Engineering Firm Faces Internal Backlash Following Circulation of Confidential Ethics Memo
The Challenge
In early 2025, Stonebridge Advisors, a respected national legal consultancy, was thrust into the public spotlight for all the wrong reasons. A whistleblower policy blog published excerpts from confidential internal memos related to legal advice the firm had prepared for a federal agency. These memos, addressing national security exemptions and emergency surveillance powers, were never meant for public release. Yet they were now fueling a media storm, igniting a broader conversation about government transparency and overreach.
The source of the leak turned out to be embarrassingly simple: two senior consultants had exchanged the sensitive documents over personal email accounts, circumventing the firm's secure internal systems. A recently departed employee, who still retained access to archived communications on a personal backup device, had been the unintentional vector. In their rush to meet client needs, the consultants had violated internal protocols—none of the documents had gone through a compliance or legal review before being shared.
The backlash was immediate and intense. Advocacy groups accused the firm of aiding in policy overreach. Public outrage swelled, prompting parliamentary calls to investigate all of Stonebridge’s current and past government contracts. The consultancy's lack of a structured exit policy for departing employees only compounded the issue.
Our Solution
We were called in to manage both the reputational crisis and regulatory fallout. Our first step was containment: working with Stonebridge’s IT team, we performed a full audit of data archives and revoked access for all inactive accounts. Simultaneously, we supported the legal team in reporting the incident to the Office of the Privacy Commissioner of Canada, supplying documentation to prove the leak was unauthorized and not malicious.
We developed and implemented a firm-wide secure communications protocol. All consultants were migrated to encrypted messaging platforms for client correspondence, and a firm-wide review of off-platform communications was initiated. A formal data exit policy was introduced, ensuring that personal backups and archive access are thoroughly scrubbed when an employee departs the firm.
The Value
While Stonebridge avoided formal penalties, the reputational impact was significant. Several federal contracts were paused or suspended, and public trust wavered. To address these concerns, the firm issued a public transparency report detailing the reforms. Mandatory ethics training was introduced across all departments to reinforce accountability when handling sensitive information.
The total avoided cost of terminated contracts, regulatory fines, and brand erosion was estimated to exceed $250,000. But beyond the financials, the incident served as a critical wake-up call for Stonebridge’s leadership. In sectors handling national security matters, professionalism must extend to data handling and communications at every level.
Implementation Roadmap
Revoke access of former consultants to archived email content
Implement secure communications protocols for client work
Engage Privacy Commissioner with breach report
Audit personal device usage policies
Mandate ethics and secure comms training for all staff

