> Such organizations don't know what to do.

Maybe they should simply use some common sense? If someone could and would steal valuables, it seems highly unlikely that he/she/it would notify you before doing it.

If they would want to extort you, they would possibly do so early on. And maybe encrypt some data as a "proof of concept" ...

But some organizations seem to think that their lawyers will remedy every failure and that's enough.