
The Panama Papers: Threats to the Security and Confidentiality of Client Information [1]

M. Georgia Gibson Henlin, QC

The Context

Panama is a republic. It is strategically located in Central America. It is bordered to the north by the Caribbean Sea and the Pacific Ocean, to the west by Costa Rica, and to the southeast by Colombia. Prior to 2016, it was known more for its strategic location, mainly because of its international maritime shipping corridor, the Panama Canal. On the 3rd day of April 2016 all of that changed, and there is hardly a reference to Panama without reference to the infamous “Panama Papers”. It was thrown into the spotlight as a tax haven, and as such all discussions centre around its status or loss of status as a tax haven. This is even though the epicentre of the “papers” is a law firm, Mossack Fonseca. Everyone, including lawyers, is curiously silent on the consequences for the attorney-client relationship, especially the duty of confidentiality, of the “leaking” of the “papers” from a law firm. It was surreptitious and it came as a shock and surprise.

The curious silence must be considered against the background of the release issued by Mossack Fonseca in the days following. They set out their record of compliance with regulatory agencies, local and international, “including the Banking Superintendence of Panama and the Intendancy of Non-financial Regulated Services Providers.” This is in addition to observing the requirements of the Foreign Account Tax Compliance Act (FATCA). The statement further reads in part:

“Recent media reports have portrayed an inaccurate view of the services that we provide and, despite our efforts to correct the record, misrepresented the nature of our work and its role in global financial markets. These reports rely on supposition and stereotypes, and play on the public’s lack of familiarity with the work of firms like ours. The unfortunate irony is that the materials on which these reports are based actually show the high standards we operate under, specifically that: we conduct due diligence on clients at the outset of a potential engagement and on an ongoing basis; we routinely deny services to individuals who are compromised or who fail to provide information we need in order to comply with ‘know your client’ obligations or when we identify other red flags through our due diligence; we routinely resign from client engagements when ongoing due diligence and/or updates to sanctions lists reveal that a party to a company for which we provide services has been either convicted or listed by a sanctioning body; we routinely comply with requests from authorities investigating companies or individuals for whom we are providing services; and we work with established intermediaries, such as investment banks, accountancies and law firms, as part of the regulated global financial system… In providing those services, we follow both the letter and spirit of the law. Because we do, we have not once in nearly 40 years of operation been charged with criminal wrongdoing… We’re proud of the work we do, notwithstanding recent and willful attempts by some to mischaracterize it…”

[1] M. Georgia Gibson Henlin, QC © 2016

The leak comprises 2.6 TB of data consisting of about 11.5 million documents, including correspondence, passports and financial records belonging to the firm’s clients. It included links to world leaders such as the Russian President Vladimir Putin and the President of Iceland’s wife, Dorrit Moussaieff. It was reported that Lionel Messi and his father were beneficiaries of Megastar Enterprises, a company formed in 2012 by Mossack Fonseca. The data covered the period from 1970 to 2015. The ultimate source of the information has been variously described as a hack or an inside job. One thing is certain: the leak came from an individual who, on condition of anonymity and immunity from prosecution, contacted a German newspaper, Süddeutsche Zeitung, to offer the “bounty”. It is alleged that this newspaper found the material overwhelming and solicited the assistance of the International Consortium of Investigative Journalists (ICIJ). Accordingly, the story of the papers was widely publicised in approximately 80 countries and some 200 publications. The journalists argued that it is their duty to disclose the information in the public interest insofar as it evidences crime, vice and corruption, including money laundering, among the world’s rich and famous and politicians. More recently, it is alleged that Denmark purchased the papers for information on its nationals that evaded taxes using the services provided by Mossack Fonseca:

“Denmark received information on Danish citizens from the so-called Panama papers after paying almost 6 million kroner (around $900,000) to an anonymous source, the Danish Tax Authority said in a statement Thursday. The tax authority announced earlier this month it would purchase the information to assist its hunt for tax dodgers. Recent estimates showed that fraud, coupled with mismanagement at the Tax Authority, revenue. The next step will be to probe the accords and correspondence and other documents Denmark received from the Panama Papers to identify if the government can raise claims to collect missing tax payments, Jim Sorensen, a director at the Tax Authority, said in the statement.” [2]

Mossack Fonseca issued a statement claiming that the files were obtained through a hack of the company’s email server. This is good reason for lawyers to pay attention. The information might have been at risk. A number of publications have argued that it was. They allege that Mossack Fonseca failed to have regard to the safety of its clients’ information and also failed to respond effectively once it was told that there was a leak:

“A leaked message to customers would indicate it all started as a typical hack, a preventable one at that. In a letter, dated April 1 and posted on Wikileaks Twitter… profile, the firm told customers that it was investigating an email server hack. Mossack Fonseca did not respond to repeated requests to comment on the breach though director Ramon Fonseca told Reuters the hack was ‘limited’ and complained of an ‘international campaign against privacy,’ despite the significant amount of data that was siphoned out of the organization. Now it’s in the media spotlight, Mossack Fonseca is being mocked for alleged poor security practices, as well as facing accusations it facilitated widespread tax avoidance, even where criminal proceeds were involved… Its emails were not encrypted, according to ACLU privacy and encryption expert Christopher Soghoian, whilst its websites were peppered with potential weaknesses, ripe for any willing hacker. Forbes discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to internet records, its portal used by customers to access sensitive data was more likely run on a three-year old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running below 7.32 within seven hours of its release should have assumed they’d been hacked. That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: ‘Your information has never been safer than with Mossack Fonseca’s secure Client Portal.’ That boast now looks somewhat misguided. Whatever weakness was exploited by the leaker, for at least a year, the company didn’t notice the breach, or did not issue a public alert…” [3]

[2] Peter Levering, Bloomberg, “Denmark Pays $900,000 for Panama Papers in Hunt for Tax Cheaters”, http://www.bloomberg.com/news/articles/2016-09-29/denmark-pays-900-000-for-panama-papers-inhunt-for-tax-cheaters (last accessed: October 1, 2016)

This extract demonstrates that the leak came about because key security tools were not up to date, in addition to other vulnerabilities. Still others have suggested that it is an “inside job”. The message is clear: whether it was a hack or an “inside job”, it is fair to say that the firm had vulnerabilities that placed its clients’ information at risk. Those vulnerabilities were exploited and resulted in what is now described as an “epic haul”. [4] That “epic haul”, all things considered, was client information. It was prima facie a cybercrime and affected the lawyers’ duty of confidentiality.

A Matter of Confidentiality

It should now be obvious that the “backstory” to the Panama Papers should also raise red flags about the security of client information. This is because lawyers have a duty or obligation to maintain client confidences. The duty is codified in professional rules of conduct with disciplinary sanctions for breach. However, the rule is older and more fundamental than the fact of codification in rules of professional conduct. [5] In Jamaica, as at July 2, 2014, Canon IV(t) provides as follows:

An attorney shall not knowingly –
i. reveal a secret or confidence of his client, or
ii. use a confidence or secret of his client –
a. to the client’s disadvantage; or
b. to his own advantage; or
c. to the advantage of any other person
unless in any case it can be done with the consent of the client after full disclosure.

Provided that an Attorney may reveal confidence and secrets in the following circumstances:
i. where it is necessary to establish or collect his fee;
ii. to defend himself or his employees or associates against an accusation of wrongful conduct;
iii. in accordance with the provisions of the Proceeds of Crime Act and any regulations made under that Act; [6]
iv. in accordance with the provisions of the Terrorism Prevention Act and any regulations made under that Act; [7] or
v. where the attorney is required by law to disclose knowledge of all material facts relating to a serious offence that has been committed.

[3] Thomas Fox-Brewster, “From Encrypted Drives To Amazon's Cloud -- The Amazing Flight Of The Panama Papers”, http://www.forbes.com/sites/thomasbrewster/2016/04/05/panama-papers-amazon-encryptionepic-leak/#9909eee1df59, April 5, 2016 (last accessed 15th September 2016)
[4] Ibid
[5] Encyclopaedia of Forms and Precedents, Confidentiality – Volume 12(3) B Particular Relationships and Situations – Paragraph 28, Lawyers; cf. Canon IV(t), December 29, 1978, Proclamations, Rules and Regulations, amended by deleting the proviso to paragraph (t) and inserting this new proviso – July 2, 2014 Proclamations, Rules and Regulations, The Legal Profession (Canon of Professional Ethics) (Amendment) Amendment Rules, 2014; cf. in England & Wales, the professional principles in the Legal Services Act (2007) include a duty to maintain client confidentiality: “We also require solicitors and law firms to keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents”, extracted from
[6] This amendment is currently under challenge in the case of Claim No. 2014 HCV 04772 in the Constitutional Court – decision pending
[7] Ibid

Confidentiality is a fundamental right. It is inextricably linked to the lawyer’s duty of loyalty to the client and to maintain his secrets. Confidentiality is at the core of, if not the cornerstone of, the lawyer-client relationship. The Panama Papers leak is certainly a basis for suggesting that the lawyer’s duty has been complicated by the increased use of technology. The incident exposes a clear and present danger to client information. It would be unwise to ignore the opportunities it presents to create awareness and take preventive measures.

One of the early cases that affirms the lawyer’s duty to maintain his clients’ confidences is Taylor v. Blacklow. [8] In that case, an attorney was retained for a fee to secure a loan for the Plaintiff. The Plaintiff gave him his titles for that purpose. The attorney discovered that there was a defect in the Plaintiff’s title. He disclosed this to the lender on the basis that, as a matter of justice, he was required to do so. The client sued the attorney. The justices, in finding for the Plaintiff against the Defendant, reiterated the duty of the attorney to keep his lips sealed. Justice Gaselee opined that “the first duty of an attorney is to keep the secrets of his client. Authority is not wanted to establish that proposition; but, if it were, the passage cited from Comyns’ Digest is sufficient.” [9] Justice Vaughan was equally illuminating on the point and added that the communication was privileged. He expressed his agreement as follows:

“There can be no doubt that the Defendant had been guilty of a gross breach of a great moral duty; and the law is never better employed than in enforcing the observance of the moral duties. I think, however, that the contents of these deeds were privileged communication, which the Defendant could not have been compelled to disclose. The law has been laid down too narrowly on that head by the counsel for the Defendant.” [10]

Justice Bosanquet was more forceful and, like Tindal CJ, opined that he did not find it necessary to determine whether the information was privileged. He found that “when the Defendant was employed to raise money, it was his duty to keep the secrets of his employer, and, having divulged them, he has violated his duty and subjected himself to an action at law.” [11] Accordingly, they entered judgment for the Plaintiff against the attorney.

The lawyer’s duty to maintain confidence has been affirmed in several cases, including Prince Jefri Bolkiah v. KPMG (a firm). [12] The accounting firm KPMG provided litigation support services, and the issue was whether it could offer new services to an existing client with an interest that was adverse to its former client. The Court equated the duty of the accountant, when performing litigation support services, with that of an Attorney-at-Law. It ruled that the central issue is whether the attorney or firm has confidential information from the former client that is relevant to or connected with the matter for the new client and adverse to the interest of the former client. The duty may arise by contract or in equity. [13] The duty is not based on conflict of interest. It is based on the following:

“[t]he fiduciary relationship which subsists between solicitor and client comes to an end with the termination of the retainer. Thereafter, the solicitor has no obligation to defend and advance the interests of his former client. The only duty to the former client which survives the termination of the client relationship is a continuing duty to preserve the confidentiality of information imparted during its subsistence.” [14]

The duty is expressed to be without limitation by Lord Millett: [15]

“Whether founded on contract or equity, the duty to preserve confidentiality is unqualified. It is the duty to keep the information confidential, not merely to take all reasonable steps to do so. Moreover, it is not merely a duty not to communicate to a third party. It is a duty not to misuse it, that is to say, without the consent of the former client to make any use of it or to cause any use to be made of it by others otherwise than for his benefit. The former client cannot be protected completely from accidental or inadvertent disclosure. But he is entitled to prevent his former solicitor from exposing him to any avoidable risk;”

[8] 3 Bing. (N. C.) 236
[9] Ibid at 249
[10] Ibid
[11] Ibid
[12] [1999] 1 All ER 517
[13] Encyclopaedia of Forms & Precedents – supra
[14] Supra note 9 – per Lord Millett at 527 b
[15] Ibid at 527 f–g



The “epic haul”, “leak”, “hack” or “inside job” is a reason for heightened concern. The breadth of the “haul” is not known in terms of whether it also includes the information of clients who could not be accused of any impropriety. It could happen to any firm or sole practice attorney. In fact, it might have happened, but there is little or no information from the victim firms. [16] In still other cases, the victim firm or attorney does not know.

Lawyers as Targets

The fact that law firms are targets has been recognised in Ontario since 2013. This was in the context of mega breaches globally involving corporations:

“Historians may well look back and call 2013 ‘The year of the hacker.’ There have been numerous high-profile data breaches involving major corporations and online services: Facebook, Apple, Twitter, Adobe, NASDAQ, The New York Times and LexisNexis to name just a few. Everyone reading this article likely has information stored by at least one, if not several, of these companies. And it does not stop there. Millions of other business entities and individuals have experienced data breaches this year, either directly in their own computer systems, or indirectly where there was a data breach involving information about them that was stored with a third party. Countless others will have lost money after being duped by various online scams.” [17]

The profession was therefore warned about the risks and dangers that cybercrime presented:

“Law firms and lawyers take notice: Cybercriminals are specifically targeting you because they want your data or the money in your trust account. Law firms are actually very appealing and sought-after targets for cyber criminals for three reasons. Firstly, law firms have large amounts of sensitive and confidential information that can be very valuable. Secondly, law firms tend to have very large sums of money in their bank accounts. Lastly, and not the least, relative to their clients and based on anecdotal information, law firms tend to have weaker security protection in place on their networks and systems.” [18]

[16] Dan Pinnington, “Cybercrime and law firms: The risk and dangers are real”, 2013, Cybercrimes and Law Firms (Vol. 12 No. 4) at page 6 supports this view, as do all information security practitioners.
[17] Ibid
[18] Ibid

In addition, it was observed that the ease of access to these malicious tools on the internet increases the risks. As Pinnington [19] continues:

“But make no mistake, while rank amateurs may launch attacks on law firms, industrial espionage on high value targets can involve the most skilled hackers in the world including, potentially, foreign governments. Cyber criminals will use every tool at their disposal to attack law firms. They will send spam and phishing messages. They will try to install malware and create backdoors into your firm’s computers.”

In 2011, it was reported that a number of law firms on Bay Street in Toronto were “targeted by hackers”. [20] These hackers were traced and found to be operating from China. They were “seeking information on a multibillion dollar commercial transaction.” [21] Approximately five (5) attorneys in Kingston, Jamaica had a similar experience in 2015, except that the tool used was vishing. [22] The caller pretended to be the Head of the Fraud Squad in downtown Kingston. He told the attorneys that they were being investigated by the Fraud Squad. He suggested that they were handling large cash transactions. He advised that he was really calling them at the request of a friend who said the lawyers were decent persons. He wanted the attorneys to “name a price” to make the issue go away. In some instances, he kept pressing for specific information in relation to the name of the client for whom the lawyer might be conducting a large transaction. Presumably, the information was requested to further the scheme to extort funds from the client with the information provided by the lawyer.

Further, in 2013, attorneys in Jamaica were contacted by bogus clients requesting that they undertake tasks for them. This included debt collection, divorces and commercial transactions. In one case, an attorney’s account was actually frozen by a local bank because one of the cheques that was paid out to the client turned out to be fraudulent. The fraud was perpetrated after the attorney requested and received by FedEx verifications and a signed retainer letter. The client then asked that the retainer be deducted from the payment by the debtor. The initial cheque was US$350,000.00. It was drawn on the “debtor’s” bank account at a prominent bank. The debtor purported to be a prominent telecommunications provider. The cheque looked real and had the colours and logo of the telecommunications provider. The second cheque was US$750,000.00. It was the return of the second cheque that put the attorney’s bank on alert. The unsuspecting attorney brought in the Cybercrimes unit and the fraud department of the bank. The fraudster called again; he was traced to Nigeria. This is even though the retainer letter and verification documents came out of Canada. The telecommunications provider later confirmed that it was not its cheque. It does not have an account at the bank on which the cheques were drawn.

In still another case, the attorney, having been pre-warned, refused the client’s repeated request to deduct the retainer from the cheque and send the balance to the client. As expected, having waited the requisite period for the cheque to clear, the cheque bounced. The “client” was reportedly bold, demanding and had all the characteristics of a real client. The only “red flag” was the unwillingness to pay the retainer, coupled with the request for payment before the cheque cleared the bank in accordance with clearing house rules. He wanted immediate payment on the basis of the attorneys’ relationship with their banker. The lesson here is: if it is too good to be true, it probably isn’t. The scam rides on the lure of a large and easily earned contingent fee.

In Ontario, there was at least one case in December 2012 where the hackers used malicious software or code known as the Trojan banker to infect a law firm’s computers. The fraud was said to be very sophisticated. The firm’s book-keeper was duped into keying in the firm’s account and password on her already infected computer. The fraudster accomplished this by posing as a representative of the firm’s bank. The fraudsters were able to wire hundreds of thousands of dollars from the law firm’s trust bank account over the next several days. The funds were sent to offshore accounts – see Table 1 [23] for the details of the fraud.

Table 1.

“It appears the bookkeeper’s computer was infected when she clicked on a link on a popular news website. Despite being the most current version with all updates, the antivirus software running on her computer did not recognise or stop the infection. After being infected, the bookkeeper’s computer appeared to have difficulties accessing the bank’s website. She got a ‘This site is down for maintenance’ message. This was actually not a page from the bank’s website; rather, it was a fake or ‘spoofed’ page pretending to be the bank’s website. On another screen that appeared on her computer – which also looked like it was the bank’s real website – she was asked to enter her name and phone number. This appears to have given the fraudsters her contact information, as later that day the bookkeeper received a telephone call from someone, allegedly from the firm’s bank. That caller said she was aware of the login attempts and stated that the site had been down for maintenance. The caller said the site had been fixed and asked the bookkeeper to try logging in again. The bookkeeper did so, entering the primary and secondary login passwords for the account on screens that appeared on her computer – the passwords were not given to the person on the phone. The second password came from a key fob password generator. This appears to have given the hacker both passwords and access to the firm’s trust account. On each of the following two days there were similar phone calls to the bookkeeper from the woman who allegedly worked for the bank to ‘follow up on the website access problems.’ On each occasion, the bookkeeper tried to log in again and entered the primary and secondary passwords on screens that appeared on her computer. The fraudsters went into the account during or immediately after each of the three phone calls and wired the funds overseas. An amount less than the balance in the account was wired out each time. This was an infrequently used trust account and the firm had never done wire transfers from the account. The bank did not detect these frauds or stop the wires. The people behind this fraud appear to have had an intimate knowledge of how to send wires from a bank account. By the terms of the banking agreements the firm had signed with the bank, the firm was responsible for replacing the funds that were taken out of the firm’s bank account. Lawyers should not underestimate the sophistication of frauds targeting trust accounts.”

[19] Ibid
[20] Ibid
[21] Ibid
[22] Voice phishing: a social engineering tool using pieces of information known to the victim.

In late 2016, in Jamaica, at least one attorney was shocked to learn that hackers had replicated that attorney’s email address. The fraudsters thereafter used key words such as “wire”, “cheque” or “cash” to divert communications from the email address to their mailbox. The client is then contacted and directed to transfer funds into an account that ostensibly belongs to the attorney. The result was that over J$250,000.00 was diverted to an account in the United States of America. The lawyer knew nothing of it until the client was contacted and reminded to make the payment. This is eerily similar to the situation described in the “bogus” lawyer scam alert issued by the Solicitors Regulation Authority in the United Kingdom on the 28th and 30th September 2016. [24]

The Inside Job

It may be thought that the only threats to client information are from outside. However, increasingly, including in Jamaica, clients’ information is at risk from insiders, including attorneys, other employees and especially IT staff.

“Statistics actually show that the majority of incidents involving the destruction or loss of data are perpetrated by current, soon to be dismissed or recently dismissed employees. Few, if any, know more about your firm’s systems than your employees; and few, if any, are in a better position to cause major damage… Your cybercrime prevention measures should address these internal dangers as well.” [25]

These situations are not alien to Jamaica and are more prevalent than may be thought. Attorneys in Jamaica have been known to employ social engineering tools to seek information from IT persons on the firm’s network configuration, or simply to enter unauthorised areas of the firm’s network systems. These persons were dismissed. The activities raised the awareness of the affected attorneys of the need to better secure their systems. It caused them to confidentially share their stories in order to raise awareness among attorneys generally.

[23] Dan Pinnington, Cybercrimes and law firms – Volume 2 Issue 4 at page 7 – “LawPRO claim involving significant theft from firm trust account by Trojan Banker Virus.”
[24] See note 29 below
[25] Ibid
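The keyword-triggered mail diversion and the look-alike sender address described above can both be checked from the mailbox side. The following Python is an added example, not part of this paper or of any firm's tooling; the firm domain, rule format, rule names and addresses are constructed assumptions.

```python
"""Hypothetical mailbox audit for the two patterns described in the text:
(1) an inbox rule keyed on payment words ("wire", "cheque", "cash") that forwards
mail outside the firm or hides it from its owner, and (2) a sender address that
merely resembles the attorney's genuine address. Every rule, domain and address
here is constructed sample data, not taken from any real firm."""
from dataclasses import dataclass

PAYMENT_KEYWORDS = ("wire", "cheque", "cash")

# Character pairs commonly swapped for look-alikes when a similar domain is registered.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "|": "l"}


@dataclass
class MailboxRule:
    name: str
    conditions: dict  # e.g. {"subject_contains": ["wire"], "body_contains": [...]}
    actions: dict     # e.g. {"forward_to": ["x@y"], "delete": True, "move_to": "..."}


def rule_payment_keywords(rule):
    """Keyword conditions in the rule that mention a payment word."""
    words = []
    for key in ("subject_contains", "body_contains"):
        words.extend(w.lower() for w in rule.conditions.get(key, []))
    return [w for w in words if any(k in w for k in PAYMENT_KEYWORDS)]


def external_targets(rule, firm_domain):
    """Forwarding or redirect targets that leave the firm's own domain."""
    targets = rule.actions.get("forward_to", []) + rule.actions.get("redirect_to", [])
    return [t for t in targets if not t.lower().endswith("@" + firm_domain.lower())]


def audit_rules(rules, firm_domain):
    """One finding per rule that keys on payment words and either sends the
    message outside the firm or hides it (deletes / marks read) from the owner."""
    findings = []
    for rule in rules:
        keywords = rule_payment_keywords(rule)
        targets = external_targets(rule, firm_domain)
        hides = bool(rule.actions.get("delete") or rule.actions.get("mark_read"))
        if keywords and (targets or hides):
            findings.append({"rule": rule.name, "keywords": keywords,
                             "external_targets": targets, "hides_message": hides})
    return findings


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(text):
    """Fold common look-alike characters so 'firrn' compares equal to 'firm'."""
    text = text.lower()
    for glyph, plain in HOMOGLYPHS.items():
        text = text.replace(glyph, plain)
    return text


def is_lookalike(sender, genuine, max_distance=2):
    """True when the sender's domain differs from the genuine domain but is a
    homoglyph twin of it or within max_distance edits of it."""
    sender_domain = sender.lower().rsplit("@", 1)[-1]
    genuine_domain = genuine.lower().rsplit("@", 1)[-1]
    if sender_domain == genuine_domain:
        return False  # same domain: a colleague, not a look-alike domain
    if normalize(sender_domain) == normalize(genuine_domain):
        return True
    return levenshtein(sender_domain, genuine_domain) <= max_distance


# Constructed sample data: a hypothetical firm, one diversion rule among benign ones,
# and a few sender addresses to screen against the attorney's genuine address.
FIRM_DOMAIN = "firm-example.com"
GENUINE_ADDRESS = "attorney@firm-example.com"
SAMPLE_RULES = [
    MailboxRule("Newsletters", {"from_contains": ["news@"]}, {"move_to": "Newsletters"}),
    MailboxRule(".", {"subject_contains": ["wire", "cheque", "cash"]},
                {"forward_to": ["payments@mail-drop.example"], "delete": True}),
    MailboxRule("Copy partner", {"body_contains": ["invoice"]},
                {"forward_to": ["partner@firm-example.com"]}),
]
SAMPLE_SENDERS = ["attorney@firm-example.com", "attorney@firrn-example.com",
                  "attorney@firm-examp1e.co", "attorney@unrelated.example"]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, FIRM_DOMAIN):
        print("suspicious rule:", finding)
    for sender in SAMPLE_SENDERS:
        print(sender, "look-alike" if is_lookalike(sender, GENUINE_ADDRESS) else "ok")
```

Only the nondescript rule that both matches payment words and forwards outside the firm is reported; the internal "Copy partner" rule and the newsletter filter are left alone.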



Creating Awareness

Cyber awareness is a must if client information is to be protected. That is why it is unwise to squander the opportunity presented by the Panama Papers. Regulatory authorities in the United Kingdom and Ontario have recognised that cyber awareness is the key, quite apart from any question relating to the Panama Papers. The Solicitors Regulation Authority (SRA) recommends that the process begins with accepting that there are risks. The SRA explains that the risk profile or assessment is important because: [26]

“Information security breaches can harm clients’ interests, result in financial loss and cause reputational damage.

Cyber security is an increasingly widespread issue. Law firms are targeted because many hold significant amounts of information and client money.

Scams, such as ‘Friday afternoon fraud’ (discussed below), or being tricked into dealing with a bogus law firm are also a risk to law firms.”

The trends in the United Kingdom are staggering but are reported on the authorities’ websites to create awareness:

“A quarter of the firms have reported being targeted by cybercriminals, with nearly one in ten of these attacks resulting in money being stolen.

In the wider economy, around two thirds of large businesses detected a cyber security attack or breach in 2015-16. But the true figure is likely to be higher because not all attacks will have been detected or reported.

Cybercrimes and scams include:
o malware – harmful software including viruses, programs allowing access to data, and ‘ransomware’ programs that encrypt files and demand a ransom in return for a decryption key;
o social engineering – where a criminal gains confidential information such as a password through building a personal relationship with a solicitor or law firm employee;
o Friday afternoon fraud – using details gained from hacking or social engineering to impersonate a bank or client on one side of a property transaction;
o CEO fraud – where a criminal impersonates a senior figure at a law firm through hacking their email address or purchasing a very similar email address, in order to impose authority and order money transfers.

Information security is about people and processes just as much as it is about the secure use of technology. Well-informed staff are just as important as keeping antivirus systems up to date when it comes to being cyber secure.

Bogus law firms

Some bogus law firms directly target people under the guise of being a genuine law firm or solicitor. Other bogus law firms target genuine law firms with a view to deceiving them into sending money or information.

They are an increasing threat: reports to us about bogus law firms have doubled since 2012 to more than 700 per year.

Almost half of all reports of bogus law firms involve criminals copying the identity of an existing law firm. The remainder usually involve bulk emails from individuals claiming to be solicitors.”

These threats and vulnerabilities have not caused any variation or relaxation of the lawyers’ professional duty of confidence. On the contrary, lawyers are expected to adapt to ensure that their professional duty is maintained. Proactivity is therefore required to minimise these various risks.

Taking Protective Measures

In Ontario, as in Jamaica, the rules of professional conduct incorporate the lawyer’s duty of confidentiality. Section 3.3 provides:

3.3-1 A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless:
a. expressly or impliedly authorised by the client;
b. required by law or order of a tribunal of competent jurisdiction to do so;
c. required to provide information to the Law Society.

[26] http://www.sra.org.uk/risk/outlook/priority-risks/information-security.page (last accessed: October 1, 2016)

The Law Society of Upper Canada (LSUC) demonstrates its awareness of the risks posed when lawyers use electronic communications. It issues guidelines to assist lawyers in complying with their confidentiality obligations. [27] The guidelines are not mandatory but are an important toolkit for lawyers. They underscore the importance of the lawyers’ continuing compliance with their confidentiality obligations or privilege. Guideline 5.7 provides:

“Lawyers using electronic means of communications shall ensure that they comply with the legal requirements of confidentiality or privilege. [Section 3.3 of the Rules of Professional Conduct]

When using electronic means to communicate in confidence with clients or to transmit confidential messages regarding a client, a lawyer should
o develop and maintain an awareness of how to minimize the risks of disclosure, discovery or interception of such communications;
o discuss the inherent security risks associated with each technology with the client and confirm in writing that the client wishes to communicate using that method;
o use firewalls and security software to protect at-risk electronic information;
o use and advise clients to use encryption software to assist in maintaining confidentiality and privilege;
o take appropriate measures to secure confidential information when using cloud-based services;
o develop and maintain law office management practices that offer reasonable protection against inadvertent discovery or disclosure of electronically transmitted confidential messages.”

[27] Technology Practice Management Guidelines.

Similar preventive or risk management measures were addressed by Pennington in his article on “Protecting yourself from cybercrime dangers.”28 These are:29

a. Avoid the dangers of email.
b. Lock down your browser and avoid surfing dangers.
c. Avoid infections with antivirus and/or anti-malware software. Lock things up by using passwords properly.
d. Address security vulnerabilities by installing operating system and program updates.
e. Keep the bad guys out with a firewall on your Internet connection.
f. Stump hackers by changing key default settings.
g. Lock down and protect your data wherever it is.
h. Scrub confidential client information on discarded equipment.
i. Be safe when using remote access and public computers.
j. Secure your mobile devices to protect the data on them.
k. Harden your wireless and Bluetooth connections and use public Wi-Fi with extreme caution.
l. Be careful about putting your firm’s data in the cloud.
m. Inside people can be the most dangerous.
n. Be careful of the dangers of BYOD and family computers.
o. A backup could save your practice after a cybercrime incident.
p. As they can be used as a point of access to your firm’s systems, it is critical to address the above issues on your personal smartphones and tablets, as well as your home computers and networks.

28 Below at note 30
29 Ibid at Page 11

The hackers are simply looking for a backdoor, a loophole or the Achilles heel. For these reasons, each step must be taken and not overlooked as being too expensive or unlikely to prevent harm. In the United Kingdom, the SRA not only provides information and resources on the risks but also on how to mitigate them. In one advisory it provides the following to its membership:

There are proportionate and affordable steps that can help protect information and money:

o The government’s 'cyber essentials' scheme can help make law firms become more cyber secure.
o Training staff can help mitigate the risk of social engineering, phishing and vishing.
o Informing us, the bank, the police and insurer if a client account is compromised by an attack can help the authorities take appropriate action.

Our report on IT and Innovation includes more detail on what law firms can do to keep information secure. We have also published tailored information for small firms, a guide to common scams, up to date scam alerts, and case studies.30

Protection from bogus law firms and cybercrime also involves solicitors policing their own identity and confirming the identity of others. Useful actions include:

o checking online to spot bogus law firms impersonating you or your law firm
o verifying the details of unfamiliar firms using sources such as: SRA Scam Alerts31
o contacting the relevant regulator directly to verify a law firm’s identity.

30 These are separate online resources that provide guidance to lawyers to minimise the risks.
31 For example: Unsolicited telephone calls from people claiming to be from "R C Solicitors", 30 September 2016 – Members of the public have received unsolicited telephone calls from people claiming to be from "R C Solicitors"; cf. Documents misusing the name of Philip Ross & Co, 28 September 2016 – A member of the public has received documents falsely claiming to be from Philip Ross & Co relating to an unclaimed inheritance; cf. Emails have been sent which claim to be from "Laura Walton" at "Michael Lewin Solicitors", 28 September 2016 – The SRA has been informed that emails have been sent which claim to be from "Laura Walton" at "Michael Lewin Solicitors". http://www.sra.org.uk/consumers/scam-alerts/scam-alerts.page (date accessed: October 2, 2016)

The fixes, unlike the hacks, are not unique to particular types of organisation. Law firms can learn from corporations. The problem is that lawyers hardly think of the threats, and certainly not of the solutions. In Ontario, some guidelines were provided through The Lawyers’ Professional Indemnity Company32 publication:

Cybercrime dangers are many, complex and ever-changing. Hardly a day goes by without another news report of a data breach or other cyber-related scam or theft. Cybercriminals have considerable resources and expertise, and can cause significant damage to their targets. Cybercriminals specifically target law firms as law firms regularly have funds in their trust accounts and client data that is often very valuable. LawPRO encourages all law firms to make dedicated and ongoing efforts to identify and understand their potential cybercrime vulnerabilities, and to take steps to reduce their exposure to cyber related dangers…33

In most if not all cases, expert assistance will be required. Expert assistance need not be expensive, although it generally is. In firms, the support and buy-in of senior management is required. Small and solo practitioners should also consider expert assistance suited to their needs by first assessing the risk profile of their practice instead of focusing on turnkey experts or expensive fixes. The weakest link in relation to these threats is usually staff. This is not because they are bad people; rather, there is a human element that social engineers can exploit to obtain information for use in their fraudulent schemes and scams. An aware and educated staff will only strengthen the security of the work environment. One key recommended tool in this respect is a technology use policy. Such a policy circumscribes use and should provide clear guidelines for use of and access to the firm’s or attorney’s system. Each new employee should be apprised of the terms of use of the system so that the standard of acceptable use is maintained. A technology use policy should cover the staff’s use of their own devices, email and the internet, including social media sites. It will assist in educating staff to become aware of seemingly innocent threats that can have a devastating impact on the system. In Ontario there is a recommendation that the policy should include a provision that the firm is entitled to monitor electronic communications and internet use to ensure conformity with the firm’s technology policy.34 It should also include sanctions for non-compliance.35

The Panama Papers “leak” therefore serves another purpose. It is a wake-up call for lawyers. The lop-sided focus on the rogue element as it relates to the work of the firm is misplaced. This is especially so since most of the articles concede that the business of using offshore accounts is legitimate and legal. It is therefore not all about rogue lawyers attempting to assist their clients to evade the law or taxes. The incident serves as a timely reminder to lawyers and regulatory authorities to make cyber security an imperative. It is an unforgettable exposure that should put lawyers on inquiry as to the risks associated with an electronic environment. Lawyers will have only themselves to blame for failing to focus on this important warning.

32 Dan Pennington, Cybercrimes and Law Firms (Vol. 2 No. 4) – “Protecting Yourself from Cybercrime Dangers: The steps you need to take.” at Page 10
33 Ibid
34 Ibid at page 11
35 Ibid

