Solicitor - data breach - who cares?

Vaud

Original Poster:

56,622 posts

175 months

Tuesday 13th December 2016
OK, so not data breach of the century...

I have received an email tonight from a solicitors. It contains a detailed settlement offer for a case with identifiable data for the complainant, the settlement offer and both parties' data (names, addresses, etc).

It seems from the data that my email address is very close to that of the complainant.

I don't like personal data breaches, it's sloppy practice. Companies should be held to account (it seems to be a keying error given the chain of emails with the document) otherwise they won't put controls in place...

Who is the right party to raise this to?

  • Notify the solicitor, of course (should I speak to their data controller or senior partner?)
  • Notify ICO?
  • Does the SRA have an interest in data breaches?
..as I said, not data breach of the year...

bladebloke

384 posts

215 months

Wednesday 14th December 2016
You should tell the sender straight away so they can tell their client that a mistake has been made, and get it to the correct recipient ASAP. A time limit may be ticking away.

If you really feel like reporting them for what sounds like human error then they have breached the solicitor's duty to keep client information confidential, which is something the SRA could potentially be interested in - it's a breach of the code of practice. However, I think that's probably overkill, especially bearing in mind that it doesn't sound like any harm has been done. Even the code itself makes provision for what should happen when something is sent to the other side of the matter in question in error (which obviously had much more significant potential consequences). I would also say that if anyone should be making a complaint it's their client, not you.

Centurion07

10,395 posts

267 months

Wednesday 14th December 2016
You should reply demanding double the amount or you'll see them in court! :D

Vaud

Original Poster:

56,622 posts

175 months

Wednesday 14th December 2016
Thanks all. I'll take a moderate approach and inform the sender - and see what reaction I get.

Funk

27,171 posts

229 months

Wednesday 14th December 2016
When looking at remortgaging last year I contacted a PHer after positive comments on the site. They sent me the form to fill in about all my financials and it had someone else's complete information - literally everything. I informed them but their response was somewhat blasé and I couldn't trust them with my data after that.

The worst part is that I can't post publicly on here who it was and I see them still receiving recommendations on here and lots of PHers using them.

superlightr

12,920 posts

283 months

Wednesday 14th December 2016
Vaud said:
Thanks all. I'll take a moderate approach and inform the sender - and see what reaction I get.
Why not just let them know of the error and delete it? Sounds like you are jumping up and down for no reason and creating mischief for your own fun/importance. A bit like being offended on behalf of someone else.

bitchstewie

62,224 posts

230 months

Wednesday 14th December 2016
Just email them back and tell them they made a mistake. Honestly, you've never mistyped an email address?

Muncher

12,235 posts

269 months

Wednesday 14th December 2016
Vaud said:
Thanks all. I'll take a moderate approach and inform the sender - and see what reaction I get.
Why do you want to try and hang someone out for an honest mistake? If you send enough emails it happens, it cannot be avoided.

Willhire89

1,433 posts

225 months

Wednesday 14th December 2016
Funk said:
When looking at remortgaging last year I contacted a PHer after positive comments on the site. They sent me the form to fill in about all my financials and it had someone else's complete information - literally everything. I informed them but their response was somewhat blasé and I couldn't trust them with my data after that.

The worst part is that I can't post publicly on here who it was and I see them still receiving recommendations on here and lots of PHers using them.
Similar - I needed a short term mortgage to act as a bridging loan between properties - when same person realised there was not going to be a good fee in it he dropped me like a stone.

esxste

4,134 posts

126 months

Wednesday 14th December 2016
Respond to sender ASAP.

If they're your solicitors, ask them for further investigation on what happened.

It could after all not be the solicitor's fault: maybe they were given the wrong email address.


Cold

16,297 posts

110 months

Wednesday 14th December 2016
bhstewie said:
Just email them back and tell them they made a mistake. Honestly, you've never mistyped an email address?
I have. All I wanted was a twelve inch clock to hang on the wall. :(

xjay1337

15,966 posts

138 months

Wednesday 14th December 2016
Muncher said:
Vaud said:
Thanks all. I'll take a moderate approach and inform the sender - and see what reaction I get.
Why do you want to try and hang someone out for an honest mistake? If you send enough emails it happens, it cannot be avoided.
I quite agree...

Vaud, what did you hope to gain from this?

Bit of a ttty thing to do.

Vaud

Original Poster:

56,622 posts

175 months

Wednesday 14th December 2016
xjay1337 said:
Muncher said:
Vaud said:
Thanks all. I'll take a moderate approach and inform the sender - and see what reaction I get.
Why do you want to try and hang someone out for an honest mistake? If you send enough emails it happens, it cannot be avoided.
I quite agree...

Vaud, what did you hope to gain from this?

Bit of a ttty thing to do.
I'm not sure what to say.

I asked for opinions.

I was guided by those and responded that I would inform the sender and delete the email.

What do I want to achieve?

Organisations should have controls in place. Those dealing with sensitive information, even more so. The controls are not just about people, they are about the people, systems AND processes.

How can an organisation improve if they aren't aware of their system deficiencies? It's not about getting someone into trouble. This isn't about getting an email with an invoice for the wrong product and wrong person.... it's a solicitor with case details.

xjay1337

15,966 posts

138 months

Wednesday 14th December 2016
Vaud said:
I'm not sure what to say.

I asked for opinions.

I was guided by those and responded that I would inform the sender and delete the email.

What do I want to achieve?

Organisations should have controls in place. Those dealing with sensitive information, even more so. The controls are not just about people, they are about the people, systems AND processes.

How can an organisation improve if they aren't aware of their system deficiencies? It's not about getting someone into trouble. This isn't about getting an email with an invoice for the wrong product and wrong person.... it's a solicitor with case details.
It was clearly a mis-type. It wasn't a huge "BCC the entire customer contact" list.
It wasn't leaving an unprotected laptop on a train.

It was a single, human error, which affected no-one other than you having an opportunity to have a nose into someone's life :-)


Vaud

Original Poster:

56,622 posts

175 months

Wednesday 14th December 2016
xjay1337 said:
It was clearly a mis-type. It wasn't a huge "BCC the entire customer contact" list.
It wasn't leaving an unprotected laptop on a train.

It was a single, human error, which affected no-one other than you having an opportunity to have a nose into someone's life :-)
Which is why I followed the advice given... though it is much more in the spirit of PH to be puerile and beat up on the OP when he asks a reasonable and balanced question.

I value people like Tonkers advice. I miss Breadvans contributions.

Other posters? Less so...

Muncher

12,235 posts

269 months

Wednesday 14th December 2016
Vaud said:
I'm not sure what to say.

I asked for opinions.

I was guided by those and responded that I would inform the sender and delete the email.

What do I want to achieve?

Organisations should have controls in place. Those dealing with sensitive information, even more so. The controls are not just about people, they are about the people, systems AND processes.

How can an organisation improve if they aren't aware of their system deficiencies? It's not about getting someone into trouble. This isn't about getting an email with an invoice for the wrong product and wrong person.... it's a solicitor with case details.
It's not an error related to a process or system however, what measures would you propose to prevent a similar thing happening again?

Recently I had another law firm that over the space of a few months sent me 6 incorrectly addressed emails; my name obviously got into the matter correspondence list in error and several people then proceeded to make the same error over and over again. I had a word each time but didn't take it any further than that.

Vaud

Original Poster:

56,622 posts

175 months

Wednesday 14th December 2016
Muncher said:
It's not an error related to a process or system however, what measures would you propose to prevent a similar thing happening again?
Explicit email validation with client when they set up the customer account - before sending key data out (easy but not foolproof) but easy to set up.

A basic CRM would hold a master record - only allowing staff to send to the registered email in the CRM. Harder to implement but case management systems probably allow.

Peer validation for key data entry.

etc

Of course, many might be overkill for this scenario. The first would be the easiest to implement and remove a good % of issues. Allowing staff in a workflow to enter freeform emails is a business risk for the sending of sensitive data. You can place some process controls around this that do not place an excessive nor supererogatory burden on a role.
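
The three controls listed in the post above (a client-confirmed address, a master record per matter, second-person review of anything else), sketched as an outbound recipient check. This is an added example, not part of the original thread or of any case-management product; the matter ids, addresses, decision names and the near-miss threshold of 2 are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contact:
    email: str        # address held on the matter's master record
    confirmed: bool   # True once the client has replied to a verification mail

# Constructed sample records; matter ids and addresses are made up.
MATTERS = {
    "M-1001": Contact("j.smith@example.com", True),
    "M-1002": Contact("a.jones@example.com", False),
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_recipient(matter_id: str, typed: str) -> tuple[str, str]:
    """Decide what happens to an outbound mail carrying case data."""
    contact = MATTERS.get(matter_id)
    if contact is None:
        return "block", "unknown matter"
    typed_n, registered = typed.strip().lower(), contact.email.lower()
    if typed_n == registered:
        if contact.confirmed:
            return "send", "matches confirmed registered address"
        return "hold", "registered address not yet confirmed by client"
    distance = edit_distance(typed_n, registered)
    if distance <= 2:
        # Almost the registered address: most likely a keying error.
        return "block", f"near miss of registered address (distance {distance})"
    # Any other free-form address needs a second person to approve it.
    return "review", "address not on matter record"

if __name__ == "__main__":
    for matter, addr in [("M-1001", "j.smith@example.com"),
                         ("M-1001", "jsmith@example.com"),
                         ("M-1002", "a.jones@example.com"),
                         ("M-1001", "counsel@chambers.example")]:
        print(matter, addr, "->", check_recipient(matter, addr))
```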

MickC

1,077 posts

278 months

Wednesday 14th December 2016
Presumably it is not encrypted (you could read it) and sent in plain text to an internet recipient. It could have been read in transit anyway even if sent to the correct recipient. Same as the thousands of forms/info sent by email every day...

I would just send them a mail telling them they sent it to you in error, and delete it.

Same thing as the guy who received a filled in form - if the form was blank would you have put your details in it then sent it back??

Internet Email is not vaguely secure until we all start using encryption, and that seems further off than in the old days when only us geeks used it and put our pgp public keys in our sigs :D

Spoonman

1,085 posts

281 months

Wednesday 14th December 2016
You're doing exactly the right thing. Inform the sender, gauge their reaction, and take it from there.

We recently had a data breach from a county court, who sent sensitive information to the wrong party, potentially costing us over £3000. When I raised the issue with court staff, they simply ignored it - which meant I raised the issue further. Only for them to seek advice from a judge, who misunderstood the whole thing and said they acted correctly...

I'll inform the ICO at some point.

Just to add, the ICO won't look at it unless you've exhausted an internal complaints procedure anyway.

Muncher

12,235 posts

269 months

Wednesday 14th December 2016
Vaud said:
only allowing staff to send to the registered email in the CRM.
That just isn't practical.