Barrister fined after idiot husband slings unencrypted client data onto the internet
When cloud backups go wrong
A barrister has been fined by the UK Information Commissioner's Office after client information was accidentally uploaded to the internet.
According to the monetary penalty notice [PDF] issued against the senior lawyer, who is unnamed, she was only stung for £1,000. The note was published today.
We're told information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet. The cockup occurred when her husband backed the documents up using an online file directory service while he was updating software on the couple's home computer.
Andy Lee, a senior associate at Brandsmiths, told The Register that according to the Bar Standards Board Code of Conduct [PDF] a barrister's sixth core duty is to “keep the affairs of each client confidential” while the tenth core duty is to “take reasonable steps to manage your practice, or carry out your role within your practice, competently and in such a way as to achieve compliance with your legal and regulatory obligations.”
According to the ICO, some 725 unencrypted documents — which were created and stored on the computer — were temporarily uploaded to an internet directory as a back-up during the software upgrade.
They were apparently “visible to an internet search engine and some of the documents could be easily accessed through a simple search”, despite six of the files containing confidential and highly sensitive information relating to people who were involved in proceedings in the Court of Protection and the Family Court.
Steve Eckersley, head of enforcement at the ICO, said today: “People put their trust in lawyers to look after their data - that trust is hard won and easily lost. This barrister, for no good reason, overlooked her responsibility to protect her clients' confidential and highly sensitive information.”
“It is hard to imagine the distress this could have caused to the people involved – even if the worst never happened, this barrister exposed her clients to unnecessary worry and upset,” Eckersley concluded.
Lee told The Register that considering the legal responsibilities of barristers, in addition to the data protection issues which the ICO handled, it was fair to say that “by reason of logic security measures must be taken and must be reasonable.”
As to what appropriate security measures are, there is no real hard and fast guidance, but one can answer the question by seeing how the breach occurred and whether that was a result of there being no security measures in place (in which case the answer is relatively clear) or, for example, inadequate measures, which may be a little more difficult to answer. For example, if client information is stored in the cloud, the very least one would expect is that access to that cloud server is secure and password protected and/or the documents are encrypted/password protected.
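To make the "encrypted before it ever reaches the cloud" point concrete, here is an added example (not code from the article, the ICO or any of the parties quoted): a small Go program that seals each document with AES-256-GCM under a random key kept outside the backup folder, binds the file name into the authentication tag so a renamed or swapped file fails to decrypt, and refuses to stage anything for the sync client that lacks the encryption header. The header string, file names and document contents are constructed for the example; a real tool would keep the key in an OS keychain or hardware token rather than in memory.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"sort"
)

// magic is a hypothetical header marking a file as sealed by this tool.
var magic = []byte("CLIENTENC1")

// newKey returns a random 256-bit AES key. It must never be written into
// the directory that the backup or sync client uploads.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// seal encrypts one document with AES-256-GCM. The file name is passed as
// additional authenticated data, so the ciphertext only opens under that name.
// Output layout: magic || 12-byte nonce || ciphertext || 16-byte tag.
func seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(name)), nil
}

// unseal reverses seal; it fails on a wrong key, a wrong name, or any tampering.
func unseal(key []byte, name string, blob []byte) ([]byte, error) {
	if !isEncrypted(blob) {
		return nil, errors.New("not a sealed file")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	rest := blob[len(magic):]
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("truncated sealed file")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// isEncrypted is the pre-upload gate: only files carrying the header may leave the machine.
func isEncrypted(blob []byte) bool { return bytes.HasPrefix(blob, magic) }

// stageForBackup splits a set of files into those safe to hand to the sync
// client and the names of plaintext files it refused, in sorted order.
func stageForBackup(files map[string][]byte) (safe map[string][]byte, refused []string) {
	safe = map[string][]byte{}
	for name, data := range files {
		if isEncrypted(data) {
			safe[name] = data
		} else {
			refused = append(refused, name)
		}
	}
	sort.Strings(refused)
	return safe, refused
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample documents; not real case material.
	docs := map[string][]byte{
		"bundle.docx": []byte("Court of Protection bundle - confidential"),
		"notes.txt":   []byte("client conference notes"),
	}
	staged := map[string][]byte{}
	for name, data := range docs {
		enc, err := seal(key, name, data)
		if err != nil {
			panic(err)
		}
		staged[name+".enc"] = enc
	}
	staged["forgotten.txt"] = []byte("plaintext that slipped into the backup folder")
	safe, refused := stageForBackup(staged)
	fmt.Printf("staged %d sealed files, refused %v\n", len(safe), refused)
	back, err := unseal(key, "bundle.docx", safe["bundle.docx.enc"])
	fmt.Printf("round trip: %q err=%v\n", back, err)
}
```

The gate in stageForBackup is the part that would have caught this incident: a sync or backup client pointed at the staging directory can only ever see sealed blobs, and a search engine that indexes the remote directory indexes ciphertext. Binding the file name as additional data is a cheap guard against an attacker who can rearrange or substitute files in the remote store.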
The Bar Council's advice on information security stresses that the onus is on barristers to “protect the confidentiality of each client's affairs, except for such disclosures as are required or permitted by law or to which your client gives informed consent” and encourages them to encrypt everything.
Further advice regarding the reporting of security breaches in such incidents is available to barristers too, although neither advisory is "guidance" in the official sense.
The Bar Standards Board, which regulates barristers in England and Wales, told The Register that it does not comment as to whether or not individual barristers are the subject of a complaint or a disciplinary investigation.
If complaints are received they are usually treated confidentially unless they result in a listing for a Disciplinary Tribunal hearing. Such listings are published on the Bar Tribunals & Adjudication Service website and hearings are held in public. ®