‎Brazil News

 

 

 

The 3rd Panel of the Superior Court of Justice (STJ) decided, unanimously, that banks are responsible for the leakage of confidential personal data of customers, later used by criminals to commit fraud.

 

According to the process, the customer contacted the bank via email requesting information on how to pay off a financing contract. Days later, she was contacted via WhatsApp by an alleged employee of the institution and received a bill worth around R$20,000. The client paid the bill, but later discovered that the document had been issued by criminals. As she continued to be charged by the bank, she also continued to pay the following installments.

 

She has access to JOTA PRO Poder, a political monitoring platform with behind-the-scenes information that offers more transparency and predictability for companies. Discover!

When considering the case, the ministers of the STJ reformed the ruling of the Court of Justice of the State of São Paulo (TJSP) to reestablish the sentence that condemned the bank BV (BV Financeira SA Crédito Financiamento E Investimento) to consider the debt settled by paying the invoice false and to return the amount that has been paid since then, with correction and late payment interest of 1% per month.

 

 

In the now amended ruling, the TJSP had understood that the scam against the client had been applied through negotiations carried out informally. The court also considered that the information on the false bill differed from the data contained in the financing contract and that the consumer failed in her duty of safety and caution. Therefore, the bank should not be held responsible for the fraud.

 

The STJ's understanding of the leakage of bank data

Minister Nancy Andrighi, rapporteur of the client's appeal, disagreed with the TJSP. She explained that, under the terms of the thesis established in the judgment of Repetitive Theme 466 – which contributed to the publication of Precedent 479 of the STJ –, banking institutions respond objectively for damages generated by internal fortuitous circumstances in the case of fraud committed by third parties, in view of that the responsibility arises from the risk of the activity.

 

In relation to social engineering scams, the rapporteur commented that criminals usually know the victims' personal data and, based on them, use psychological techniques of persuasion – such as simulating a real banking service – as a way of achieving their illicit objective. .

 

“Thus, in order to attribute responsibility to financial institutions, in relation to the leakage of personal data that culminated in the facilitation of fraud, it must be ensured that the origin of the undue treatment is the banking system. The causal links and imputation, therefore, depend on the hypothesis specifically analyzed”, considered the minister.

 

In this scenario, the minister pointed out that the bank could not be held exclusively responsible in the event of a leak of basic registration data, such as name and CPF, because this information can be obtained from alternative sources. On the other hand, if consumer data is linked to banking operations and services, the institution has a duty to store and protect it, under penalty of any leakage constituting a failure to provide the service.

 

GDPR

Nancy Andrighi highlighted that, under article 44 of the General Personal Data Protection Law (LGPD), data processing will be irregular when it does not provide the security that the data subject expects, considering the result and risks of such processing.

 

In this case, the minister reinforced that, according to the information in the file, the criminals held the client's personal data relating to her banking operations. The rapporteur also pointed out that, although the fake bill had differences in relation to real documents, an ordinary person is not expected to always be able to identify them.

 

According to the rapporteur, some circumstances weigh in favor of holding the bank responsible: the swindler was aware that the victim was a client of the financial institution, he knew that she sent an email with the purpose of paying off her debt and he also had data relating to the financing. This information, especially personal banking data, is confidential, and its processing is the exclusive responsibility of the banking entity, concluded the minister when reinstating the sentence.

 

Contacted by JOTA, Banco BV informed that it will not comment on the STJ's decision.