The Court of Justice of Rio de Janeiro (TJRJ), in an appellate ruling, held a financial institution liable for losses suffered by an elderly client who was a victim of the "fake courier" (motoboy) scam, with particular emphasis on the institution's failure in its duty to ensure the security and protection of personal data. The decision overturned a prior ruling, ordering the cancellation of fraudulent contracts, the restitution of funds, and the payment of moral damages, grounding the bank's liability in the breach of the consumer's information security.
The case revealed a serious vulnerability in the bank's systems, as the fraudsters possessed a significant volume of detailed personal and banking data belonging to the client — including her full name, address, CPF (national ID number), parents' names, and transaction history. This confidential information was crucial in lending credibility to the scam and deceiving the victim into handing over her cards. The ruling emphasized that such unauthorized access to sensitive data constitutes a clear defect in service delivery.
The Eighth Private Law Chamber of the TJRJ emphasized that Brazil's General Data Protection Law (LGPD) explicitly establishes financial institutions' responsibility for protecting the personal data of their account holders. The court also cited Central Bank Resolution No. 4,658/2018, which requires institutions to maintain cybersecurity policies to ensure the confidentiality, integrity, and availability of data. The failure to protect this information was a central factor in establishing liability.
As a result, the court found that the bank had breached its duty of security, as provided for by both the Consumer Protection Code and data protection regulations, by neither preventing the fraud nor detecting transactions inconsistent with the profile of an elderly consumer considered to be in a position of heightened vulnerability. This negligence led to the judgment against the financial institution, reinforcing the importance of information security as an essential pillar of banking services.
This post was summarized from the original ruling with the use of AI, with human review.
TJRJ/AC n. 0807827-03.2023.8.19.0007