The company has suffered a data leak! When a security incident is identified, there is a series of procedures to be followed. Therefore, knowing and doing what needs to be done is essential. Likewise, find out how and why the security incident happened.
Did you know that every 5 seconds there is a fraud attempt in Brazil? Did you know that 35% are cell phone purchases with false documents?
This is a huge industry, with frightening numbers. It is active 24 hours a day, seven days a week, collecting data nonstop and using it in more and more new frauds, scams and security incidents.
But what can be done when a large part of life and work takes place digitally? Without investing in prevention (time, practices, technologies and tools), it is practically impossible to get rid of data leaks in the company.
What to do!?
First of all: calm down!
Take a deep breath and remember: data leaks occur quite frequently.
Avoiding them is possible, affordable and simple. This is good news for businesspeople who have a minimum of knowledge about the need to prevent cyberattacks and security incidents.
The fact is that, coincidence or not, 100% of companies that do not invest in technology and compliance solutions in data security are unable to prevent data leaks.
The first action of any business owner, manager or IT professional is to understand the situation.
Find out what happened, when it happened and whether it has stopped happening!
Then, check what data was exposed and assess the extent of the damage.
At this point, depending on corporate culture and maturity, it is time to start acting, in a practical and quick way, to try to reduce the losses caused by data leaks in the company.
Is your company ready to face a data breach?
This should be the easiest and simplest step. After all, in theory, it would be enough to follow the pre-established protocols, processes and procedures in the event of a data leak.
This is where it gets complicated: most business owners have never thought about the possibility of a security incident.
It's an unfortunate fact, but very few managers, business owners and IT professionals consider the risk of cyber attacks.
This is a dangerous behavior that leads to certain losses, because when there is no care, however minimal, the headache is great.
Even more so when a culture of prevention and data protection is lacking. This has nothing to do with corporate maturity; it happens because companies and entrepreneurs are not afraid of being held responsible.
Often, they don't even know that they have an obligation and responsibility for the data that their companies collect, store and process.
Or, to put it more clearly and in a less politically correct way: the lack of supervision, accountability and penalization is historic in Brazil.
One thing is certain: companies were neither accustomed to nor afraid of paying for their inefficiency, recklessness or negligence with the data of the employees, suppliers and customers under their care.
Anyway, this is a very common example of a time that must cease to exist. The LGPD, policies and demands for data transparency exist to change this scenario.
We are still crawling. But the protection of data (personal, sensitive, confidential, biometric, behavioral, registration and navigation) must require compliance in data security management – and fines, when applicable.
Who is responsible for data leaks in companies?
The responsibility of companies and entrepreneurs is to prevent, control and monitor risky behavior by employees.
Because, when they allow inappropriate and/or improper behavior, they expose vulnerabilities and security holes:
- They leave the company exposed to data leaks.
- Without prevention and control, any employee can put the company at risk.
- Without compliance processes, technologies and data security tools, companies make life easier for cybercriminals and, through negligence, become accomplices in security incidents.
It is the obligation of business owners, managers and IT professionals to preserve data integrity and privacy. To achieve this, they can and should invest in efficient digital security solutions and technologies.
Data leak: what to do?
Don't forget to watch this video. It's really worth watching and learning from the discussion about digital security and data leaks.
In a very didactic and light way, the program Opinião, on TV Cultura, delves into the issue. It provides good information about data leaks and the impact of the human factor.
With the participation of lawyer and Doctor of Law Nathalie Fragoso and professor of Security and Auditing at ESPM Osmany Arruda, journalist and presenter Andressa Boni leads the program.
Together, they answer the following question: what is the explanation for these security failures and what are the consequences and risks?
After all, information and knowledge are fundamental against data leaks in companies.
So is minimizing the impact of the human factor, in order to guard against the main risks, security breaches, vulnerabilities and situations in which data protection is threatened.
And now, does your company have the culture and maturity to do what it needs to do?
With many variables involved, it is not always an easy matter to deal with within companies, between managers and employees.
Especially because, on the cybercriminals' side, there is always time, and there are no rules, when it comes to inventing a new way to circumvent and threaten data security.
Meanwhile, on the “good” side, the rules, ways and means of preventing, protecting against and avoiding cyber risks take more time and depend on day-to-day practices to ensure data security in companies.
That's why technology is a powerful ally for companies in combating security incidents, especially data leaks. After all, business owners and employees direct their time to producing and generating profits.
In this sense, the search for efficient technology solutions formation of culture and compliance in data security.
If, on the one hand, there is no company without people, on the other, they are the ones who make the commercial enterprise happen. This is because businesspeople and employees are responsible for everything that happens in the corporate world. The good and the bad.
This perspective makes all the difference in the management and institutional fight against security incidents, because employees are the gateway to cyber attacks and data leaks in companies.
Therefore, it is necessary to do what must be done: train employees, and structure and implement the data security and internet access management policy. These measures are certainly as relevant as security solutions, technologies and systems.
What should happen after a data breach in the company?
After assessing the size of the problem, it's time to learn, in order to avoid it.
How it happened and why it happened are also important questions. However, they are for a second stage and for mature companies, with culture and compliance in data security management.
That's what mature companies do: they make mistakes and learn from their mistakes. Thus, by taking care to never repeat mistakes, you will go further and more successfully.
These are the most difficult answers to determine and verify, without a doubt, because they depend on a series of factors, elements and processes that are present, or not, in companies.
Certainly, there are many variables. However, I will only mention the two most effective against improper access, unauthorized collection and exposure and/or sale of personal, sensitive or confidential data.
Therefore, the following are essential processes and elements against data leaks in the company:
- internet access and control policies;
- technologies and tools to prevent security incidents.
See what to do in the event of a data leak
What leaked? Why was it leaked? How should data subjects act to minimize risks, damages and losses? These are the three issues that companies must evaluate, record and report, respectively.
At a minimum, this is also the information that must be included in the fourth basic and mandatory step after a data breach in the company: notify.
We researched a set of procedures to follow immediately after a data breach. See the best recommendations and measures:
Get informed
If you receive notifications or hear from the media about a leak, inform yourself and try to identify which data was leaked (this helps you know what measures to take).
Find out what measures have been or will be taken, which ones should be followed, the dates of the potential leak and any announcements and news about it.
Avoid accessing websites and opening files that supposedly confirm or display leak data. If in doubt, contact the organizations involved directly and seek more information.
What to do in case of
Leaked access credentials: immediately change exposed passwords. Enable two-step verification on accounts that offer this feature, if you haven't already. Use the available mechanisms to analyze access records and report attempts/inappropriate access.
Leaked credit or debit cards: inform the card issuing institutions. Review your card and bank account statements. Dispute any irregular charges you identify, via the official channels of the respective institutions.
Who to turn to
If you find that your data has been used fraudulently or that you have been harmed in any way:
Financial fraud: contact the institutions involved and follow the guidance received.
Identity theft: file a police report with the police authority, to enable investigation and protect yourself. Contact the institutions involved.
Leakage of personal data: when the company is a data controller, it needs to be ready to communicate and provide information whenever requested. If the company does not comply with these requests, it may be reported to the National Data Protection Authority (ANPD).
Provide information about what data was leaked; when you became aware of the leak; whether personal data is believed to have been improperly used in some criminal action (such as embezzlement, fraud or illegal trade in personal data) and what evidence there is to confirm this hypothesis.
This and other information is present in the Internet Security Booklet – Data Leak Issue, produced by cert.br, nic.br and cgi.br, with the contribution of the National Data Protection Authority (ANPD).
What to do in case of personal data leak
It is an obligation to notify the ANPD whenever there is a leak of personal data that could result in significant risk or damage to data subjects.
Every company must follow these four steps:
- Internally evaluate the incident – nature, category and number of affected personal data holders, category and quantity of affected data, concrete and probable consequences.
- Report to the controller, if you are the operator, in accordance with the LGPD.
- Communicate to the ANPD and data subjects, in case of significant risk or damage to data subjects.
- Prepare documentation with the internal assessment of the incident, measures taken and risk analysis, for the purpose of complying with the principle of responsibility and accountability.
The ANPD recommends a cautious stance. That is, reporting security incidents must be carried out even in cases where there is doubt about the relevance of the risks and damages involved.
It emphasizes that under-evaluation of risks and damages by companies can be considered non-compliance with personal data protection legislation.
Therefore, communication needs to be very detailed and accompanied by documents, to help evaluate the incident, the risks and the measures taken.
The ANPD provides a form for reporting incidents and generating a security incident report.
Personal data holders have a series of rights and can demand information. It is essential that companies become aware of this.
Therefore, non-compliance with the legislation will be subject to inspection by the ANPD. Failure to provide information, for example, can result in sanctions.
This content is available on the ANPD website, in its full article on security incidents involving personal data.
What to do when email or password are exposed
See the easiest and least painful paths.
- Password: change the combination to a more secure one and use a two-step verification method.
- E-mail: avoid opening links and attachments from unknown senders, and pay extra attention to the messages you receive.
Redoubling your attention is essential. Once data is exposed, it is almost impossible to get it off the internet. Therefore, attempted scams, which are already common, become even more elaborate. After all, when cybercriminals have accurate personal information, they have a greater chance of confusing users during their approach.
Full article: What to do in case of personal data leak?
5 steps to face a data leak in the company
Implement data protection compliance solutions, tools and processes. See what else is needed to address a company data breach and other security incidents.
- Invest in and improve measures for internet access and information and data security.
- Structure an internet access, control and data security policy in accordance with existing standards and legislation (LGPD).
- Create and maintain a crisis management team: qualified personnel who know what to do, how to do it and when to do it, so they can take charge of the company and its actions during company data leaks or other security incidents.
- Plan and incorporate into the internet access, control and data security policy a tactical and operational plan for times of crisis. It will be the guide that the crisis management team must follow.
- Notify the victims (holders of the leaked data) and the National Data Protection Authority (ANPD). At a minimum, the company must complete the incident reporting form made available by the ANPD.
Prevention and information are keywords against security incidents
Being well-informed, learning about data leaks and acting preventively contribute to reducing damage, avoiding losses and preserving your company's reputation.
Internet access management and control processes do not need to be difficult or complex. Investing in solutions to prevent information security incidents is the most affordable and intelligent strategy.
It is essential for your company to act in accordance with legislation (LGPD), and also to preserve the privacy rights and personal data security of users/consumers/citizens.
In practice, in addition to prevention, the best solutions on the market productivity and profitability indicators. Just search and compare.