Accidental data breach by a trainee: consequences?

Uploaded a document to a client’s portal that was meant for another client


I would like to ask your advice regarding the above.

I have been employed as a trainee accountant by a practice and I am still very new, currently in my probationary period.

Unfortunately, I happened to upload a document to a client's portal that was meant for another client. Apparently, there was no data breach. (I mention a data breach in the title because there could have been.)
 

I have been given a verbal warning because of this and told that if it wasn't for my other work I would be let go. I feel really bad as it is a very silly and a very serious mistake. I worked in another practice for two years before this job and never did anything like this. On this occasion I failed to double-check what I was uploading.

I received all the blame for it and was told that because of this we may lose a very good client, but I would think that as a trainee accountant, all my work, including attachments, should be checked before going out to clients and obviously wasn't this time. (I am not set up to send emails directly to clients yet.)

I have learned my lesson and now check everything twice, but I am unsure if there is any basis for me to actually stand my ground or just take it on the chin and be grateful for not being fired?

Obviously, accountants must take data security very seriously and I do realise how serious this was.

I would be grateful if you could advise if I am being unreasonable.

Replies (40)


By Truecon
25th May 2021 14:29

You admit you made a mistake, so what would you mean by standing your ground?

Own the mistake and move on personally

Thanks (1)
By Wanderer
25th May 2021 14:33

Quote:

...but I would think that as a trainee accountant, all my work, including attachments, should be checked before going out to clients and obviously wasn't this time.

You can't expect absolutely everything to be checked by your employer, including what appears to be an admin task. If they did check everything you do then they might as well just do everything themselves. You've over two years' experience so are not the most junior of trainees.

Accept what has happened & move on.

Thanks (5)
By ireallyshouldknowthisbut
25th May 2021 14:35

If it's any help, I am an experienced accountant with my own practice for 20 years and I still do stupid stuff now and again.

I am human.

The key thing to me is to learn from it and don't try and hide or make excuses. Always hold your hand up and say "sorry", never try to hide your mistakes. If you are already doing this, then there is not much else you can do apart from forgiving yourself.

Thanks (11)
Replying to ireallyshouldknowthisbut:
By Southwestbeancounter
25th May 2021 14:48

Very good advice Ireallyshouldknowthis!

Never try to cover up or blame others, just be honest and accept that we all make mistakes from time to time, and will continue to do so, but in the meantime try to learn from this mistake to double check and check again next time!

Thanks (2)
By Truthsayer
25th May 2021 14:51

It sounds like you work for a thoroughly bad employer. I bet every partner has done something like that several times, but no one knew. Yes, you should always double check what you upload just before you send it, but employers have to understand that however careful employees are, mistakes will slip through. This is in any case not a big deal, as I doubt whether even one accidental leakage in ten thousand has any consequences when it is between typical accountancy clients. It just means one business gets sent a few bits of information about another business they have never heard of and which is of no interest to them.

Thanks (0)
Replying to Truthsayer:
By Mr_awol
25th May 2021 15:03

I'm not convinced it makes them a bad employer and I have to say the assumption it will be about a random business is a bit shaky.

Personally I'd have made certain the employee knew how serious it was, but not thrown my toys completely (as it can, admittedly happen to 'anyone' and in fact probably has happened to 'everyone' at some point).

Depending on the practice the client base may be very localised, small towns, etc. Additionally, who knows how the OP's firm organise their files/docs/etc. If they are in alpha-numerical codes, for example, then these tend to be led by client surnames (or parts thereof) and I've acted for various clients who would rather you leaked their personal data to the local papers than certain family members.

Thanks (0)
By Mr_awol
25th May 2021 15:06

You can't expect them to check your uploads to a portal - and your paragraph about 'getting all the blame' would annoy me if you were one of mine. As would any attempt to 'stand your ground'. In fact this might well make me more angry than the incident itself. As you are in a probationary period you have little to no rights in terms of an unfair dismissal claim (as long as dismissal isn't discriminatory) so you should pick your fights a little more carefully perhaps.

That said, your line manager/the partner in charge/etc may be making a bigger deal of it at the time because they are the ones who have just had to tell two clients about this - one being the person who received someone else's data and the other being the one whose data it was. They've therefore been made to look/feel like a buffoon and could be taking it out on you. Perhaps it will blow over quicker than you think.

Did you report it because you realised, did the recipient report it because they picked it up first, did another internal source pick it up before the client had chance to access it? This (and the information in the document) will determine whether it is a breach - as well as your firm's role. I'm not an expert but I believe if you are a data processor (i.e. if it was a payroll document) you may not have to report a breach but the client may have to - in ways that's even worse.

Positive actions/approaches/mentality you could adopt instead:
1) Accept you made a mistake, and a fairly serious one at that.
2) Don't dwell on it though. It's very easily done. I dare say we have all sent an email, and when we started typing the address Outlook 'helpfully' autocompleted it and (especially if we were in a hurry) we've quickly sent something to the wrong person. Anyone who says they haven't done this is probably lying, lucky, or just unaware (sent to dead email, or recipient didn't inform them, etc).
3) Make a positive suggestion. If your firm has not got a policy of passwording PDFs etc before they go into the portal, should they consider it? Obviously the portal itself is a secure area so better than email but doesn't protect against errors like this. If your practice software can be set to automatically insert a set password for that client, then security could be improved without any real effort on the firm's part.
4) Offer to phone the client(s) yourselves to apologise for your error. Proof that you are willing to take ownership/fix your own mess would go a long way with me - even if I'd refuse it in cases like this.
5) Take some (but not too much) comfort from the fact that they have referenced your good work in other areas. I don't think this would result in a good employee being dismissed at most firms, but equally it would be a sufficient excuse to get shot of someone you thought was never going to make it.

Thanks (3)
Replying to Mr_awol:
By Southwestbeancounter
25th May 2021 15:04

Good advice Awol and I agree with you about point 2) - A few years ago I had to send an email to a Margaret, Mary and another M - say Mungo! - and I accidentally copied in the wrong Mary - luckily it was just a 'chatty' email rather than anything specific and so it didn't matter per se but I felt it was unprofessional and it taught me to double check and check again!

Thanks (1)
Replying to Southwestbeancounter:
By Mr_awol
25th May 2021 15:12

Honestly I think with things like this you only ever truly learn when you make the mistake yourself. Until then people can TELL you to be careful but there is nothing like that blood curdling moment when you get a response of "I think you sent this to the wrong person" or "this isn't mine" for focussing the mind!

It wasn't my mistake granted, but I have also had clients send me sensitive financial information which rather gave away how much money they were making on a job - and accidentally copy the customer in on it! Luckily the response from the customer about 'maybe we should ask for a discount' was only light-hearted.

Thanks (0)
By DJKL
25th May 2021 15:14

To make you feel better, we were once doing a property transaction and the solicitor for the other side made a mistake and somehow added us to the list of those on the other side of the deal who were receiving his e-mails. Given this group were merrily pinging Reply All to one another we had a pretty good view how they were dealing with all matters pertaining to the transaction as it progressed.

Even partners in law firms can F Up, easily done.

And there but for the grace of god go I, a week ago I thought I had sent a reply to our solicitor re a property sale transaction we were doing, it was only when she chased me for the document I had sent that I realised I had instead sent the e-mail to a work colleague rather than to her - we are all human and all one can do is try one's best.

Thanks (0)
By Tax Dragon
25th May 2021 15:20

To save the querist posting back (thereby moving from anonym to pseudonym), can someone explain the "am I being unreasonable?" question? I've read the OP a couple of times and don't know what is happening. Is it (about) objecting to a verbal warning? (I personally wouldn't, if so.) If not... what is it about?

Although I'm not understanding the question, there's lots of great comment/insight/wisdom/experience in the responses.

Thanks (0)
Replying to Tax Dragon:
By Duggimon
26th May 2021 11:55

They are asking if it is unreasonable of them to think the blame for their mistake is not all theirs and that the business is at fault for not checking every action they take.

Thanks (1)
Replying to Duggimon:
By Tax Dragon
26th May 2021 21:05

Thank you.

Thanks (0)
By tom123
25th May 2021 15:20

There will not be one person on this board who has not done something similar.

See also - sending cash payments to the wrong people etc.

Employment is a two way street.

If your employer is being too much of a pain about this, in due course you may decide to move elsewhere.

What is done is done, things go wrong, if people don't like that then they are not suited to being employers.

Thanks (4)
Replying to tom123:
By DJKL
25th May 2021 15:26

Agreed- there is often far too much remembering the foul ups but not rewarding the stellar performances, if employers want perfect employees they ought to consider employing robots (until they of course inevitably rise up and overcome their masters)

Thanks (1)
By Paul Crowley
25th May 2021 15:28

I am struggling with the thought that a supervisor can check all documents go to the correct 'portal'.

Thanks (1)
By NH
25th May 2021 15:41

I am limping on 2 opinions here, on the one hand you seem to want to shift the blame away from yourself when it is clearly all your fault, but on the other hand your employer sounds like an idiot to say that you would have lost your job

Thanks (0)
Replying to NH:
By tom123
25th May 2021 18:48

Recruitment and training are expensive. Why would a sensible employer bring this on themselves, especially for something with no cost?

Where does it end? Do they sack everyone who crashes a company vehicle etc etc?

Thanks (0)
Replying to NH:
By Paul Crowley
27th May 2021 12:24

Agree both
Everyone makes mistakes
Employee cannot shift responsibility for their actions
Employer is a [***] suggesting one simple error is a sacking offence

Thanks (0)
By I'msorryIhaven'taclue
26th May 2021 12:50

Are you certain there was no data breach?

Very often your firm will be not only a processor but also a controller in relation to client's data. Depends to an extent upon the type of document, and whether the client or your firm decides just how to process that data.

Go check it out. Could be a useful safeguard to have up your sleeve. And, for the record, implying and/or threatening that you might be dismissed sounds like an overreaction to me. All the more so if your firm have no safeguards in place. I'd be switching to self-preservation mode in your shoes: bare minimum of work all double and treble checked, because otherwise your next mistake will be seized upon and escalated. Sending a future document would take me at least a quarter of an hour.

Thanks (0)
By adam.arca
26th May 2021 13:34

Just picking up on a couple of points in this thread (and there's been some great ones btw):

When I was training (this was the very early 90s, recession-time), a fellow audit senior was seconded to tax, accidentally faxed something sensitive to an unrelated client on speed dial and ended up sacked. So it does happen. I think it's fair to say that the firm's need to de-size played a part but the moral we all picked up was never to give the b*st*rds that opportunity.

And this does happen to everyone at some point. I can't remember the previous time I did something like this but I did actually do it about a month ago. Luckily, I now religiously password protect my pdf attachments (GDPR does have some plus points) so there was no harm done in that case.

Thanks (1)
By JD
26th May 2021 13:50

The day you think you do not ever make mistakes or are not prepared to learn from them, is the day you need to leave the profession - very quickly.

As others have said, Own it, learn from it and move on - It's called gaining hard won experience.

Next week it will be somebody else in your office making some other error.

Thanks (0)
Replying to JD:
By I'msorryIhaven'taclue
26th May 2021 13:59

According to (live) Sky reports, Matty Stopcock made dozens of mistakes which cost thousands of lives. If you believe Dominic Cummings (and who wouldn't!)

Worse, it seems Matty told porky-pies and tried to blame others so as to cover up his ineptitude. Which, to your credit OP, you didn't. Maybe we should make you Health Minister and give Matty Stopcock your job.

Thanks (2)
Replying to JD:
By SteveHa
29th May 2021 19:47

Quote:

The day you think you do not ever make mistakes or are not prepared to learn from them, is the day you need to leave the profession - very quickly.

I have never made mistakes. I thought I had, once, but I was wrong.

Thanks (1)
Replying to SteveHa:
By Hugo Fair
29th May 2021 20:32

I'm reminded of an old local drunk whose proud boast was that he'd never lost an argument (because his audience always melted away in the face of unremitting hectoring) ... until the day of reckoning.
I was on my way to play football when I saw him outside a (closed) pub, muttering at his reflection in the giant Victorian window. As I got closer, the tempo of his mutterings increased - and I realised that he was arguing with himself. His opponent's apparent mockery (copying his every move) inflamed him .. to the inevitable point where he took an almighty swing.
[Fortunately there was a telephone box on the corner, and I was able to summon an ambulance]!

Thanks (1)
Replying to SteveHa:
By JD
05th Jun 2021 19:56

My mistake of course, thinking that others here might make the occasional slip....

Thanks (0)
By philrob
26th May 2021 17:31

In terms of warnings there is (normally):
- Idiot - don't do it again (i.e. an informal warning)
- Verbal Warning (which they probably have to write to you to confirm but it is still verbal)
- First Written
- Final Written
- Dismissal (go directly here for Gross Misconduct)

The pecking order for your practice should be in your staff handbook and/or contract - it might contain willfully breaching client confidentiality as an example of Gross Misconduct. From what you have said, it was not willful or deliberate.

From a client point of view how upset I would be depends on what the content was - draft accounts would worry me far less than payroll reports. (Company data vs personal data) Whether you 'caught' it unseen or whether the wrong recipient reported the mistake would also make a difference (one is a potential breach, the other is a breach)

From your boss's point of view issuing a Verbal Warning is the least action they can take and still tell the clients truthfully that "the individual concerned is well aware of their mistake and its seriousness, has received a formal warning and I am confident will have learned from the experience"

In essence, accept the warning and move on.

That said - there are probably lessons to be learned for the practice and it would be worth the practice spending a bit of time reviewing those lessons (think aircraft investigations vs surgeons glossing over poor outcomes) - What contributed to the mistake? What changes could reasonably be made to reduce the chance of it happening again etc.

As a simple example, if every filename used within the practice is in the format "clientref - description" then users would be more likely to spot a problem uploading a file with 'phil' as the clientref to a client portal with 'rob' (since all the other files in that bit of the portal would start with rob) than they would uploading files called say "2020 draft accounts" into a portal with lots of similarly generically named files.

Thanks (4)
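
The "clientref - description" naming convention suggested in the post above can also be checked by software before a file reaches a portal, instead of relying on someone spotting the odd name out. The sketch below is an added example, not part of any post and not taken from any portal product; the function names, the sample client references and the 0.8 near-miss threshold are assumptions.

```python
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Iterable, List, Optional

# Constructed sample data: client references known to the practice.
KNOWN_REFS = frozenset({"PHIL", "ROB", "SMITHJ", "SMYTHJ"})
NEAR_MISS = 0.8  # assumed similarity threshold for "looks almost right"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    code: str    # ok | no_client_ref | unknown_ref | wrong_client | wrong_client_near_miss
    detail: str


def normalise(ref: str) -> str:
    """Fold case and Unicode compatibility forms so 'Rob ' and 'ROB' compare equal."""
    return unicodedata.normalize("NFKC", ref).strip().casefold()


def parse_client_ref(filename: str) -> Optional[str]:
    """Return the normalised clientref of 'clientref - description.ext', else None."""
    stem, dot, ext = filename.rpartition(".")
    if not (dot and stem and ext):
        return None
    # Only the first " - " separates the reference from the description.
    ref, sep, desc = stem.partition(" - ")
    if not (sep and ref.strip() and desc.strip()):
        return None
    return normalise(ref)


def check_upload(filename: str, portal_ref: str,
                 known_refs: Iterable[str] = KNOWN_REFS) -> Decision:
    """Decide whether `filename` may be uploaded to the portal of `portal_ref`."""
    known = {normalise(r) for r in known_refs}
    target = normalise(portal_ref)
    if target not in known:
        raise ValueError(f"portal reference {portal_ref!r} is not a known client")

    ref = parse_client_ref(filename)
    if ref is None:
        # Generic names such as "2020 draft accounts.pdf" carry no owner at all.
        return Decision(False, "no_client_ref",
                        "filename is not in 'clientref - description' form")
    if ref not in known:
        return Decision(False, "unknown_ref", f"'{ref}' is not a known client")
    if ref == target:
        return Decision(True, "ok", "client reference matches the portal")

    # Mismatch. Similar references (same surname, different spelling) are the
    # ones a hurried human is least likely to notice, so call them out.
    similarity = SequenceMatcher(None, ref, target).ratio()
    if similarity >= NEAR_MISS:
        return Decision(False, "wrong_client_near_miss",
                        f"file belongs to '{ref}', which only resembles '{target}'")
    return Decision(False, "wrong_client",
                    f"file belongs to '{ref}', portal belongs to '{target}'")


def blocked_in_batch(filenames: Iterable[str], portal_ref: str,
                     known_refs: Iterable[str] = KNOWN_REFS) -> List[str]:
    """Return the filenames in a batch that must not go to this portal."""
    return [f for f in filenames
            if not check_upload(f, portal_ref, known_refs).allowed]


if __name__ == "__main__":
    # Constructed filenames, all aimed at the portal of client ROB.
    for name in ["rob - 2020 draft accounts.pdf",
                 "phil - 2020 draft accounts.pdf",
                 "2020 draft accounts.pdf"]:
        print(name, "->", check_upload(name, "ROB"))
```

A check like this only helps if files are named consistently at the point they are created; it does not replace password-protecting sensitive documents.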
By philrob
26th May 2021 17:53

The student was given the opportunity to ask the 'Great Leader' how they became so 'Great'.

"Ah", said the Great Leader, "I can answer that question in two words."

"Great Leader", said the student breathlessly, "Please, share your wisdom, what are those words? What is it that made you the 'Great Leader' you are? Please tell me."

"Good Decisions." Said the 'Great Leader'.

The student, hoping for something a bit more inspiring, pressed the 'Great Leader' for more.

"Great Leader," she said, "I was hoping for something more, something I could take away, something that would help me become like you. Please tell me, Great Leader, what is the secret to 'Good Decisions'."

"Ah," says the Great Leader, "the secret to Good Decisions is but one word".

"One word," exclaims the student, "Pray, tell me that word, I must know".

"Experience." Says the Great Leader.

The student, a little peeved by the near monosyllabic responses of the 'Great Leader' presses on and asks to be told the secret to gaining 'Experience'. They are more than a little frustrated when the 'Great Leader' says "it is but two words".

When pressed to reveal those two words, the ultimate secret to their Greatness the 'Great Leader' replies "Bad Decisions".

Thanks (4)
Replying to philrob:
By I'msorryIhaven'taclue
26th May 2021 22:02

Aesop?

And, if so, why can't the Great Leader and the Student be a fox and rabbit, or tortoise and hare; or something slightly more obtuse?

If you carry on like this without metaphoric reference then you're in danger of being understood by clients. Which, of course, would be letting the side down ;-)

Thanks (0)
By New To Accountancy
26th May 2021 22:17

I have done this myself and it is horrifying. I am reiterating other posters here and I agree with them all.
I did cringe a little when you wrote:

'but I would think that as a trainee accountant, all my work, including attachments, should be checked before going out to clients and obviously wasn't this time. (I am not set up to send emails directly to clients yet.)'

- As this is trying to place the blame on your employer - something you need to learn to stop straight away. I understand it comes from panic but do take responsibility.

When I did it, I was very unprofessional in how I dealt with it, I contacted the client (whose data I had breached) and told them, but - I cried on the phone! I was just so mortified. I had emailed his payslip (he was/is the director) to another client. Both clients have the same name except their forenames have different spellings.

Both clients were absolutely wonderful with me and explained we all make mistakes and that they had done the very same thing too.

I am very lucky and grateful that both clients responded this way. Upon this happening, I decided only to use Sage software to submit payslips, as they are password-protected, I am also not as eager to press 'send' anymore on general emails, I double-check everything.

Sometimes when you're back and forth between clients, it can be tricky to get the last business out of your head, so this was a mental learning curve for me too, I mentally 'forget' the last client and focus on the current client. It can be done, I just have to deal with one client at a time and give emails a dedicated 'time slot' so I am not all over the place. Emails are the worst thing for me, they completely ruin my set tasks if I let them. I still have my 'scrambled' days, but I allow and prepare for them now, then get back into organisation mode.

This client still mocks me, when he sees me he will act as though he wants to tell me something important and whisper things such as 'I've lost my bank details, don't suppose one of your clients know them do they?'. The comments get more sarcastic too, I think he plans the next comment in advance.
I am not complaining, I love this humour.

If I was you, I would ask your employers if you can have a chat, explain to them how sorry you are and how you have accepted responsibility and explain to them what you have done to ensure YOU do not make this mistake again. Be proactive and responsible - you could use this opportunity to strengthen your relationship with your employers and build a more trusting relationship.

Good luck.

Thanks (0)
By FCExtraordinaire
28th May 2021 09:56

Accept you made a mistake but be constructive such as information on a portal should be password protected so nobody else could be opening them.
I think we have all done something similar in our time due to email addresses etc, and the receiving client will have no idea what you are talking about.
But I would enquire as to why the business is possibly losing a client over this. Did they write a letter in and complain, how did they know?
Don't worry too much, it's a storm in a teacup, the more senior person just has some explaining to do which, if handled professionally, shouldn't be an issue when they also explain what they have done to ensure it doesn't happen again.

Thanks (0)
By MarkRyan
28th May 2021 10:15

This is not your fault

It's the fault of your employer's system

If uploads to Client portals were automated, there would be no human error
A decent Client portal system acts as an extension of the internal document management system - automated, controlled and no human error

If your system relies on human intervention, it should include proper training and controls and review

Thanks (0)
By TracyClaydon
28th May 2021 10:28

There has been much decent advice given in the responses, which in the main, have come from years of experience. Accept that mistakes will be made, learn from them, fall on your sword if that is necessary, and move on. I made a rather unique mistake when working in a tax office for the Inland Revenue, pre HMRC days, so quite a few years ago! I took over ordering supplies from another officer and ordered the same amount of loo rolls as he had previously, reasonably thinking that amount had been ordered last time, therefore that must have been what was delivered, so we had used that amount. What I did not know was that the supplier had knocked a nought off the previous order and delivered less. I did not sufficiently check that what had been previously ordered was what had been delivered. We had so much loo roll it was ridiculous and had to send it out to other tax offices. You can imagine the stick I took, and it went on for as long as I worked in that particular tax office. Who knew you could come up with so many jokes about loo roll...........

Thanks (4)
By Nebs
28th May 2021 13:23

In light of recent articles on here about information being sent to the wrong person, I'd say you have a bright future ahead working for HMRC.

Thanks (2)
By Husbandofstinky
28th May 2021 13:42

I do hope it was just an over zealous partner just laying it on a bit thick to focus the mind. If not and you are continuously reminded of that fact, move on when you get the chance. It may always be held against you. Only time will tell.

As already mentioned, we have all done 'those mistakes' including the person who reprimanded you. Don't ever feel they are better than you in that sense. Perhaps there has been an even greater fail on their part over the years you do not know about?

I do probably spend a bit too much time double and triple checking things before sending it off to the void. However, I deem it necessary due to the potential consequences. Others perhaps focus more on productivity and getting the work out. Each to their own but whatever the issue, always take the mistake, admit to it whatever the gravity. No one likes a buck passer because everyone else can see right through it.

I think my worst one is calling someone a 'dxxxhead' on a call transfer to someone I work with (only two of us in the office anyhow). Hold, transfer etc but then realising I missed the button and he heard me call him that. It wasn't a customer, but one of those practice loan companies who constantly rang weekly peddling their wares a number of years back. In short sales, so I couldn't give a monkey's anyhow.

The best one I had on the receiving end, was from the big local firm of solicitors. By mistake, they had sent to me quite a lot of court documents relating to a case they were dealing with (expert witness statements etc). From memory I did see the case name, but was not interested in the detail. Too much other stuff to get on with. I don't even recall responding to that email and I think I just deleted it. A big mistake and that was from a partner I was dealing with on another case with a mutual customer. I do love solicitors.....

One poster mentioned you feeling like a 'buffoon'. Don't worry about it as this country is run by one of the greatest buffoons. The Cummings, Boris, Hancock debacle highlights this and all of this has been going on since the beginning of time, no matter what your politics. It is just a case of whether it ever comes out or not. The state is probably the expert in that field.

Thanks (0)
By Beach Accountancy
28th May 2021 19:32

I've had to turn off the auto-fill on Outlook due to sending the wrong information to John H rather than John T. Luckily John H was reasonable and just said "I don't think that's meant for me".

In my very early days, and in the infancy of internet banking, I did an inter-group transfer for £11m. HSBC Hexagon (anybody remember that) used Debits and Credits (from the bank's point of view) rather than payments in and out. Result: next morning we were £22m overdrawn. Whoops! Luckily the FD just laughed.

Thanks (1)
Replying to Beach Accountancy:
By LW64
04th Jun 2021 11:49

Working in finance in a private bank years ago, we did have an external auditor that failed to understand what a debit or credit balance from a bank perspective meant and sent all of the audit letters out back to front.

Thanks (0)
By bendybod
02nd Jun 2021 16:35

Totally agree with those who say we all make mistakes. The first payroll run that I got trusted with for a previous employer happened to coincide with my grandmother passing away. In those days, said employer used an Excel spreadsheet to make complex adjustments to the payroll for some employees who had expenses deducted by overseas offices. I made mistakes to the tune of about £10,000 (in 2006) on about five people's payroll and had to ask for the money back. I had failed to notice that the formula had not picked up the overseas deductions. The CEO hauled me over the coals in front of everyone at coffee break because he, incorrectly, assumed that it had affected everyone (not that that excused him hauling me over the coals publicly). After I'd talked to my line manager about how to deal with it, I went to the CEO and told him that the error had only affected five people and that if he had (very legitimate, in this case) problems with my work then I would appreciate it if we could resolve it on a one to one basis in future. I carried on working there for five years. My point is that sometimes there is "blame" on both sides - why were they using an Excel spreadsheet that is so open to accidental error and, even good-naturedly, humiliating me in front of all of my colleagues was wrong - but how you communicate that fact says as much about how you will fit in to the organisation as the mistakes that you make. In his defence, the CEO also accepted his error in dealing with it, apologised to me in person and then publicly stated at the coffee break the following day that he had been out of order.
I remember another ex-boss saying that he never needed to lay it on thick with me because he could never "beat me up" as much as I would beat myself up about a mistake.
Now that I'm a boss, I try to keep things proportionate to the person and the error. I won't pretend that I always get that right either but generally speaking "how are we / you going to put it right" comes first, followed by "what went wrong and why".

Thanks (0)
Replying to bendybod:
By Paul Crowley
05th Jun 2021 20:26

I agree
First fix the problem
Second figure out how to avoid repeating the problem
Third share the solution

Thanks (1)