Don't worry the ICO will do...
Absolutely nothing as they don't understand how to safely send e-mails either.
I had a case last year involving a company our council outsourced some services to, they cc-d everyone who had taken the service in the city and then when realising e-mailed everyone again to ask they delete the e-mail. In this case you could have correlated some of the names in e-mail addresses to other public info and worked out the actual people. They then sent me a follow-up to the issue to me addressed to another customer!
DPO at the company didn't think they had done anything really wrong and told me to raise with the ICO if I disagreed. So I did, the ICO did agree there was an issue and made them make a number of changes and apologise for the error, however this was the classic bit from the ICO
"****** also explained that they consulted with their French head office and Google to see if any further technical measures could be introduced to reduce the likelihood of similar disclosures. However, no extra measures were deemed feasible as it was determined that no measures could realistically prevent human error, as in this case" - So the ICO accepted that nothing could be done to prevent this type of issue?!
In all the companies I have worked for e-mails to customers are not sent by individuals on an e-mail platform, you can't even get to the customers e-mail addresses to do that. Messages to customers are sent via a CRM or similar both for individual and wider e-mails which ensures issues like this don't occur, seems the ICO have not heard of this approach! Remove the human being able to send these Mr ICO?
Should I mention the ICO merged bits of data from the breach to demonstrate an individual could be identified (not myself) in the response to my complaint sent in a normal e-mail?
Biting the hand that feeds IT
