Security incident/breach reporting

A security incident is a situation where personal data and/or client confidential data may potentially be compromised and should be reported without delay to our Corporate Counsel to determine whether there is a breach of UK GDPR and/or SRA Regulations. Breaches include:

If you believe the firm or any colleague may have breached UK GDPR/SRA rules on client confidentiality or if you become aware of data having fallen into the wrong hands by any means, you must report the matter to our Corporate Counsel without delay. Keystone has legal obligations to self-report not only to the SRA, but also to the ICO.

Sending an email to the incorrect recipient deserves a special mention as fast action can avert a breach. Here is what to do, and note that steps 5 through 9 should be tackled jointly with our Corporate Counsel:

1. Assess the email. If it contains nothing confidential or sensitive, then you might not need to do anything other than prevent a recurrence (see Prevention, at para 9 below).

2. Send the email to the correct recipient, as you were planning to do.

3. If the email is material, then call the incorrect recipient and try to get the email deleted unread. If you can't reach the recipient, don't stop there. It might be a blessing in disguise. An IT team or PA might be able to delete the email unread too. They have an obligation to help you, especially if it is a law firm on the other side. Then report the matter to our Corporate Counsel.

4. If you cannot get the recipient to delete the email, then report the matter to our Corporate Counsel. We will help you write to them again, telling them that they need to delete it and that they must not use it or send it on, e.g. to their client. We will ask them to let you know if they have already done so.

5. Consider the impact of the error on us. Do we need to notify our insurers, or the data subject? Are we now conflicted and unable to act? Do we need to set the record straight?

6. Consider the impact of the error on the recipient. If you send an email to a solicitor on the other side and tell them not to read it, or it is clear that they should not read it, then, if they do, they are likely conflicted and cannot act, but we may be liable to their client for the cost of moving lawyers/firms. If they action the email, e.g. by forwarding it to their client, then they may be committing serious misconduct and we may need to report them to the SRA.

7. Consider if there is anything else we can do to put matters right.

8. Telling the client: if the client is impacted, we will need to tell them. After an apology, we'll need to address what, if anything, we can do to put matters right.

9. Prevention: Consider how you made the error. Usually, it's because you typed the beginning of the intended recipient's name and then picked the wrong recipient through the autocomplete function in Outlook. So, where you have contacts with confusable names, delete the contacts you don't need from your contacts or autocomplete. If you need both email addresses (i.e. the intended recipient and the actual recipient) in your contacts or autocomplete, then consider still deleting them from your autocomplete and renaming them in your contacts. You can add a Mr/Mrs prefix, you can swap first name and surname, you can use an abbreviation; anything with the result that the first few letters of the two recipients, as you have saved them in your contacts, now differ from each other. Also make sure you check email addresses/recipients carefully. Do you need to place a sending delay on your emails in future? This is not much of a help, as you typically don't realise right away that you've sent the email to the wrong place. See the last section of this email for guidance on this.

If you receive an email sent to you in error, you should note the following:

1. As soon as you form the view that you should not be reading the email you have been sent, stop reading.

2. Consider if the email was material. If not material, just delete it.

3. If material, then consider what you have to do with it.

4. If it is a simple matter of deleting the email, then write a new email to the sender referring back to the email by date and time, but don't reproduce any of its content. Say what you have done, i.e. deleted it largely unread.

5. If it is not a simple matter, then call our Corporate Counsel. It might be that we need to keep a copy but not access it. Central Office can do this and record that it has been done. You can then delete the email without accessing it.

6. Do not action the email and do not forward it on.

7. If you read more than you should have, then call our Corporate Counsel. We may need to consider if you can still act. The sender may have to pay the cost of the client moving law firms or legal teams, if you acted reasonably and have become conflicted.

8. If you have forwarded it on, then call our Corporate Counsel. We will need to consider whether we need to self-report to the SRA.

9. Consider what, if anything, we need to tell the client. The contents of the email are confidential and may be privileged, but the fact that an email was sent to you is not. However, where you stop reading (as you should) and so don't know what the email was about, the fact that an email was sent will not likely be of much relevance.
