Security at Work · Best practices

How not to leak confidential company data — and protect your job

Quick answer

Most corporate data leaks are not caused by hackers, but by simple employee mistakes: an email sent to the wrong recipient, the wrong file attached, or using personal cloud storage for company documents. Protecting confidential information is the responsibility of every employee, not just the IT team. Adopting basic information-security habits dramatically reduces the risk of an accidental leak — and the consequences it brings, including dismissal for cause and fines against the company under the LGPD.

Decripte is a cybersecurity company serving businesses from 1 to 100,000+ employees — from assessment to 24x7 incident response.

Warning signs

  • You just sent an email with an attachment to the wrong recipient. A high-risk, immediate situation. Notify the recipient asking them to ignore and delete the file, alert IT, and document what happened. The LGPD requires notification to the ANPD within 72 hours in cases of personal-data leaks.
  • You are using your personal email or cloud to store work files. Even if it is for convenience, this is a leak in effect: the data has left the company's controlled environment. Move the content to the approved channels and inform IT.
  • You pasted customer data or contracts into a public AI tool. Any information sent to cloud AI services can be retained and processed outside the company's control. Alert the security team to assess the risk and review the usage policies.
  • You shared an internal document via a public link and don't know who accessed it. Public cloud-platform links can be indexed by search engines or shared inadvertently. Revoke the link immediately, notify IT, and check any available access logs.
  • A USB drive with company data was lost or stolen. If the device was not encrypted, all files it contained must be considered compromised. Notify IT and your direct manager immediately — any delay increases the regulatory impact.
  • You received a suspicious email and opened the attachment or clicked the link. Phishing is the main entry point for attacks that result in leaked credentials and data. If you are unsure whether you clicked something malicious, disconnect the device from the network and contact IT before continuing to use the equipment.

Step by step

  1. 1

    Classify the information before sharing it

    Before sending any file or data, identify its confidentiality level: public, internal, confidential or restricted. Confidential and restricted information must never leave company-approved systems without formal authorization.

  2. 2

    Use only company-approved channels and tools

    Corporate email, repositories and cloud platforms sanctioned by IT are the only secure means for handling company data. Personal Gmail, personal Google Drive, personal Dropbox and the like are prohibited for corporate files.

  3. 3

    Check the recipient before sending any email

    Autocomplete in the 'To' field is one of the leading causes of leaks. Before clicking send, verify the name and email address of each recipient, especially in messages with confidential attachments.

  4. 4

    Never enter company data into generative AI tools

    Tools like ChatGPT, Gemini and similar ones can store and use the information you send to train models. Customer data, contracts, strategies and financial information must never be pasted into these tools without approval from the security team.

  5. 5

    Avoid USB drives and personal devices

    Unencrypted USB drives and personal devices (phone, personal laptop) are blind spots in corporate security. If you need to move files, use the means approved by the company, always encrypted.

  6. 6

    Be careful with printouts and physical documents

    Printed documents left at the printer, on your desk or in the regular trash are a real and frequent form of leak. Collect your printouts immediately, shred confidential documents, and keep a clean desk when you step away.

  7. 7

    Do not generate public links to share internal files

    Public sharing links on cloud platforms can be accessed by anyone with the URL — including search engines. Share corporate files only with named permissions granted to authorized people.

  8. 8

    If you realize you leaked data, alert IT immediately

    Notifying the security team within the first few hours is the most important action in the event of an accidental leak. The faster you escalate, the greater the chances of containing the damage. Hiding the incident worsens the legal and disciplinary situation.

What NOT to do

  • Never send customer data, contracts or financial information to your personal email, even if it is 'just to work from home'.
  • Never use public generative AI tools (ChatGPT, Gemini, non-corporate Copilot) to process confidential company documents.
  • Never leave confidential physical documents on your desk, at the printer or in the regular trash — use a shredder.
  • Never share corporate passwords over WhatsApp, email or any other channel, even with coworkers.
  • Never try to hide an accidental leak: concealment turns an unintentional mistake into a serious violation, with far greater disciplinary and legal consequences.

Why employees cause most corporate data leaks

According to information-security reports, between 60% and 80% of data-leak incidents originate in human actions — not in sophisticated external attacks. In most cases the employee acts without malicious intent: the leak happens due to haste, unfamiliarity with the policies or simply because of digital habits formed outside the corporate environment.

The most common mistakes include: sending an email to the wrong recipient (autocomplete in the 'To' field is treacherous), attaching the wrong file, using personal Gmail or personal Google Drive to store work documents for convenience, sharing files via a public link instead of named permissions, and carrying data on unencrypted USB drives.

The growing use of generative artificial intelligence tools in daily work has created an entirely new leak vector: the employee pastes a contract, a financial spreadsheet or customer data into ChatGPT to get help — and that information may be retained by the provider, used to train models or accessed by third parties. This is a real leak, even if the employee never realizes it.

Information classification: the first step to not leaking data

Before sharing any data or document, every employee needs to know the confidentiality level of that content. Information classification is the foundation of any data-protection program: without it, it is impossible to know what can circulate freely and what requires strict controls.

Most corporate policies adopt four levels: Public (can be disclosed externally without restrictions), Internal (circulates within the company but should not leave it), Confidential (access restricted to specific teams, requires secure channels) and Restricted or Secret (access only for individually authorized people, with access tracking).

In practice, if you don't know the classification of a document you received, the rule is to treat it as Confidential until you verify with the owner. This conservative posture prevents sensitive information from being shared by mistake. Companies that implement clear classification policies significantly reduce accidental-leak incidents.

Assess your company for free

See in minutes what is already exposed from your business.

Decripte's free Threat Management plan maps vulnerabilities, monitors threats and shows leaked credentials — no credit card and no technical team.

Start free now

Day-to-day best practices to protect corporate data

Use only the tools and channels sanctioned by the company's IT. Collaboration platforms, corporate email, file repositories and approved management systems exist precisely to ensure data stays in controlled environments, with traceable access and managed backups.

Adopt a clean-desk policy: when you step away from the computer, lock the screen (Windows: Win+L; Mac: Ctrl+Command+Q). When you leave your desk, store confidential physical documents in locked drawers. Do not leave passwords written on sticky notes attached to the monitor. These simple practices eliminate physical leak risks that are frequently overlooked.

Before sending any email with sensitive content, make it a habit to check the recipient twice — full name and address. If possible, send the file separately from the explanatory email and confirm receipt by the correct recipient before sending more critical data. When in doubt, prefer verification by phone or a secondary channel.

Consequences of leaking company data: LGPD, dismissal and damages

The General Data Protection Law (LGPD — Law No. 13.709/2018) holds companies responsible for security incidents involving personal data. Fines can reach 2% of the company's revenue in Brazil, capped at R$ 50 million per infraction. When the incident originates in an employee's action or negligence, the company may seek recovery internally.

In the labor context, intentionally leaking confidential company data — or acting with gross negligence toward it — can constitute cause for dismissal, based on Article 482 of the CLT (subsections 'b' — incontinence of conduct or misconduct — and 'h' — act of indiscipline or insubordination). Depending on the case, there may also be a civil action for damages caused to the company or to third parties.

Beyond the legal and labor consequences, data leaks cause reputational damage to the company that can jeopardize customers, contracts and partners. In regulated sectors (healthcare, financial, legal), the impact can result in the loss of licenses and certifications. That is why protecting data is not just a legal obligation — it is a matter of professional responsibility.

What to do if you realized you leaked company data

The first and most important rule is: do not try to hide it. Accidental leaks happen to anyone, and the reaction to the incident weighs far more heavily than the mistake itself in the disciplinary and legal assessment. Immediately notifying the IT or information-security team is the action that makes the difference between a contained incident and a crisis.

Document what happened in as much detail as possible: which file or data was shared, with whom, through which channel, at what time and under what circumstances. This information is essential for the security team to assess the real impact, revoke access, notify the affected parties and meet the legal deadlines for reporting to the ANPD (National Data Protection Authority), which are up to 72 hours for incidents involving personal data.

While you wait for IT support, do not try to 'fix it yourself': do not delete evidence, do not simply ask the recipient to delete the file without a record, and do not share information about the incident with unauthorized people. Rash actions can compromise the incident response and aggravate the legal consequences for you and for the company.

Key terms

Information classification
The process of categorizing data and documents according to their degree of confidentiality and sensitivity, defining who can access them, how they can be shared and which security controls must be applied. The most common levels are: Public, Internal, Confidential and Restricted.
DLP (Data Loss Prevention)
A set of technologies and processes that monitor, detect and block the unauthorized flow of sensitive data outside the company's controlled environment — whether by email, upload to personal cloud, copy to removable devices or other channels.
LGPD
The General Data Protection Law (Law No. 13.709/2018), Brazilian legislation that regulates the processing of personal data by companies and individuals. It establishes the rights of data subjects, the obligations of organizations and penalties for security incidents, including fines of up to 2% of national revenue, capped at R$ 50 million per infraction.
Accidental leak
An information-security incident caused by unintentional human error — such as sending an email to the wrong recipient, using unauthorized tools or losing a device with corporate data — as opposed to external attacks or deliberate malicious actions. It is the leading cause of data incidents in organizations of every size.

Frequently asked questions

Can I use my personal email to send work files?

No. Using personal email for corporate files is a data leak, even if unintentional. The data leaves the company's controlled environment, ends up on third-party servers outside IT's control, and can be accessed without the protections corporate email offers. If you need to work from home, use the VPN and the systems approved by the company.

Can I use ChatGPT to review contracts or spreadsheets with customer data?

No, unless your company has formally approved a private, corporate version of the tool. Public generative AI tools can store the data you send to train their models. Customer data, contracts and financial information are confidential and must not be sent to these services without express authorization from the security team.

What happens if I send an email to the wrong recipient?

Immediately alert the wrong recipient, asking them to ignore and delete the email and the attachment. Then notify the company's IT or information-security team. If the email contained personal data of customers or employees, the company may be required to notify the ANPD within 72 hours. Acting fast reduces the impact and demonstrates good faith.

A coworker asked me for the system password to do an urgent task. Can I share it?

No. Passwords are personal and non-transferable. Sharing credentials violates most companies' security policy and can transfer to you the responsibility for actions taken with your account. If a coworker needs access, IT should grant them the appropriate permissions.

Are USB drives safe for carrying work files?

Unencrypted USB drives are one of the most common leak vectors — all it takes is losing the device or having it stolen. If the company authorizes their use, the USB drive must be encrypted (tools like BitLocker or VeraCrypt) and recorded in the IT asset inventory. Always prefer the collaboration and cloud systems approved by the company.

What is DLP and how does it protect the company from leaks?

DLP (Data Loss Prevention) is a set of technologies that monitor and control the flow of sensitive information across the company's systems. A DLP system can automatically block the sending of classified documents to personal emails, detect when confidential data is pasted into unauthorized tools, and generate alerts for the security team. It does not replace employee awareness, but acts as an additional safety net.

What are the company's main obligations in the event of a data leak under the LGPD?

Under the LGPD (Law No. 13.709/2018), the company must notify the ANPD and the affected data subjects within a reasonable time (interpreted as up to 72 hours for serious cases) when a security incident occurs that may cause relevant risk or harm to the data subjects. The company must also record the incident, assess the impact and implement corrective measures. Non-compliance can result in fines of up to 2% of revenue, capped at R$ 50 million per infraction.

Security for businesses

Decripte protects companies of every size — from solo founders to Enterprise.

A full platform and services: threat management, 24x7 SOC, incident response, pentest and compliance. Start free and see what has already leaked from your business.