Data leaks: a problem that costs Brazilian companies dearly

Personal and corporate data are among companies' most valuable assets in 2024, a scenario that will remain the same in 2025. That's why a data leak represents more than a technical risk: it's a security incident with profound repercussions for a brand's financial health and reputation. In addition to the potential costs of penalties under the LGPD (General Data Protection Law), which can reach 2% of revenue or R$ 50 million in fines per violation, companies targeted by data leaks face hidden, often underestimated, costs associated with system recovery and intangible damage to their image and relationships with external stakeholders.

Brazilian companies lose, on average, R$6.75 million per data breach, according to the "Cost of a Data Breach 2024" report, prepared and published by IBM. In practice, however, the impact is even greater, because failures to protect sensitive information cause losses beyond the legal ones: customers leaving for competitors with more robust security policies, operational disruptions, and emergency investments in public relations and cybersecurity to mitigate the crisis.

According to attorney Marco Zorzi, a Digital Law specialist at Andersen Ballão Advocacia, the advancement of LGPD enforcement and the most recent data processing regulations require adjustments to the transparency and security system. Prevention begins with identifying the data to be processed in the company's routine—what information is involved, where it is stored, and with whom it is shared. "Only by taking measures to map this flow can we strengthen prevention and act immediately and efficiently in the event of security incidents. And this requires efforts, above all, from the legal and IT teams," says Zorzi.

It is worth noting that in addition to the fine and warning, failure to comply with LGPD guidelines may result in suspension of the company's personal databases for up to six months, publicity of the violation, and a total or partial ban on carrying out information processing activities.

According to the expert, the new ANPD (National Data Protection Authority) regulations on the role of the Data Protection Officer, the reporting of security incidents, and the international transfer of data raise the bar for corporate responsibility.

HACKER ATTACKS

The urgency of recognizing risks and acting preventively was reinforced by the decision of the 3rd Panel of the Superior Court of Justice (STJ), which held Eletropaulo responsible for data leaks resulting from a hacker invasion.

The court concluded that, even in cases of criminal attack, the company's obligation to protect data remains intact. The decision was based on articles 19 and 43 of the LGPD, which require the adoption of appropriate technical and administrative measures to safeguard data.

E-Commerce Update