Law firm Orrick UK admits sending 1,200-page bundle including medical data to wrong recipient

A file containing sensitive personal information was sent in error, raising questions about how such incidents occur and how they are handled.

Recent scrutiny of Sullivan & Cromwell LLP has centred on the risks posed by artificial intelligence in legal practice. In that case, the firm proactively apologised to a New York court after submitting filings that contained inaccurate citations, later attributed to failures in internal review processes. The episode iss widely framed as a cautionary tale about emerging AI technology.

Yet the underlying issue was more familiar. It was not simply about AI, but about the reliability of professional safeguards, the systems and checks that are expected to prevent errors before they reach the outside world.

A separate incident in London, involving Orrick, Herrington & Sutcliffe LLP, brings that same question into focus from a different angle.

In a recent case, a hearing bundle of approximately 1,200 pages was transmitted via a file-sharing link to an unintended recipient. The material included personal data, financial information and vast swathes of medical records, categories generally understood to require a heightened level of care in handling.

The firm has acknowledged that the transmission occurred in error. In correspondence,

The explanation offered is that the incident arose from a mistake and was addressed within a relatively short period of time. However, the matter suggests that the issue was raised by a seperate recipient party, rather than detected by the firm before that point.

But as is often the case with incidents of this kind, the central issue does not lie in intention. It lies in what the error represents, and what follows from it.

When sensitive material is sent to the wrong recipient, the immediate focus tends to fall on what happened next. Was the file opened? Was it retained? Was it shared further?

Those are natural questions, and often important ones.

However, they are not the only lens through which such events can be viewed. There is also a prior moment the point at which the data leaves the sender’s control. From that moment onwards, there is, at least for a time, an element of uncertainty.

For individuals whose information is involved, particularly where that information includes medical or financial detail, that uncertainty is not abstract. It can carry its own weight, irrespective of what is later established about access or use.

Modern legal practice relies heavily on systems designed to minimise precisely these risks. Those systems are not limited to technology. They include procedural safeguards: checks on document content, verification of recipients, and controls intended to ensure that sensitive information is shared only with those entitled to receive it.

When an “error” occurs despite those safeguards, the question that tends to follow is not simply what went wrong, but how the safeguards operated in practice. Whether they were bypassed, misunderstood, or insufficiently robust for the circumstances.

That is not a question of fault in a narrow sense. It is a question about process and reliability.

The comparison with Sullivan & Cromwell is not exact, and it should not be overstated. The facts are different, and the contexts are distinct. One concerns the integrity of material placed before a court; the other concerns the handling of sensitive personal data.

For those observing from outside the immediate dispute, the wider point is a measured one. Errors of this kind are not unheard of, particularly in environments where large volumes of material are handled under time pressure.

But both situations illustrate a similar underlying point. Systems that are assumed to function as a matter of routine can, in certain circumstances, fail to operate as intended.

In one case, incorrect material entered a formal court document. In the other, confidential material left the intended sphere of control. In both, attention shifts from the outcome to the mechanisms that were meant to prevent it.

What gives them significance is not their rarity, but their implications. Where sensitive personal data is concerned, even a short-lived uncertainty can prompt legitimate questions about harm to the individual(s) affected, how information is managed, and how risks are mitigated.

It is in that context that incidents such as this tend to be evaluated.

What follows

In practice, situations of this kind are rarely defined solely by the initial error. They tend instead to turn on what happens afterwards: the clarity of the explanation provided, any apology, the adequacy of the safeguards in place, and the extent to which confidence can be restored.

Handled carefully, they may remain contained.

Handled less effectively, they can invite broader scrutiny not only of the incident itself, but of the systems and assumptions that allowed it to occur.

At that point, the question is no longer confined to a single mistaken transmission.

It becomes a question of whether the processes designed to prevent such events are operating as reliably as they are expected to.

And that is a question that extends beyond any one firm.

This article is published in the public interest. Orrick, Herrington & Sutcliffe (UK) LLP has been afforded an opportunity to comment, and this piece will be updated to include any response received.

Loopline Media

https://www.youtube.com/watch?v=KCh11HtI7vU

london, willis building, reflection-3529954.jpg

This Article is brought to you by

Loopline Media

Catch up with the Author

Facebook-f Twitter Linkedin

Subscribe Now to Get Regular Updates

Search

Post-Brexit: data protection
Card processor sends sensitive data to wrong address
24 August 2022

Worldline SA subsidiary Payone GmbH has been accused of breaching data protection rules after it sent sensitive employee payroll information to the wrong address by accident. The Worldline Group holdS a 60% stake in the Frankfurt based company who have a small UK market presence.

In June 2021, one of Payone GmbH’s ex UK employees (the data subject) received a “potential data breach notification” from the firm advising him that his salary, National Insurance data, nationality (Special Category Data) was amongst various bits of information sent to an incorrect home address.

This included personal information such as the former employees name, age and address.  It also included details such as the date of birth and the amount of annual work bonus he received in his bank account amongst other identifiable data.

Payone GmbH confirmed that this document was sent out in error following an employee making a mistake when re-entering data processed by their third-party payroll provider.  The error arose when the employee was fulfilling an Article 15 GDPR request. The error was spotted by the data subject when he noticed in an email version of the document that the postal address was incorrect. An attempt to notify Payone GmbH of the error went in vain as the document was already irretrievably despatched.

The data subject was alarmed with the incident which exposed him to the possibility of fraudulent activity, amidst reasonable fears his data could end up on the dark web and used by criminals.  Habitually resident in the UK he complained to the Information Commissioner’s Office (ICO) in June 2021. He similarly raised the concern in Germany via The Hessian Commissioner for Data Protection and Freedom of Information (HBDI).

The ICO reprimanded Payone GmbH for the error in their final decision letter.
Similarly, the HBDI cited a violation of Article 5(f) of the General Data Protection Regulation (GDPR) relating to integrity and confidentiality.

The ICO stated in their July 2021 findings that Payone GmbH, “should take steps to ensure that all personal data records are accurate and up to date. Holding inaccurate information, such as addresses, does increase the risk of personal data breaches and poses risks to the security of information”.

The HBDI confirmed in their October 2021 findings that Payone GmbH had taken remedial action. They concluded that a monetary fine would not be imposed on Payone GmbH as they had taken technical and organisational steps in response to the data breach. Data subjects could now request their data in an autonomous portal.

The GDPR, which came into effect in 2018, gave the Information Commissioner’s Office greater powers to tackle data breaches. The new ‘UK GDPR’ charts its own course after Brexit whilst seeking to maintain EU GDPR adequacy.  In extreme scenarios, organisations face penalties of up to £20m or 4 per cent of their global worldwide turnover, whichever is more.

In the years prior to GDPR, the ICO fines were capped at £500,000.

The data subject said: “I am just glad I spotted it; they were going to resend the document again to another wrong address. Prior to Brexit the process would have been commenced via the ICO who in turn would liaise with the HBDI on the data subjects’ behalf; but I found myself communicating with both authorities separately which was an additional step but in the end was surprisingly
effective. Unfortunately, Payone GmbH again sent my incorrect address to the
Workers Pension Trust in January 2022, and documents yet again went to the wrong address. In my opinion they have not learned from the first time and my complaint is sitting with the ICO yet again”.

The former employee is pursuing a remedy under Article 82 UK GDPR via
the Court’s of England & Wales.

Extraordinary Experiences

Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Our Core Values

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
  • Locavit liberioris possedit
  • Diremit mundi mare undae
  • Spectent tonitrua mutastis

We use cookies to improve user experience and analyse website traffic. By clicking ‘Accept’, you agree to our website’s cookie use as described in our Privacy Policy.

Accept
Decline
Accept
Decline