[BreachExchange] Panama Papers: What Attorneys Can Learn from History’s Largest Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 21 19:56:35 EDT 2016


http://www.natlawreview.com/article/panama-papers-what-attorneys-can-learn-history-s-largest-data-breach

On April 3, 2016 the public learned that millions of client documents from
the Panamanian law firm and corporate services provider Mossack Fonseca &
Co. (MF) had made their way to an international organization, the
International Consortium of Investigative Journalists (ICIJ), and that the
information would be used to publish potentially damaging stories. In
addition, authorities across the globe, from Japan to Switzerland to the
United States, are reviewing the documents and investigating potential tax
implications, regulatory violations and criminal activity.

Background

It is estimated that since its inception in 1977, MF has incorporated
250,000 businesses, largely in offshore jurisdictions. MF serves a wide
range of clients, including politicians, celebrities and corporations.
Incorporating “anonymous” businesses is entirely legal. There is, however,
a stigma attached to “shell companies,” and several of the public figures
associated with these businesses have already been embarrassed by
exposé-style articles. The ICIJ has promised that additional, highly
compromising articles will be published.

Following the disclosure of the breach, MF stated that it experienced an
“e-mail server breach” at one of its data centers. It also has been
reported that the documents were removed over the course of a year,
beginning in early 2015. This followed a 2014 “whistleblower” data breach
involving MF’s activities in Germany.

The details of how MF’s client data was removed, who removed it and why are
not known and may never be made public. Regardless, the breach raises
important questions that are relevant to any lawyer who uses a computer to
create, store and access attorney-client materials:

After a whistleblower distributed client materials to the German government
in 2014, what additional safeguards were implemented to protect client
files? Does your firm regularly review security procedures? What process
does your firm implement when computers, phones or remote storage devices
are lost, stolen or decommissioned? What process does your firm follow if a
data breach or virus is discovered in your system?

How long should client files remain on accessible servers? More than 11.5
million MF documents dating from 1977 forward were exposed by an “e-mail
server breach.” Many of these documents surely predated MF’s current
computer system. For whatever reason, “historical” documents were stored on
the same servers that handled routine e-mail functions. What is your firm’s
protocol for retaining “historical” documents on “active” servers?

Were notifications issued when non-active files were accessed? MF
apparently had a policy of ensuring that all documents for the 250,000
companies that it formed were readily available. But did the “primary”
attorney on those files receive any type of notification when materials
from their assigned clients were accessed? Did the system administrator
receive notification when older files that had not been accessed for a
significant period were suddenly downloaded? Does your firm have electronic
notifications in place when files are accessed? Are sensitive files
restricted to certain users? Are your files password protected?

News articles indicate that the breach was publicly disclosed only because
a journalist contacted a representative of the Russian government who
raised the possibility of a data breach with MF on March 28, 2016. MF
notified their clients on April 1, 2016. ICIJ then issued a press release
about the breach on April 3, 2016. The data breach(es) likely occurred over
the course of several months, starting in 2015. When should the breach(es)
have been discovered and disclosed to MF’s clients? Does your firm
regularly monitor its access logs? Does your firm have a data breach
response plan? Has your firm prepared a letter to advise a client of a
discovered breach? Has your firm prepared a press release if a wider
disclosure is necessary?
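The two monitoring questions raised above, whether anyone is alerted when long-dormant files are suddenly read, and whether access logs are reviewed closely enough to notice one account pulling many files in a short window, can be turned into concrete detection logic. The following Python is an added example written for this post; it is not part of the article and does not describe any tooling MF or any law firm actually ran. The log line format, the account names, the file paths, the pre-window "last access" inventory and the thresholds are all constructed for illustration.

```python
"""Two alerting checks over a constructed file-access log (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta

# Hypothetical log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) file=(?P<file>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed inventory: last known access of each file before the log window.
LAST_ACCESS = {
    "/archive/1998/client-0412.pdf": "2001-03-09T10:00:00Z",
    "/archive/2005/client-7781.pdf": "2006-07-21T16:30:00Z",
    "/active/2016/client-9001.docx": "2016-02-09T17:45:00Z",
}

# Constructed log lines (not real data): one service account reads two old
# archive files, a user opens an active file, one line is malformed, and the
# service account then downloads 25 more archive files within a minute.
SAMPLE_LOG = [
    "2016-02-10T02:14:05Z user=svc_mail action=download file=/archive/1998/client-0412.pdf",
    "2016-02-10T02:14:09Z user=svc_mail action=download file=/archive/2005/client-7781.pdf",
    "2016-02-10T09:02:11Z user=jdoe action=open file=/active/2016/client-9001.docx",
    "this line is malformed and must be skipped",
] + [
    f"2016-02-10T02:15:{i:02d}Z user=svc_mail action=download "
    f"file=/archive/2005/client-{7800 + i:04d}.pdf"
    for i in range(25)
]


def parse_log(lines):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a monitor should not crash on one bad line
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        events.append(d)
    events.sort(key=lambda e: e["ts"])
    return events


def dormant_file_alerts(events, last_access, dormant_days=365):
    """Alert on any access to a file untouched for at least dormant_days.

    Files with no baseline in last_access are not alerted on (no prior data),
    but their access time is recorded for later events.
    """
    state = {f: datetime.strptime(t, TS_FMT) for f, t in last_access.items()}
    alerts = []
    for e in events:
        prev = state.get(e["file"])
        if prev is not None and e["ts"] - prev >= timedelta(days=dormant_days):
            alerts.append((e["user"], e["file"], (e["ts"] - prev).days))
        state[e["file"]] = e["ts"]
    return alerts


def bulk_download_alerts(events, window_minutes=60, threshold=20):
    """Alert once per user when downloads in a sliding window reach threshold."""
    window = timedelta(minutes=window_minutes)
    recent = {}  # user -> deque of download timestamps inside the window
    alerted = set()
    alerts = []
    for e in events:
        if e["action"] != "download":
            continue
        q = recent.setdefault(e["user"], deque())
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append((e["user"], len(q), e["ts"]))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, path, days in dormant_file_alerts(evs, LAST_ACCESS):
        print(f"DORMANT: {user} read {path} after {days} days idle")
    for user, count, when in bulk_download_alerts(evs):
        print(f"BULK: {user} downloaded {count} files by {when:%H:%M:%S}")
```

Both checks are stateful only within the log they are given, so in practice the "last access" baseline would come from file metadata or a persisted index rather than a dict literal; the point is that each alert names the account, the file and the gap or count, which is exactly what the "primary attorney" notification the article asks about would need to contain.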

Lessons Learned

The MF data breach represents a sea change in the management of client data
by law firms. The bar for safeguarding client data has risen. All attorneys
must now consider the potential pitfalls of maintaining “historical” data
on their servers, the implementation of notifications when files are
accessed and protocols for issuing client disclosures when files are
accessed. It is likely that MF will face considerable litigation over the
undocumented data breach. Attorne