Ideas and suggestions are always welcome. Please let us know how we can improve your newsletter! We welcome your feedback.
LexisNexis® for Corporate Counsel
LexisNexis® Webinar Center
LexisNexis® Legal Newsroom
Live CLE Webinars | OnDemand Webinars
By William Allison and Francesca Muscutt at DAC Beachcroft in London
The hack of confidential data from the Panamanian law firm, Mossack Fonseca, in April has brought down world leaders and corporate executives and cast costly reputational risk upon individuals and companies around the globe. To many, it is merely a curiosity, a tale about questionable deals in far-flung places. But there are important lessons in reputation management, appropriate tax planning and data security for all organizations, not just those that arrange their affairs in off-shore jurisdictions.
In the largest, ever recorded data leak, an anonymous source forwarded to a German newspaper over 11.5 million lawyer-client documents dating from as far back as the 1970s. The documents were then forwarded to the International Consortium of Investigative Journalists and thereafter distributed to media centers across the world.
The Panama data contains the identities of prominent public officials, national leaders, company directors and shareholders, and high net-worth individuals who have used opaque off-shore structures and shell companies to hide their wealth and in some instances to avoid paying tax. Many have received adverse media attention since news of the data leak first broke on April 3.
Claims relating to the Panama data leak have the potential to be very significant and are likely to involve criminal, regulatory and civil actions.
The Panama data leak has prompted worldwide regulatory investigations, and banks and financial institutions are already being directly implicated in these investigations.
While Mossack Fonseca is maintaining that it has done nothing illegal (because tax avoidance is not illegal), its possible involvement in the use of off-shore companies to circumvent international trade sanctions in Iran, Syria and North Korea and other illicit activities including money laundering and bribe payments are now being investigated by the U.S. Department of Justice.
In the UK, the Financial Conduct Authority (FCA) has asked 64 financial services firms and banks to disclose details of any accounts handled by Mossack Fonseca and explain what they are doing internally to assess their exposure. The FCA has not yet reached any conclusions from its preliminary analysis but given the allegations of breaches of sanctions, money-laundering offences and other crimes published in the media, the FCA has said that it will be considering whether the banks’ anti-money-laundering controls should have raised “red flags.”
Banks, investment houses, accountants, law firms, tax advisers and other professional advisers who played a role in off-shore transactions involving Mossack Fonseca should be prepared to assist with these regulatory investigations, possibly by attending interviews and producing documents for regulatory scrutiny. The costs of these investigations may sound in claims for the recovery of “defense costs” under D&O, professional indemnity, E&O and cyber policies.
Data security experts have noted that Mossack Fonseca was not encrypting its emails, and it was using a computer program with known vulnerabilities and out-of-date plug-ins. If it is established that the data leak was caused by the firm’s failure to implement adequate security measures, then claims by former clients of Mossack Fonseca for breach of confidence, loss of privacy and reputational damage are likely.
The UK tax authority, HMRC, has confirmed it is clamping down on tax avoidance schemes and will impose tougher penalties on off-shore evaders. It is conceivable that clients or former clients of Mossack Fonseca will bring claims if the tax authorities find that the tax structures set up by Mossack Fonseca were illegal or amounted to tax evasion. Allegations of negligent tax advice/planning may not be confined to Mossack Fonseca but may also be directed against any professional involved in setting up the tax structure.
Under English law, the success of such claims would depend on whether former clients could show that, if advised differently, they could and would have invested in a different structure which would not have resulted in additional tax liabilities. Each case will turn on its own facts, but professional advisers and their insurers should consider their possible exposure in respect of such claims.
Claims may potentially extend beyond professional advisers. Company directors who pursued secret, aggressive tax strategies with Mossack Fonseca’s assistance may see their company’s reputation tarnished by negative media attention and (possibly) an irrecoverable fall in share price. While the use of off-shore tax structures is not “illegal” per se, their use is perceived by many as “unethical” and “immoral,” and it could be argued that by using such structures, the directors were not promoting the best interests of the company. We may see action groups pursue derivative claims in the future under the Companies Act 2006, if appropriately funded. These claims may potentially fall for consideration under any applicable D&O policy.
FCA acting Chief Executive Tracey McDermott has reported “a significant amount of business in Panama would be expected to be ‘perfectly legal’” and it is, of course, possible that the regulatory investigations will conclude there was no illicit activity and no prosecutions will follow. Irrespective of the legalities of off-shore transactions, however, the negative media attention may cause many to evaluate their association with these structures and they may wish to give careful consideration to the following points going forward:
The Panama data leak raises a very important issue for businesses and particularly professional advisers who hold confidential data. Electronic data is vulnerable to attack by third-party hackers who may delete, corrupt or distribute confidential information.
Given that lawyers, accountants and other professional advisers hold highly confidential documents electronically, many will now be concerned about data theft from their own systems and the risk of claims by clients in the event of a similar data hack. Many will question what they can do to minimize their exposure to a similar attack in the future.
Those storing confidential papers, in particular, should assess their data security measures within their organization and consider how data is stored and accessed, and by whom. The following precautions may help minimize the risk of a data attack:
The Panama data leak is a wake up for many. It has highlighted the reputational risks of being associated with off-shore structures and highlighted the vulnerabilities of storing confidential data electronically. Professional advisers, in particular, should reflect on the reputational damage they may cause to themselves and to their clients where sensitive information is leaked publicly and ensure their digital security is sufficient to minimize the risk of a security breach in the future.