The unfolding Mossack Fonseca revelations will certainly keep us entertained for some time to come: will a British Prime Minister have to admit being the beneficiary of a dubious offshore fund inherited from his father? Will the suspicions of embezzlement around Putin finally be proved? And where are the Americans in all of this?
But looking beyond the immediate fallout, one of the most astonishing questions is how so much client data came to be accessed by one person or group of persons.
This is 2016. Information security is a well-advanced field, generally built on the sound principle “Assume we will be attacked from inside or outside and our data will be targeted”. On that bedrock assumption security controls are built.
Right now, all around the world, in law firms large and small, the question being asked by the Partners is “Could this happen to us?” An excellent question, and one which is very easy to get to the bottom of.
If your IT or Security team cannot immediately articulate how client data is protected and the controls they have in place to prevent a data breach then the answer can only be “Yes, it could happen to you”. (And if the answer from your IT team features the phrases “It’s on our own servers therefore it’s safe” or “It’s in the Cloud and Amazon/Microsoft/Google protect it with 256-bit encryption” then alarm bells should sound).
Data classification and segregation (when part of robust layered defences) are very effective controls to ensure that if or when a breach occurs the perpetrator only gets some of the family silver, not all of it (and when implemented properly they certainly shouldn’t get the high-value items).
Quite why these controls were not in place at Mossack Fonseca, or why they failed, may become clear over time. What is clear, though, is that if the value of the information is high enough – or the value of the damage that can be wrought with it is attractive enough – then someone will attempt to steal and release that information.
And in the Mossfon case this, in particular, is an intriguing point to consider.
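To make the “only some of the family silver” point concrete, here is an added toy model (not from the original post, and not any firm’s real access-control system) in which every client matter is its own compartment and every record carries a classification label. An account can read a record only if it has been granted that matter and its clearance is at least the record’s classification. The matter names, record names and accounts are constructed for the example; the `blast_radius` figure is simply the share of all records one account could reach if its credentials were misused.

```python
"""Toy model of data classification plus per-matter segregation.

Constructed example: three client matters, each holding a PUBLIC, a
CONFIDENTIAL and a RESTRICTED record. Accounts are granted specific
matters and a clearance level; the vault enforces both before a read.
"""
from dataclasses import dataclass, field

# Ordered classification levels; a higher clearance dominates lower labels.
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "RESTRICTED": 2}


@dataclass(frozen=True)
class Record:
    matter: str          # compartment, e.g. a client matter reference
    name: str
    classification: str  # one of the keys in LEVELS


@dataclass
class Account:
    user: str
    clearance: str
    matters: set = field(default_factory=set)  # matters explicitly granted


class Vault:
    def __init__(self):
        self.records = []

    def add(self, rec):
        if rec.classification not in LEVELS:
            raise ValueError(f"unknown classification {rec.classification!r}")
        self.records.append(rec)

    def can_read(self, acct, rec):
        # Segregation check (right compartment) AND classification check
        # (sufficient clearance). Both must pass.
        in_compartment = rec.matter in acct.matters
        cleared = LEVELS[acct.clearance] >= LEVELS[rec.classification]
        return in_compartment and cleared

    def readable_by(self, acct):
        return [r for r in self.records if self.can_read(acct, r)]

    def blast_radius(self, acct):
        """Fraction of all records exposed if this account is compromised."""
        if not self.records:
            return 0.0
        return len(self.readable_by(acct)) / len(self.records)


def build_sample_vault():
    """Constructed sample data: 3 matters x 3 records = 9 records."""
    vault = Vault()
    for matter in ("M-1001", "M-1002", "M-1003"):
        vault.add(Record(matter, "engagement_letter", "PUBLIC"))
        vault.add(Record(matter, "correspondence", "CONFIDENTIAL"))
        vault.add(Record(matter, "deal_terms", "RESTRICTED"))
    return vault


def over_privileged(vault, acct, threshold=0.5):
    """Flag accounts whose reach exceeds a review threshold. Useful as a
    periodic access-review check rather than a run-time control."""
    return vault.blast_radius(acct) > threshold


# Constructed accounts: a paralegal on one matter, a partner on two matters,
# and a legacy 'everything' account of the kind left behind by messy IT.
PARALEGAL = Account("paralegal", "CONFIDENTIAL", {"M-1001"})
PARTNER = Account("partner", "RESTRICTED", {"M-1001", "M-1002"})
LEGACY_ADMIN = Account("legacy_admin", "RESTRICTED",
                       {"M-1001", "M-1002", "M-1003"})

if __name__ == "__main__":
    v = build_sample_vault()
    for acct in (PARALEGAL, PARTNER, LEGACY_ADMIN):
        reach = v.readable_by(acct)
        print(f"{acct.user:12} reads {len(reach)}/9 records "
              f"(blast radius {v.blast_radius(acct):.0%}) "
              f"review={'YES' if over_privileged(v, acct) else 'no'}")
```

The point of the model is the contrast between the paralegal, whose compromised credentials expose two records of nine, and the unsegregated legacy account, which exposes all nine. Segregation limits how much one breach can take; classification keeps the highest-value items behind the fewest accounts; and a simple blast-radius review surfaces the accounts that undo both.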
In obtaining and releasing this information to a worldwide group of investigative journalists the perpetrator(s) of the data leak have put a huge target on their backs. No matter how many $millions they received in exchange (or maybe it was done for genuine purposes) that individual or individuals – whether inside job or external hacker – will forever be looking over their shoulder for the Russian Secret Services, mafia hit men or an aggrieved former Icelandic Prime Minister coming after them.
So if someone is paid well enough or feels strongly enough that information should be released then no matter the personal risk to themselves they will do it.
Of course most law firms are not handling this kind of super-sensitive information. But if – say – someone was interested in knowing the details of a commercial property purchase or an M&A bid, so that they could out-bid a competitor, then one could, with relative ease, find some hackers-for-hire or a disaffected employee to go and obtain that data for them.
Our experience is that outside of the Magic Circle, few law firms have dedicated security teams, and those regional firms which have grown by acquisition and as a result have particularly messy IT are at greater risk. In the absence of dedicated security specialists the issue is left to the IT guys to manage. And – with all due respect – that’s akin to leaving the non-legally-qualified Company Secretary or Finance Director to manage all of the company’s legal matters by themselves.
So it could well be that the Mossack Fonseca case becomes the watershed moment that makes every law firm wake up to the threat and to the reality that a breach of client data is very possible.