The Brazilian Superior Court of Justice (STJ) has consolidated a significant precedent for companies facing lawsuits arising from fake payment slip (boleto) fraud.
According to the established understanding, a company may exclude its civil liability based on the concept of an external fortuitous event (the exclusive fault of a third party), provided that it can demonstrate the absence of internal security failures.
This decision represents an important shift in judicial analysis. The focus moves beyond the mere occurrence of fraud and toward the quality and robustness of the company’s digital governance structure.
To exclude liability, companies must demonstrate:
- No data breach occurred
- Systems are secure and protected
- Adequate access controls are in place
- Customers were previously warned through official and secure communication channels
The new evidentiary standard
The jurisprudence now requires concrete technical evidence. It is no longer sufficient to argue that the fraud was committed by a third party. Companies must prove that effective preventive measures were adopted.
The absence of:
- Structured access logs
- Formalized information security policies
- Records of consumer awareness campaigns
may be interpreted as a breach of the duty of security and information.
Governance ceases to be merely a compliance requirement and becomes a central instrument of judicial defense.
Practical risks and implications
Companies lacking adequate technical documentation may face significant challenges in producing evidence.
The absence of:
- Access traceability
- Formalized internal policies
- Preventive customer communication
may shift civil liability to the organization, even when the fraud was committed by third parties.
Additionally, the duty to inform gains greater relevance. The lack of visible and consistent consumer alerts regarding fake payment slips may be interpreted as a breach of the duty of care.
The current scenario reinforces that information security and civil liability are now directly interconnected.
Strategic recommendations
In light of this consolidated understanding, companies should:
- Strengthen access log management and retention to ensure technical traceability
- Implement and document robust information security policies focused on preventing data breaches and unauthorized access
- Conduct periodic and traceable customer awareness campaigns regarding payment slip fraud
- Centralize the issuance of payment slips exclusively through official and secure channels
- Review internal billing and customer service workflows to align with fraud prevention best practices
This consolidated case law sends a clear message: the strongest judicial defense begins with structured prevention.
Strategic alignment with corporate governance
The issue requires integration among:
- Strategic civil litigation
- Information security
- Data protection
- Compliance
- Contractual review
Companies that structure preventive governance significantly reduce the risk of adverse rulings and strengthen their position in potential litigation.
Institutional maturity becomes a decisive factor in mitigating civil liability.
The consolidation of this precedent by the STJ reflects a broader transformation in the Brazilian legal environment. Corporate civil liability now directly correlates with the maturity of digital governance.
Information security, data protection, internal compliance, and risk management are no longer merely operational tools — they are central components of litigation strategy and risk prevention.
PDK Advogados continuously monitors the evolution of case law before Brazil’s higher courts and its practical impacts on business operations. Our practice integrates strategic litigation, digital governance, data protection, and corporate compliance, always focused on risk anticipation and the construction of sustainable legal certainty.