organizations under pressure, the message is simple: when it comes to data incidents and cybercrime in Brazil, the clock starts ticking the minute the problem is detected. The quality of the decisions made in the first hours tends to determine not only the regulatory and reputational outcome, but also the distance between a managed crisis and a full-blown criminal case in which the company’s own reaction becomes a central piece of the prosecution’s case file.
