Data Breaches: The New Risk Redefining Business Rules?
Despite governments worldwide continuously intensifying efforts to strengthen laws regulating the use, storage, and handling of personal data, the number of breaches involving this valuable information continues to increase each year. In the past, companies' primary financial losses were often associated with legal disputes and damage to their reputation. Today, however, penalties imposed by regulators for security breaches that expose customer, supplier, and employee data have taken center stage.
A recent Kaspersky study reveals that 28% of Mexican companies have experienced the leakage of confidential data following a cybersecurity breach over the past two years. During this period, organizations have faced incidents caused by internal threats, such as employees or contractors using unauthorized systems or devices to access and share data, thereby increasing the risk of exposing sensitive information.
Cybercriminals have set their sights on key sectors of the national economy, including manufacturing, retail, IT services, healthcare, education, and, of course, government entities. These industries store massive amounts of data — true digital treasures — including financial information, addresses, trade secrets, and more. This data is protected under the Federal Law on the Protection of Personal Data Held by Private Parties, which mandates that institutions ensure the privacy rights of their customers, employees, suppliers, and others.
The challenge of safeguarding this digital treasure is no small task. In fact, 24% of Mexican companies surveyed in a study conducted by our organization acknowledged that compliance with local regulations and laws on the subject is a significant challenge. This presents a latent risk, as failure to meet these requirements can worsen the consequences of a data breach. These consequences may include fines or lawsuits if it’s proven that proper protection measures weren’t implemented, as well as disruptions to services and operations.
In this complex scenario, it’s advisable to follow four key steps to collect, store, and transfer personal data while preventing incidents. The first and most crucial step: collect data only if you have a solid legal basis for doing so. Issue an electronic or physical document that clearly specifies how personally identifiable information (PII) will be processed, and ensure that it includes explicit consent from the individual. Keep this consent on file so it’s readily available in the event of legal claims or regulatory inspections.
The second step involves the storage of personal data: it is essential for companies to know where the data is stored, who has access to it, and how it is processed. It is advisable to avoid storing Personally Identifiable Information (PII) on corporate devices, external hard drives, or USB drives, as they can be stolen or lost, giving whoever obtains them a direct path to the data. Segmenting the internal network is also a good practice: dividing it into specific sections limits how far unauthorized access can reach. This information should only be accessible to employees who need to consult it for work-related reasons.
The third step pertains to processes related to the transfer of personal data, an action that must be monitored and approved by the IT department. Additionally, all employees with access to PII should be given clear instructions on how to handle this information properly, which corporate or third-party services may be used for its transfer, and with whom the data may be shared.
The fourth and final step is for all companies to have a cybersecurity tool with threat detection and response capabilities to block unauthorized access attempts, as well as managed protection services to investigate attacks efficiently and respond appropriately.
The beginning of this year is an excellent time for companies to assess whether their cybersecurity strategy adequately safeguards personal data and, if it does not, to incorporate the plans and cybersecurity tools that, in 2025, will let them operate with peace of mind while minimizing the risk of a security breach that could land them in the headlines.
These first months of 2025 give companies the perfect opportunity to scrutinize whether their cybersecurity strategy truly protects the personal data they are entrusted with. Failing to do so could cost far more than a simple financial loss: we’re talking about destroyed reputations, dissatisfied customers, and the company’s name making headlines for security breach scandals. Are they willing to take that risk in a world where a careless click could spell the end of their credibility?
By Claudio Martinelli | Managing Director, Americas
Fri, 02/07/2025 - 08:00