Tag Archives: Appleby Law Firm

Trouble in Paradise

A couple of weeks ago I wrote about yet another breach at a law firm. This time the firm was Appleby, a law firm based in Bermuda and home to the rich and famous – especially those who are looking for tax shelters and the like. Most of these tax shelters are legal, but the optics of using them are terrible. Many of the rich and famous don’t want the NOT rich and famous to know what they are doing.

So imagine what happens to a law firm (or any firm) that caters to those people and is hacked and threatened with disclosure. They likely have some unhappy soon-to-be-ex-clients.

Well, at least some of the 13 million plus hacked documents are now public, and they paint an unflattering picture. Likely legal, but very unflattering.

The hack is being called the Paradise Papers. In sheer size, it is the number two breach, surpassed only by the Panama Papers hack in 2016, which revealed 2.6 terabytes of data. The Paradise Papers hack revealed 1.4 terabytes of data.

Among what was disclosed is:

  • Millions of pounds from the Queen of England’s private estate have been invested in a Cayman Islands fund which makes questionable investments.
  • Extensive offshore dealings by Donald Trump’s cabinet members, advisors and donors, including substantial payments from a firm co-owned by Vladimir Putin’s son-in-law to the shipping group of US commerce secretary Wilbur Ross.
  • How Twitter and Facebook received hundreds of millions of dollars in investment that can be traced back to Russia.
  • The tax-avoiding Cayman Islands trust managed by the Canadian Prime Minister Justin Trudeau’s chief moneyman.
  • A previously unknown $450m offshore trust that has sheltered the wealth of Lord Ashcroft.
  • Aggressive tax avoidance by companies like Nike and Apple.

And on and on.

As I said, I assume that most of this is legal, but as people like President Trump and Prime Minister Theresa May have been talking about closing tax loopholes, the optics of this could not come at a worse time.

According to reports, this does not appear to be state sponsored; just a hacker out to do a little “social justice”.

The message is that any business that stores sensitive information (and apparently the information stolen goes back 70 years) probably ought to look at how it is protecting that information and improve that security – unless it wants to be the next P papers – Pentagon Papers, Panama Papers, Paradise Papers ...

I assume that there will be a large exodus of clients from this firm.

Information for this post came from The Guardian.

 


Another International Law Firm Hacked

You might think that after the Panama Papers breach, in which the law firm of Mossack Fonseca was hacked and 11 million documents exposed – including ones that forced the prime minister of Iceland to resign and the prime minister of Pakistan to be removed from office – law firms around the world would have stepped up their cyber security efforts.

I am sure that some have improved their security while others have made minor efforts to improve it, but it is not working.  Until clients of these same law firms start conducting frequent cyber security audits of those firms, it is unlikely that significant changes will be made in the industry.

Remember that security and convenience oppose each other and security costs money.  If their clients are not demanding that they spend money on security, they likely will spend that money elsewhere.

So what is this week’s news?

The Bermuda-based law firm Appleby, with 10 offices around the world and around 470 staffers, admitted this week that they had been hacked. The hack, they said, occurred last year. That hack was not disclosed at the time, and legally they were probably not required to disclose it. The only reason they are talking about it now is that the international investigative journalist group ICIJ was given at least some of the documents and has been poring through them and asking embarrassing questions.

Apparently, clients of the firm include the rich and the famous, especially in Britain, possibly including some Royals. While the firm says that they try to do things lawfully, “no one is perfect”. Whether or not the two prime ministers who were exposed in the Panama Papers breach were doing things legally, the court of public opinion didn’t think what they were doing was appropriate.

When members of the rich and the famous get exposed doing things that may be legal or may be shady or may be perceived as illegal by the masses, that is not good for their public image.

The apparent threat that these documents are now going to be published probably scared the poop out of some of the firm’s clients, which forced them to admit the breach.

This brings us to an important point. In the United States (and the firm has no offices in the U.S.; their offices are mostly in tax havens), companies that are hacked are required to disclose that fact ONLY UNDER SOME, LIMITED, CIRCUMSTANCES. If personally identifiable health care information is breached, if payment card information is breached and if non-public personal information as defined in the various states’ laws is breached, for example – then, assuming the data wasn’t encrypted, etc. etc. – the companies have to fess up to the breach.

If, however, the breach did not expose that kind of information – say it exposed your company’s not yet filed patent applications or information regarding a merger or information regarding an off-shore business transaction – then maybe that information does not have to be disclosed – either publicly or even to the client.

For U.S.-based law firms, the American Bar Association has created model ethics clauses for states to adopt – some have been adopted and others not – that say that attorneys should try to protect client information, but the wording is a bit loose.

As a client of a law firm, your CONTRACT with that firm can certainly be as tight as the two parties agree for it to be (assuming the terms are legal, of course). You, as a client of a law firm, for example, can say that if you want me as a customer, then if you suffer a breach and my information is exposed, you must notify me within, say, 72 hours. That would put the onus on the law firm. For small clients that is a difficult issue to force. For larger clients, it is less difficult. That doesn’t mean that lawyers, as good negotiators, won’t try to make the terms more favorable to them, and you can’t blame them for wanting to do that. Still, you have a say in the matter and you can always choose to find another firm. There are lots of law firms in the country.

While there are probably thousands of clients of the Appleby law firm that are currently holding their breath, this, along with the multiple other law firms that have been hacked, should act as a wake-up call to clients to push their law firms to improve security.

I would think that most reputable law firms REALLY don’t want to have their clients’ information compromised, independent of ethics rules or client contracts, but security is both inconvenient and expensive.

However, so is being hacked, as is having your name dragged through the mud and losing clients.

Since many of the largest breaches in the U.S. are the result of vendors being hacked (think Target or Office of Personnel Management, for example), we work with clients to create a vendor cyber risk management program to tighten up the parameters of their vendor contracts and cyber security programs.

Stay tuned; there is likely to be more fallout from this breach.

Information for this post came from The Register.
