Anonymous
Share this content

Accidental data breach by a trainee: consequences?

Uploaded a document to a client’s portal that was meant for another client

Didn't find your answer?

I would like to ask your advice regarding the above.

I have been employed as a trainee accountant by a practice and I am still very new, currently in my probationary period.

Unfortunately, I happened to upload a document to a client's portal that was meant for another client. Apparently, there was no data breach. (I mention a data breach in the title because there could have been.)
 

I have been given a verbal warning because of this and told that if it wasn't for my other work I would be let go. I feel really bad as it is a very silly and a very serious mistake. I worked in another practice for two years before this job and never did anything like this. On this occasion I failed to double-check what I was uploading.

I received all the blame for it and was told that because of this we may lose a very good client, but I would think that as a trainee accountant, all my work, including attachments, should be checked before going out to clients and obviously wasn't this time. (I am not set up to send emails directly to clients yet.)

I have learned my lesson and now check everything twice, but I am unsure if there is any basis for me to actually stand my ground or just take it on the chin and be grateful for not being fired?

Obviously, accountants must take data security very seriously and I do realise how serious this was.

I would be grateful if you could advise if I am being unreasonable.

Replies (40)

Please login or register to join the discussion.

avatar
By Truecon
25th May 2021 14:29

You admit you made a mistake, so what would you mean by standing your ground?

Own the mistake and move on personally

Thanks (1)
avatar
By Wanderer
25th May 2021 14:33

Quote:

...but I would think that as a trainee accountant, all my work, including attachments, should be checked before going out to clients and obviously wasn't this time.

You can't expect absolutely everything to be checked by your employer, including what appears to be an admin task. If they did check everything you do then they might as well just do everything themselves. You've over two year's experence so are not the most junior of trainees.

Accept what has happened & move on.

Thanks (5)
By ireallyshouldknowthisbut
25th May 2021 14:35

If its any help, I am an experienced accountant with my own practice for 20 years and I still do stupid stuff now and again.

I am human.

The key thing to me is to learn from it and don't try and hide of make excuses. Always hold your hand up and say "sorry", never try to hide your mistakes. if you are already doing this, then there is not much else you can do apart from forgiving yourself.

Thanks (11)
Replying to ireallyshouldknowthisbut:
avatar
By Southwestbeancounter
25th May 2021 14:48

Very good advice Ireallyshouldknowthis!

Never try to cover up or blame others, just be honest and accept that we all make mistakes from time to time, and will continue to do so, but in the meantime try to learn from this mistake to double check and check again next time!

Thanks (2)
avatar
By Truthsayer
25th May 2021 14:51

It sounds like you work for a thoroughly bad employer. I bet every partner has done something like that several times, but no one knew. Yes, you should always double check what you upload just before you send it, but employers have to understand that however careful employees are, mistakes will slip through. This is in any case not a big deal, as I doubt whether even one accidental leakage in ten thousand has any consequences when it is between typical accountancy clients. It just means one business gets sent a few bits of information about another business they have never heard of and which is of no interest to them.

Thanks (0)
Replying to Truthsayer:
avatar
By Mr_awol
25th May 2021 15:03

I'm not convinced it makes them a bad employer and i have to say the assumption it will be about a random business is a bit shaky.

Personally I'd have made certain the employee knew how serious it was, but not thrown my toys completely (as it can, admittedly happen to 'anyone' and in fact probably has happened to 'everyone' at some point).

Depending on the practice the client base may be very localised, small towns, etc. Additionally, who knows how the OPs firm organise their files/docs/etc. If they are in alpha-numerical codes, for example, then these tend to be led by client surnames (or parts thereof) and I've acted for various clients who would rather you leaked their personal data to the local papers than certain family members.

Thanks (0)
avatar
By Mr_awol
25th May 2021 15:06

You cant expect them to check your uploads to a portal - and your paragraph about 'getting all the blame' would annoy me if you were one of mine. As would any attempt to 'stand your ground'. In fact this might well make me more angry than the incident itself. As you are in a probationary period you have little to no rights in terms of an unfair dismissal claim (as long as dismissal isn't discriminatory) so you should pick your fights a little more carefully perhaps.

That said, your line manager/the partner in charge/etc may be making a bigger deal of it at the time because they are the ones who have just had to tell two clients about this - one being the person who received someone else's data and the other being the one whose data it was. They've therefore been made to look/feel like a buffoon and could be taking it out on you. Perhaps it will blow over quicker than you think.

Did you report it because you realised, did the recipient report it because they picked it up first, did another internal source pick it up before the client had chance to access it? This (and the information in the document) will determine whether it is a breach - as well as your firm's role. I'm not an expert but i believe if you are a data processor (ie if it was a payroll document) you may not have to report a breach but the client may have to - in ways that's even worse.

Positive actions/approaches/mentality you could adopt instead:
1) Accept you made a mistake, and a fairly serious one at that.
2) Don't dwell on it though. It's very easily done. I dare say we have all sent an email, and when we started typing the address outlook 'helpfully' autocompleted it and (especially if we were in a hurry) wave quickly sent something o the wrong person. Anyone who says they haven't done this are probably lying, lucky, or just unaware (sent to dead email, or recipient didn't inform them, etc)
3) Make a positive suggestion. If your firm has not got a policy of passwording PDFs etc before they go into the portal, should they consider it? Obviously the portal itself is a secure area so better than email but doesn't protect against errors like this. If your practice software can be set to automatically insert a set password for that client, then security could be improved without any real effort on the firm's part.
4) Offer to phone the client(s) yourselves to apologise for your error. Proof that you are willing to take ownership/fix your own mess would go a long way with me - even if I'd refuse it in cases like this.
5) Take some (but not too much) comfort from that fact that they have referenced your good work in other areas. I don't think this would result in a good employee being dismissed at most firms, but equally it would be a sufficient excuse to get shot of someone you thought was never going to make it.

Thanks (3)
Replying to Mr_awol:
avatar
By Southwestbeancounter
25th May 2021 15:04

Good advice Awol and I agree with you about point 2) - A few years ago I had to send an email to a Margaret, Mary and another M - say Mungo! - and I accidentally copied in the wrong Mary - luckily it was just a 'chatty' email rather than anything specific and so it didn't matter per se but I felt it was unprofessional and it taught me to double check and check again!

Thanks (1)
Replying to Southwestbeancounter:
avatar
By Mr_awol
25th May 2021 15:12

Honestly i think with things like this you only ever truly learn when you make the mistake yourself. Until then people can TELL you to be careful but there is nothing like that blood curdling moment when you get a response of "i think you sent this to the wrong person" or "this isn't mine" for focussing the mind!

It wasn't my mistake granted, but I have also had clients send me sensitive financial information which rather gave away how much money they were making on a job - and accidently copy the customer in on it! Luckily the response from the customer about 'maybe we should ask for a discount' was only light-hearted.

Thanks (0)
Maytuna
By DJKL
25th May 2021 15:14

To make you feel better, we were once doing a property transaction and the solicitor for the other side made a mistake and somehow added us to the list of those on the other side of the deal who were receiving his e mails. Given this group were merrily pinging Reply All to one another we had a pretty good view how they were dealing with all matters pertaining to the transaction as it progressed.

Even partners in law firms can F Up, easily done.

And there but for the grace of god go I, a week ago I thought I had sent a reply to our solicitor re a property sale transaction we were doing ,it was only when she chased me for the document I had sent that I realised I had instead sent the e mail to a work colleague rather than to her- we are all human and all one can do is try one's best.

Thanks (0)
avatar
By Tax Dragon
25th May 2021 15:20

To save the querist posting back (thereby moving from anonym to pseudonym), can someone explain the "am I being unreasonable?" question? I've read the OP a couple of times and don't know what is happening. Is it (about) objecting to a verbal warning? (I personally wouldn't, if so.) If not... what is it about?

Although I'm not understanding the question, there's lots of great comment/insight/wisdom/experience in the responses.

Thanks (0)
Replying to Tax Dragon:
By Duggimon
26th May 2021 11:55

They are asking if it unreasonable of them to think the blame for their mistake is not all theirs and that the business is at fault for not checking every action they take.

Thanks (1)
Replying to Duggimon:
avatar
By Tax Dragon
26th May 2021 21:05

Thank you.

Thanks (0)
Routemaster image
By tom123
25th May 2021 15:20

There will not be one person on this board who has not done something similar.

See also - sending cash payments to the wrong people etc.

Employment is a two way street.

If your employer is being too much of a pain about this, in due course you may decide to move elsewhere.

What is done is done, things go wrong, if people don't like that then they are not suited to being employers.

Thanks (4)
Replying to tom123:
Maytuna
By DJKL
25th May 2021 15:26

Agreed- there is often far too much remembering the foul ups but not rewarding the stellar performances, if employers want perfect employees they ought to consider employing robots (until they of course inevitably rise up and overcome their masters)

Thanks (1)
avatar
By Paul Crowley
25th May 2021 15:28

I am struggling with the thought that a supervisor can check all documents go to the correct 'portal'.

Thanks (1)
blue sheep
By Nigel Henshaw
25th May 2021 15:41

I am limping on 2 opinions here, on the one hand you seem to want to shift the blame away from yourself when it is clearly all your fault, but on the other hand your employer sounds like an idiot to say that you would have lost your job

Thanks (0)
Replying to NH:
Routemaster image
By tom123
25th May 2021 18:48

Recruitment and training are expensive. Why would a sensible employer bring this on themselves, especially for something with no cost.

Where does it end. Do they sack everyone who crashes a company vehicle etc etc.

Thanks (0)
Replying to NH:
avatar
By Paul Crowley
27th May 2021 12:24

Agree both
Everyone makes mistakes
Employee cannot shift responsibility for their actions
Employer is a [***] suggesting one simple error is a sacking offence

Thanks (0)
Avatar
By I'msorryIhaven'taclue
26th May 2021 12:50

Are you certain there was no data breach?

Very often your firm will be not only a processor but also a controller in relation to client's data. Depends to an extent upon the type of document, and whether the client or your firm decides just how to process that data.

Go check it out. Could be a useful safeguard to have up your sleeve. And, for the record, implying and/or threatening that you might be dismissed sounds like an over reaction to me. All the more so if your firm have no safeguards in place. I'd be switching to self-preservation mode in your shoes: bare minimum of work all double and treble checked, because otherwise your next mistake will be seized upon and escalated. Sending a future document would take me at least a quarter of an hour.

Thanks (0)
avatar
By adam.arca
26th May 2021 13:34

Just picking up on a couple of points in this thread (and there's been some great ones btw):

When I was training (this was the very early 90s, recession-time), a fellow audit senior was seconded to tax, accidently faxed something sensitive to an unrelated client on speed dial and ended up sacked. So it does happen. I think it's fair to say that the firm's need to de-size played a part but the moral we all picked up was never to give the b*st*rds that opportunity.

And this does happen to everyone at some point. I can't remember the previous time I did something like this but I did actually do it about a month ago. Luckily, I now religiously password protect my pdf attachments (GDPR does have some plus points) so there was no harm done in that case.

Thanks (1)
avatar
By JD
26th May 2021 13:50

The day you think you do not ever make mistakes or or are not prepared to learn from them, is the day you need to leave the profession - very quickly.

As other have said, Own it, learn from it and move on - It's called gaining hard won experience.

Next week it will be somebody else in your office making some other error.

Thanks (0)
Replying to JD:
Avatar
By I'msorryIhaven'taclue
26th May 2021 13:59

According to (live) Sky reports, Matty Stopcock made dozens of mistakes which cost thousands of lives. If you believe Dominic Cummings (and who wouldn't!)

Worse, it seems Matty told porky-pies and tried to blame others so as to cover up his ineptitude. Which, to your credit OP, you didn't. Maybe we should make you Health Minister and give Matty Stopcock your job.

Thanks (2)
Replying to JD:
By SteveHa
29th May 2021 19:47

Quote:

The day you think you do not ever make mistakes or or are not prepared to learn from them, is the day you need to leave the profession - very quickly.

I have never made mistakes. I thought I had, once, but I was wrong.

Thanks (1)
Replying to SteveHa:
avatar
By Hugo Fair
29th May 2021 20:32

I'm reminded of an old local drunk whose proud boast was that he'd never lost an argument (because his audience always melted away in the face of unremitting hectoring) ... until the day of reckoning.
I was on my way to play football when I saw him outside a (closed) pub, muttering at his reflection in the giant victorian window. As I got closer, the tempo of his mutterings increased - and I realised that he was arguing with himself. His opponent's apparent mockery (copying his every move) inflamed him .. to the inevitable point where he tool an almighty swing.
[Fortunately there was a telephone box on the corner, and I was able to summon an ambulance]!

Thanks (1)
Replying to SteveHa:
avatar
By JD
05th Jun 2021 19:56

My mistake of course, thinking that others here might make the occasional slip....

Thanks (0)
avatar
By philrob
26th May 2021 17:31

In terms of warnings there is (normally):
- Idiot - don't do it again (i.e. an informal warning)
- Verbal Warning (which they probably have to write to you to confirm but it is still verbal)
- First Written
- Final Written
- Dismissal (go directly here for Gross Misconduct)

The pecking order for your practice should be in your staff handbook and/or contract - it might contain willfully breaching client confidentiality as an example of Gross Misconduct. From what you have said, it was not willful or deliberate.

From a client point of view how upset I would be depends on what the content was - draft accounts would worry me far less than payroll reports. (Company data vs personal data) Whether you 'caught' it unseen or whether the wrong recipient reported the mistake would also make a difference (one is a potential breach, the other is a breach)

From your bosses point of view issuing a Verbal Warning is the least action they can take and still tell the clients truthfully that "the individual concerned is well aware of their mistake and its seriousness, has received a formal warning and I am confident will have learned from the experience"

In essence, accept the warning and move on.

That said - there are probably lessons to be learned for the practice and it would be worth the practice spending a bit of time reviewing those lessons (think aircraft investigations vs surgeons glossing over poor outcomes) - What contributed to the mistake? What changes could reasonably be made to reduce the chance of it happening again etc.

As a simple example, if every filename used within the practice is in the format "clientref - description" then users would be more likely to spot a problem uploading a file with 'phil' as the clientref to a client portal with 'rob' (since all the other files in that bit of the portal would start with rob) than they would uploading files called say "2020 draft accounts" into a portal with lots of similarly generically named files.

Thanks (4)
avatar
By philrob
26th May 2021 17:53

The student was given the opportunity to ask the 'Great Leader' how they became so 'Great'.

"Ah", said the Great Leader, "I can answer that question in two words."

"Great Leader", said the student breathlessly, "Please, share your wisdom, what are those words? What is it that made you the 'Great Leader' you are? Please tell me."

"Good Decisions." Said the 'Great Leader'.

The student, hoping for something a bit more inspiring, pressed the 'Great Leader' for more.

"Great Leader," she said, "I was hoping for something more, something I could take away, something that would help me become like you. Please tell me, Great Leader, what is the secret to 'Good Decisions'."

"Ah," says the Great Leader, "the secret to Good Decisions is but one word".

"One word," exclaims the student, "Pray, tell me that word, I must know".

"Experience." Says the Great Leader.

The student, a little peeved by the near monosyllabic responses of the 'Great Leader' presses on and asks to be told the secret to gaining 'Experience'. They are more than a little frustrated when the 'Great Leader' says "it is but two words".

When pressed to reveal those two words, the ultimate secret to their Greatness the 'Great Leader' replies "Bad Decisions".

Thanks (4)
Replying to philrob:
Avatar
By I'msorryIhaven'taclue
26th May 2021 22:02

Aesop?

And, if so, why can't the Great Leader and the Student be a fox and rabbit, or tortoise and hare; or something slightly more obtuse?

If you carry on like this without metaphoric reference then you're in danger of being understood by clients. Which, of course, would be letting the side down ;-)

Thanks (0)
avatar
By New To Accountancy
26th May 2021 22:17

I have done this myself and it is horrifying. I am reiterating other posters here and I agree with them all.
I did cringe a little when you wrote:

'but I would think that as a trainee accountant, all my work, including attachments, should be checked before going out to clients and obviously wasn't this time. (I am not set up to send emails directly to clients yet.)'

- As this is trying to place the blame on your employer - something you need to learn to stop straight away. I understand it comes from panic but do take responsibility.

When I did it, I was very unprofessional in how I dealt with it, I contacted the client (whose data I had breached) and told them, but - I cried on the phone! I was just so mortified. I had emailed his payslip (he was/is the director) to another client. Both clients have the same name except their forenames have different spellings.

Both clients were absolutely wonderful with me and explained we all make mistakes and that they had done the very same thing too.

I am very lucky and grateful that both clients responded this way. Upon this happening, I decided only to use Sage software to submit payslips, as they are password-protected, I am also not as eager to press 'send' anymore on general emails, I double-check everything.

Sometimes when you're back and forth between clients, it can be tricky to get the last business out of your head, so this was a mental learning curve for me too, I mentally 'forget' the last client and focus on the current client. It can be done, I just have to deal with one client at a time and give emails a dedicated 'time slot' so I am not all over the place. Emails are the worst thing for me, they completely ruin my set tasks if I let them. I still have my 'scrambled' days, but I allow and prepare for them now, then get back into organisation mode.

This client still mocks me, when he sees me he will act as though he wants to tell me something important and whisper things such as 'I've lost my bank details, don't suppose one of your clients know them do they?'. The comments get more sarcastic too, I think he plans the next comment in advance.
I am not complaining, I love this humour.

If I was you, I would ask your employers if you can have a chat, explain to them how sorry you are and how you have accepted responsibility and explain to them what you have done to ensure YOU do not make this mistake again. Be proactive and responsible - you could use this opportunity to strengthen your relationship with your employers and build a more trusting relationship.

Good luck.

Thanks (0)
avatar
By FCExtraordinaire
28th May 2021 09:56

Accept you made a mistake but be constructive such as information on a portal should be password protected so nobody else could be opening them.
I think we have all done something similar in our time due to email addresses etc, and the receiving client will have no idea what you are talking about .
But I would enquire as to why the business is possibly losing a client over this. Did they write a letter in and complain , how did they know ?
Don't worry too much , its a storm in a teacup, the more senior person just has some explaining to do which , if handled professionally, shouldn't be an issue when they also explain what they have done to ensure it doesn't happen again.

Thanks (0)
avatar
By MarkRyan
28th May 2021 10:15

This is not your fault

It's the fault of your employer's system

If uploads to Client portals were automated, there would be no human error
A decent Client portal system acts as an extension of the internal document management system - automated, controlled and no human error

If your system relies on human intervention, it should include proper training and controls and review

Thanks (0)
avatar
By TracyClaydon
28th May 2021 10:28

There has been much decent advise given in the responses, which in the main, have come from years of experience. Accept that mistakes will be made, learn from them, fall on your sword if that is necessary, and move on. I made a rather unique mistake when working in a tax office for the Inland Revenue, pre HMRC days, so quite a few years ago! I took over ordering supplies from another officer and ordered the same amount of loo rolls as he had previously, reasonably thinking that amount had been ordered last time, therefore that must have been what was delivered, so we had used that amount. What I did not know was that the supplier had a knocked a nought off the previous order and delivered less. I did not sufficiently check that what had been previously ordered was what had been delivered. We had so much loo roll it was ridiculous and had to send it out to other tax offices. You can imagine the stick I took, and it went on for as long as I worked in that particular tax office. Who knew you could come up with so many jokes about loo roll...........

Thanks (4)
By Nebs
28th May 2021 13:23

In light of recent articles on here about information being sent to the wrong person, I'd say you have a bright future ahead working for HMRC.

Thanks (2)
By Husbandofstinky
28th May 2021 13:42

I do hope it was just an over zealous partner just laying it on a bit thick to focus the mind. If not and you are continously reminded of that fact, move on when you get the chance. It may always be held against you. Only time will tell.

As already mentioned, we have all done 'those mistakes' including the person who reprimanded you. Don't ever feel they are better than you in that sense. Perhaps there has been an even greater fail on their part over the years you do not know about?

I do probably spend a bit too much time double and triple checking things before sending it off to the void. However, I deem it necesary due to the potential consequences. Others perhaps focus more on productivity and getting the work out. Each to their own but whatever the issue, always take the mistake, admit to it whatever the gravity. No one likes a buck passer because everyone else can see right through it.

I think my worse one is calling someone a 'dxxxhead' on a call transfer to someone I work with (only two of us in the office anyhow). Hold, transfer etc but then realising I missed the button and he heard me call him that. It wasn't a customer, but one of those practice loan company's who constantly rang weekly peddling their wares a number of years back. In short sales, so I couldn't give a monkeys anyhow.

The best one I had on the receiving end, was from the big local firm of solicitors. By mistake, they had sent to me quite a lot of court documents relating to a case they were dealing with (expert witness statements etc). From memory I did see the case name, but was not interested in the detail. Too much other stuff to get on with. I don't even recall responding to that email and I think I just deleted it. A big mistake and that was from a partner I was dealing with on another case with a mutual customer. I do love solicitors.....

One poster mentioned you feeling like a 'buffoon'. Don't worry about it as this country is run by one of the greatest buffoon's. The Cummings, Boris, Hancock debacle highlights this and all of this has been going on since the begining on time, no matter what your politics. It is just a case of whether it ever comes out or not. The state is probably the expert in that field.

Thanks (0)
Pile of Stones
By Beach Accountancy
28th May 2021 19:32

I've had to turn off the auto-fill on Outlook due to sending the wrong information to John H rather than John T. Luckily John H was reasonable and just said "I don't think that's meant for me".

In my very early days, and in the infancy of internet banking, I did an inter-group transfer for £11m. HSBC Hexagon (anybody remember that) used Debits and Credits (from the bank's point of view) rather than payments in and out. Result: next morning we were £22m overdrawn. Whoops! Luckily the FD just laughed.

Thanks (1)
Replying to Beach Accountancy:
avatar
By LW64
04th Jun 2021 11:49

Working in finance in a private bank years ago, we did have an external auditor that failed to understand what a debit or credit balance from a bank perspective meant and sent all of the audit letters out back to front.

Thanks (0)
Pile of Stones
By Beach Accountancy
28th May 2021 19:32

I've had to turn off the auto-fill on Outlook due to sending the wrong information to John H rather than John T. Luckily John H was reasonable and just said "I don't think that's meant for me".

In my very early days, and in the infancy of internet banking, I did an inter-group transfer for £11m. HSBC Hexagon (anybody remember that) used Debits and Credits (from the bank's point of view) rather than payments in and out. Result: next morning we were £22m overdrawn. Whoops! Luckily the FD just laughed.

Thanks (0)
avatar
By bendybod
02nd Jun 2021 16:35

Totally agree with those who say we all make mistakes. The first payroll run that I got trusted with for a previous employer happened to coincide with my grandmother passing away. In those days, said employer used an Excel spreadsheet to make complex adjustments to the payroll for some employees who had expenses deducted by overseas offices. I made mistakes the tune of about £10,000 (in 2006) on about five people's payroll and had to ask for the money back. I had failed to notice that the formula had not picked up the overseas deductions. The CEO hauled me over the coals in front of everyone at coffee break because he, incorrectly, assumed that it had affected everyone (not that that excused him hauling me over the coals publicly). After I'd talked to my line manager about how to deal with it, I went to the CEO and told him that the error had only affected five people and that if he had (very legitimate, in this case) problems with my work then I would appreciate it if we could resolve it on a one to one basis in future. I carried on working there for five years. My point is that sometimes there is "blame" on both sides - why were they using an Excel spreadsheet that is so open to accidental error and, even good-naturedly, humiliating me in front of all of my colleagues was wrong - but how you communicate that fact says as much about how you will fit in to the organisation as the mistakes that you make. In his defence, the CEO also accepted his error in dealing with it, apologised to me in person and then publicly stated at the coffee break the following day that he had been out of order.
I remember another ex-boss saying that he never needed to lay it on thick with me because he could never "beat me up" as much as I would beat myself up about a mistake.
Now that I'm a boss, I try to keep things proportionate to the person and the error. I won't pretend that I always get that right either but generally speaking "how are we / you going to put it right" comes first, followed by "what went wrong and why".

Thanks (0)
Replying to bendybod:
avatar
By Paul Crowley
05th Jun 2021 20:26

I agree
First fix the problem
Second figure out how to avoid repeating the problem
Third share the solution

Thanks (1)
Share this content