News

US firm Paul Hastings in email blunder that lets prospective trainees see who they’re up against

By on
50

Exclusive: Almost 400 applicants notified

US law firm Paul Hastings has come a cropper after prospective applicants to its London training contract programme received an email containing the contacts of nearly 400 fellow TC chasers.

The email — sent by an external company to applicants yesterday morning, and seen by Legal Cheek — flagged “technical problems” with the service provider’s external website on training contract deadline day yesterday. Paul Hastings accordingly extended the deadline for its 2021 trainee scheme until today.

What would have been a well-intentioned gesture, unfortunately, backfired, when the email was sent out with all 388 prospective applicants’ email addresses (some of which featured the names of candidates) in the ‘Cc’ field rather than the ‘Bcc’ one.

A spokesperson for Paul Hastings said: “We have been notified this morning of a third-party data incident affecting applicants to our training contract scheme. We are in touch with the relevant third party, our e-recruitment services provider, to investigate what has happened and why, to ensure this does not happen again. We are acting swiftly including discussing with the regulatory authorities as appropriate. We are sorry this has occurred, and everyone affected will be contacted.”

The 2019 Legal Cheek Firms Most List

Paul Hastings, which is headquartered in Los Angeles, California, offers around seven training contracts in its London office each year. Trainees start on a salary of £45,000.

A spokesperson for Thomson Reuters, the company responsible for sending the email, told Legal Cheek: “We are aware of the email in question and are looking into it as a matter of urgency as we take the privacy of personal information very seriously.”

The gaffe comes just weeks after a new partner at Winckworth Sherwood fell foul to a similar Bcc blunder. Blair Adams, who was previously at Wedlake Bell, fired off an email announcing his new gig to 600 or so contacts in the ‘To’ field rather than the ‘Bcc’ field meaning everyone could see the names on the list. It was his first day on the job.

For a weekly round-up of news, plus jobs and latest event info

Sign up to the Legal Cheek Newsletter

50 Comments

Anonymous

And why does PH not have an LC most list page? Anyway, what do you expect when you’re at a firm’s backwood office… I’ll take CMS ahead of PH any day due to job security and stable training.

(6)(36)

Top top

No proper us firm does. I was going to join Cadawalader on NQ but when I saw they weren’t on here I went to fieldfisher instead.

(41)(0)

Anonymous

Sounds like the name of somebody’s uncle.

PH = data controller, so it is on them to notify the ICO and data subjects.

(11)(0)

Anonymous

Paul Hastings sounds like the name of a small lorry company up in the Midlands

(34)(1)

Anonymous

Paul 10.66″ Hastings sounds like a pro-Brexit pornstar

(11)(3)

Anonymous

Snob!

(0)(1)

Paul Hastings

My name actually is Paul Hastings (srs).

(16)(0)

Anonymous

And?

(9)(3)

Anonymous

No, Paul. Do keep up.

(1)(0)

Anonymous

Pretty top firm but sweaty af. Pays about £125k NQ

(11)(0)

Anonymous

Pays more, doesn’t advertise figures like some other US firms – it’s 135k plus bonuses

(12)(0)

Anonymous

Phat

(2)(0)

Anonymous

133
140
154
178
196
213
220
230

+ bonus

(3)(2)

Anonymous

immensely sweaty.

help.

(4)(0)

Anonymous

This seems to be the story about Paul Hastings. Any idea why it’s so sweaty? Worse than Latham?

(1)(0)

Anonymous

No more sweaty than the magic circle My ex trained here, average hours 8:30-10pm. Sometimes he’ left much earlier. Same as my MC mates

(5)(1)

Kestrel Selby-Body

What’s with the money-centric comments on here? If you want money, go into another sector of Business and have the prospect of a non-boring and sociable life. 130k is nothing in the grand scale of things, particularly if you are working in London.

(5)(4)

Anonymous

Ow did someone get rejected?

(0)(0)

Anonymous

Comments are already being deleted. Yeah, noice.

(15)(0)

Anonymous

They obviously don’t know much about either agency law or their duties as a data controller if they regard this as a “third party” incident. Own it.

(2)(1)

Anonymous

Er…my understanding is that it is the third party, Thomas Reuters, who has screwed up, and the firm says it is contacting everyone and the ICO…which it is supposed to do….so I mean it is owning it as far as reasonably necessary…it’s obviously not their fault – they have a contract with someone else to deliver a service, I might say it’s unfortunate but I wouldn’t take responsibility to my group of friends if my Deliveroo pizza driver turns up to the wrong address…

(5)(2)

FmrCityLawFirmWorker

Unfortunately the Data Protection Act 1998 and subsequent amendments disagrees with your position. Data controller cannot contract out of responsibility.

(1)(2)

Anonymous

I didn’t say they contracted out; I said they are complying with all necessary obligations, but it’s not their fault at all and so can’t be particularly apologetic. Please read more closely.

(2)(0)

Anonymous

Lols DPA 1998, that’s cute.

Did you miss out on 2018?

(5)(0)

Anonymous

Have they notified the ICO? Legalcheek perhaps you could follow-up.

(4)(0)

Anonymous

FOI…

(1)(0)

Anonymous

Lol, if it’s not on Twitter or Roll on Friday it won’t be on LC.

(2)(0)

Anonymous

I received the email . They begged us to delete it. I’m not gonna haha. Don’t be negligent next time , they are lucky I’m not reporting Them for Data protection breaches

(11)(8)

Anonymous

Good luck getting a training contract. You sound like a right twat.

(46)(3)

Anonymous

Piss off

(1)(5)

Anonymous

Salty. You’ll go far in this profession

(5)(3)

Anonymous

She’s been rotting in the ground for 3 years now. I wouldn’t.

Anonymous

Given his basic witless banter, dead grannies is about his level. On a good night.

Anonymous

Alright G Unit

(3)(0)

Anonymous

How on earth do you plan to leverage that information? What a mug

(12)(0)

Anonymous

If you don’t know you must be retarded and there’s no point explaining it to you lol

(1)(8)

Anonymous

Have you reported yourself to the ICO then for you improper retention of private information?

(8)(0)

Anonymous

No have you? Smartarse

Anonymous

ICO Have no power here you fool.

Anonymous

Are you Mr T in disguise? Or are you basic and thick? I’m going the latter.

Anonymous

sell their email address to companies, spam mail, advertising, look up each individual on linkedin to see if they have offers accepted and blackmail them. the list goes on

(3)(2)

Anonymous

If you have that much spare time, maybe you ought to rethink some of your life choices.

(16)(0)

NotAHacker

Oh yeah, sell 400 email addresses? Mate, the money involved in the sale of 400 email addresses would be peanuts. If you wanted to sell email addresses on the dark web, you’d ideally need over a million addresses, or at the very least, one hundred thousand.

(3)(0)

FBI OPEN UP!

You sure you’re not a hacker mate?

Anonymous

I also received the email. They didn’t beg us to delete it. Nonetheless, I deleted it because I’m not a twat. I feel confident that I won’t be seeing you at the assessment centre.

(3)(0)

Anonymous

While not their fault, it should be a mandatory requirement for both Practice Certificate renewal and being admitted on to the roll that everyone can show a full grasp of how to use a computer properly.

(4)(0)

Anonymous

Who gives a fuck?

Data leak penalties are grossly disproportionate to the harm caused.

(2)(1)

Anonymous

On an individual case by case basis yes, but you need a substantial sting on the basis that not everybody gets stung. If you live without fear of being stung, you get complacent.

(0)(0)

Anonymous

Hello, I’d like to call in a hit please…

(1)(0)

Archibald Pomp O'City

You have to be fucking stupid to use the bcc field for anything you actually don’t want people to see. Use of that field should be banned and anybody who uses it spanked.

(0)(0)

Comments are closed.