Personal and corporate data are one of the most valuable assets of companies in 2024, scenario that will remain in 2025. That is why the leak of this information represents more than a technical risk – it is a security incident that deeply impacts the financial health and reputation of brands. In addition to the potential costs associated with the sanctions provided for in the LGPD (General Data Protection Law), that can reach 2% of revenue or R$ 50 million in fines for violations, target companies facing leaks incur hidden costs, often underestimated, with the recovery of systems and intangible damages to image and relations with the external public
Brazilian companies can lose, on average, R$ 6,75 million for data breach, according to the Cost of a Data Breach report 2024, developed and published by IBM. However, in practice, this impact is even greater, because the gaps in the protection of sensitive information cause losses with other consequences, besides the legal ones, as customer churn that migrate to competitors with more robust security policies, interruption of operations, emergency investments in public relations and cybersecurity to mitigate the crisis
According to lawyer Marco Zorzi, digital law specialist at Andersen Ballão Advocacia law firm, the advancement of the application of the LGPD and the most recent regulations on data processing require adjustments to the system of transparency and security. Prevention starts with the identification of the data to be processed in the company's routine – what information is involved, where they are stored and with whom they are shared. Only with measures to map this flow is it possible to strengthen prevention and act immediately and efficiently in the face of security incidents. And this involves efforts, overcoat, the legal and IT teams, says Zorzi
It is worth noting that in addition to the fine and warning, non-compliance with LGPD guidelines may result in suspension of the company's personal databases for up to six months, advertisement of the infringement and prohibition of the exercise of information processing activities, that can be total or partial
According to the expert, the new regulations of the ANPD (National Data Protection Authority) on the role of the Data Protection Officer, the communication of security incidents and the international transfer of data raise the standard of corporate responsibility
HACKER ATTACKS
The urgency of recognizing risks and acting preventively was reinforced by the decision of the 3rd Panel of the Superior Court of Justice (STJ), which held Eletropaulo responsible for data leakage resulting from a hacker invasion
The court concluded that, even in cases of criminal attack, the company's obligation to protect the data remains intact. The decision was based on articles 19 and 43 of the LGPD, that determine the adoption of appropriate technical and administrative measures to safeguard the data
