Personal and corporate data are among a company's most valuable assets in 2024, a trend set to continue in 2025. That is why a leak of this information is more than a technical risk: it is a security incident with deep consequences for a brand's finances and reputation. Beyond the cost of sanctions under the LGPD (General Data Protection Law), whose fines can reach 2% of a company's revenue, capped at R$50 million per infraction, companies hit by leaks face hidden and often underestimated costs: recovering affected systems and repairing intangible damage to their image and their relationship with the public.
Brazilian companies lose, on average, R$6.75 million per data breach, according to IBM's 2024 Cost of a Data Breach report. In practice the impact is larger still, because a failure to protect sensitive information produces losses that go well beyond legal penalties: customers who migrate to competitors with more robust security policies, operational disruptions, and emergency spending on public relations and cybersecurity to contain the crisis.
According to lawyer Marco Zorzi, a specialist in Digital Law at Andersen Ballão Advocacia, the advancing enforcement of the LGPD and the latest data processing regulations require companies to adjust their transparency and security protocols. Prevention begins with an inventory of the data processed in the company's daily routine: what information is involved, where it is stored, and with whom it is shared. "Only by mapping this flow can we strengthen prevention and react immediately and efficiently to security incidents. And this requires effort, particularly from the legal and IT teams," says Zorzi.
Beyond fines and warnings, non-compliance with LGPD requirements can lead to suspension of the company's personal databases for up to six months, public disclosure of the violation, and a partial or total prohibition on carrying out data processing activities.
According to the expert, the new ANPD (National Data Protection Authority) regulations on the role of the Data Protection Officer, the reporting of security incidents and the international transfer of data raise the bar for corporate responsibility.
HACKER ATTACKS
The urgency of recognizing risks and acting preventively was reinforced by a decision of the 3rd Chamber of the Superior Court of Justice (STJ), which held Eletropaulo liable for a data breach caused by a hacker attack.
The court ruled that even when the breach results from a criminal attack, the company's duty to protect data remains intact. The decision relied on articles 19 and 43 of the LGPD, which require the adoption of adequate technical and administrative measures to safeguard data.