In a landmark ruling, the Superior Court of Justice (STJ) decided, in a special appeal, that insurers are objectively liable for leaks of their clients' sensitive data. The case involved Prudential do Brasil Seguros de Vida S.A., which was ordered to pay moral damages after failing to protect an insured's personal and sensitive information.
The ruling stressed that the relationship between insurer and client is governed by the Consumer Protection Code (CDC) and the General Data Protection Law (LGPD). The court recognized that the leaking of data such as banking, tax, and health information constitutes presumed moral damages, with no need to prove additional harm. The decision reinforced that the burden of proof lies with the company to demonstrate it adopted adequate data protection measures — something that was not established in this case.
The reporting justice, Minister Nancy Andrighi, emphasized that the mishandling of data exposes consumers to risks to their reputation, image, assets, and personal safety. The insurer's failure to ensure data integrity was deemed sufficient to establish objective liability, as provided under the CDC and LGPD. The STJ also upheld the R$15,000 moral damages award set by the São Paulo Court of Justice and increased attorney's fees to 20% of the total judgment.
REsp n. 2121904/SP
This post was summarized from the original ruling using ChatGPT version 4.0, with human review.