Cybercrime in Brazil: the laws and what to do when your company is a victim
Direct answer
Brazil criminalizes cyber offenses under Article 154-A of the Penal Code (introduced by Law 12,737/2012), which punishes unauthorized access to a device with up to 4 years' imprisonment, made more severe by Law 14,155/2021, which also created electronic fraud (Article 171, §2-A) and theft through electronic fraud (Article 155, §4-B), raising penalties to up to 8 years. Victim companies must preserve evidence, file a police report and, where personal data has been exposed, notify the ANPD.
Key takeaways
- ›The Carolina Dieckmann Law (Law 12,737/2012) introduced Article 154-A into the Penal Code and was the first specific milestone against unauthorized access to computer devices in Brazil.
- ›Law 14,155/2021 increased the penalties of Article 154-A to up to 4 years, created electronic fraud (Article 171, §2-A, penalty of 4 to 8 years) and aggravated theft through electronic fraud (Article 155, §4-B, penalty of 4 to 8 years).
- ›The Brazilian Internet Civil Framework (Law 12,965/2014) governs provider liability and requires access logs to be retained for 1 year, making it an essential tool for the judicial request of data.
- ›The LGPD (Law 13,709/2018) requires the data controller to report incidents involving relevant risk to the ANPD and to affected data subjects within 72 hours of becoming aware of the event.
- ›The immediate preservation of digital evidence — logs, hashed screenshots, forensic images — is decisive for the success of criminal and civil actions; evidence collected without a chain of custody may be ruled inadmissible.
- ›Specialized Cybercrime Police Units (such as DRCI/SP, NUCIBER/RS and others) and the state electronic police station allow police reports to be filed online, making it easier to formalize the crime for procedural purposes.
What the Carolina Dieckmann Law (Law 12,737/2012) says
Law 12,737 of November 30, 2012, popularly known as the Carolina Dieckmann Law, introduced Article 154-A into the Brazilian Penal Code, criminalizing the act of accessing another person's computer device, whether or not connected to a computer network, through the undue breach of a security mechanism, in order to obtain, tamper with or destroy data, or to install vulnerabilities. In its original wording, the penalty was 3 months to 1 year of detention, plus a fine.
The law was an important advance because, until its enactment, conduct such as improper access to email and profile cloning was awkwardly framed under criminal offenses such as violation of correspondence or property damage. With the law, it became clear that the computer device — computer, tablet, smartphone — is legally protected property. Article 154-B establishes the criminal action as public conditioned upon a complaint, except when the crime is committed against the Public Administration, a public-service concessionaire or a financial institution.
The changes brought by Law 14,155/2021 and the new criminal offenses
Law 14,155 of May 27, 2021, carried out the most significant reform of Brazilian cyber criminal law since 2012. In Article 154-A, the penalty for unauthorized access to a computer device was raised to imprisonment of 1 to 4 years, and the aggravating circumstances now cover the disclosure, sale or transmission of the obtained data to third parties. When the intrusion results in economic loss, the increase is from one-third to double the penalty.
The law also created electronic fraud, adding §2-A to Article 171 of the Penal Code, which classifies fraud committed through the use of social media, contacts made by telephone or the sending of email, with a penalty of 4 to 8 years' imprisonment plus a fine. In addition, Article 155 now includes §4-B, which criminalizes aggravated theft through electronic fraud — scams that compromise bank accounts and digital wallets through malware, phishing or unauthorized remote access — with the same penalty range of 4 to 8 years.
The severity of the penalties reflects reality: Brazil is one of the countries with the highest volume of digital financial attacks in the world. The new aggravating factors not only increase the expected sanction but also allow the accused to be held in custody during the criminal proceedings if the requirements of Article 312 of the Code of Criminal Procedure are met, something unfeasible under the previous penalties below 4 years.
The Internet Civil Framework and the importance of logs for investigations
Law 12,965/2014, known as the Brazilian Internet Civil Framework (Marco Civil da Internet), establishes principles, guarantees, rights and duties for the use of the internet in Brazil. From a forensic standpoint, its most relevant provision for companies that are victims of cybercrime is the obligation to retain records: connection providers must keep connection logs for 1 year; application providers, for 6 months. These data can be requested by a judicial authority to identify the perpetrator.
For the victim company, the Internet Civil Framework is a tool for accessing evidence held by third parties — hosting, ISP, email platforms — through a court order. Article 22 allows the injured party to request that a judge order the early production of evidence to collect this information before the retention period expires. This makes speed in formalizing the complaint a critical factor: waiting weeks may result in the irreversible loss of the records that would identify the perpetrator of the attack.
The LGPD and the obligations of a company that is a victim of a data breach
The General Data Protection Law (Law 13,709/2018) imposes on the controller — the company that decides how and why personal data is processed — the obligation to report to the National Data Protection Authority (ANPD) and to affected data subjects any security incident that may result in relevant risk or harm. Resolution CD/ANPD No. 15/2024 establishes that this communication must take place within 72 hours of becoming aware of the incident.
What constitutes 'relevant risk or harm' includes health data, financial data, access credentials, data of children and adolescents, or any set of data whose exposure may lead to discrimination, fraud, reputational damage or financial loss to the data subject. The communication must describe the nature of the affected data, the approximate number of data subjects involved, the measures taken to mitigate the harm and the contact channels of the data protection officer (DPO). Failure to comply with the reporting obligation may result in a fine of up to 2% of the company's revenue in Brazil, capped at R$ 50 million per infraction.
It is important to stress that the LGPD and criminal legislation are parallel and non-exclusive paths. A company may simultaneously file a police report for the crime of unauthorized device access (criminal sphere), activate its incident response plan, notify the ANPD (administrative sphere) and bring an action for damages against the perpetrator (civil sphere), as well as trigger cyber insurance, if any.
How to preserve digital evidence with legal validity
The chain of custody is the set of procedures that guarantees the integrity and authenticity of digital evidence from its collection to its presentation in court. In Brazil, Article 158-A of the Code of Criminal Procedure, introduced by Law 13,964/2019 (the Anti-Crime Package), enshrined the chain of custody as a formal requirement, making explicit the need to document every stage of handling the trace evidence. Evidence collected without these procedures runs the risk of being contested or discarded.
In practice, preservation begins with the immediate isolation of the compromised system — disconnecting it from the network, without shutting down the equipment if there is volatile evidence in RAM. Next comes forensic acquisition: a bit-by-bit copy of the device with certified tools (such as FTK Imager or dd with hash verification), generating an immutable file. The cryptographic hash (SHA-256 or MD5) of each collected file must be calculated and recorded immediately, serving as the evidence's fingerprint. Screenshots must be accompanied by metadata: date, time (in UTC), operating system name and browser version.
The expert report, produced by a qualified professional, documents the methodology, tools used, hashes of the evidence and technical conclusions. This document is what effectively supports the police investigation and any eventual criminal action. The absence of an experienced forensic expert in the initial phase of the incident is one of the most common mistakes that undermine the viability of subsequent criminal proceedings.
Where and how to report: specialized police units and electronic channels
Filing a police report (Boletim de Ocorrência) is the formal act that initiates the criminal prosecution and is a procedural requirement for the Public Prosecutor's Office to bring charges in crimes of public action conditioned upon a complaint, such as unauthorized device access under Article 154-A. It should be done as soon as possible, as it records the date the crime became known and starts the clock for the judicial request of logs.
Most Brazilian states have specialized cybercrime police units: the DRCI (Police Unit for the Repression of Computer Crimes) in São Paulo, NUCIBER (Cybercrime Combat Unit) in Paraná, the DRCC (Police Unit for the Repression of Crimes Against the Tax, Economic Order and Consumer Relations) in Minas Gerais, and equivalent structures in the other states. These units have trained experts to properly receive and analyze digital evidence.
For electronic filings, each state provides an online police station — in São Paulo it is the site delegaciaeletronica.policiacivil.sp.gov.br; in Rio de Janeiro, ddionline.pcerj.rj.gov.br. At the federal level, crimes involving federal government systems, large-scale banking networks or transnational organized crime can be reported to the Federal Police, which has the Cybercrime Combat Unit (CIPOC). In parallel, the Brazilian National Computer Emergency Response Team (CERT.br), maintained by NIC.br, accepts incident notifications and assists in coordinating the response, especially when there is abuse of third-party infrastructure.
How to comply
- 1
Contain the incident without destroying evidence
Immediately isolate the compromised system from the network, but do not shut it down if there are active processes in RAM that may contain relevant forensic artifacts (credentials, encryption keys, active connections). Document the state of the system with photos of the screen and hashed captures before any intervention.
- 2
Activate the incident response team and preserve the logs
Notify the internal security team or a specialized partner (such as Decripte) immediately. Collect and store firewall, SIEM, email server and endpoint logs with a timestamp (UTC). Calculate the SHA-256 hash of each collected log file and record it in a signed document.
- 3
Perform forensic acquisition with a chain of custody
Produce bit-by-bit copies of the devices involved using certified forensic tools. Each image must have its hash verified and recorded on a chain-of-custody form (Article 158-A of the Code of Criminal Procedure). Store the original evidence on immutable, sealed media, with access control and a record of who handled it.
- 4
File the police report at the specialized unit
Go to your state's cybercrime police unit (or use the state electronic police station) as early as possible. Bring screenshots, hashes, a preliminary incident report and, if possible, the initial forensic report. The police report opens the criminal prosecution and allows the police to judicially request provider logs before they expire.
- 5
Assess the obligation to notify the ANPD and data subjects
Check whether the incident involved personal data. If so, assess the potential risk or harm to data subjects. Where there is relevant risk, the company has up to 72 hours to report to the ANPD (via the form on the portal anpd.gov.br) and to notify affected data subjects, in accordance with Resolution CD/ANPD No. 15/2024. Document the rationale of the risk assessment.
- 6
Gather evidence for the civil action for damages
Beyond the criminal sphere, the injured party may bring an action for material and moral damages against the perpetrator. To do so, with legal support, produce a statement of loss calculations: hours of downtime, remediation cost, lost revenue, reputational damage and notification costs. The forensic report with a chain of custody serves as evidence in all spheres.
- 7
Activate the recovery plan and document the lessons learned
After containment and legal formalization, restore the systems from verified backups, apply the patches corresponding to the exploited vulnerability and review access controls. Produce a post-incident report documenting root cause, timeline, impact and improvements implemented. This document reduces future risks and demonstrates the maturity of the security program to the ANPD and any auditors.
Frequently asked questions
What is the difference between the Carolina Dieckmann Law and Law 14,155/2021?
Law 12,737/2012 (Carolina Dieckmann) created the crime of unauthorized access to a computer device under Article 154-A of the Penal Code, with an original penalty of 3 months to 1 year of detention. Law 14,155/2021 reformed this article, raising the penalty to imprisonment of 1 to 4 years, and added two new aggravated offenses: electronic fraud (Article 171, §2-A, penalty of 4 to 8 years) and theft through electronic fraud (Article 155, §4-B, penalty of 4 to 8 years). The 2021 law represents a significant toughening of the criminal response to digital financial crimes.
Is a company that suffered a ransomware attack required to notify the ANPD?
It depends. The obligation to notify the ANPD arises when the incident may result in relevant risk or harm to the affected personal data subjects, in accordance with Resolution CD/ANPD No. 15/2024. Ransomware that encrypted data without proven exfiltration may be assessed as a lower risk, whereas an attack with confirmed exfiltration of financial, health or children's data creates an unequivocal obligation to report within 72 hours of becoming aware of the incident. The company must document the reasoning of the risk assessment in both cases.
What crime does phishing that captures banking passwords fall under?
Banking phishing may simultaneously constitute multiple crimes: unauthorized device access (Article 154-A of the Penal Code, if there is unauthorized access to the banking system or the victim's device), electronic fraud (Article 171, §2-A, for inducing error via an electronic message) and aggravated theft through electronic fraud (Article 155, §4-B, if it results in a transfer of assets from the victim's account). The definitive classification depends on the factual circumstances and the analysis of the Public Prosecutor's Office.
Does digital evidence collected by the company itself hold value in court?
Yes, provided it is collected with an adequate forensic methodology and chain-of-custody documentation. Article 158-A of the Code of Criminal Procedure establishes formal requirements for the chain of custody. Evidence collected in a disorderly manner — without a hash, without a record of who handled it, without a verifiable date and time — may be contested by the defense. For this reason, it is advisable to involve an independent forensic expert as early as possible, since the report they produce carries a technical presumption of reliability and greater persuasive power before the court.
What is the deadline to file a police report and not lose the providers' logs?
The Internet Civil Framework (Law 12,965/2014) requires connection providers to keep logs for 1 year and application providers for 6 months. These periods begin to run from the date the access was recorded, not from the date of the crime. In practice, logs of an attack that occurred 5 months ago at an application provider may already have been deleted. Filing the police report and asking the police unit to judicially request the data as quickly as possible — ideally within 30 days — significantly increases the chance of obtaining the necessary evidence.
What happens if the company fails to meet the 72-hour deadline to notify the ANPD?
Failure to meet the reporting deadline is an autonomous infraction of the LGPD, subject to the sanctions of Article 52, which include a warning, a simple fine of up to 2% of the company's gross revenue in Brazil in the last fiscal year (capped at R$ 50 million per infraction) and publicizing of the infraction. The ANPD may apply cumulative sanctions. In addition, the failure to report may aggravate the company's civil liability toward affected data subjects, as it demonstrates negligence in complying with the legal obligations of data protection.
Sources
- Law No. 12,737 of November 30, 2012 — Provides for the criminal classification of computer offenses
- Law No. 14,155 of May 27, 2021 — Increases the penalties for computer device violation, theft and fraud committed electronically or over the internet
- Law No. 12,965 of April 23, 2014 — Brazilian Internet Civil Framework (Marco Civil da Internet)
- Law No. 13,709 of August 14, 2018 — General Data Protection Law (LGPD)
Decripte implements compliance — without you building an in-house team.
Adherence assessment, auditable technical controls, pentest and documentation for the regulator/auditor. Or start free by seeing what is already exposed.
