
Regulator's Call to Breached Organizations: 'Be Human'

Breaches Often Have Harmful, Under-Acknowledged 'Ripple Effect' on Victims' Lives
Suggested messaging for organizations to raise data breach fallout awareness internally. (Source: ICO)

Too many breached organizations fail to acknowledge the detrimental impact their mishandling of people's personal data can have on affected individuals.


Britain's privacy watchdog is calling on breached organizations to wield greater "empathy and action."

"I want to issue a stark warning to organizations across the country: you must do better," said John Edwards, Britain's information commissioner. "Organizations need to understand that the harm doesn't end with the breach - that is only where it begins."

Slightly more than half of adults in the United Kingdom - nearly 30 million people - have had their personal data lost or stolen. Emotional distress often results. A quarter of breach victims said they received "no support" from the organization that lost control of their personal information.

The government agency in 2022 and 2023 reprimanded seven organizations for data breaches that "put domestic abuse victims' lives at risk," including in a handful of cases an individual's "safe" address being disclosed to their abuser. It said the incidents traced to such organizations as "a law firm, a housing association, an NHS trust, a government department, local councils and a police service."

Feelings of betrayal after a breach are common. In one-third of data breaches, the regulator found that rather than being informed directly about a breach by the organization that lost their data, individuals heard it first in a media report.

The ICO said breached organizations are failing in their duty to make things right for victims, not least through the clarity and forthrightness of their communications. "Data protection has never been about computers or robots - it's about people," Edwards said. "The personal and emotional toll of this is too often overlooked."

The data protection authority wants organizations to spring into action quickly post-breach, assess what went wrong and the risks to individuals whose personal information got exposed, and be "human and accessible" throughout.

The breach shortcomings highlighted by the ICO are a reminder that planning ahead - and practicing - are essential. "Organizations should have clear incident response plans in place, to enable them to respond efficiently and effectively to understand the nature of the breach and who is affected by it, and thereby ensure that any communications to individuals are drafted appropriately," said Laura Gillespie, partner at London-based law firm Pinsent Masons, in a blog post.

Call for Empathy

To better support victims, the ICO prepared victim-focused "simple guidance" in English and Welsh. The government agency also prepared a toolkit designed to address corporate culture deficits, not least to "ensure that empathy is at the heart of your response."

"A data breach can have a far-reaching ripple effect that disrupts people's lives in ways that many would never anticipate," reads part of the ICO's suggested messaging for organizations to circulate internally. "You have a part to play in stopping that from happening."

The call for greater empathy from breached organizations and awareness of the ramifications breaches have for individuals comes as the country records numerous data breaches that have exposed a range of personal and sometimes extraordinarily sensitive information.

Earlier this year, ransomware-wielding attackers leaked Scottish children's mental health data. In the most recently released details of security incidents reported to the ICO - covering July through September - the most common sector for incidents was health, accounting for a fifth of all reports.

Non-Cyber Breach Causes Dominate

But the majority of data breaches have nothing to do with external attackers. The ICO's latest quarterly report found that 71% of data breaches traced to a non-cyber cause, such as information being sent to the wrong person, rather than resulting from the actions of someone with "malicious intent."

Last year, the Police Service of Northern Ireland inadvertently exposed personal details for its entire workforce, putting every officer and member of staff at personal risk as sectarian tensions persist. Another incident affected 245 individuals in Afghanistan, after the Ministry of Defense accidentally disclosed their email addresses by including them all in the "to" field of an email rather than the "bcc" field, "putting their lives at risk," the ICO said.
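The "to" instead of "bcc" mistake described above is a failure mode that can be blocked in code before a message ever reaches the mail server. The following is an added example, not code from the ICO, the Ministry of Defense or any project the article describes: it builds one message per recipient so no address list is ever shared, and it rejects any message whose To/Cc headers would expose more than one recipient. The threshold (`MAX_VISIBLE_RECIPIENTS`), the sample addresses and the notice text are assumptions constructed for the example.

```python
"""Guard against disclosing recipients to each other via To/Cc.

Added example (not the ICO's, the MoD's or any vendor's code). The
threshold and the sample data below are assumptions for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: notices sent to individuals about sensitive matters go
# one-to-one, so a single visible recipient is the only acceptable case.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return the addresses every recipient of the message will be able to see.

    Only To and Cc are visible; Bcc is stripped by the submitting MTA, so it
    is deliberately excluded here.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def is_safe_to_send(msg: EmailMessage) -> bool:
    """True if sending the message would not reveal other recipients."""
    return len(visible_recipients(msg)) <= MAX_VISIBLE_RECIPIENTS


def check_disclosure(msg: EmailMessage) -> None:
    """Raise ValueError instead of letting a recipient list leak."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        raise ValueError(
            f"{len(seen)} addresses visible in To/Cc; "
            "send individually or move them to Bcc"
        )


def build_individual_notices(sender: str, recipients: list[str],
                             subject: str, body: str) -> list[EmailMessage]:
    """Build one message per recipient; each To header carries exactly one address.

    Every message passes through check_disclosure() so a later edit that
    accidentally joins the list into one header fails loudly here rather
    than at the recipients' inboxes.
    """
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        check_disclosure(m)
        messages.append(m)
    return messages


def unsafe_bulk_notice(sender: str, recipients: list[str],
                       subject: str, body: str) -> EmailMessage:
    """The pattern that caused the disclosure: all recipients in one To header.

    Included only so the guard can be shown rejecting it.
    """
    m = EmailMessage()
    m["From"] = sender
    m["To"] = ", ".join(recipients)  # every recipient sees every other address
    m["Subject"] = subject
    m.set_content(body)
    return m


# Constructed sample data (not real addresses).
SAMPLE_RECIPIENTS = ["a@example.invalid", "b@example.invalid", "c@example.invalid"]

if __name__ == "__main__":
    bad = unsafe_bulk_notice("notices@example.invalid", SAMPLE_RECIPIENTS,
                             "Update", "Constructed notice text.")
    print("bulk message safe to send:", is_safe_to_send(bad))  # False
    good = build_individual_notices("notices@example.invalid", SAMPLE_RECIPIENTS,
                                    "Update", "Constructed notice text.")
    print("individual messages built:", len(good))
    for m in good:
        print(" To:", m["To"], "safe:", is_safe_to_send(m))
```

In practice the check belongs in the single code path that hands messages to the MTA, so that no template, script or mail-merge can bypass it; Bcc-based sending also works with this guard, since Bcc never appears in the visible headers.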

Too often, breached organizations treat such incidents as "a temporary setback - something that can be patched up with technical fixes and compliance reviews," the ICO said. "But from the perspective of individuals - especially those in vulnerable situations - a breach can have a far-reaching ripple effect that disrupts their lives in ways that some may not fully appreciate."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
