A data breach has occurred at the company! When a security incident is identified, there are a series of procedures to be followed. Therefore, knowing and doing what needs to be done is fundamental. Similarly, discovering how and why the security incident happened is crucial.
Did you know that a fraud attempt occurs every 5 seconds, and that 35% of these involve purchasing cell phones with fake documents?
This is a massive industry with staggering numbers. It operates 24/7, relentlessly collecting data and using it for more and more fraud, scams, and security incidents.
But what to do if a large part of life and work takes place in the digital environment? Without investing in prevention (time, practices, technologies and tools) it is practically impossible to avoid data leaks in the company.
What to do!?
First of all: calm down!
Take a deep breath and remember: data breaches happen quite frequently.
Avoiding them is possible, accessible, and simple. That's the good news for business owners who have even a basic understanding of the need for prevention against cyberattacks and security incidents.
The fact is that, coincidence or not, 100% of companies that do not invest in technology solutions and data security compliance fail to prevent data breaches.
The first action of any entrepreneur, manager, or IT professional is to understand the situation.
Investigate what happened, when it happened, and if it stopped happening!
Next, verify what data was exposed and assess the extent of the damage.
At this point, depending on the company's culture and maturity, it's time to start acting. Practical and quick action is needed to try and reduce the damage caused by the data breach.
Is your company prepared to face a data breach?
This should be the easiest and simplest step. After all, in theory, it would be enough to follow the pre-established protocols, processes, and procedures for the event of a data breach.
That's where it gets complicated: most business owners have never considered the possibility of a security incident.
It's a regrettable fact, but very few managers, business owners, and IT professionals consider the risk of cyberattacks.
A dangerous behavior that leads to certain losses. Because when there is no care, even minimal care, the headache is significant.
Even more so when there is a lack of a culture of prevention and data protection. This has nothing to do with corporate maturity, but rather because companies and business owners are not afraid of being held accountable.
Often, they are unaware that they do, in fact, have an obligation and responsibility for the data that their companies collect, store, and process.
Or, to put it in a clearer, less politically correct way: the lack of oversight, accountability, and penalties is a historical problem in Brazil.
One thing is certain: companies were neither accustomed to nor afraid of paying for their inefficiency, recklessness, or negligence with the data of their employees, suppliers, and customers under their care.
In short, this is a very common example of a time that should cease to exist. The LGPD (Brazilian General Data Protection Law), policies, and demands for data transparency exist to change this scenario.
We are still in the early stages. But data protection (personal, sensitive, confidential, biometric, behavioral, registration, and browsing data) must demand compliance in data security management – and fines, when appropriate.
Whose responsibility is it for data breaches in companies?
It is the responsibility of companies and business owners to prevent, control, and monitor risky employee behavior.
Because when they allow inappropriate and/or improper behavior, they expose vulnerabilities and security gaps.
- They leave the company exposed to data leaks.
- Without prevention and control, any employee can put the company at risk.
- Without compliance processes, technologies, and data security tools, companies make life easier for cybercriminals and, through negligence, become complicit in security incidents.
It is the obligation of business owners, managers, and IT professionals to preserve the integrity and privacy of data. To this end, they can and should invest in efficient digital security solutions and technologies.
Data breach: what to do?
Be sure to watch this video. It's well worth watching and learning from the discussion about digital security and data leaks.
In a very didactic and lighthearted way, the program Opinião, on TV Cultura, delves into the issue. It provides good information about data leaks and the impact of the human factor.
With the participation of lawyer and PhD in Law Nathalie Fragoso and ESPM professor of Security and Auditing Osmany Arruda, journalist and presenter Andressa Boni hosts the program.
Together, they answer the following question: what is the explanation for these security flaws, and what are the consequences and risks?
Ultimately, information and knowledge are fundamental in preventing data leaks in companies.
So is minimizing the impact of the human factor, in order to guard against the main risks, security breaches, vulnerabilities and situations in which data protection is threatened.
So now, does your company have the culture and maturity to do what it needs to do?
With so many variables involved, it's not always an easy subject to address within companies, between managers and employees.
That's because, from the cybercriminals' perspective, there's always time and no rules for inventing new ways to circumvent and threaten data security.
Meanwhile, on the "good" side, the rules, methods, and ways to prevent, protect, and avoid cyber risks take more time and depend on day-to-day practices to ensure data security in companies.
That's why technology is a powerful ally for companies in combating security incidents, especially data leaks. After all, business owners and employees dedicate their time to producing and generating profits.
In this sense, the search for technology solutions goes hand in hand with building a culture of, and ensuring compliance with, data security standards.
While no company exists without people, it is people who make the business venture happen. This is because entrepreneurs and employees are responsible for everything that happens in the corporate world, both the good and the bad.
This perspective makes all the difference in managing and combating institutional security incidents. Because employees are the gateway for cyberattacks and data breaches in companies.
Therefore, it is necessary to do what needs to be done: train employees, and structure and implement data security and internet access management policies. These measures are certainly as relevant as security solutions, technologies, and systems.
What should happen after a data breach at a company?
After assessing the size of the problem, it's time to learn how to avoid it.
How it happened and why it happened are also important questions. However, these are for a later stage and for mature companies with a culture and compliance in data security management.
That's what mature companies do: they make mistakes and learn from them. By taking care never to repeat past mistakes, they go further and achieve greater success.
These are the most difficult questions to answer and verify. Undoubtedly, because they depend on a series of factors, elements, and processes that are present, or not, in companies.
Certainly, there are many variables. But I will only mention the two most effective against unauthorized access, collection, and exposure and/or sale of personal, sensitive, or confidential data.
Therefore, the following processes and elements are indispensable for preventing data leaks in the company:
- Internet access and control policies;
- Technologies and tools to prevent security incidents.
See what to do in case of a data breach
What was leaked? Why was it leaked? How should data subjects act to minimize risks, damages, and losses? These are the three questions that companies should assess, record, and report, respectively.
At a minimum, this is also the information that should be included in the fourth basic and mandatory step after a data breach at the company: notifying.
We researched a set of procedures to follow immediately after a data breach. Here are the best recommendations and actions to take:
Find out more
If you receive notifications or learn about a data breach through the media, investigate and try to identify what data was leaked (this helps you know what steps to take).
Find out what measures have been or will be taken, which ones should be followed, the dates of the potential leak, and any announcements or news regarding the matter.
Avoid accessing websites and opening files that supposedly confirm or display the leaked data. If in doubt, contact the organizations involved directly and seek more information.
What to do in case of
Leaked login credentials: change any exposed passwords immediately. Enable two-step verification on accounts that offer this feature, if you haven't already done so. Use available mechanisms to review login logs and report any unauthorized attempts/access.
Leaked credit or debit cards: inform the issuing institutions of the cards. Review your card and bank account statements. Dispute any irregular charges you identify through the official channels of the respective institutions.
Who to turn to
If you find that your data has been used fraudulently or you have been harmed in any way.
Financial fraud: contact the institutions involved and follow the instructions you receive.
Identity theft: file a police report with the authorities to enable an investigation and protect yourself. Contact the relevant institutions.
Personal data breach: when a company is a data controller, it needs to be prepared to communicate and provide information whenever requested. If the company fails to comply with these requests, it may be reported to the National Data Protection Authority (ANPD).
Provide information about what data was leaked; when you became aware of the leak; whether you believe the personal data was misused in any criminal activity (such as fraud, scams, or illegal trading of personal data); and what evidence you have to support this claim.
This and other information can be found in the Internet Security Guide – Data Leakage Booklet, produced by cert.br, nic.br and cgi.br, with the contribution of the National Data Protection Authority (ANPD).
What to do in case of a personal data breach
It is mandatory to notify the ANPD whenever a breach of personal data occurs that could pose a significant risk or harm to the data subjects.
Every company should follow these four steps:
- Assess the incident internally – its nature, category and number of personal data subjects affected, the category and amount of data affected, and the concrete and probable consequences.
- Notify the controller, if you are the operator, in accordance with the LGPD (Brazilian General Data Protection Law).
- Notify the ANPD (National Data Protection Authority) and data subjects in case of significant risk or harm to the data subjects.
- Prepare documentation containing an internal assessment of the incident, measures taken, and risk analysis, for the purpose of complying with the principle of accountability and transparency.
The ANPD (Brazilian National Data Protection Authority) recommends a cautious approach. That is, security incidents should be reported even when there is doubt about the relevance of the risks and damages involved.
It emphasizes that the underestimation of risks and damages by companies may be considered a breach of personal data protection legislation.
Therefore, communication needs to be very detailed and accompanied by documentation to help assess the incident, the risks, and the measures taken.
The ANPD (Brazilian National Data Protection Authority) provides a form for reporting incidents and generating a security incident report at this link.
Data subjects have a number of rights and can request information. It is crucial that companies are aware of this.
Therefore, non-compliance with the legislation will be subject to inspection by the ANPD (National Data Protection Authority). And failure to provide information, for example, may result in sanctions.
This content is available on the ANPD website. Access the full article on security incidents involving personal data by clicking on this link.
What to do when your email or password is exposed
Look for the easiest and least painful paths.
- Password: Change the combination to a more secure one and use a two-step verification method.
- Email: avoid opening links and attachments from unknown senders, and pay close attention to incoming messages.
Paying extra attention is essential. Once data is exposed, it's almost impossible to remove it from the internet. Therefore, attempted scams, which are already common, become even more sophisticated. After all, when cybercriminals have accurate personal information, they have a greater chance of confusing users during their approach.
Full article: What to do in case of a personal data breach?
5 steps to deal with a data breach in your company
Implement data protection compliance solutions, tools, and processes. See what else is needed to address a data breach in your company and other security incidents.
- Invest in and improve measures for managing and controlling internet access and for information and data security.
- Structure an internet access, data control and security policy in accordance with existing regulations and legislation (LGPD).
- Create and maintain a crisis management team: qualified personnel who must know what to do, how to do it, and when to do it to lead the company's actions during data breaches or other security incidents.
- Plan and incorporate a tactical and operational plan for crisis situations into internet access and control policies, as well as data security and control guidelines. It will be the guide that the crisis management team should follow.
- Notify the victims (owners of the leaked data) and the National Data Protection Authority (ANPD). At a minimum, the company must complete the incident reporting form provided by the ANPD (click here to access).
Prevention and information are key words against security incidents
Being well-informed, learning about data breaches, and acting proactively all contribute to reducing damage, avoiding losses, and preserving your company's reputation.
Managing and controlling internet access doesn't have to be difficult or complex. Investing in solutions to prevent information security incidents is the most accessible and intelligent strategy.
It is essential for your company to act in accordance with the law (LGPD). This is also necessary to preserve the privacy and security rights of users'/consumers'/citizens' personal data.
In practice, in addition to prevention, the best solutions on the market productivity and profitability indicators. Just do some research and compare.