Data leaks: a problem that costs Brazilian companies dearly

Personal and corporate data is one of the most valuable assets of companies in 2024, a scenario that will remain in 2025. That is why the leakage of this information represents more than a technical risk 50 million security incident that profoundly affects the financial health and reputation of brands. In addition to the potential expenses with the sanctions provided for in the LGPD (General Data Protection Law), which can reach 2% of billing or R$ 50 million fine for infringement, companies targeted for leaks face hidden costs, often underestimated, with the recovery of systems and intangible damages to the external image and public relations.

Brazilian companies lose, on average, R$ 6.75 million per data breach, according to the Cost of a Data Breach 2024 report, prepared and released by IBM. However, in practice, this impact is even greater, as the gaps in the protection of sensitive information generate losses with other consequences, in addition to legal ones, such as evasion of customers who migrate to competitors with more robust security policies, interruption of operations, emergency investments with public relations and cybersecurity to mitigate the crisis.

According to lawyer Marco Zorzi, specialist in Digital Law at Andersen Ballao Advocacia, the advancement of the application of the LGPD and the latest standards on data processing require adjustments to the system of transparency and security. Prevention begins with the identification of the data to be treated in the company's routine (which information is involved, where it is stored and with whom it is shared. “Only with the measures to map this flow it is possible to strengthen prevention and act immediately and efficiently in the face of security incidents. And this involves efforts, especially, the legal and IT teams”, says Zorzi.

It is worth noting that in addition to the fine and warning, non-compliance with the LGPD guidelines may result in suspension for up to six months of the company's personal databases, advertising of the infringement and prohibition of the exercise of information processing activities, which may be total or partial.

According to the expert, the new regulations of the ANPD (National Data Protection Authority) on the role of the Data Controller, the communication of security incidents and the international transfer of data raise the standard of corporate responsibility.

HACKER ATTACKS

The urgency to recognize risks and act in a preventive manner was reinforced by the decision of the 3rd Class of the Superior Court of Justice (STJ), which held Eletropaulo responsible for data leakage resulting from a hacker invasion.

The court concluded that even in cases of criminal attack, the company's obligation to protect data remains intact. The decision was based on articles 19 and 43 of the LGPD, which determine the adoption of appropriate technical and administrative measures to safeguard the data.