Question: how could the situation be prevented or how it could be handled based on Data Governance? Lessons to be learnt in Victoria Mutual data breach

Lessons to be learnt in Victoria Mutual data breach

On February 14, 2020 there was a press release from Victoria Mutual Wealth Management saying: "Personal information of more than 5,000 clients was inadvertently sent out in an e-mail attachment to about 200 people on Thursday night. The e-mail detailed the names, addresses, telephone numbers, taxpayer registration numbers, investment account number, and e-mail addresses of the company's clients. Chief executive officer of Victoria Mutual Group of Companies Courtney Campbell says the breach was caused by human error and he does not believe the information released can be used to commit identity theft." This was after social media got wind of the breach and began to create a firestorm online.

International trends tell us that this has happened before to other companies and the incidence of this occurrence will increase if dramatic cultural changes and business practices are not adopted. In addition to the reputational damage, Victoria Mutual Wealth Management is now also exposed to criminal sanctions as, even in the absence of a Data Protection Act, financial institutions still have statutory and regulatory duties to protect the confidentiality of customer data and not divulge any information relevant to a customer's account.

According to the latest figures from the Information Commissioner's Office, in 2019, UK organisations had reported 1,357 data breaches that were caused by people e-mailing the incorrect recipients. Of this, almost half (43 per cent) of all data breaches reported to the Information Commissioner's Office in the first half of 2019 were the result of incorrect disclosure.

As far back as 2011, under the old UK Data Protection Act, Surrey County Council in the UK was served with a civil monetary penalty of £120,000 after three data breaches that involved misdirected e-mail:

- A member of staff e-mailed a file containing the sensitive personal data of 241 individuals to the wrong e-mail address. As the file was neither encrypted nor password-protected, every recipient of the e-mail could access the data. Subsequently, the council was unable to confirm whether the recipients had destroyed the data or not;
- Personal data was e-mailed to over 100 recipients on the council's newsletter mailing list; and
- The children's services department sent sensitive personal data to an incorrect internal group address.

North Somerset Council was served with a civil monetary penalty of £60,000 after five e-mails, two of which contained details of a child's serious case review, were sent to the wrong National Health Service (NHS) employee. A council employee selected the wrong e-mail address during the creation of a personal distribution list. The data itself had not been encrypted, and thus it was viewed by the unintended recipient.

The Jamaican Parliament, as part of one of the processing standards, amended the initial draft of the data protection Bill to include as part of its technical and organisational measures the requirement to employ encryption and pseudonymisation in keeping with the General Data Protection Regulation. If either the e-mail or the attachment in the e-mail was encrypted there would have been no damage done to the privacy rights of their customers.

The Information Commissioner's Office, as part of their education and awareness initiatives, in one of the documents they prepared stated that encrypted e-mail can provide the capability to encrypt the body and attachments of e-mails. The sending and receiving of encrypted e-mail requires the use of compatible e-mail client software and requires configuration in advance. A wide range of free and proprietary products are available for desktop, laptop, and mobile operating systems.
