Panama has long been a crossroads. Even before the construction of the Canal, it had ties to people from many countries. Panama’s connection to the international community has been confirmed again, but this time it is because of a cyber breach that is a doozey.
Most press accounts of the “Panama Papers” focus on the very public figures whose names and machinations are among the reported 11.5 million documents that were breached. Heads of State, heads of industry, and head-turners are caught up in the trove of compromised documents. It won’t be long before the blizzard of litigation will begin. How would you like to be the Mossack Fonseca Managing Partner or, for that matter, its insurers?
Shortly after the story broke, I received a call from Roger Marks, a lawyer-turned-insurance broker and a true insurance coverage savant. We had a lively discussion about the recent AmLaw breaches and then turned to Mossack Fonseca. Here are some of the questions we kicked around that might be considered by other law firms:
- How did this happen? The Mossack Fonseca firm, founded in Panama, has 34 offices globally. It makes one wonder how quality control was ensured across such a broad global footprint and, equally, how steps were taken to integrate IT platforms and to protect against breaches (internal or external). And while neither of us has conducted an inquiry to assess it, one might infer poor cyber hygiene. The firm has ancillary businesses, and one wonders whether the computing systems of these businesses are intertwined (especially the document digitization and storage company)?
- Was there a breach of Duty? Because the Mossack Fonseca breach touches so many jurisdictions, there will be an interesting debate as to what the standard of care is for maintaining client confidentiality in the cyber realm. This is emerging as a significant issue in the US; what measures are sufficient to satisfy the standard of care and where is the line? The standard of care may well be different in international jurisdictions, and the choice of law briefs will be flying around the globe on this one.
Also, in the U.S. at least, has an ethics violation occurred? Lawyers are required to protect client confidentiality zealously, and this duty extends to the use of technology.
- What about injury/damages? In the U.S., mere breach of personal or other protected confidential information may not be sufficient to confer standing to bring a third-party claim for damages. As this breach arises out of an attorney/client relationship, it raises a question whether the disclosure of otherwise legal attorney/client activities, such as the establishment of corporate entities (including the identities of the actual clients), that results solely in “reputational harm” to clients would be sufficient to sustain a damages claim. Also, how might such a claim be quantified? The answers may differ by jurisdiction. And it would have profound economic consequences.
- Is there insurance coverage? Professional Liability policies in the US and other countries might respond to third-party claims for damages. However, if the firm acted in a criminal or fraudulent manner (e.g. conspired with clients to defraud others), there would be the possibility that the matter would be excluded though there could be “innocent insured” coverage for those not connected to or aware of a fraud. If there are criminal or regulatory proceedings, it depends upon the policy whether such matters are covered, and if so, typically for defense only (not liability) – and then only if there is not an adjudication of malfeasance.
The cost of forensics to investigate the breach might be covered depending upon the policy (some have extensions of coverage). However, any costs to repair damaged IT systems or the loss of clients due to negative publicity (Reputational Harm to the firm) would not be covered.
Stand-alone cyber coverage is available — though many AmLaw 100 firms do not have it — and would cover the aforementioned “loss” as well as other first-party elements of loss. It would also include pre-determined experts (i.e. Breach Counsel, Forensic Experts, Public Relations Experts, etc) who could hit the ground running once awareness of the breach occurs.
The Panama Papers will no doubt be remembered for the scandals they revealed; the fallout is already occurring. But legal consumers and providers might be wise to focus on some of the liability, ethics, and insurance issues the breach raises.