What Is A Breach Of Confidentiality In Business?

A breach of confidentiality in business refers to the unauthorised disclosure of sensitive and private information. This is the kind of information that needs to be kept secret and it is often protected by agreements or laws.

It can often encompass trade secrets, employee records, customer data, financial details or any other information that is supposed to be confidential.

A breach of confidentiality in business is a serious issue that can lead to legal proceedings, fines, and damage to your company’s reputation.

Overview Of Confidentiality Breaches

A breach of confidentiality occurs when private information is shared with individuals or organisations that are not authorised to view it. A breach can be either intentional or accidental.

An intentional breach of confidentiality occurs when somebody takes deliberate steps to leak or sell information for their own gain. This could take the form of selling company secrets to competitors or private investigators gaining access to personal records through theft. In all cases of intentional breaches, the person making the breach is knowingly breaking non-disclosure laws.

Accidental breaches are usually the result of inadequate security measures being taken to protect private data, which leaves that data exposed to hacking, device theft or email interception. Whilst there was no intent to disclose information in any of these scenarios, the confidentiality of the affected parties is still breached through the negligence shown.

Any unauthorised access to sensitive information can make businesses vulnerable. Some of the most common results of this happening are financial losses in terms of fines, lawsuits, bankruptcy, and significant damage to reputation.

How Do Accidental Confidentiality Breaches Happen?

Accidental confidentiality breaches can happen in several ways, including:

Human Error:

The most common cause of an accidental breach is human error. This is when private data is shared with the wrong party or person through email or other communication channels.

For example, a document may be left by mistake in an insecure location, computers may be left unlocked without password protection, or an email containing sensitive information may be sent to the wrong person.

In all of these examples, an unauthorised party will be able to access information that wasn’t intended for their eyes. This is classed as a confidentiality breach due to human error.

Lack of Training:

Employees without training might not understand the sensitivity or importance of the data that they are working with. If they are not properly trained in recognising, handling and protecting confidential data, they might expose it through poor security practices.

Poor Data Governance:

Businesses can lose control of their data if they don’t have an effective data management system. Ineffective access controls, classification schemes and security policies can lead to serious data breaches. For example, if a business fails to wipe data from devices before disposal, that data can be exposed to external parties who are not entitled to see it.

Third-Party Risks:

Every business will have a supply chain and external partnerships that require information to be shared. For example, a data storage company working for a business will be able to see and access the data. If there is sensitive data available, this is open to exploitation without proper controls being put in place.

There are times when external vendors, partners or contractors mishandle the data or fail to protect it, so businesses need to vet these third parties carefully when confidentiality is of utmost importance.

Businesses can manage their risk with air-tight SLAs and liability clauses relating to information risk mitigation. Multi-factor authentication, encryption and cyber security audits should also be deployed.

Physical Theft/Loss:

Wi-fi in public spaces used for remote work and the physical loss or theft of devices that contain confidential information both present exposure dangers for confidentiality breaches.

It is common to face the loss or theft of laptops, disks, devices and paperwork containing confidential information, so it’s important to have a process in place should this happen. This might involve remotely wiping a device, using tracking features to locate the missing device, or following endpoint wipe protocols.

How Do Intentional Confidentiality Breaches Happen?

Insider Threat:

It is quite possible for a person or organisation with authorised access to the data to abuse their rights and privileges. They might leak information for personal gain, revenge, a show of power or ideological motivations.

These kinds of breaches are quite common, and because the actor already holds legitimate access they bypass many technical controls, leaving the business with lost data and violated trust.

Hacking & Cyber Attacks:

Another common cause of a security breach is an attack on the security system by an external party. Since most business information is now shared and stored online, it can be vulnerable to targeted hacking and cyber attacks if not properly protected. A common risk here is phishing emails that target staff and result in data theft.

Examples of High-Profile Confidentiality Breaches

  • Edward Snowden: The former NSA contractor leaked a massive trove of classified government information to journalists in 2013, exposing global surveillance programs.
  • US Office of Personnel Management: Hackers compromised personnel records and extremely sensitive SF-86 security clearance documents of 20+ million current and former federal employees in 2015.
  • Marriott Hotels: In 2018 hackers stole data on 500+ million guests from its Starwood reservations system, including financial and passport info, in one of the largest breaches ever.
  • Facebook: In 2018 a developer data API vulnerability enabled sharing of profile data on 87 million users without consent, sparking lawsuits and government probes.

These cases highlight the damage from insider threats, cyber crime and governance breakdowns.

Tangible Effects of Confidentiality Breaches

A breach in confidentiality can lead to serious complications. Some of the most common effects are:

Customer loss and revenue declines

When customers lose trust in a company that has experienced a breach, they may start buying from the company’s competitors instead. This can lead to the company losing its competitive edge, a decrease in its market share, and lower sales overall.

Investigation and notification costs

Performing forensic analyses to identify the underlying causes and measure the effects of a breach increases costs, just like legal fees do. The expense of sending notifications through mail, email, websites, and call centres can quickly increase, especially when dealing with large-scale breaches.

Services for post-breach monitoring and assistance

Over time, there are significant costs associated with providing credit reporting services, fraud insurance protections, account monitoring, call support centres, and identity protection services to affected customers.

Regulatory compliance penalties

Violating strict data protection laws such as GDPR and CCPA can result in regulatory authorities imposing hefty fines. These are created to penalise organisations and discourage them from future non-compliance.

Settlement payments and litigation awards

When there are big incidents of breaches in confidentiality, class action lawsuits can be filed to help the victims. These lawsuits aim to get millions of dollars in compensation for the victims. Many cases are resolved outside of court because going through a lengthy legal process can be risky.

Preventing Breaches of Confidentiality

In order to maintain the confidentiality of the information in your possession, it’s imperative that your business has good policies, efficient controls and regular training to minimise risks.

Here are some simple steps that you can take to try and prevent breaches of confidentiality:

  • Organise data based on how sensitive it is and implement suitable security measures.
  • Only allow access to confidential data for individuals who need it.
  • Establish and enforce strict policies for managing sensitive information, including implementing strong access controls.
  • Require all staff and third parties to sign non-disclosure and confidentiality agreements when working with you.
  • Make sure that your staff receives regular training on security protocols and their obligations regarding confidentiality.
  • To protect sensitive information, make sure to encrypt it when it is stored and when it is being transferred.
  • Regularly conduct thorough evaluations and audits to identify any weaknesses or gaps in your security policies.
  • Make sure to prioritise and enforce secure practices when sharing data with partners and vendors.
  • Report and promptly address any potential breaches of confidentiality.
  • Review data breaches to create guidance and take steps that will prevent the same issue from happening again in the future.
  • Implement a system that ensures different staff members are involved in completing confidential tasks, thus promoting the separation of duties.
  • Perform background checks on individuals who have access to sensitive data.
  • Ensure that the security and access credentials of employees that have left the company are promptly deactivated.
  • Implement restrictions on remote access for employees who are travelling.
  • Ensure that confidential data is properly protected and secured in testing and staging environments.

Legal Obligations Around Confidential Data

There are several laws and regulations in the UK that specifically cover the protection of confidential data.

The Data Protection Act 2018

The Act regulates how personal data is collected, used and stored in the UK. It specifies that anyone using or processing personal data that can identify an individual must follow specific data protection principles.

Common Law Duty of Confidentiality

The common law duty of confidentiality is a legal obligation that prohibits sharing information that has been disclosed in the belief that it would not be shared further. It applies between two parties in a relationship of confidence, such as doctors and patients, banks and customers, and employers and staff.

Contract Law:

Contract law creates confidentiality obligations between parties via non-disclosure agreements (NDAs) and service contracts with privacy clauses. NDAs legally prohibit information sharing, and contracts oblige parties to protect privacy; if these obligations are breached, legal proceedings can follow.

Intellectual Property Law:

Intellectual property laws protect commercially sensitive trade secrets, such as inventions and formulas, to safeguard competitive advantage. Anyone who steals this protected information is open to legal proceedings.

Insurance Protections For Confidentiality Breaches

Sometimes, every possible step can be taken to protect sensitive information but a breach can still occur. In these instances, insurance policies are available to offer another layer of protection to businesses that find themselves at risk of financial penalty due to a confidential data breach.

Cyber Insurance

Cyber insurance is a type of insurance that helps cover the costs associated with data breaches. This includes expenses related to investigations, notifying and monitoring affected individuals, running public relations campaigns, dealing with lawsuits, paying fines, and managing any interruptions to business operations.

Errors & Omissions (E&O) insurance

E&O insurance provides protection against claims of negligence. It specifically covers situations where clients experience financial losses due to a breach of duty.

Directors & Officers (D&O) insurance

This is a type of insurance that can provide protection to executives and board members. It specifically covers them in the event of lawsuits brought by shareholders due to breaches of confidentiality.

Crime Insurance

Crime insurance offers protection against financial losses caused by theft, including losses resulting from data theft.

Even where a policy covers a confidentiality breach, the process of claiming against it can be challenging.

Some of the challenges that one might face are:

  • You will need to submit detailed documentation, including incident reports and forensic analysis reports, to help insurers understand the situation.
  • You need to justify any costs or losses you claim as being linked to the breach during the claims process.
  • You need to prepare yourself to potentially face legal challenges regarding liability decisions if insurers determine that policyholders share some responsibility.
  • Be cautious of the restrictions regarding additional expenses related to security enhancements that are required after incidents.

To put it simply, a breach of confidentiality occurs when private data is disclosed without authorisation to people or organisations that should not have it. This results in a loss of trust between the data handler and the data owner and opens up the party who facilitated the breach to a number of negative outcomes.

While cyber attacks tend to receive a lot of attention, it is actually human error and policy gaps that are most frequently responsible for causing data breaches. Businesses can take proactive steps to prioritise confidentiality by classifying data, restricting access, securing systems, training personnel, monitoring partners, and insuring against risks.

In today’s interconnected world and with the ever-changing landscape of privacy laws, it is crucial for business leaders to stay vigilant in fulfilling their responsibilities regarding sensitive data.
