The Information Commissioner’s Office (ICO) recently highlighted the critical need for organizations to deliver better support to those affected by data breaches:
“There are two important things I need organisations to understand: empathy and action. You have a role to stop the negative ripple effect in someone’s life from spreading further. It is vitally important to acknowledge what has happened, be human in your response and commit to making sure it doesn’t happen again. We trust organisations with some of the most sensitive personal information imaginable, yet these data breaches continue to happen. This is not just an admin error – it is about people. When data is mishandled, it can have serious and long-lasting consequences, particularly for people in vulnerable situations. We need organisations across the country to do better.” - John Edwards, Information Commissioner
The average cost of an incident today stands at 4.88 million US dollars, an increase from 4.35 million in 2022. However, all too often we neglect to consider the costs to those impacted by a data breach, from financial losses to severe emotional impact. Figures revealed by the ICO show that:
- Nearly 30 million people in the UK have experienced a data breach
- 55% of UK adults reported having had their data lost or stolen
- 30% of them experienced emotional distress as a result
- 25% said they received no support from the organizations responsible
- 32% found out through the media rather than from the organization itself
The ICO has called for organizations to better support those impacted by data breaches by demonstrating empathy and transparency, and by providing real-time guidance on the steps individuals need to take after a breach occurs. This approach fosters trust and acknowledges the often profound impact that a data breach can have on individuals.
However, the importance of a preventive stance cannot be overstated. Organizations have a moral and legal obligation to take all reasonable steps to safeguard data, both as an operational standard and as a preventive measure to avoid the fallout of data breaches. Across the globe, data protection regulations (such as HIPAA, DORA, and NIS2) are evolving to increase the responsibilities on organizations to protect data in email, placing greater emphasis on advanced encryption, multi-factor authentication controls, data loss prevention tools, and even proof of delivery.
How do data leaks happen?
Despite the focus on malicious attacks in the media, such as phishing and malware, the UK’s ICO consistently reveals that human error remains the leading cause of data breaches. Incidents such as missent emails, failure to redact sensitive data, or misuse of Bcc regularly see organizations in the headlines for data loss.
Controlling human error continues to challenge IT and infosec leaders. However, progressive organizations are realizing the fault lies in their technology, not in their people. After all, email wasn’t developed to be secure and lacks vital security and data loss prevention functionalities required to protect sensitive data, before, during, and after sending. To build robust defenses and empower people to avoid common causes of data loss, our technology must be enhanced.
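As an added illustration (not code from the original article or from any product it describes) of the kind of pre-send check that catches the two human-error patterns named above, misuse of Bcc and failure to redact, the script below gates an outgoing message on its visible recipients and body. The organization domain, the recipient threshold and the sample message are assumptions constructed for the example.

```python
import re
from email.utils import getaddresses

ORG_DOMAIN = "example.org"   # assumption: the sending organization's own domain
MAX_VISIBLE_EXTERNAL = 5     # assumption: more external addresses than this belong in Bcc
# UK National Insurance number layout (two letters, six digits, suffix A-D):
# a typical item that should have been redacted before the message left the organization.
NI_NUMBER = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")


def visible_external(headers):
    """External addresses every recipient can see (To: and Cc:), lower-cased and sorted."""
    raw = [headers.get("To", ""), headers.get("Cc", "")]
    return sorted({addr.lower() for _, addr in getaddresses(raw)
                   if "@" in addr and not addr.lower().endswith("@" + ORG_DOMAIN)})


def check_message(headers, body):
    """Return findings for a pre-send gate; an empty list means nothing was flagged."""
    findings = []
    external = visible_external(headers)
    # Bcc misuse: a large external audience in To/Cc discloses every address to every recipient.
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} external addresses exposed in To/Cc; move them to Bcc")
    # Redaction failure: an identifier that should have been removed is still in the body.
    hits = NI_NUMBER.findall(body)
    if hits:
        findings.append(f"{len(hits)} unredacted National Insurance number(s) in body")
        if external:
            findings.append("sensitive data addressed to external recipients; confirm the intended recipient")
    return findings


# Constructed sample: a mailshot to six external clients with an unredacted identifier.
SAMPLE_HEADERS = {
    "To": ", ".join(f"client{i}@mail{i}.test" for i in range(6)),
    "Cc": "ops@example.org",
}
SAMPLE_BODY = "Hi all, the claimant's NI number is AB123456C. Please process."


def demo():
    return check_message(SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    for finding in demo():
        print("BLOCKED:", finding)
```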
Ultimately, data protection is not just a technical or regulatory box to check. It’s a fundamental duty of care organizations owe to their customers, employees, and stakeholders. The ICO’s call to action serves as a reminder that responsibility for data integrity is an evolving, multi-faceted task. With regulatory bodies and stakeholders demanding higher standards of security, it is time for organizations to think of data protection not only as an obligation, but as a moral imperative that requires constant vigilance and improvement. In doing so, they protect not just data but also the trust and well-being of the individuals who rely on them.
To find out how we support over 10,000 organizations globally to prevent data leaks and meet complex compliance requirements, get in touch.