Mitigating your own Mossack Fonseca

The April 2016 data breach at law firm Mossack Fonseca, which led to the publication of client information in documents known as the Panama Papers, has put the spotlight on data security in law firms. Robert Cox discusses how business managers and IT teams can work together to assess risks and determine whether IT recommendations should be undertaken.

How did the data breach occur?
The Panama Papers contained 40 years of history, and included:
- 4.8 million emails
- 2.2 million PDFs
- 1.1 million images
- 320,000 documents

How the information was leaked will probably never be known. However, what has been reported is the following:
1. Aspects of the Mossack Fonseca email system had not been updated since 2009. The version of the system in use had known security holes, which have subsequently been fixed by Microsoft.
2. Emails sent from Mossack Fonseca to their clients were not encrypted. It is possible that intermediaries could have read the contents of the emails.
3. The Mossack Fonseca Client Information Portal was last updated in 2013 and had at least 25 known security holes. These security holes made it possible for someone to access all of the data in the client information portal.

The possibility of an employee being involved in the data breach should also not be discounted, although Mossack Fonseca has publicly indicated that it was not “an inside job”.

What could have been done to prevent the breach occurring?
If the source of the data breach was one of the above issues, at first glance prevention would seem quite simple. Ensuring that each product was running the latest software would have been enough to prevent the problem.

But the reality is never that simple, is it? Mossack Fonseca’s IT system is likely to involve many hundreds of physical devices including servers, networks, PCs, laptops and mobile phones. Each device would run software from many different vendors. And each one of these systems requires ongoing software updates and configuring – a significant ongoing investment.
Some firms take the chance that cyber security events won’t occur and run their systems without incident. Others take a more cautious view and treat the cost of this ongoing investment as an insurance premium.
A simplified risk assessment process can and should be used to assess whether an IT recommendation (eg, upgrading a server, implementing new security procedures or technology) should be accepted. You need to weigh up the costs and benefits of the recommendation against other priorities for your organisation.

Three steps for assessing IT recommendations
The process that I use is as follows:
1. determine the cost of the ‘insurance premium’, meaning the difference between the cost of doing nothing and what is being recommended;
2. summarise the potential events that are being mitigated; and
3. determine a nominal value for the cost to the business if the events occur (this assessment needs to be completed by the Partners, business owners or management team). In this context the impact on an organisation’s reputation needs to be included.

Once this information is available, a short meeting between the IT and management teams will quickly be able to determine if a recommendation is an obvious go, an obvious no-go or a genuine 50/50 decision.
This process has deliberately avoided nominating the probability of the event occurring. This is because IT specialists find it impossible to quantify a risk beyond broad high, medium, and low categories. However, IT specialists do find it easy to compare two events and nominate which is more likely – this information can then be used to assist in determining whether a recommendation should be accepted.

Robert Cox helps law firms solve their IT problems as a director at Innessco.
