Mitigating your own Mossack Fonseca

The April 2016 data breach at law firm Mossack Fonseca, which led to the publication of client information in documents known as the Panama Papers, has put the spotlight on data security in law firms. Robert Cox discusses how business managers and IT teams can work together to assess risks and determine whether IT recommendations should be undertaken.

How did the data breach occur?
The Panama Papers contained 40 years of history, and included:
- 4.8 million emails
- 2.2 million PDFs
- 1.1 million images
- 320,000 documents

How the information was leaked will probably never be known. However, what has been reported is the following:
1. Aspects of the Mossack Fonseca email system had not been updated since 2009. The version of the system in use had known security holes, which have been subsequently fixed by Microsoft.
2. Emails sent from Mossack Fonseca to their clients were not encrypted. It is possible that intermediaries could have read the contents of the emails.
3. The Mossack Fonseca Client Information Portal was last updated in 2013 and had at least 25 known security holes. These security holes made it possible for someone to access all of the data in the client information portal.

The possibility of an employee being involved in the data breach should also not be discounted, although Mossack Fonseca has publicly indicated that it was not “an inside job”.

What could have been done to prevent the breach occurring?
If the source of the data breach was one of the above issues, at first glance prevention would seem quite simple. Ensuring that each product was running the latest software would have been enough to prevent the problem.

But the reality is never that simple, is it? Mossack Fonseca’s IT system is likely to involve many hundreds of physical devices including servers, networks, PCs, laptops and mobile phones. Each device would run software from many different vendors. And each one of these systems requires ongoing software updates and configuring – a significant ongoing investment.
Some firms take the chance that cyber security events won’t occur and run their systems without incident. Others take a more cautious view and treat the cost of this ongoing investment as an insurance premium.
A simplified risk assessment process can and should be used to assess whether an IT recommendation (eg, upgrading a server, implementing new security procedures or technology) should be accepted. You need to weigh up the costs and benefits of the recommendation against other priorities for your organisation.

Three steps for assessing IT recommendations
The process that I use is as follows:
1. determine the cost of the ‘insurance premium’, meaning the difference between the cost of doing nothing and what is being recommended;
2. summarise the potential events that are being mitigated; and
3. determine a nominal value for the cost to the business if the events occur (this assessment needs to be completed by the Partners, business owners or management team). In this context the impact on an organisation’s reputation needs to be included.

Once this information is available, a short meeting between the IT and management teams will quickly be able to determine if a recommendation is an obvious go, an obvious no-go or a genuine 50/50 decision.
This process has deliberately avoided nominating the probability of the event occurring. This is because IT specialists find it impossible to quantify a risk beyond broad high, medium, and low categories. However, IT specialists do find it easy to compare two events and nominate which is more likely – this information can then be used to assist in determining whether a recommendation should be accepted.

Robert Cox helps law firms solve their IT problems as a director at Innessco.
