The leak of confidential data from the Panamanian law firm, Mossack Fonseca, two weeks ago has highlighted the potential reputational risks that businesses face if they arrange their affairs in off-shore jurisdictions and the general data security risks that all businesses face today.
In the largest ever recorded data leak, an anonymous source forwarded over 11.5 million lawyer-client documents dating from as far back as the 1970s to a German newspaper. The documents were then forwarded to the International Consortium of Investigative Journalists and thereafter distributed to media centres across the world.
The Panama data contains the identities of prominent public officials, national leaders, company directors and shareholders, and high net-worth individuals that have used opaque off-shore structures and shell companies to hide their wealth and in some instances to avoid paying tax. Many have received adverse media attention since news of the data leak first broke on 3 April 2016.
Possible claims following the Leak
Claims relating to the Panama data leak have the potential to be very significant and are likely to involve criminal, regulatory and civil actions.
The Panama data leak has prompted worldwide regulatory investigations, and banks and financial institutions are already being directly implicated in these investigations.
Whilst Mossack Fonseca is maintaining that it has done nothing illegal (because tax avoidance is not illegal), its possible involvement in the use of off-shore companies to circumvent international trade sanctions in Iran, Syria and North Korea, and in other illicit activities including money laundering and bribe payments, is now being investigated by the US Department of Justice.
In the UK, the Financial Conduct Authority has asked 64 financial services firms and banks to disclose details of any accounts handled by Mossack Fonseca and explain what they are doing internally to assess their exposure. The FCA has not yet reached any conclusions from its preliminary analysis but given the allegations of breaches of sanctions, money-laundering offences and other crimes published in the media, the FCA has said that it will be considering whether the banks' anti-money-laundering controls should have raised "red flags".
Banks, investment houses, accountants, law firms, tax advisers and other professional advisers that played a role in off-shore transactions involving Mossack Fonseca should be prepared to assist with these regulatory investigations, possibly by attending interviews and producing documents for regulatory scrutiny. The costs of these investigations may sound in claims for the recovery of "defence costs" under D&O, professional indemnity, E&O and cyber policies.
Data security experts have noted that Mossack Fonseca was not encrypting its emails and was using a computer programme with known vulnerabilities and out-of-date plug-ins. If it is established that the data leak was caused by the firm's failure to implement adequate security measures, then claims by former clients of Mossack Fonseca for breach of confidence, loss of privacy and reputational damage are likely.
The UK tax authority, HMRC, has confirmed it is clamping down on tax avoidance schemes and will impose tougher penalties on off-shore evaders. It is conceivable that clients or former clients of Mossack Fonseca will bring claims if the tax authorities find that the tax structures set up by Mossack Fonseca were illegal or amounted to tax evasion. Allegations of negligent tax advice/planning may not be confined to Mossack Fonseca but may also be directed against any professional involved in setting up the tax structure.
Under English law, the success of such claims would depend on whether former clients could show that, if advised differently, they could and would have invested in a different structure which would not have resulted in additional tax liabilities. Each case will turn on its own facts, but professional advisers and their insurers should consider their possible exposure in respect of such claims.
Claims may potentially extend beyond professional advisers. Company directors who pursued secret, aggressive tax strategies with Mossack Fonseca's assistance may see their company's reputation tarnished by negative media attention and (possibly) an irrecoverable fall in share price. Whilst the use of off-shore tax structures is not "illegal" per se, their use is perceived by many as "unethical" and "immoral", and it could be argued that by using such structures, the directors were not promoting the best interests of the company. We may see action groups pursue derivative claims in the future under the Companies Act 2006, if appropriately funded. These claims may potentially fall for consideration under any applicable D&O policy.
Evaluation of Tax Planning Practices
The FCA acting Chief Executive, Tracey McDermott, has reported "a significant amount of business in Panama would be expected to be 'perfectly legal'" and it is, of course, possible that the regulatory investigations will conclude there was no illicit activity and no prosecutions will follow. Irrespective of the legalities of off-shore transactions, however, the negative media attention may cause many to evaluate their association with these structures and they may wish to give careful consideration to the following points going forward:
- the reputational risks to banks, financial institutions, professionals and corporations of being associated with secrecy havens;
- the importance of reviewing relationships with law firms and financial advisors in off-shore jurisdictions that deal with opaque structures;
- the importance of enhanced due diligence regimes when dealing with off-shore transactions to show that banks, in particular, have properly considered money-laundering, breaches of trade sanctions and other possible corruption; and
- the risk that off-shore activities will be scrutinised by the regulators, if there are concerns of possible complicity in financial crimes.
Protection against data leaks
The Panama data leak raises a very important issue for businesses, and particularly for professional advisers that hold confidential data. Electronic data is vulnerable to attack by third-party hackers who may delete, corrupt or distribute confidential information.
Given that lawyers, accountants and other professional advisers hold highly confidential documents electronically, many will now be concerned about data theft from their own systems and the risk of claims by clients in the event of a similar data hack. Many will question what they can do to minimise their exposure to a similar attack in the future.
Those storing confidential papers in particular should assess their data security measures within their organisation and consider how data is stored and accessed, and by whom. The following precautions may help minimise the risk of a data attack:
- Ensure there is appropriate vetting of employees with access to confidential data;
- Require employees to change passwords frequently;
- Use additional layers of IT security for those accessing data remotely such as home workers;
- Ensure IT is properly managed and overseen by senior IT members responsible for an efficient and modern system (adopting the best security practices available);
- Ensure appropriate IT education is given to staff;
- Restrict those employees/officials who can access the entire internal system;
- Spread data across multiple infrastructures to limit the impact of a leak; and
- Prepare a response plan to be followed in the event the system is attacked.
The Panama data leak is a wake-up call for many. It has highlighted both the reputational risks of being associated with off-shore structures and the vulnerabilities of storing confidential data electronically. Professional advisers, in particular, should reflect on the reputational damage they may cause to themselves and to their clients where sensitive information is leaked publicly and ensure their digital security is sufficient to minimise the risk of a security breach in the future.