The largest leak in history is from a law firm.
All 11.5 million files came from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. The fact that Mossack Fonseca is a law firm and not a bank is easy to forget, since the most explosive allegations so far involve finance. The leaks indicate that the firm was helping politicians exploit secretive offshore tax regimes and evade money laundering laws.
Mossack Fonseca is broadly and robustly defending its conduct, saying it complies with anti-money-laundering laws and carries out thorough due diligence on all its clients, while citing client confidentiality as its reason for refusing to discuss specific cases of alleged wrongdoing. It says it tries to prevent misuse of its services and cannot be blamed for the activities of intermediaries such as banks, law firms, and accountants.
While this leak just hit the news, VICE had part of the story in 2014.
How did that leak happen?
Some background: Money laundering often involves shell companies, or companies that create distance between money and its owner. Shell companies need a registered agent to file the required incorporation papers and whose office usually serves as the shell’s address. This agent is often an attorney or law firm, as appears to be the case with Mossack Fonseca.
According to VICE, Mossack Fonseca filed papers and then served as the address for President Bashar al Assad’s money laundering shell from July 4, 2000 to late 2011. This is the same period of time Assad helped cause the deaths of hundreds of thousands of his own citizens.
Reporter Ken Silverstein’s source on Mossack Fonseca appears to be rather circuitous.
In 2006 the New Statesman reported that no foreign company can do business in Syria without the approval and involvement of Rami Makhlouf, the richest and most powerful businessman in Syria.
Then WikiLeaks released a classified 2008 cable from the American embassy in Damascus which described Makhlouf as the “poster boy of corruption in Syria.”
Then the US Treasury Department banned US companies from doing business with Makhlouf. Then in 2011 the US and the European Union put Makhlouf on a list of people whose international assets should be traced and seized.
In July 2012, the Treasury Department identified Drex—a dummy entity with a British Virgin Islands address—as the corporate vehicle Makhlouf secretly controlled and used “to facilitate and manage his international financial holdings.”
How did this leak happen?
VICE is now reporting that the German newspaper Süddeutsche Zeitung (SZ) claims an anonymous source contacted its reporters more than a year ago to provide them with 2.6 terabytes of data from Mossack Fonseca.
It’s still unclear whether there is one leaker acting on their own or a coordinated effort.
Lessons for law firms
While Mossack Fonseca has more than 40 offices worldwide, there are lessons here for law firms of any size. Here are a few things to keep in mind as you read about the Panama Papers.
Employees, not hackers, are your number-one threat.
Remember the Ashley Madison hack? A group of hackers calling itself “The Impact Team” took credit, but IT security analyst John McAfee claims the data was stolen by a woman operating on her own who worked for Avid Life Media.
While everyone is focused on preventing external hackers from accessing law firm data, the truth is that many top IT security experts believe that most data breaches come from the inside.
The biggest threat to your firm’s data security isn’t hackers, or even whistleblowers. It’s employees screwing up. At most small firms, every employee has access to every bit of data. That means that one lost and unsecured phone, tablet, or laptop can spell doom for your data security. One person falling for a fake login page can render your passwords useless.
While genuine screwups are more common, you can’t ignore the possibility of malfeasance.
In early 2015 Procter & Gamble filed suit against four former Gillette Company employees, accusing them of disclosing confidential information and trade secrets to a direct competitor for personal profit. Later that year, Merit Health Northwest Mississippi accused an employee of stealing patient names, addresses, dates of birth, Social Security numbers, health plan information, and clinical information to commit identity theft.
Beyond profit, many employees steal and distribute data to get back at their employers for real or perceived slights.
And then, of course, we can’t ignore the whistleblowers.
So what can firms do to help protect their data? Your best bet is a combination of employee training and limited access. In other words, teach them how to handle data properly, and only give them access to the data they need to do their jobs.
Here are some tips for doing this, from 5 Must-Dos for Law Firm Cybersecurity in 2016.
1. Get cyber risk insurance
Before I joined my colleague Rachel Burger at Capterra she wrote “Surviving Cyberwar: Threat Inflation in the Information Age”. As an expert on cybersecurity, she recommends firms obtain cyber risk insurance. “When a single cyber attack averages $5.5 million in damage (and often a company shut-down), cyber insurance is worth the expense.”
“Until recently, American companies have been slow to invest in cyber liability insurance,” Burger said. She compared the growth to employment liability insurance, which was introduced in the 1990s, but did not become a mainstream business expense until the mid-2000s. Expect a tipping point for cyber risk insurance in 2016.
If you’re scared of the cost, remember that a quote is free, and your cost should be commensurate with your level of risk.
2. Don’t use email
This might surprise you, but email is not very secure by default, though it has gotten better. It is also very easy to forward and bcc. If you're going to use email to communicate with clients, email encryption is a "must-have tool for lawyers," according to legal tech expert and blogger Robert Ambrogi.
Virtru is one of the easiest solutions available for encrypting emails and their files. Ambrogi reviewed Virtru, writing, “Like the other encryption apps I previously reviewed, the bottom line on Virtru is that it makes encryption as easy as sending an email.”
Virtru lets firms disable email forwarding and even set email expiration dates, a literal “This message will self-destruct.” One disadvantage to Virtru is that it requires both parties to opt-in.
Still, don't use email. Communicate with clients through a client portal instead. Many law practice management software products offer a client portal, and most of them are encrypted by default. Beyond encryption, communications and files are more secure within a client portal because they are more difficult to forward, and, as long as credentials aren't being shared, additional people can't access them without the firm's knowledge and permission.
You should also be sure your law firm software offers tiered access. Users should have differing levels of permissions based on their roles.
And make sure your portal uses two-factor authentication, Nicole Black, Director of Business Development and Community Relations at MyCase, warns. That means that a login from a new computer or device requires two forms of identity verification. The second form can be a phone call, a text message, or an alternate email. Black also advises firms to research vendors thoroughly. MyCase offers two-factor authentication as an optional feature, as do Clio and Time Matters.
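The two points above, tiered permissions by role and a second factor on logins from unfamiliar devices, are easier to reason about in code than in prose. The following is an added example written for this post, not code from MyCase, Clio, Time Matters, or any other product mentioned here; the role names, permission sets, matter ids, and the three-attempt limit are all constructed assumptions. Delivery of the one-time code is simulated (it is returned to the caller), where a real portal would send it by text, phone call, or alternate email.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical role tiers for a small firm's client portal (constructed for this example).
# Deny by default: an action is allowed only if the user's role explicitly lists it.
ROLE_PERMISSIONS = {
    "partner":   {"read_matter", "write_matter", "share_matter", "export_matter"},
    "associate": {"read_matter", "write_matter"},
    "paralegal": {"read_matter"},
    "client":    {"read_matter"},
}

MAX_CODE_ATTEMPTS = 3  # wrong second-factor codes a pending login may absorb (assumed)


@dataclass
class User:
    name: str
    role: str
    matters: set                                    # matter ids this user is assigned to
    known_devices: set = field(default_factory=set)  # devices that already passed a second factor


class Portal:
    """Minimal model of a portal enforcing tiered access and a second factor
    on logins from devices it has not seen before."""

    def __init__(self):
        self.audit = []     # append-only log a firm would review for denied actions
        self.pending = {}   # (user name, device id) -> [one-time code, attempts left]

    def login(self, user, device_id):
        if device_id in user.known_devices:
            self.audit.append(f"login ok user={user.name} device={device_id}")
            return {"status": "ok"}
        # New device: issue a one-time code. A real portal delivers it out of band
        # (text, call, alternate email); here it is returned so the flow runs offline.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(user.name, device_id)] = [code, MAX_CODE_ATTEMPTS]
        self.audit.append(f"second factor required user={user.name} device={device_id}")
        return {"status": "second_factor_required", "code_sent": code}

    def verify_second_factor(self, user, device_id, code):
        key = (user.name, device_id)
        entry = self.pending.get(key)
        if entry is None:
            self.audit.append(f"second factor rejected (no pending login) user={user.name}")
            return False
        expected, _attempts_left = entry
        if not hmac.compare_digest(expected, code):  # constant-time comparison
            entry[1] -= 1
            if entry[1] <= 0:
                del self.pending[key]                # too many misses: challenge is void
            self.audit.append(f"second factor wrong user={user.name} device={device_id}")
            return False
        del self.pending[key]
        user.known_devices.add(device_id)            # trust this device for future logins
        self.audit.append(f"second factor ok user={user.name} device={device_id}")
        return True

    def authorize(self, user, action, matter_id):
        """Tiered access: the role must permit the action AND the user must be
        assigned to the matter. Every denial is recorded for review."""
        allowed = (action in ROLE_PERMISSIONS.get(user.role, set())
                   and matter_id in user.matters)
        if not allowed:
            self.audit.append(f"denied user={user.name} action={action} matter={matter_id}")
        return allowed


if __name__ == "__main__":
    portal = Portal()
    alice = User("alice", "associate", {"M-001"})
    first = portal.login(alice, "laptop-1")
    print(first["status"])                                                    # second_factor_required
    print(portal.verify_second_factor(alice, "laptop-1", first["code_sent"]))  # True
    print(portal.login(alice, "laptop-1")["status"])                          # ok
    print(portal.authorize(alice, "share_matter", "M-001"))                   # False
    print("\n".join(portal.audit))
```

Two design choices worth noting: authorization checks both the role tier and the matter assignment, so an associate cannot read a matter they are not on even though their role permits reading in general; and the audit list records every denial and every second-factor outcome, which is what lets a firm notice a stolen credential being tried from a new device.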
3. Ensure your phones are as secure as your computers
Lawyers and other law firm employees are working everywhere. That means their phones are now as connected to sensitive law firm data as their computers are. But are they as secure? A lost phone is less a question of whether and more a question of when. Make sure it isn’t a catastrophe.
Whether you have a BYOD (bring your own device) policy or issue phones to employees, it’s important they are protected with very strong passwords, ideally along with a password management utility. Passwords should be changed regularly, and ideally comprise a random assortment of numbers, capitalized and lowercase letters, and symbols.
Last thoughts on Mossack Fonseca
Maybe this isn’t a story about which super wealthy individuals did everything in their power, both legal and illegal, to avoid taxes, preserve their financial anonymity, and generally preserve their wealth. “After all, that’s what they do, and it should not come as a surprise that they will always do that, especially following last year’s disclosure by the same ICIJ which revealed a list of 100,000 HSBC clients who had been dutifully avoiding the payment of taxes,” ZeroHedge reports.
Maybe, for law firms at least, this is a story about what’s in store from investigators. “In recent years, government investigations have centered on how major banks are used to move, hide, and launder money by the wealthy,” a Fusion explainer states. “But the new Panama Papers trove shows the role of often-overlooked lawyers and incorporation agents in the process.”
Many times Mossack Fonseca has had no clue which nefarious characters were doing what with the companies the firm created – as when Jurgen discovered in 2005, according to internal emails, that he was the registered agent and listed as the director for a company controlled by the Mexican drug lord Rafael Caro Quintero. The co-founder of the Guadalajara Cartel was convicted in Mexico in 1985 for the brutal murder of U.S. DEA agent Enrique "Kiki" Camarena. (Today, Quintero is again considered a fugitive by the US after walking out of prison in 2013 on a technicality.)
Here’s the full official response from Mossack Fonseca.
Maybe the ultimate lesson for law firms is that no clue is no excuse.
What does your firm do to protect your data? Let me know in the comments.
Looking for Law Practice Management software? Check out Capterra's list of the best Law Practice Management software solutions.