Shortly after the post regarding May and Stephens’ data leak, I received an email from the consultancy’s managing director, Jacky May. Two weeks before, I had attempted to contact her with a number of questions pertinent to the data leak, to no avail. In contrast, the first whiff of adverse publicity brought a fairly swift response:
Having been out of the office, I learned only yesterday on reading your email that a member of our response team, David Vincent sent out an email communication without the cover of blind carbon copy. For this, I personally offer you my sincere apologies and on behalf of May & Stephens I cannot express to you how mortified and saddened the whole team feels that this error has occurred.
David Vincent, with whom you have emailed regarding this matter, subsequently realised his failure to use the bcc protection as would be the normal process. This was an honest mistake on his part, about which David is genuinely sorry and distressed. He fully appreciates that this has created a poor impression for the business. David is undertaking an internship with us as a graduate trainee and unfortunately on this occasion did not follow procedure. His personal attempt to offer you an apology by virtue of the email he composed demonstrates the innocence of his actions.
It is deeply regrettable to think that our reputation and our efforts to provide personal job search support to help people back into work can be potentially jeopardised through genuine human error. This naturally does not excuse us from our obligations under data protection and we have today implemented enhanced precautions to guarantee that this will never be able to reoccur.
We have been proud of maintaining the utmost integrity across our business practice and have an unblemished record for the past 18 years as we have always fulfilled best practice conduct.
This incident is therefore most disappointing.
In keeping with our promise to provide ongoing support we email on a quarterly basis to update and offer any additional individual assistance that may be required, as we know this has been a particularly effective aspect of our service, and which has been proved by the positive results we have achieved in getting people back into employment.
I can only reassure you that there was no ill intent or motive for commercial gain as the exercise was purely to offer you our continued support, which is still available to you.
I look forward to receiving your reply.
Which gave me pause for thought about giving May and Stephens in general, and David Vincent in particular, such a rough time. Yes, the company committed one almighty data-protection howler; yes, of all companies, a recruitment consultancy – whose stock in trade is people’s confidential data – should know better; and yes, the gravity of the leak was exacerbated by the real potential for fraud. But, as I think most of the 700 or so addressees would agree, it certainly looked like an innocent mistake. And if, as Ms May claims, it was committed by an intern (who I’d imagine has since been introduced to the error of his ways), it is all the more understandable.
However, less than 24 hours later, I received another email, this time from the Information Commissioner's Office, requesting further information regarding May and Stephens’ data leak.
As it says on its website, the Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. At a time when public and private sector organizations are spewing personal data left, right and centre, it is of some comfort that there exists an organization – which is slowly but surely acquiring greater powers with which to back up its remit – that is trying to persuade them not to.
But whatever the judgement of the ICO, it can only pursue its aims if these cases are reported, by disclosure either from the organizations responsible (unlikely, if not entirely unknown) or those to whom the data pertains.
So I’m in a bit of a fix as to whether to just accept the whole thing as a fait accompli and forget it, or to respond to the ICO’s request. Compounding my indecision is the fact that I am only one of several hundred people who were affected, so in a way it’s not just my decision to take. (Taken to its natural conclusion, in the age of mass digital connection, privacy issues over data leaks and cybercrime affect an extraordinary amount of people, including anyone reading this.)
So to resolve my indecision, I’ve set up a poll. I’d imagine many people are heartily sick of the whole voting thing by now, but I can at least predict with near-certainty that this ballot will be more decisive than the one last Thursday. I’ve set out what I see as the main points for and against, and would be enormously grateful if you would see fit to state your opinion below as to whether May and Stephens should be referred to the Information Commissioner’s Office.
If there are any angles you think I haven’t addressed and which merit attention, do use the comments section to voice them. While the vote is anonymous, multiple votes bearing the same IP address will be discarded. The deadline for casting votes is 5:00pm Wednesday 19 May 2010.
Should May and Stephens be referred to the ICO?
Against referral: It was a one-off error, purportedly committed in innocence by an intern who has, in any case, probably learned a valuable lesson. There is no evidence to suggest it is part of a recurring pattern of behaviour. As one commenter pointed out on the original post, nor would it be possible to prove that any subsequent attempted phishing scams transpired as a result.
For referral: An honest mistake it might have been, just as such cases nearly always are. The absence of malevolent intention, however, does not stop data leaks being used by others for malevolent purposes, and ignorance cannot be regarded as a defence. The very fact that an inexperienced intern was left with the data, without sufficiently rigorous training, and able to make such an error demonstrates how little priority May and Stephens gives to data security. If such organizations are not referred to the ICO, it cannot properly undertake its duties, and those who fail to comply with the Data Protection Act will be able to carry on leaking personal confidential data, whether by mistake or not. The gravity of this aspect is made all the more serious by the company’s partnership with the Department for Work and Pensions.