Personal and corporate data are among the most valuable assets for companies in 2024, a scenario that will continue in 2025. That is why the leakage of this information represents more than a technical risk: it is a security incident that deeply affects the financial health and reputation of brands. In addition to the sanctions provided for in the LGPD (General Data Protection Law), which can reach 2% of revenue or a fine of R$ 50 million per infringement, companies targeted by leaks face hidden and often underestimated costs: system recovery and intangible damage to their image and to their relationships with the public.
Brazilian companies lose an average of R$ 6.75 million per data breach, according to the Cost of a Data Breach 2024 report prepared and released by IBM. In practice, the impact is even greater, because breaches of sensitive information produce losses beyond the legal ones: customers defecting to competitors with stronger security policies, operational interruptions, and emergency spending on public relations and cybersecurity to mitigate the crisis.
According to lawyer Marco Zorzi, a specialist in Digital Law at the law firm Andersen Ballão Advocacia, the advancing enforcement of the LGPD and the most recent regulations on data handling require adjustments to transparency and security systems. Prevention starts with identifying the data processed in the company's routine: what information is involved, where it is stored, and with whom it is shared. "Only with measures to map this flow is it possible to strengthen prevention and act immediately and efficiently in the face of security incidents. And this involves efforts, especially by legal and IT teams," says Zorzi.
It is worth noting that in addition to the fine and warning, failure to comply with LGPD guidelines can result in a suspension of the company’s personal databases for up to six months, publicizing the violation, and prohibition from carrying out information processing activities, which can be total or partial.
According to the specialist, the new regulations from ANPD (National Data Protection Authority) regarding the role of the Data Protection Officer, communication of security incidents, and international data transfers raise the standard of corporate responsibility.
HACKER ATTACKS
The urgency of recognizing risks and acting preventively was reinforced by the decision of the 3rd Panel of the Superior Court of Justice (STJ), which held Eletropaulo liable for a data leak resulting from a hacker intrusion.
The court concluded that, even in cases of criminal attacks, the company’s obligation to protect data remains intact. The decision was based on articles 19 and 43 of the LGPD, which require the adoption of appropriate technical and administrative measures to safeguard the data.