Barrister fined after idiot husband slings unencrypted client data onto the internet

A barrister has been fined by the UK Information Commissioner's Office after client information was accidentally uploaded to the internet. According to the monetary penalty notice [PDF] issued against the senior lawyer, who is unnamed, she was only stung for £1,000. The note was published today. We're told information …

  1. IrishFella
    WTF?

    £1,000 fine

    she has only been fined £1,000 by the ICO

    .....and what do these people earn per hour??

    1. Anonymous Coward
      Anonymous Coward

      Re: £1,000 fine

      £1,000, I think that's about a 15 minute phone call with their junior assistant.

    2. Anonymous Coward
      Anonymous Coward

      Re: £1,000 fine

      .....and what do these people earn per hour??

      Earn, or charge? The hourly charge to you isn't either average or take home pay, as our contracting and zero hours IT brethren can attest. I'd expect your hourly charge to never be much less than £100 an hour and upwards from that towards £1,000 an hour. But out of that barristers have to pay their supporting clerks, admin, premises costs and the like.

      A junior barrister in a provincial city could be earning less than £40k a year before their deductions, and even senior barristers can struggle to push through £100k a year, although it depends greatly on what they are specialised in. On the other hand, those doing top end commercial litigation out of a top flight London office ("Chambers") can exceed £1m a year gross.

      1. DJV Silver badge

        Re: £1,000 fine

        "senior barristers can struggle to push through £100k a year"

        My heart bleeds...

      2. Potemkine Silver badge

        Re: £1,000 fine

        A junior barrister in a provincial city could be earning less than £40k a year before their deductions, and even senior barristers can struggle to push through £100k a year

        Could you remind me the value of median and average incomes in UK please?

        1. Anonymous Coward
          Anonymous Coward

          Re: £1,000 fine

          What's the median income of people in the UK with two degrees and an 80-hour working week?

          1. Sherrie Ludwig

            Re: £1,000 fine

            What's the median income of people in the UK with two degrees and an 80-hour working week?

            Well, in the US, my niece teaching special needs students needed three degrees for her job, works the same hours during the school year (and about half that for summer terms) and would LOVE to make 40% of that.....

      3. Doctor Syntax Silver badge

        Re: £1,000 fine

        "even senior barristers can struggle to push through £100k a year"

        Back in the '70s & '80s the senior criminal barristers in NI were reputed to be making £250k a year. I'm not sure of the evidence for this, however.

  2. Crazy Operations Guy Silver badge

    Why store them on a shared computer in the first place?

    I don't see why she would store those files on a shared machine in the first place, was she not issued a laptop from her organization? Or if they are completely independent, do they not have the money to buy a cheap laptop? And how would they support their client if they needed one of those files while at the court house, do they just drag the family computer around with them?

    I have no sympathy for idiots like this. People trusted their most sensitive information to this person (not even the government would have access to the data being held). £4 per person affected isn't enough, a pound of flesh per client affected would probably be a better punishment...

    1. ArrZarr Silver badge

      Re: Why store them on a shared computer in the first place?

      If the computer was only shared with her other half then it's only shared in the most technical sense. It's not like she was storing them on a PC at a webcafé. If the computer was up to date with security patches & AV then that could certainly count as having reasonable protections in place. The file could even have been password protected on the drive.

      Now I hate to be the voice of reason when we could be laughing at lawyers but given that details in the story are scarce on how the information was stored, I think you may be going a bit far.

      1. David Neil

        Re: Why store them on a shared computer in the first place?

        I'm sure "shared in the most technical sense" would be fine by you if a GP's spouse uploaded a copy of your STI test to dropdrive and allowed it to be picked up by the googlebot

      2. Anonymous Coward
        FAIL

        @ArrZarr

        "The file could even have been password protected on the drive.

        Now I hate to be the voice of reason when we could be laughing at lawyers but given that details in the story are scarce on how the information was stored, I think you may be going a bit far."

        Which part of: "visible to an internet search engine and some of the documents could be easily accessed through a simple search" did you choose to ignore from the article?

        1. ArrZarr Silver badge

          Re: @ArrZarr

          The part where adequate protections may have been in place on the computer itself but stripped during the upload by somebody the barrister trusted.

          I was umming and aahing about adding that bit about the password protection but it's not inconceivable that it could have been protected and lost that protection.

          @David Neil On the note of whether I would be happy if it were my data? Of course I wouldn't be happy but I certainly wouldn't be going as far as demanding pounds of flesh from said barrister which was the post I was calling out as going a bit far.

      3. P. Lee Silver badge

        Re: Why store them on a shared computer in the first place?

        >Now I hate to be the voice of reason when we could be laughing at lawyers

        It may not have even been shared. Maybe hubby was asked to do the IT maintenance and organise backups etc.

        It highlights the problem that people still think they "have the internet on my computer" and that what is on my local screen is on my local hardware. It isn't your personal computer any more.

        More importantly, what kind of backup system immediately shoves the content at a search engine?

        More interesting than the barrister's name would be the backup system's name.

        1. TRT Silver badge

          Re: More interesting than the barrister's name would be the backup system's name.

          Definitely. This sounds a very dodgy bit of gear.

        2. DropBear Silver badge

          Re: Why store them on a shared computer in the first place?

          "It may not have even been shared. Maybe hubby was asked to do the IT maintenance and organise backups etc."

          And asking a rather incompetent bloke to do maintenance on her laptop would have been no big deal for a wife - as a barrister though she's kinda expected to seek properly competent maintenance if needed. And I'm not even going to ask whether she ever considered what happens if said laptop ever gets lost / stolen.

          1. TRT Silver badge

            Re: Why store them on a shared computer in the first place?

            Whole device encryption means bugger all if you are copying the decrypted data out to another location.

        3. Paul Hovnanian Silver badge

          Re: Why store them on a shared computer in the first place?

          "Maybe hubby was asked to do the IT maintenance and organise backups etc."

          I don't know how client confidentiality works in the legal profession or in the UK. But in my world of classified information, my wife has no more privileges than does the family of Russian spies living down the street.

        4. Doctor Syntax Silver badge

          Re: Why store them on a shared computer in the first place?

          "More interesting than the barrister's name would be the backup system's name."

          Definitely.

    2. Aristotles slow and dimwitted horse Silver badge

      Re: Why store them on a shared computer in the first place?

      And I'm assuming that in your frenzied Daily Mail appetite to see her vilified, publicly humiliated, and no doubt leaving her (hard earned) career and reputation in tatters; that a public hanging, drawing and quartering and burning at the stake would be a better punishment?

      Thought so. But thankfully most of us are a little more forgiving and civilised.

      It seems to me that lots and lots of people are still learning about this sort of stuff. From huge global corporates, to what we have here - which whilst in no way lightens the idiocy, after consideration and review maybe represents the ACTUAL end damage done.

    3. This post has been deleted by its author

      1. Crazy Operations Guy Silver badge

        Re: Why store them on a shared computer in the first place?

        "Barristers are usually self-employed." And that is why the next sentence exists, a laptop or computer specifically for this purpose wouldn't break the bank, and is cheaper than even an hour of their time. Heck, a 5+ year old used laptop would work just fine for managing legal documents.

        "Your use of spelling and words suggests you're American"

        Actually I'm Icelandic. But I was educated and lived in the US for my formative years. Yes, things are a bit different than in the 'Kingdom, here in Iceland we hold our public servants / professionals accountable for violating our trust in them.

        1. Ben Tasker Silver badge

          Re: Why store them on a shared computer in the first place?

          >"Barristers are usually self-employed." And that is why the next sentence exists, a laptop or computer specifically for this purpose wouldn't break the bank

          I don't see anything in the article that suggests this wasn't already the case

          > The incident occurred when her husband backed them up using an online file directory service while he was updating software on the couple's home computer.

          It's equally possible this was her "dedicated" laptop, but she passed it to her husband to install some updates.

          She'd still have misplaced her trust, but that'd be slightly different. Either way she should have used encryption.

          The point being, you've got scant details available on what actually happened, so put out your torch and put the pitchfork back in the shed.

    4. Allan George Dyer Silver badge
      Coat

      Re: Why store them on a shared computer in the first place?

      @Crazy Operations Guy - a pound of flesh? You are going to be in REAL trouble if you try collecting.

      - Mine's the one with the playscript in the pocket.

    5. Doctor Syntax Silver badge

      Re: Why store them on a shared computer in the first place?

      "I don't see why she would store those files on a shared machine in the first place, was she not issued a laptop from her organization? Or if they are completely independent, do they not have the money to buy a cheap laptop?"

      Hmmm. Let's look at it differently. Let's think what might happen if she'd used only a laptop and had files of >700 people on it. Let's say that laptop was reported stolen. My guess is that we'd then have a Crazy Operations Guy saying "Why did she have them all on the laptop? Couldn't she have used a separate computer to keep the files on and just kept the ones she needed at the time on the laptop?".

  3. Pen-y-gors Silver badge

    Online backup?

    Whether or not it was a shared computer, the bit that worries me is the 'cloud' backup that included features to allow files to be publicly read.

    Call me a Luddite but local backup to an encrypted USB drive or stick which is then kept in the garden shed is a) faster b) not readily accessible by GCHQ/NSA (or, in this case, Google and the public) and c) a hell of a lot safer. Problem is the punters aren't experts and are seduced by the cloudy salesmen.

    1. Just Enough

      Re: Online backup?

      Your idea of ShedDrive intrigues me. Please expand further. Can it be used by my Greenhouse VM?

      1. creepy gecko

        Re: Online backup?

        The ShedDrive would need to be padlocked when not in use, obviously.

      2. Korev Silver badge
        Coat

        Re: Online backup?

        Your idea of ShedDrive intrigues me.

        Would it use Shed or Attached Storage?

    2. TReko

      Re: Online backup?

      Online backups are stored on the Cloud, which is another word for someone else's computer. Unless you encrypt data before uploading it to cloud storage, you run a risk of having it stolen.

      Local encryption is easy, can be done before uploading to the cloud, and is available through a wide variety of apps. VeraCrypt http://veracrypt.org works with DropBox, while SyncDocs https://syncdocs.com encrypts Google Drive.

      I wonder how they caught her? Did some client's names appear in a Google search?

      1. monty75

        Re: Online backup?

        And Cryptomator works with any cloud storage provider.

        1. TRT Silver badge

          Re: Online backup?

          Do I need to replicate in next door's shed?

          1. Soruk

            Re: Online backup?

            > Do I need to replicate in next door's shed?

            You could get arrested for that...

            1. TRT Silver badge

              Re: Online backup?

              I laid a fat pipe in between the two sheds.

      2. Doctor Syntax Silver badge

        Re: Online backup?

        "I wonder how they caught her? Did some client's names appear in a Google search?"

        Reading the linked PDF that appears to have been the case.

        1. Roland6 Silver badge

          Re: Online backup?

          "I wonder how they caught her? Did some client's names appear in a Google search?"

          Reading the linked PDF that appears to have been the case.

          Plus her name appeared as the author of some of the documents...

    3. Doctor Syntax Silver badge

      Re: Online backup?

      In the case of data like this UnShed storage would be better. Got to keep it separate from everything else.

  4. creepy gecko
    Facepalm

    Top Tips For Barristers...

    "when her husband backed them up using an online file directory service while he was updating software on the couple's home computer"

    Top Tip... Buy yourself a laptop. Don't let anyone else use it. You could even consider using encryption...just a passing thought.

    1. Commswonk Silver badge

      Re: Top Tips For Barristers...

      Top Tip... Buy yourself a laptop. Don't let anyone else use it. You could even consider using encryption...just a passing thought.

      And FFS don't lose it.

      The original article mentioned that information about something like 250 people was involved; I have no idea what a barrister's caseload is like but that seems like an awful lot. From this it follows that some of the information was no longer "current" and should have been archived somewhere else and deleted from the PC (or any other personal device).

      I also find myself wondering if barristers - being largely if not wholly self-employed - are also required to be Data Controllers as defined in the DPA. Is the data "theirs" or does it belong to the chambers in which they work? Do the various chambers have an appointed Data Controller who is supposed to have overall charge of the information processed through the chambers concerned?

      Having skim-read the referenced guidance note for barristers I have to say that I found it a bit woolly; too many "shoulds" and not enough "musts". That said the document goes to some trouble to say that its standing is not entirely to be relied upon, so to speak.

      To me this incident highlights the fact that material handled by barristers (and almost certainly solicitors as well) is not being as closely controlled as it really ought to be; there are too many opportunities for confidential material to slip through the net because nobody really knows whose net it is.

      1. Triggerfish

        Re: Top Tips For Barristers...

        The original article mentioned that information about something like 250 people was involved; I have no idea what a barrister's caseload is like but that seems like an awful lot.

        Not necessarily; they could be complainants against an organisation or someone for their actions.

      2. Wensleydale Cheese

        Re: Top Tips For Barristers...

        "To me this incident highlights the fact that material handled by barristers (and almost certainly solicitors as well) is not being as closely controlled as it really ought to be"

        This area is a prime candidate for a proper training course which would cover the risks and present workable solutions.

        A nice little business idea for one of you.

      3. Doctor Syntax Silver badge

        Re: Top Tips For Barristers...

        "I also find myself wondering if barristers - being largely if not wholly self-employed - are also required to be Data Controllers as defined in the DPA."

        Read the ICO's PDF linked from TFA.

    2. Pascal Monett Silver badge

      Indeed

      This is the exact issue I have with all the "automation" that is being offered willy-nilly.

      You have a job dealing with people's personal data. You cannot allow yourself to treat the platform you're working on as something on which you can just go and install any FaceBook, SnapChat, DropBox or whatever other shiny-shiny you feel like.

      With a barrister's revenue, one would think that it would be possible to have one laptop for working and another one for dicking around on Instagram or whatever.

      In any case, this fine is a necessary wake-up call to everyone dealing with personal data on their laptops : do things right and, if you're not sure, ask an IT pro what is right. Yes, it will cost money. What you need to ask yourself is how much more would it cost to your reputation to not do things right.

      1. usbac

        Re: Indeed

        @ Pascal Monett

        I used to do a lot of IT work for lawyers. It always amazed me that lawyers that charge clients $300-$500 per hour, were cheap SOB's when it comes to paying for IT support. The only clients I ever got stiffed by were lawyers. Good luck collecting from them!

        They have the attitude that their time is worth X, and no one else's time is worth anything.

        1. Commswonk Silver badge

          Re: Indeed

          They have the attitude that their time is worth X, and no one else's time is worth anything.

          Shakespeare got it right over 400 years ago: The first thing we do, let's kill all the lawyers

          ( Henry VI, Part 2, Act IV, Scene 2.)

        2. Pascal Monett Silver badge

          @ usbac

          I hear you.

          In 20 years consulting in Luxembourg, I've done a few lawyer establishments in my time. As fancy as the marble floor at the entrance may be, I've always been surprised at how the IT guy would never have a spare PC for me to work on in his office under the roof that you can only get to through rickety stairs that haven't seen a carpenter since 1946.

          And of course, he would have to stay right next to me (standing because no additional chair) while I worked on his PC to solve whatever problem it was I had come for.

          I was always glad to leave those places. Suits and ties do not mean everything.

    3. MachDiamond Silver badge

      Re: Top Tips For Barristers...

      Top tip topper. Don't put all of your sensitive data on a laptop and carry it around with you. Transfer working files encrypted on a thumb drive kept in a pocket (not a purse or bag). Laptops loaded with sensitive data seem to go missing all of the time.

      A further lesson is Cloud = Public. Even knowing that barristers struggle with maths, that one should be easy enough. Now where did I put those naughty pictures of Jennifer Lawrence?

      1. MachDiamond Silver badge

        Re: Top Tips For Barristers...

        Just a day after I make a post about laptops going missing with sensitive data on them, a US Secret Service agent has a laptop stolen from her car, in her driveway containing, presumably, unencrypted details about presidential security at Trump Tower and evacuation protocols and information regarding the investigation of Hillary Clinton's private email server. Whoops!

        Any bets that it might have been done on purpose so some leaked information can be attributed to the theft?

  5. This post has been deleted by its author

    1. Pascal Monett Silver badge
      Coat

      Re: Gavel picture in article.

      I accept that that is true, but it is also very likely that the English population has been just as brainwashed (if not more) with all the American police shows as the rest of the world, so the gavel remains a pertinent image.

      1. Mr Dogshit
        Joke

        Re: Gavel picture in article.

        Her husband is an auctioneer.

      2. Truckle The Uncivil

        Re: Gavel picture in article.

        @Pascal Monett

        I think that "potent" would be more accurate than "pertinent". People are complaining that it is not pertinent to the article. Your reply indicates (correctly I believe) that it is a potent image.

      3. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    Who Reported?

    I'm curious how this was brought to the attention of the ICO.

    It seems like it would have had to have been self-reported, or that someone did indeed view these documents on the internet and reported.

    1. phuzz Silver badge
      Facepalm

      Re: Who Reported?

      *hubby goes looking for the pr0n stash he thinks he's just uploaded from the family PC

      "oh shit, this isn't the goatse I was looking for!"

  7. David Nash Silver badge

    How on earth did an online backup service (if that's what it was) allow content to be indexed by Google and accessible to anyone without credentials?

    1. Hugh McIntyre

      @ David Nash

      Re: "How on earth did an online backup service (if that's what it was) allow content to be indexed by Google and accessible to anyone without credentials?"

      I assume from the article that the files were backed up to something like OneDrive/GoogleDocs/Dropbox, i.e. not a real on-line backup service.

  8. Scott Broukell
    Facepalm

    Quote: " . . head of enforcement at the ICO said: “People put their trust in lawyers . . "

    More worryingly: People put their (blind) trust in computers.

  9. Anonymous South African Coward Silver badge
  10. viscount

    Out of interest, does anyone know why such a person/case would be anonymous? The ICO documents are redacted, but why is that necessary or helpful?

  11. Woodnag

    Husband

    It seems to have passed notice that the barrister's spouse had access to the confidential work information. That's not an accident, but gross incompetence.

    Imagine if a GP's spouse had full access to the GP's medical records.

    1. Korev Silver badge

      Re: Husband

      100% agree. Upvoted.

    2. Adam 52 Silver badge

      Re: Husband

      "Imagine if a GP's spouse had full access to the GP's medical records."

      You think that they don't?

      A GP's spouse will have full access to any records left on the dining room table. And, now it's all computerised, so do 750,000 other people. And Google.

    3. Doctor Syntax Silver badge

      Re: Husband

      It seems to have passed notice that the barrister's spouse IT support had access to the confidential work information. That's not an accident, but gross incompetence.

      Imagine if a GP's spouse IT support had full access to the GP's medical records.

      Does that put it in terms which might be more familiar to el Reg's readership? Unless we expect everyone dealing with confidential material to be able to provide their own IT support it's a problem that doesn't go away.

  12. Don MacVittie

    Everything is relative.

    I think part of the problem is that we're a bunch of IT pros discussing the mistake of a barrister and her husband.

    Every lawyer that has seen my contracts has either shaken their heads, or offered me services.

    Just as I am not a Lawyer, she is not an IT pro.

    Should she (and hubby) get training? Yes. But the mistake they made is made 1000 times a day across the globe... By people who see computers as tools for their real jobs.

    Just as I see my contracts as tools for my real job.

    1. Adam 1 Silver badge

      Re: Everything is relative.

      Fair enough and I'm sure she feels terrible, BUT...

      There is a limit to the scope of contract you as an IT Pro would be willing to sign before bringing lawyers at 12 paces. IANAL, but I have seen clauses in contracts that aren't worth the paper they are written on because the thing they try to claim indemnity for (as an example) cannot be indemnified against due to legislative protections.

      I would expect a barrister to understand their liability for breaking client privilege or publishing information with various suppression orders active. And knowing that, it would be incredibly surprising to think it's ok for the data to be downloaded onto a shared computer where the husband alone might accidentally stumble upon confidential documents whilst searching for something he needs. And i would expect such computers used to handle that data to be maintained by people who have signed both confidentiality agreements and agreements that state that the data will be handled in accordance with best security practices. So again, she either failed to obtain those assurances or her husband should be rather nervous about his breach of contract.

      And finally £1000?? Did she park in a bus zone or compromise the private documents of hundreds of people through at best carelessness?

  13. MJI Silver badge

    I think a case of

    Education required more than punishment.

    1. Woodnag

      Education vs punishment

      Prison in the UK used to be intended as rehabilitation for offenders, providing some skills.

  14. Boohoo4u

    Where did he find a cloud backup tool/service that doesn't do encryption by default?

    1. Dwarf Silver badge

      Where did he find a cloud backup tool/service that doesn't do encryption by default?

      It was just the cheapest one he found that said cloud in the description.

    2. Adam 1 Silver badge

      Don't mix up encryption with public access. The data being encrypted is about physical protection (eg if the laptop is lost/stolen) and to prevent MitM. It doesn't help if you configure your server to send it to anyone who asks.

    3. Roland6 Silver badge

      Re: Where did he find a cloud backup tool/service that doesn't do encryption by default?

      "15. ... he temporarily upload Ms X's files (725 documents) to an online directory to back them up."

      So it is clear he didn't use a backup tool, but used a service like Dropbox/OneDrive/iCloud Drive.

      However, what I find interesting, is the nature of the update being applied, as effectively backing everything up immediately implies the update(s) were significantly more than the usual monthly Windows security updates.

      Interestingly, the date (19th September 2015) seems to predate either the Win10 major update or the OSX 'El Capitan' release.

  15. Dr Scrum Master

    Just like the countless lawyers who'd be reading legal documents on the train into Leeds in the morning?

    Or the secretary who backed up her laptop to a company shared drive whilst upgrading it and left the credit card, passport, etc details of senior staff for all on the network to see?

    1. tiggity Silver badge

      I have seen all sorts of interesting sensitive information on my train commutes.

      Not deliberately I should add. As Dr Scrum Master says, all sorts of people sit there with sensitive documents on the train tables, and I deliberately do not consciously read any of the content; but obviously when you are bored and your eyes are flicking around the carriage, then in the same way you register a few lines of news in someone's newspaper, you register a few lines of a mental health assessment (or whatever) on an individual.

  16. Lewis R

    Even more than meets the eye

    Wow. Where to begin?

    First, the husband, unless covered by NDA, has no business having access to this information. That being said, he's just the tip of the iceberg, here. Was the data secured at all on her machine? What if the husband isn't the only one with access? Does she have a cleaning service? Does she leave her computer unattended when others are in her home/office/hotel/etc.?

    If we were talking about leaving paper files lying about, there wouldn't even be room for debate.

    Was the transport to the "cloud" secured? I'm talking here of the actual connection, separate and apart from the apparent lapse on the part of the cloud provider. As an IT professional and an accountant, I can tell you that we take extraordinary measures in our office to protect client data. I would never, ever entrust to an unknown third party (or a known third party, with unknown or known employees/contractors) sensitive client data. Such records should be kept under the direct control of principals and contracted staff, ONLY. What was she thinking? I don't give my wife access to my clients' information, just like she doesn't sit in on tax consultations. My daughter has access, but she *works* for me, under contract (with a non-disclosure clause - no kidding).

    We have a stated privacy policy and an information security policy, which we really do review at least annually. Cleaning staff is not allowed into my personal office unless I am physically present in the office. Cleaning staff is not allowed into our file room or our server room, period. Why is this stuff so obvious to some of us and yet seems to escape so many others?

    1. Roland6 Silver badge

      Re: Even more than meets the eye

      First, the husband, unless covered by NDA, has no business having access to this information.

      Err, missed first base: why did the wife have confidential work materials on the home computer, a shared system? Clearly she did not consider it to be a problem before this incident. Was this because of lax IT security awareness in the chambers she was a member of, or other reasons?

      I have a home computer, it gets used by all the family, and as administrator I naturally have full access; thus if I want to do something such as perform normal systems housekeeping and install updates that may or will impact user data, I will back everything up and afterwards restore it. Now I have no idea whether among the hundreds of files there is or isn't information I shouldn't have access to; I just perform my task.

      The question I'm really interested in knowing the answer to is:

      What was the cloud service used and how was it the folders were visible to Internet search - so we can avoid this mistake.

      A secondary question asked out of technical interest is:

      What was the nature of the update - was the husband being overly cautious or did it really warrant extra precautions.

      As for your business, I take it that you do not use a (shared) home computer for any client related activities...

      1. Tom Paine Silver badge

        Re: Even more than meets the eye

        Err, missed first base, why did the wife have confidential work materials on the home computer, a shared system...

        For the same reason millions of gullible suckers have fallen for the notion that BYOD is a good idea rather than a disaster waiting to happen -- money. It's quicker and easier and much much cheaper than buying everyone a second computer to use at home (not many lawyers want to be lugging heavy high-end laptops around public transport every day, spoiling the cut of their nice tailored jackets with the shoulder strap, etc.)

        As I've often had to remind colleagues -- when a user's doing something crazily insecure, it's usually* not because they're lazy, stupid or malevolent -- it's because it's the quickest, easiest way to get their job done, the thing they're paid to do, and either no-one's warned them not to, or no-one's warned them not to well enough. And who's responsible for training normal people on everyday opsec? Why yes, us in security. So when you're slagging some poor sod off because they didn't realise it was a bad idea to upload sensitive data to Dropbox as a backup, have a look in the mirror before casting the first stone.

        * OK, yes, of course there is the odd user who really IS stupid, lazy or malevolent, but not so many that it should be your assumption about the root cause of a fail.

      2. Lewis R

        Re: Even more than meets the eye

        <quote>

        As for your business, I take it that you do not use a (shared) home computer for any client related activities...

        </quote>

        Actually, no, no I don't.

        My wife has her own system, and each of my two daughters has her own system. I don't put client information on USB sticks which can be lost, either. (Well, there are some files which are delivered to us on USB stick, the data is copied to the server, and then the stick is securely erased - no kidding. In the days when we received data on burned optical media, the disc was copied and then shredded. Floppies were reformatted - and not quick formats, either.)

        We maintain our own mail server, and handheld devices do not access other servers for mail. We don't use cloud services for anything (calendaring, messaging, email, file transport). Server backups are done in-house, with monthly tapes (LTO) encrypted and stored offsite in case of disaster. Each of our small offices is behind a secure, standalone firewall, and the offices are connected using IPSec VPN. Email (IMAP, POP3, and SMTP) is sent (transferred to and from the server and our connected devices) encrypted, including logon credentials (naturally, we don't encrypt mail sent outside the office, but we do not include sensitive information in client emails, and we immediately snip any such information sent to us (and try to practice "sane" quoting in messages)). Loose lips sink ships.

        We do not hire outside shredding companies, either. We do not allow tradesmen or even clients to wander freely about the office. In short, we take information security very seriously. There's nothing hard about it. It's just a matter of practice. I've been doing this since the days of NetWare 2.0 (and probably before; my dad had Litton minicomputers in the office in the 1970s, and even then we were aware of the potential for theft of sensitive information). It's more a state of mind than anything else.

        BTW, how *does* one properly quote in these forums? I've been a Reg reader for ages, but this mystery seems to elude me...

        1. Doctor Syntax Silver badge

          Re: Even more than meets the eye

          "BTW, how *does* one properly quote in these forums?"

          Simple way. See what I did above.

          Fancier way. Look at what you did. Replace the word "quote" by the word "em".

        2. Roland6 Silver badge

          Re: Even more than meets the eye

          "BTW, how *does* one properly quote in these forums? I've been a Reg reader for ages, but this mystery seems to elude me..."

          El Reg don't provide any 'prettifying' tools, however they do accept HTML text tags.

          See https://www.theregister.co.uk/2012/02/01/register_comments_guidelines/

      3. Doctor Syntax Silver badge

        Re: Even more than meets the eye

        "Was this because of lax IT security awareness in the chambers she was a member of, or other reasons."

        I wonder how many jobbing barristers outside London are based in chambers. Maybe, like a lot of other professionals these days, they work from home. In that case a home PC (or maybe a home NAS) and a laptop carrying today's cases wouldn't be an unreasonable combination. But, as others have said, how on Earth did the husband find a backup service that was open to the net?

  17. Brenda McViking
    Flame

    A grand. for this?

    Reading the penalty notice - apparently it's discounted 20% if you pay early and don't appeal. So actually the penalty could be as low as 800 quid. What an absolute mockery - as if it's as serious as a parking fine, barely a slap on the wrist.

    She had better be identified to the clients whose information she leaked and sued if there is to be any justice from this. Considering that if it were an IT professional, they'd have had their entire life and career destroyed over such a transgression, not to mention a fine that they'd have to mortgage a typical house for.

    I'm clearly in the wrong job. The risk:reward ratio for Law would appear to be absolutely laughable compared to any sort of job that you know... actually benefits society.

    1. Tom Paine Silver badge

      Re: A grand. for this?

      I don't think you CAN sue if you haven't suffered any loss, as in this case.

  18. CAPS LOCK Silver badge

    A public spanking is in order...

    ... or is that just me?

  19. Red Bren
    Paris Hilton

    Idiot Husband?

    Why the casual sexism? What exactly was it that the husband did that was idiotic?

    He was performing a software update on a home computer. He took the precaution of making a temporary, off-site backup to prevent data loss. Not a bad thing to do; I use free tools to do similar.

    Did he know his wife had stored confidential/sensitive client information on their home computer? As others have said, she should have a dedicated machine for such work.

    Should he have checked through his wife's files for any confidential/sensitive data? No, because even if he did, he would not be authorised to read the sensitive documents in order to determine their sensitivity.

    Paris icon, hasn't that joke passed its use-by date?

    1. Doctor Syntax Silver badge

      Re: Idiot Husband?

      "He took the precaution of making a temporary, off-site backup to prevent data loss. Not a bad thing to do, I use free tools do do similar."

      If I were making a backup whilst doing an upgrade I'd plug in a USB disk. I like to keep my data where I can see it. If there was a need for keeping the backup off-site I could simply unplug said disk and take it offsite.
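
The temporary off-site backup Red Bren describes, and Roland6's question about how the folders came to be visible to Internet search, come down to the same control: encrypt the backup on the machine before it goes anywhere you don't control, whether that is a cloud folder or a USB disk that can be lost. The script below is an added example, not code from the article or from any commenter; it assumes tar, OpenSSL 1.1.1 or later (for -pbkdf2), and a passphrase file that lives outside the tree being backed up.

```shell
#!/bin/sh
# Added example (not the article's or any commenter's code): make a pre-update
# backup that is encrypted *before* it leaves the machine, so a cloud folder
# that later turns out to be shared or indexed exposes only ciphertext.
# Assumes: tar, OpenSSL 1.1.1+ (for -pbkdf2), and a passphrase file that lives
# outside the tree being backed up.
set -eu

# backup_encrypted SRC_DIR OUT_FILE PASSPHRASE_FILE
# Streams a tar of SRC_DIR straight into AES-256-CBC with a PBKDF2-derived key
# and a random salt; the plaintext archive is never written to disk. Also
# stores a SHA-256 digest of the ciphertext to detect a corrupted or truncated copy.
backup_encrypted() {
    src="$1"; out="$2"; passfile="$3"
    [ -d "$src" ] || { echo "backup: no such directory: $src" >&2; return 1; }
    [ -s "$passfile" ] || { echo "backup: empty passphrase file: $passfile" >&2; return 1; }
    case "$passfile" in
        "$src"/*) echo "backup: passphrase file is inside the source tree" >&2; return 1 ;;
    esac
    (
        umask 077   # ciphertext and digest readable by the owner only
        tar -C "$(dirname "$src")" -cf - "$(basename "$src")" \
          | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
              -pass "file:$passfile" -out "$out"
        openssl dgst -sha256 "$out" | sed 's/^.*= //' > "$out.sha256"
    )
}

# verify_digest FILE -> succeeds only if FILE still matches FILE.sha256
verify_digest() {
    [ "$(openssl dgst -sha256 "$1" | sed 's/^.*= //')" = "$(cat "$1.sha256")" ]
}

# restore_encrypted IN_FILE PASSPHRASE_FILE DEST_DIR
# Refuses to restore a copy whose digest no longer matches, then decrypts
# and unpacks into DEST_DIR (the top-level directory name is preserved).
restore_encrypted() {
    in="$1"; passfile="$2"; dest="$3"
    verify_digest "$in" || { echo "restore: digest mismatch, refusing to restore" >&2; return 1; }
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$passfile" -in "$in" \
      | tar -C "$dest" -xf -
}

# Usage (paths are illustrative):
#   backup_encrypted "$HOME/work" /media/usb/work.tar.enc "$HOME/.backup-pass"
#   restore_encrypted /media/usb/work.tar.enc "$HOME/.backup-pass" /tmp/restore
```

Two caveats a practitioner would want stated. First, openssl enc gives confidentiality only: the digest catches accidental corruption, not deliberate tampering by whoever holds the file, so if gpg or age is installed, gpg --symmetric or age is the better choice because both authenticate the ciphertext. Second, a passphrase the administrator knows still lets the administrator read the data; encrypting to the data owner's public key instead (gpg --encrypt --recipient) lets whoever runs the household update take a backup they cannot open, which is the situation Roland6 and Red Bren both describe.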

  20. Anonymous Coward
    Anonymous Coward

    appropriate and reasonable

    "As to what is appropriate security measures, there is no real hard and fast guidance but [if the breach occurred] as a result of there being no security measures in place [..] or for example inadequate measures ..."

    I hate this sort of "principles based regulation" nonsense. The FCA does it too. It's a simple way to cop out from providing any guidance that (if it later proves insufficient) they can be blamed for. Instead, you're on your own arguing with management about whether, say, deploying a NIDS or hardening Windows clients with sandboxing / micro-virtualisation is "reasonable" and "appropriate". What's appropriate and reasonable? How long's a piece of string? From management's point of view, if we didn't get hacked last year, our security is reasonable and appropriate. Therefore there's never a need for any more security budget or for nerds in the security dungeon in the basement to be given the authority to intervene to prevent horribly insecure stuff going live.

    Why yes I do work in security. See these grey hairs?

    1. Doctor Syntax Silver badge

      Re: appropriate and reasonable

      "Why yes I do work in security. See these grey hairs?"

      You've not torn them out?

  21. Anonymous Coward
    Anonymous Coward

    ICO - Proves they're a chocolate teapot.

    Again.

    From the ICO website: "... uphold information rights in the public interest..."

    I feel safer already :/


Biting the hand that feeds IT © 1998–2019