
The media focussed on the salacious details of high profile public figures who used the Panamanian firm, Mossack Fonseca, to help avoid tax liabilities.  However, the underlying story behind the 'Panama Papers' scandal, for law firms at least, is the potential liability, and reputational damage, of data loss and data theft.

The Mossack Fonseca data hack

While there remains some uncertainty regarding the exact details of the hack, the general consensus is that a 'John Doe' used an insecure email server as a way in, gaining access to over 11 million documents and emails which the Süddeutsche Zeitung, in conjunction with the International Consortium of Investigative Journalists, reviewed before making their findings public.

Regardless of the relative morality of such 'public interest' hacks, whether you are a large law firm dealing with highly sensitive dealings of high profile companies or individuals, or a high street firm with the confidential information of thousands of 'regular' clients, there are a number of relevant cyber lessons:

Cyber Lessons for professional firms

  1. Patch & Update: Whether you outsource your IT function or have a dedicated internal resource, it is essential that you are confident that they are rigorously updating software and patching security vulnerabilities.  Had Mossack Fonseca done so, there is a suggestion that the hack attempt would have been foiled.
  2. Do not retain more data than necessary: there is a clear tension between the need to retain files/data for a period (not least in case of claims) and the Data Protection principle of not retaining data longer than necessary.  Mossack Fonseca had records going back decades.  Review regularly the data that you hold and are required to retain.  Lockton can provide guidance on this - Contact us for more information.
  3. Defend your data: effective computer security systems are essential.  This does not just mean anti-virus and anti-malware systems, but also systems that detect large outflows of data.  Given that many malicious data thefts are insider jobs, this is relevant for all firms.
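As an illustration of the third lesson, here is an added example (not from the original article, and not a Lockton tool) of the kind of check an egress-monitoring system performs: it totals the bytes each user sends out per day from constructed proxy log lines and flags any day that exceeds an absolute limit or is many times that user's own typical daily volume. The log format, user names, thresholds and volumes are all assumed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample egress log lines (assumed format, not real data):
# date time user=<name> dst=<destination> bytes_out=<bytes sent>
SAMPLE_LOG = """\
2016-04-01 09:12:03 user=alice dst=mail.example.net bytes_out=120345
2016-04-01 11:40:18 user=alice dst=cloud.example.org bytes_out=210778
2016-04-01 14:05:51 user=bob dst=mail.example.net bytes_out=98210
2016-04-02 08:55:10 user=alice dst=mail.example.net bytes_out=131002
2016-04-02 17:21:44 user=bob dst=cloud.example.org bytes_out=101500
2016-04-03 10:02:19 user=alice dst=cloud.example.org bytes_out=199870
2016-04-03 23:48:02 user=bob dst=203.0.113.9 bytes_out=3894001127
"""

LINE_RE = re.compile(r"^(\S+) \S+ user=(\S+) dst=\S+ bytes_out=(\d+)$")


def daily_egress(log_text):
    """Sum bytes sent per (user, day); lines that do not match the format are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            day, user, nbytes = m.groups()
            totals[(user, day)] += int(nbytes)
    return dict(totals)


def flag_outflows(totals, absolute_limit, ratio_threshold=10.0):
    """Return (user, day, bytes) for days over the absolute limit or more than
    ratio_threshold times the user's own median daily egress (their baseline)."""
    by_user = defaultdict(dict)
    for (user, day), nbytes in totals.items():
        by_user[user][day] = nbytes
    alerts = []
    for user, days in by_user.items():
        baseline = median(days.values())  # robust even with only a few days of history
        for day, nbytes in sorted(days.items()):
            if nbytes > absolute_limit or (baseline > 0 and nbytes / baseline > ratio_threshold):
                alerts.append((user, day, nbytes))
    return alerts


if __name__ == "__main__":
    for alert in flag_outflows(daily_egress(SAMPLE_LOG), absolute_limit=1_000_000_000):
        print("large outflow:", alert)
```

In practice the per-user baseline would be built from weeks of history rather than three days, and the alert would be correlated with the destination and time of day before anyone is contacted.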

Other protections

Mossack Fonseca can expect major financial consequences from a breach of this nature.  While most firms will not be likely to face targeted attacks of this nature or extent, all law firms hold considerable quantities of valuable confidential data, and need to be alive to the risks.

Your PII policy will respond to claims from clients but, as previous articles have detailed, will not cover costs such as notification to clients, recovery costs, and legal/public relations expenses.  Cyber insurance can help - but many policies will not cover all types of criminal attack.  Some firms may therefore wish to consider hybrid cyber/crime policies.  Firms with a high risk profile client base or work type should consider more specialist reputational harm policies.

For more information, read our other articles and alerts on information security and cyber risk issues, or Contact Us.