The Rio de Janeiro Court of Justice ordered Banco do Brasil to reimburse funds and compensate a customer for moral damages after finding a banking security failure that enabled fraud and the misuse of personal data. The plaintiff was the victim of a scam after being contacted by phone, supposedly by a bank employee, and induced to carry out financial transactions, including wire transfers (TED and PIX) and a fraudulently contracted loan, all made possible through unauthorized access to the customer's banking data.

The ruling recognized that the fraud was only possible because the plaintiff's personal and banking information, for which the financial institution is responsible under Brazil's General Personal Data Protection Law (LGPD), was used without authorization. The court emphasized the obligation of banks to implement effective data and system protection measures, as required by Article 44 of the LGPD and the Consumer Protection Code, noting that the bank cannot escape liability by characterizing the fraud as an unforeseeable external event, given the risks inherent in the banking business.

In addition to full reimbursement of the amounts withdrawn from the account, the bank was ordered to pay moral damages of R$7,000.00. The ruling reinforces the application of the LGPD to financial institutions, which have a duty to prevent data leaks and misuse and are held liable whenever they cannot demonstrate adequate security in their operations and systems — even when the fraud involves third parties.

The decision expressly stated that the service failure and the data leak make the bank strictly liable, in line with precedents from Brazil's Superior Court of Justice (STJ) and the TJRJ itself, thereby broadening consumer protection in cases involving information security and personal data protection.

This post was summarized from the original ruling using ChatGPT version 4o, with human review.

TJRJ/AC No. 0001246-06.2022.8.19.0212