Learning from the Panama Papers debacle

Jim Middlemiss

Never before has a single law firm done so much to crystalize global debate around offshore banking. Not only has Mossack Fonseca — the Panamanian law firm that will be forever linked to the Panama Papers — managed to focus world attention on tax havens but, at the same time, it has become the poster child for cybersecurity breaches in the legal business, not something you want to achieve.

The firm’s leak of 11 million confidential records, which it attributes to a hack, ranks with breaches at some of the world’s biggest companies, including eBay, Home Depot, Target, and JPMorgan Chase. The major difference is that those cyberbreaches didn’t bring down a world leader or require a dozen others to seek cover from intrusive media coverage or attacks from politicians.

For more than two weeks following the early April announcement that the firm’s records had been compromised and fallen into the hands of a consortium of investigative journalists, the firm made front-page news around the world. The fact that the companies it had created — more than 214,000 connected to people in more than 200 countries according to media reports — could be traced back to despots, world leaders, influential business people, celebrities, and athletes made the story all the more tantalizing.

The incident has now triggered tax evasion probes around the globe and blackened the eye of a legal offshore industry that was already suffering from a bruised image.

While Mossack Fonseca, or MossFon, complained to Panamanian authorities about being the victim of a crime, it was also later the subject of a police raid, seeking to “establish the use of illicit activities,” according to Panamanian authorities. The firm’s complaints that the media has distorted coverage of the incident and that it is engaged in a legal activity, has high standards, and is the real victim of a crime have largely fallen on deaf ears.

MossFon, which offers trust and legal services and has 500 staff with offices in more than 30 countries, now seems to be a dead man walking. It’s unlikely it will survive the leak, at least in its current form. It’s engaged in a business of trust and trust quickly erodes when your clients’ affairs are laid out in world newspapers — even if you are the victim of a hack. Who will trust the firm that it won’t happen again?

I’m betting that before this is all over, MossFon ends up on the law firm slagheap, along with firms like Dewey & LeBoeuf, and Dreier LLP, melting down amid controversy.

But it wasn’t just MossFon in the news recently over cyberbreaches. In late March, the Wall Street Journal reported that both Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP and possibly others were hacked. The WSJ reports that federal investigators are examining whether confidential information was taken and whether the attacks were related to insider trading.

And while not a hack, Proskauer Rose LLP employees were recently the victims of a phishing scam that led to workers’ personal tax information being disclosed.

It’s clear the nature of cyber espionage is changing and law firms are being targeted as a weak link.

These incidents show the need for law firms to invest heavily in protecting their IT systems or face reputational loss. Law firms store a treasure trove of data about their clients, everything from intellectual property to merger plans and litigation weaknesses, which can be gold in the wrong hands.

The MossFon breach takes things to a new level. Dan Pinnington, a vice president at legal insurer LawPRO, says “we have been very actively working to educate lawyers and law firms on the risks of exactly this kind of thing for a long time now.” He calls the MossFon incident “fairly spectacular. It puts it on the radar for law firms as something they need to think about.”

In 2013, LawPRO published a cybersecurity guide for law firms. It’s more relevant today than it ever was.

My advice is simple: Get a plan in place for dealing with an inevitable cyber-breach of some magnitude and make sure it includes a crisis communications response — because when the media comes calling, your complaint about being the victim of a crime and the media being in possession of stolen information will likely fall on deaf ears, as MossFon has painfully learned.

While MossFon has done a good job through its firm web site of explaining to the public that it’s a legitimate operation, there has been nary a word apologizing to clients whose information has been breached, nor much reassurance that the information has been secured and its systems fortified. Rather, it’s all platitudes about the firm’s high standards, that it merely operates as an administrator setting up companies, and the media is the bad guy distorting coverage.

Foremost, clients need to know their existing information and intellectual property is safe and what steps the law firm has taken to rectify the problem. Anything less than that won’t cut it.

Law firms need to study the MossFon incident and learn from it. You don’t want to be the next cyberbreach poster child.

Jim Middlemiss is a legal writer and principal at WebNewsManagement.com.