Will the CofE go New or Old Testament?
Kennedys has apologised and reported itself to the SRA after it accidentally revealed the names of dozens of people who had registered for updates on the Church of England’s redress scheme for victims of Church-related abuse.
The firm was appointed to administer the Church of England’s redress scheme for victims and survivors in March 2024.
But on Tuesday evening, someone at Kennedys sent an email to 194 individuals and law firms who had registered to receive updates for the scheme without blind copying them.
As a result, all the email addresses were visible to all the recipients. The firm said attempts to recall the message “were only partially successful”.
In a statement on its website attributing the galactic mistake to human error, Kennedys said it was “deeply sorry for the hurt and concern caused to everyone affected by this significant error and accepts full responsibility”.
“We have contacted everyone who received the message and have reported the incident to the Charity Commission, the Information Commissioner’s Office and the Solicitor’s Regulatory Authority”, it said.
Kennedys said it would fully comply with any investigations and had also launched an internal investigation “to understand how this could have occurred and will incorporate any lessons learnt into our procedures immediately”.
“We understand the significant impact this will have on those affected for which we apologise unreservedly”, added the firm.
Mark Stibbe, a victim of CofE abuse who was on the list, told Channel 4 News, “I actually had a very physical reaction when I saw what had happened”.
“I started shaking… I was shocked, first of all, that such a data breach had happened and that a new low had been reached in terms of incompetence.”
“But also I think it was anxiety, particularly about what other victims who were on that list were perhaps feeling in that moment when they had been very intentional about maintaining their anonymity.”
Stibbe said it would be unfair to target the Kennedys employee who sent the email, given they may be junior or may not have been properly briefed.
But he said it was an example of how the CofE “keeps making an absolute shambolic mess of the whole process”, and suggested the Bishop of Winchester, who chaired the board which set up the redress scheme, may have to consider standing down.
In a statement the Church of England said, “This should not have happened”.
“While the Church of England is not the data controller for the Redress Scheme and does not hold or manage the data in question, we are nonetheless profoundly concerned”, it said.
“We are in discussions with Kennedys to understand how this breach occurred and to ensure robust steps are taken to prevent anything similar from happening again.”
Comments
68
20
Did Kennedys hire the unfortunate person from the MOD Afghan division by any chance?
39
23
no mercy for Kennedys, I still remember that bluddy queen music video by the dunderheads who fled there after spectacularly nosediving Halliwells into the ground
26
19
The legal ombudsman is pushing for the payment of compensation for emotional strain when a law firm’s service has fallen short of a reasonable standard.
This seems right, but will be expensive in situations like this (but also if the role of the lawyers in the Post Office scandal ever gets adequately tackled).
71
23
This is at least in part a tech design problem.If i tty to send an email without a subject line, or if it contains the word “attach” but i have not attached anything, the system will pointb this out before sending. A feature which asks “Do you really want to Reply all?” before sending would save a lot of people from disaster.
43
31
They never interview a victim who says "no bother, it's just an email address".
102
26
I have a lot of sympathy for the person at Kennedys. It literally could happen to any of us.
34
17
What a shambles.
29
62
The Partner in question should be held responsible and shown the door. Others will vote with their feet over this… Massively unimpressive.
63
15
@10.20 - you have no idea how a global law firm operates
43
19
"A feature which asks “Do you really want to Reply all?” before sending would save a lot of people from disaster"
Quite.
Would it really decrease productivity too much if we had a pop-up that said "Yo buddy, there's over ten people in the 'CC' field here, did you really mean to include them all?" when we sent stuff?
I mean sure, at Irwin Mitchell they're all going to add three units for clicking "you fucking bet I did" each time, but for the rest of us it would be a godsend.
14
24
Such mistake is not new and should never have happened these days if the sender, particularly if he or she is a lawyer, takes a few seconds to think before hitting the cc or bcc button.
25
23
Technology based email Safety Net systems will only take you so far..... whats really needed is Lawyers and BD people need to take some personal responsibility and engage their brains when firing off mailshots.
28
18
slow handclap for anon 12.37, winning the Sybil Fawlty award for the bleedin obvious
30
18
They have a significant cyber and data privacy practice which is concerning insofar as the incident has been managed. It'll be interesting to see if the ICO comes down hard on them as they have a number of public sector organisations and charities in recent years.
22
35
Surely there are protocols in a case like this and supervision and checks? Surely?
32
17
I like the way Kennedys suggest it was “human” error paving the way for someone low down to take the blame when those above should have ensured that such a disastrous error in sensitive circumstances should never have been possible.
28
20
So Kennedys consider it to be “human” error. Good luck with that one.
21
20
It might be understandle if you send your Tescos shopping list to unintended adressess but if you are being trusted and paid premium rates for keeping sensitive information safe, it is unforgivable. Particualrly so given the damaging consequences. Those responsible for managing the scheme need to brought to account
22
21
Only divine intervention here was roll on Friday ensuring the public knows.
27
16
So Mark Stibbe thinks it would be unfair to target the employee who sent the email...yet wants the Bishop who doesn't even have access to the data to step down? I get that he is naturally going to be biased against the CofE with him being a victim. But can the CofE really be held responsible for the data breach?