Solicitor has cc’d a stranger into an email containing sensitive and personal information about myself and my child

[Marbsmumma]

I can’t believe this. My daughters father and I are putting together a new child arrangements order and using his solicitor for this process.

A trainee solicitor has sent myself, another solicitor and my child’s father an email containing 18 attachments. These documents contain our previous child arrangements order, parenting agreement, notice of proceedings, and screenshots of WhatsApp messages between myself and my DC’s father and many more documents containing mine and my child’s name, address and goodness knows what else! There are 18 attachments of very personal information.

The trainee solicitor has also sent the email and documents to a complete stranger! I can see this strangers photo on Gmail (so email address is live and being used) I have never given this email address as mine as it’s not and never has been. I’ve asked my DC’s father if he has given it out by mistake and he’s said ‘no’. The mail address is my first name and surname @ yahoo.com. The solicitor has literally just assumed (?) it’s my email because it’s my name in the email address . It’s not a mistake because my actual email address is more than just a few letters off.

On top of that, she sent it to my actual email address that I have used to reply to a previous email from her but she still chose to cc an extra email address that isnt actually mine!

She was supposed to send me these 18 documents days ago before a court date but only sent a parenting Agreement leaflet instead. She then claimed she HAD sent me the documents when I enquired about why I hadn’t received them. Hence her sending me (and a stranger!) the email with the documents today after the court date.

Does anyone know what I can do about this?

Could you email the person with your name and ask what happened?

Unintended recipients often do respond to flag up issues like this - there are examples of people doing exactly that upthread.

I would like to think the comment from the director regarding the unintended recipient's response is true - solicitors are professionally obliged to act with integrity and it's more than a practicing certificate is worth to lie out of self interest in these sorts of situations.

Law firms take this sort of data breach very seriously but there is a limit as to what they can do other than try and get the data back or deleted, and apologise, and the employee concerned will doubtless have a warning and further training. I know that might seem like small comfort to you, but I am sure they are taking it very seriously indeed.

Even if this was true I'd still be really annoyed.

flitwit99 - that’s what I’m thinking. I know there are honest people who will do this but why didn’t they mention this earlier to me to reassure me. It’s a bit weird that they reply this evening with this highly convenient story, just in time.

Debenhamshandtowel - I’m tempted to do this.

As a previous poster mentioned on this thread, I’m sure they sent the email twice to the wrong address because they asked me to confirm receipt of this email a few days before they sent it yesterday. But guess what? I didn’t receive the first email they said they’d sent on the 8th. I wonder who did?!

I informed two solicitors at the firm that I had not recieved the documents and that’s why they sent again on the 11th.

I asked the director today if they had sent this email twice to the wrong address and he failed to even mention that in his response email to me.

Humans make mistakes. Have you never made a mistake when junior? The chances of the random person misusing the information is minimal. That trainee is probably mortified. I wouldn’t be thrilled and would flag it then move on.

Have they explained how the wrong email address got on there? Were they just randomly guessing email accounts with your name or did someone write it down wrong at some point? I would be more likely to forgive on than the other.

pinkpushchairs - exactly! Because I’m sure the wrong recipient did read the documents. Even if she did contact them and state otherwise. How do I know that’s true. Mone and my child’s as well as my child’s father has very personal information sent to a complete stranger. For all we know this person could’ve forwarded it to anyone and everyone.

But tbh, I don’t believe the director at all.

Will the ICO and SRA investigate whether the unintended recipient did actually contact the firm and say this? Or can a solicitor literally just say this to a caseworker at the ICO with no evidence at all and have their word taken as truth?

If he’s lying he will be in serious trouble as I’m not letting this go on his word.

Whilst it's very concerning that a solicitor would accidentally do this, the unintended recipient will not have any use of the information. This happened to me (social services this time!) and I did simply delete but sent an email alerting them to their mistake.

I am a solicitor. This sounds like negligence.

1. Ask for ALL email correspondence with the external Third Party. Any emails relating to your matter and someone else’s matter should be redacted but you still require to see them. If they refuse to hand these over, ask for an explanation.

2. Ask for confirmation that they have alerted their insurer to the incident.

3. Note that you are not satisfied with the Firms explanation. Request to see ALL correspondence with the ICO. If they refuse this, ask for an explanation.

The key issue is one of professional negligence, and while there has been a data breach, the issue is whether the Firm has acted negligently. That is not to do with the ICO.

My firm have a no saved email addresses policy ie no drop down options for ‘To’ because it is judged to be a security risk.

Good luck. Keep pursuing this.

MsTSwift - it’s a big mistake to make for such a professional practice and the way in which they dealt with it afterwards was terrible. Do you mind if I have personal information about you and your children so I can read at my leisure?? And pay for the pleasure? Are you being serious?

I have received confidential emails not intended for me because of autocompleted email addresses. I immediately contacted the sender and deleted the email, emptied deleted items.
I have also had to point out to my manager that he has accidentally done the same and had to contact the recipient on his behalf to confirm deletion.

Just curious as to what you want from this. Financial compensation perhaps?

PersonaNonGarter - thanks so much for this information I will do this.

I wish we’d used your firm!

It sounds like they're trying to deal with it internally, and hope you'll just forget it and accept whatever they say. They've sinewy sent me than one email to the stranger. Persona's advice above sounds like a good plan.

DownToTheSeaAgain - Just curious as to what you want from my response. A rise?

Ignore the trolls.
You shouldn't need to cross your fingers and hope that any random stranger who has been sent this information does the right thing. That's just nonsense.

I got std test results for someone

I had similar happen but luckily the email they sent it to did not exist. Could have been catastrophic if it did.

I hope you get this sorted and no more harm done.

Of course it’s bad but can’t help feeling sorry for the trainee that cocked up. People make mistakes. What do you want? Financial compensation? The trainee to lose her job?

I work with sensitive information, I would have my ass handed to me if I did anything like this.

If the firm had responded immediately and contacted the other recipient immediately I bet the OP would be a lot happier.

Their handling of the situation was appalling.

I am a DPO in a national firm of accountants.

Our experience is that recipients do often contact us to advise that they have received documents not intended for them. They generally do advise they have shredded/deleted the documents. Sonetimes they ask to have them collected or they return by hand.

According to my procedures, I would not be required to self report to the ICO in this situation. I have reported a major breach, and subsequently received closure without censure from ICO.

It doesn't matter what posters her think. What's relevant is whether the firm has broken the law or professional guidelines, and whether the relevant authorities have been informed.