Personal and corporate data are among the most valuable assets of companies in 2024, a scenario that will continue in 2025. That is why the leak of this information represents more than a technical risk – it is a security incident that profoundly impacts the financial health and reputation of the brands. In addition to the potential costs associated with sanctions under the LGPD (General Data Protection Law), which can reach 2% of revenue or R$50 million in fines per violation, companies targeted by leaks face hidden costs, often underestimated, related to system recovery and intangible damages to their image and relationships with the external public.
Brazilian companies lose an average of R$ 6.75 million due to data breaches, according to the Cost of a Data Breach 2024 report, prepared and released by IBM. However, in practice, this impact is even greater, as gaps in the protection of sensitive information cause damages with other consequences beyond legal ones, such as customer loss to competitors with more robust security policies, operational disruptions, emergency investments in public relations and cybersecurity to mitigate the crisis.
According to lawyer Marco Zorzi, a specialist in Digital Law at Andersen Ballão Advocacia, the advancement of LGPD implementation and the most recent data processing regulations require adjustments to the transparency and security system. Prevention begins with identifying the data to be processed in the company's routine – which information is involved, where it is stored, and with whom it is shared. "Only with measures to map this flow is it possible to strengthen prevention and act immediately and efficiently in the face of security incidents. And this involves efforts, above all, from the legal and IT teams," says Zorzi.
It is worth noting that in addition to the fine and warning, failure to comply with the LGPD guidelines may result in suspension of the company's personal databases for up to six months, publicity of the violation and a ban on carrying out information processing activities, which may be total or partial.
According to the expert, the new regulations of the ANPD (National Data Protection Authority) on the role of the Data Protection Officer, the communication of security incidents and the international transfer of data raise the standard of corporate responsibility.
HACKER ATTACKS
The urgency of recognizing risks and acting preventively was reinforced by the decision of the 3rd Panel of the Superior Court of Justice (STJ), which held Eletropaulo responsible for data leaks resulting from a hacker invasion.
The court concluded that, even in cases of criminal attack, the company's obligation to protect the data remains intact. The decision was based on Articles 19 and 43 of the LGPD, which require the adoption of appropriate technical and administrative measures to safeguard the data.
