Examples of a data breach might include the loss or theft of personal data, an unauthorised person gaining access to data or sending an email with personal data to the wrong person. Or using CC instead of BCC.
I know what a data breach is, not just because of my job, but because I’ve had one. Yes, I’ve experienced that heart-stopping moment when you realise what you’ve done but it’s too late to stop it.
It was New Year’s Eve of 2020 and the government had announced that there was a Brexit deal. This was important news and I wanted our clients to know how Brexit would impact them and how they share data with the EU. So I wrote an email, making sure that it was accurate and that it was easy to understand. Then I went to my contacts list and began adding all our clients onto the email plus other contacts that I knew would find the information useful. I had about 80-odd people on my list, all using their personal work email address. Great, all good to go, I thought. It was about noon and I wanted to get the email out before people left the office. I pushed the send button… and then it hit me, I’d put all the emails into the CC section, not the BCC section.
My heart dropped. But it was too late to recall the email. I felt a rising panic – “I’m going to lose all our clients because of this. I’m a data protection lawyer – I shouldn’t make mistakes like this. Our business will be ruined.”
So I wrote a follow-up email — I apologised for the error. I explained that I was rushing to get the email out and that I had CCed everyone instead of using BCC. I explained that it was human error – my error. I said that I would put the breach on our breach register but that it wasn’t reportable to the ICO’s office because they were all personal work emails. Apologised again.
And then I waited… I waited for the clients to call and cancel because I had made an error. Waited for the emails to arrive, criticising me for being so careless. But they never came. Not one client cancelled their contract with us. Not one critical email came. Instead, I had emails like “oh, that did make me laugh!” and “I’m so glad to hear that it isn’t just me” and “don’t worry about it, everyone makes mistakes”. And so on. No one cancelled, no one criticised me and our business wasn’t ruined. None of the things that I dreaded happening, happened. Instead, people were very understanding.
So, the moral of this story is that everyone will make a mistake and have a data breach. Everyone, including me, a data protection lawyer. What counts is how you handle it.