An Organisation’s Responsibility Following A Data Leak

When a data breach takes place, public attention often turns to financial penalties, reputational damage and regulatory consequences. However, behind every compromised record is a person whose life may be disrupted, whose trust has been broken and who may find themselves vulnerable in ways that are not always immediately visible.

This was illustrated in April 2024 when the ICO highlighted repeated breaches involving the disclosure of HIV status through improper use of email. In one case, a UK health provider copied hundreds of patients into a group email, making their addresses visible and exposing sensitive health information without consent. The ICO said this denied individuals their “basic dignity and privacy.” For many, it caused anxiety, shame and a deep loss of trust. What seemed like a minor error had serious, lasting consequences.

In response to incidents like these, the Information Commissioner’s Office (ICO) has urged organisations across the UK to place greater emphasis on empathy and meaningful follow-up in the aftermath of a data breach. Information Commissioner John Edwards made the case clearly in a recent statement. He explained that organisations have a role to play in stopping the ripple effect from spreading further. 

“There are two important things I need organisations to understand: empathy and action. You have a role to stop the negative ripple effect in someone’s life from spreading further. It is vitally important to acknowledge what has happened, be human in your response and commit to making sure it doesn’t happen again.”

“We trust organisations with some of the most sensitive personal information imaginable, yet these data breaches continue to happen. This is not just an administrative mistake. It affects real people. When data is mishandled, the consequences can be serious and long-lasting, especially for those in vulnerable situations. Organisations need to do better.”

Understanding The Full Cost Of A Data Breach

The financial implications of a breach are well known. In 2024, the average cost of a data incident rose to 4.88 million US dollars. What is less frequently discussed is the toll on those directly impacted. According to the ICO, around 30 million people in the UK have experienced a data breach. Over half of UK adults have had their data lost or stolen, and nearly a third reported emotional distress as a result.

These numbers highlight how much more needs to be done. When a breach happens, organisations must go beyond fulfilling basic obligations. Clear communication, transparency and real support must become standard. This includes providing immediate guidance on what steps individuals should take, whether that involves monitoring personal accounts or seeking emotional reassurance. Responding quickly and with empathy can help rebuild trust and reduce the longer-term damage.

Prevention Must Come First

Support after a breach is important. However, it cannot replace the need for strong preventative measures. Both morally and legally, organisations are expected to take reasonable steps to secure the data in their care.

New and updated regulatory frameworks such as HIPAA, DORA and NIS2 are setting higher standards across industries. These include specific expectations for securing data within email systems, which continue to be a common source of data loss. In response, organisations are being encouraged to implement more robust protections, such as end-to-end encryption, multi-factor authentication, data loss prevention tools and proof of delivery capabilities.

Meeting these requirements is not only about compliance. It is about recognising the duty of care that organisations owe to the people who entrust them with sensitive information.

Most Breaches Still Come Down To Human Error

While cyberattacks and malware often dominate headlines, the ICO has consistently reported that the leading cause of breaches is human error. These are everyday mistakes, such as sending an email to the wrong person, failing to remove sensitive information or misusing copy and blind copy fields.

This remains a major challenge for IT and security leaders. Yet more and more organisations are starting to recognise that the problem lies in the tools, not the people. Standard email platforms were not built with modern security in mind and often lack the features needed to prevent common errors.

The answer lies in improving the systems employees rely on. By strengthening the technology and incorporating safeguards that protect data before, during and after sending, we can reduce the risk of human error and support people in making better choices.
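As an added illustration of a safeguard that acts before sending (example code written for this article, not Zivver's product or any ICO guidance), the check below inspects a draft's To and Cc headers and blocks a bulk mailing that would expose external recipients' addresses to one another, which is the mistake behind the group email described earlier. The sender domain, the recipient threshold and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Policy threshold: constructed for this example, not an ICO or vendor figure.
VISIBLE_EXTERNAL_LIMIT = 5


def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient can see: everything in To and Cc (Bcc is hidden)."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs if addr]


def check_outbound(raw_message: str, sender_domain: str,
                   limit: int = VISIBLE_EXTERNAL_LIMIT) -> dict:
    """Pre-send check: block a mailing that exposes external addresses to each other.

    Internal colleagues on To/Cc are allowed; more than `limit` external
    recipients (patients, customers) must go in Bcc or be sent individually.
    """
    visible = visible_recipients(raw_message)
    external = [a for a in visible if not a.endswith("@" + sender_domain.lower())]
    blocked = len(external) > limit
    return {
        "visible": len(visible),
        "external_visible": len(external),
        "blocked": blocked,
        "advice": ("Move external recipients to Bcc or send one message per recipient"
                   if blocked else "ok"),
    }


# Constructed sample: a group notice with every patient placed in the To field.
BULK_NOTICE = "\n".join([
    "From: clinic@clinic.example",
    "To: p1@mail.example, p2@mail.example, p3@mail.example,",
    "  p4@mail.example, p5@mail.example, p6@mail.example",
    "Cc: nurse@clinic.example",
    "Subject: Appointment reminder",
    "",
    "Your next appointment is due.",
])

# The same notice corrected: patients moved to Bcc, only the colleague visible.
SAFE_NOTICE = BULK_NOTICE.replace("To:", "Bcc:").replace(
    "Cc: nurse@clinic.example", "To: nurse@clinic.example")

if __name__ == "__main__":
    print(check_outbound(BULK_NOTICE, "clinic.example"))
    print(check_outbound(SAFE_NOTICE, "clinic.example"))
```

A mail gateway or client plug-in would run this on the draft before submission, since the Bcc header is stripped by the sending server and cannot be audited afterwards.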

A Broader Responsibility

Ultimately, data protection is not just a technical requirement or a tick-box exercise for regulatory purposes. It is a fundamental responsibility. Every organisation that handles personal data is being trusted to protect it. That trust should be treated with care and respect.

The message from the ICO is clear. Organisations need to do more, both in preventing breaches and in how they respond when incidents occur. That means treating data protection as a continuous responsibility, and data breaches as serious events that affect individuals, not just abstract statistics.

By committing to empathy, transparency and continuous improvement, organisations can protect not just information but also the people behind it.

Wouter Klinkhamer is CEO & Co-founder at Zivver

Image: fauxels
