“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victims

Cyber security concept image showing a digitized padlock sitting on a blue colored circuit board.
(Image credit: Getty Images)

The UK Information Commissioner’s Office (ICO) is calling on organizations to do more to support victims after a data breach.

According to ICO figures, nearly 30 million people in the UK have experienced a data breach. In total, 55% of UK adults reported having had their data lost or stolen, with 30% of them experiencing emotional distress as a result.

However, a quarter said they received no support from the organizations responsible and 32% found out about the breach via the media, rather than from the organization itself.

Information Commissioner John Edwards said the figures highlight that many organizations “fail to fully appreciate the harm they cause then they mishandle personal data”.

Edwards urged enterprises to act with “empathy and action” when dealing with data breach victims.

"Today, I want to issue a stark warning to organizations across the country: you must do better," he said.

"When a data breach occurs, it’s not just an admin error – it is a failure to protect someone. In many cases if that someone is in a vulnerable situation, they are already facing innumerable personal challenges, or they may be at risk of harm."

Qualitative research conducted by the ICO, meanwhile, found people have had to move homes, felt forced out of their jobs, and faced discrimination as a result of data breaches. Analysis from the data protection watchdog found the real impact on their life was insufficiently recognized by the organization responsible.

ICO issues updated guidance for organizations

New guidance issued by the ICO calls on organizations to assess the risks to the individuals involved, and carry out its reporting and notification duties promptly.

They should acknowledge what has happened to people affected by a breach, be human and accessible in their response, and commit to making sure it doesn’t happen again.

Similarly, organizations should share ICO guidance with people affected by a breach, and make sure that staff have access to the ICO toolkit of resources.

RELATED WHITEPAPER

Another key focus should be implementing changes to corporate culture and ensuring that empathy is at the heart of their response, the ICO said.

"To many organizations, a data breach might seem like a temporary setback - something that can be patched up with technical fixes and compliance reviews," said Edwards.

"But from the perspective of individuals - especially those in vulnerable situations - a breach can have a far-reaching ripple effect that disrupts their lives in ways that some may not fully appreciate."

TOPICS
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.