Barrister fined after idiot husband slings unencrypted client data onto the internet

A barrister has been fined by the UK Information Commissioner's Office after client information was accidentally uploaded to the internet. According to the monetary penalty notice [PDF] issued against the senior lawyer, who is unnamed, she was only stung for £1,000. The note was published today. We're told information …

  1. IrishFella
    WTF?

    £1,000 fine

    she has only been fined £1,000 by the ICO

    .....and what do these people earn per hour??

    1. Anonymous Coward

      Re: £1,000 fine

      £1,000, I think that's about a 15 minute phone call with their junior assistant.

    2. Anonymous Coward

      Re: £1,000 fine

      .....and what do these people earn per hour??

      Earn, or charge? The hourly charge to you isn't either average or take home pay, as our contracting and zero hours IT brethren can attest. I'd expect your hourly charge to never be much less than £100 an hour and upwards from that towards £1,000 an hour. But out of that barristers have to pay their supporting clerks, admin, premises costs and the like.

      A junior barrister in a provincial city could be earning less than £40k a year before their deductions, and even senior barristers can struggle to push through £100k a year, although it depends greatly on what they are specialised in. On the other hand, those doing top end commercial litigation out of a top flight London office ("Chambers") can exceed £1m a year gross.

      1. DJV Silver badge

        Re: £1,000 fine

        "senior barristers can struggle to push through £100k a year"

        My heart bleeds...

      2. Potemkine Silver badge

        Re: £1,000 fine

        A junior barrister in a provincial city could be earning less than £40k a year before their deductions, and even senior barristers can struggle to push through £100k a year

        Could you remind me of the value of median and average incomes in the UK please?

        1. Anonymous Coward

          Re: £1,000 fine

          What's the median income of people in the UK with two degrees and an 80-hour working week?

          1. Sherrie Ludwig

            Re: £1,000 fine

            What's the median income of people in the UK with two degrees and an 80-hour working week?

            Well, in the US, my niece teaching special needs students needed three degrees for her job, works the same hours during the school year (and about half that for summer terms) and would LOVE to make 40% of that.....

      3. Doctor Syntax Silver badge

        Re: £1,000 fine

        "even senior barristers can struggle to push through £100k a year"

        Back in the '70s & '80s the senior criminal barristers in NI were reputed to be making £250k a year. I'm not sure of the evidence for this, however.

  2. Crazy Operations Guy

    Why store them on a shared computer in the first place?

    I don't see why she would store those files on a shared machine in the first place, was she not issued a laptop from her organization? Or if they are completely independent, do they not have the money to buy a cheap laptop? And how would they support their client if they needed one of those files while at the court house, do they just drag the family computer around with them?

    I have no sympathy for idiots like this. People trusted their most sensitive information to this person (not even the government would have access to the data being held). £4 per person affected isn't enough, a pound of flesh per client affected would probably be a better punishment...

    1. ArrZarr Silver badge

      Re: Why store them on a shared computer in the first place?

      If the computer was only shared with her other half then it's only shared in the most technical sense. It's not like she was storing them on a PC at a webcafé. If the computer was up to date with security patches & AV then that could certainly count as having reasonable protections in place. The file could even have been password protected on the drive.

      Now I hate to be the voice of reason when we could be laughing at lawyers but given that details in the story are scarce on how the information was stored, I think you may be going a bit far.

      1. David Neil

        Re: Why store them on a shared computer in the first place?

        I'm sure "shared in the most technical sense" would be fine by you if a GP's spouse uploaded a copy of your STI test to dropdrive and allowed it to be picked up by the googlebot

      2. Anonymous Coward
        FAIL

        @ArrZarr

        "The file could even have been password protected on the drive.

        Now I hate to be the voice of reason when we could be laughing at lawyers but given that details in the story are scarce on how the information was stored, I think you may be going a bit far."

        Which part of: "visible to an internet search engine and some of the documents could be easily accessed through a simple search" did you choose to ignore from the article?

        1. ArrZarr Silver badge

          Re: @ArrZarr

          The part where adequate protections may have been in place on the computer itself but stripped during the upload by somebody the barrister trusted.

          I was umming and aahing about adding that bit about the password protection but it's not inconceivable that it could have been protected and lost that protection.

          @David Neil On the note of whether I would be happy if it were my data? Of course I wouldn't be happy but I certainly wouldn't be going as far as demanding pounds of flesh from said barrister which was the post I was calling out as going a bit far.

      3. P. Lee

        Re: Why store them on a shared computer in the first place?

        >Now I hate to be the voice of reason when we could be laughing at lawyers

        It may not have even been shared. Maybe hubby was asked to do the IT maintenance and organise backups etc.

        It highlights the problem that people still think they "have the internet on my computer" and that what is on my local screen is on my local hardware. It isn't your personal computer any more.

        More importantly, what kind of backup system immediately shoves the content at a search engine?

        More interesting than the barrister's name would be the backup system's name.

        1. TRT Silver badge

          Re: More interesting than the barrister's name would be the backup system's name.

          Definitely. This sounds a very dodgy bit of gear.

        2. DropBear

          Re: Why store them on a shared computer in the first place?

          "It may not have even been shared. Maybe hubby was asked to do the IT maintenance and organise backups etc."

          And asking a rather incompetent bloke to do maintenance on her laptop would have been no big deal for a wife - as a barrister though she's kinda expected to seek properly competent maintenance if needed. And I'm not even going to ask whether she ever considered what happens if said laptop ever gets lost / stolen.

          1. TRT Silver badge

            Re: Why store them on a shared computer in the first place?

            Whole device encryption means bugger all if you are copying the decrypted data out to another location.

        3. Paul Hovnanian Silver badge

          Re: Why store them on a shared computer in the first place?

          "Maybe hubby was asked to do the IT maintenance and organise backups etc."

          I don't know how client confidentiality works in the legal profession or in the UK. But in my world of classified information, my wife has no more privileges than does the family of Russian spies living down the street.

        4. Doctor Syntax Silver badge

          Re: Why store them on a shared computer in the first place?

          "More interesting than the barrister's name would be the backup system's name."

          Definitely.

    2. Aristotles slow and dimwitted horse

      Re: Why store them on a shared computer in the first place?

      And I'm assuming that in your frenzied Daily Mail appetite to see her vilified, publicly humiliated, and no doubt leaving her (hard earned) career and reputation in tatters; that a public hanging, drawing and quartering and burning at the stake would be a better punishment?

      Thought so. But thankfully most of us are a little more forgiving and civilised.

      It seems to me that lots and lots of people are still learning about this sort of stuff. From huge global corporates, to what we have here - which whilst in no way lightens the idiocy, but that after consideration and review maybe represents the ACTUAL end damage done.

    3. This post has been deleted by its author

      1. Crazy Operations Guy

        Re: Why store them on a shared computer in the first place?

        "Barristers are usually self-employed." And that is why the next sentence exists, a laptop or computer specifically for this purpose wouldn't break the bank, and is cheaper than even an hour of their time. Heck, a 5+ year old used laptop would work just fine for managing legal documents.

        "Your use of spelling and words suggests you're American"

        Actually I'm Icelandic. But I was educated and lived in the US for my formative years. Yes, things are a bit different than in the 'Kingdom, here in Iceland we hold our public servants / professionals accountable for violating our trust in them.

        1. Ben Tasker

          Re: Why store them on a shared computer in the first place?

          >"Barristers are usually self-employed." And that is why the next sentence exists, a laptop or computer specifically for this purpose wouldn't break the bank

          I don't see anything in the article that suggests this wasn't already the case

          > The incident occurred when her husband backed them up using an online file directory service while he was updating software on the couple's home computer.

          It's equally possible this was her "dedicated" laptop, but she passed it to her husband to install some updates.

          She'd still have misplaced her trust, but that'd be slightly different. Either way she should have used encryption.

          The point being, you've got scant details available on what actually happened, so put out your torch and put the pitchfork back in the shed.

    4. Allan George Dyer
      Coat

      Re: Why store them on a shared computer in the first place?

      @Crazy Operations Guy - a pound of flesh? You are going to be in REAL trouble if you try collecting.

      - Mine's the one with the playscript in the pocket.

    5. Doctor Syntax Silver badge

      Re: Why store them on a shared computer in the first place?

      "I don't see why she would store those files on a shared machine in the first place, was she not issued a laptop from her organization? Or if they are completely independent, do they not have the money to buy a cheap laptop?"

      Hmmm. Let's look at it differently. Let's think what might happen if she'd used only a laptop and had files of >700 people on it. Let's say that laptop was reported stolen. My guess is that we'd then have a Crazy Operations Guy saying "Why did she have them all on the laptop? Couldn't she have used a separate computer to keep the files on and just kept the ones she needed at the time on the laptop?".

  3. Pen-y-gors

    Online backup?

    Whether or not it was a shared computer, the bit that worries me is the 'cloud' backup that included features to allow files to be publicly read.

    Call me a Luddite but local backup to an encrypted USB drive or stick which is then kept in the garden shed is a) faster b) not readily accessible by GCHQ/NSA (or, in this case, Google and the public) and c) a hell of a lot safer. Problem is the punters aren't experts and are seduced by the cloudy salesmen.

    1. Just Enough

      Re: Online backup?

      Your idea of ShedDrive intrigues me. Please expand further. Can it be used by my Greenhouse VM?

      1. creepy gecko

        Re: Online backup?

        The ShedDrive would need to be padlocked when not in use, obviously.

      2. Korev Silver badge
        Coat

        Re: Online backup?

        Your idea of ShedDrive intrigues me.

        Would it use Shed or Attached Storage?

    2. TReko

      Re: Online backup?

      Online backups are stored on the Cloud, which is another word for someone else's computer. Unless you encrypt data before uploading it to cloud storage, you run a risk of having it stolen.

      Local encryption is easy, can be done before uploading to the cloud, and is available through a wide variety of apps. VeraCrypt http://veracrypt.org works with DropBox, while SyncDocs https://syncdocs.com encrypts Google Drive.

      I wonder how they caught her? Did some client's names appear in a Google search?

      1. monty75

        Re: Online backup?

        And Cryptomator works with any cloud storage provider.

        1. TRT Silver badge

          Re: Online backup?

          Do I need to replicate in next door's shed?

          1. Soruk

            Re: Online backup?

            > Do I need to replicate in next door's shed?

            You could get arrested for that...

            1. TRT Silver badge

              Re: Online backup?

              I laid a fat pipe in between the two sheds.

      2. Doctor Syntax Silver badge

        Re: Online backup?

        "I wonder how they caught her? Did some client's names appear in a Google search?"

        Reading the linked PDF that appears to have been the case.

        1. Roland6 Silver badge

          Re: Online backup?

          "I wonder how they caught her? Did some client's names appear in a Google search?"

          Reading the linked PDF that appears to have been the case.

          Plus her name appeared as the author of some of the documents...

    3. Doctor Syntax Silver badge

      Re: Online backup?

      In the case of data like this UnShed storage would be better. Got to keep it separate from everything else.

  4. creepy gecko
    Facepalm

    Top Tips For Barristers...

    "when her husband backed them up using an online file directory service while he was updating software on the couple's home computer"

    Top Tip... Buy yourself a laptop. Don't let anyone else use it. You could even consider using encryption...just a passing thought.

    1. Commswonk

      Re: Top Tips For Barristers...

      Top Tip... Buy yourself a laptop. Don't let anyone else use it. You could even consider using encryption...just a passing thought.

      And FFS don't lose it.

      The original article mentioned that information about something like 250 people was involved; I have no idea what a barrister's caseload is like but that seems like an awful lot. From this it follows that some of the information was no longer "current" and should have been archived somewhere else and deleted from the PC (or any other personal device).

      I also find myself wondering if barristers - being largely if not wholly self-employed - are also required to be Data Controllers as defined in the DPA. Is the data "theirs" or does it belong to the chambers in which they work? Do the various chambers have an appointed Data Controller who is supposed to have overall charge of the information processed through the chambers concerned?

      Having skim-read the referenced guidance note for barristers I have to say that I found it a bit woolly; too many "shoulds" and not enough "musts". That said the document goes to some trouble to say that its standing is not entirely to be relied upon, so to speak.

      To me this incident highlights the fact that material handled by barristers (and almost certainly solicitors as well) is not being as closely controlled as it really ought to be; there are too many opportunities for confidential material to slip through the net because nobody really knows whose net it is.

      1. Triggerfish

        Re: Top Tips For Barristers...

        The original article mentioned that information about something like 250 people was involved; I have no idea what a barrister's caseload is like but that seems like an awful lot.

        Not necessarily, they could be complainants against an organisation or someone for their actions.

      2. Wensleydale Cheese

        Re: Top Tips For Barristers...

        "To me this incident highlights the fact that material handled by barristers (and almost certainly solicitors as well) is not being as closely controlled as it really ought to be"

        This area is a prime candidate for a proper training course which would cover the risks and present workable solutions.

        A nice little business idea for one of you.

      3. Doctor Syntax Silver badge

        Re: Top Tips For Barristers...

        "I also find myself wondering if barristers - being largely if not wholly self-employed - are also required to be Data Controllers as defined in the DPA."

        Read the ICO's PDF linked from TFA.

    2. Pascal Monett Silver badge

      Indeed

      This is the exact issue I have with all the "automation" that is being offered willy-nilly.

      You have a job dealing with people's personal data. You cannot allow yourself to treat the platform you're working on as something on which you can just go and install any FaceBook, SnapChat, DropBox or whatever other shiny-shiny you feel like.

      With a barrister's revenue, one would think that it would be possible to have one laptop for working and another one for dicking around on Instagram or whatever.

      In any case, this fine is a necessary wake-up call to everyone dealing with personal data on their laptops: do things right and, if you're not sure, ask an IT pro what is right. Yes, it will cost money. What you need to ask yourself is how much more would it cost to your reputation to not do things right.

      1. usbac Silver badge

        Re: Indeed

        @ Pascal Monett

        I used to do a lot of IT work for lawyers. It always amazed me that lawyers that charge clients $300-$500 per hour, were cheap SOB's when it comes to paying for IT support. The only clients I ever got stiffed by were lawyers. Good luck collecting from them!

        They have the attitude that their time is worth X, and no one else's time is worth anything.

        1. Commswonk

          Re: Indeed

          They have the attitude that their time is worth X, and no one else's time is worth anything.

          Shakespeare got it right over 400 years ago: The first thing we do, let's kill all the lawyers

          ( Henry VI, Part 2, Act IV, Scene 2.)

        2. Pascal Monett Silver badge

          @ usbac

          I hear you.

          In 20 years consulting in Luxembourg, I've done a few lawyer establishments in my time. As fancy as the marble floor at the entrance may be, I've always been surprised at how the IT guy would never have a spare PC for me to work on in his office under the roof that you can only get to through rickety stairs that haven't seen a carpenter since 1946.

          And of course, he would have to stay right next to me (standing because no additional chair) while I worked on his PC to solve whatever problem it was I had come for.

          I was always glad to leave those places. Suits and ties do not mean everything.

    3. MachDiamond Silver badge

      Re: Top Tips For Barristers...

      Top tip topper. Don't put all of your sensitive data on a laptop and carry it around with you. Transfer working files encrypted on a thumb drive kept in a pocket (not a purse or bag). Laptops loaded with sensitive data seem to go missing all of the time.

      A further lesson is Cloud = Public. Even knowing that barristers struggle with maths, that one should be easy enough. Now where did I put those naughty pictures of Jennifer Lawrence?

      1. MachDiamond Silver badge

        Re: Top Tips For Barristers...

        Just a day after I make a post about laptops going missing with sensitive data on them, a US Secret Service agent has a laptop stolen from her car, in her driveway containing, presumably, unencrypted details about presidential security at Trump Tower and evacuation protocols and information regarding the investigation of Hillary Clinton's private email server. Whoops!

        Any bets that it might have been done on purpose so some leaked information can be attributed to the theft?

  5. This post has been deleted by its author

    1. Pascal Monett Silver badge
      Coat

      Re: Gavel picture in article.

      I accept that that is true, but it is also very likely that the English population has been just as brainwashed (if not more) with all the American police shows as the rest of the world, so the gavel remains a pertinent image.
