It's a good question. As for what they usually do, the first thing they look at is whether the organization had proper policies in place, and then, if they had these policies, whether the employees were aware of these policies. Had they received proper privacy training? Usually, if these two things have been addressed, if technical measures and policies were in place, and if employees were aware, you clearly limit the risk. It's not a perfect system where it's 100% bulletproof, but you clearly limit the risk.
On May 1st, 2014. See this statement in context.