Professional Services Firms under threat: data security breaches and compliance risks

United Kingdom

The recent fallout from the “Panama Papers” data leaks has not only thrown the use of offshore tax havens and fiscal transparency back into the spotlight, but also highlighted the threat of data security breaches and associated compliance risks to corporates, and to law firms in particular. We have brought together an overview of the main legal issues arising from these leaks, commenting on the risks and implications for: money laundering, asset tracing, circumvention of sanctions, data protection, corporate reputation, professional indemnity and cyber security risks, and funds, private equity structuring and tax.

Money laundering

The recent allegations may have potentially wide-ranging and significant ramifications not only for those identified in the leaked documents, but also for anyone else on notice of the issues and risks that have been exposed and who has dealings with the individuals and entities about whom allegations have been made. Where there are allegations concerning efforts to conceal or mislead as to ownership of assets, for whatever reason, there will be greater risk of fraud and money laundering.

Likely top of the list of concerns for those involved in transactions or business arrangements with named parties (or their offshore vehicles), is whether those arrangements expose them to money laundering risks. If so, they will need to consider carefully whether they can safely proceed with those arrangements. Even if they decide that they cannot, it is not necessarily straightforward to extricate oneself from a relationship without potentially triggering a money laundering offence. These risks arise wherever there are suspicions held (however subjectively) that one is dealing in any way with proceeds of crime (i.e. anything that constitutes or represents the benefit from criminal conduct). If the dealing (including simply possessing proceeds of crime) and the suspicions exist at the same time, a money laundering risk exists.

This risk will be real for anyone who has suspicions that their arrangements might involve them in receiving, transferring or holding proceeds of crime, or that they have become concerned in an arrangement that facilitates their acquisition, retention or use by someone else. The issue may be critical and urgent where a payment is about to be made or received about which suspicions now exist. The penalties are severe – up to 14 years’ imprisonment and an unlimited fine. The bar for the UK authorities to meet any jurisdictional requirements to investigate and prosecute is very low – if activities in relation to the crime occur in the UK, UK nationals are involved, the monies enter or leave the UK or victims suffer in the UK, this may be sufficient in appropriate cases to allow prosecutors like the SFO to investigate. There is only one clear way out: make a suspicious activity report to the National Crime Agency seeking permission to proceed with the relevant transaction or arrangement, and then wait for their response. For businesses in the regulated sector (i.e. broadly those who deal with client money, offer and manage investments and insurance products and/or advise on investments, tax and property transactions), this isn’t a choice – there are positive obligations to report suspicions of money laundering where the relevant information has been learned in the conduct of the regulated business.

Firms authorised by the PRA or FCA are obliged to carry out regular assessments of the effectiveness of their anti-money laundering systems and controls. Should a data security breach give rise to any such concerns, firms should use this as a trigger to review the effectiveness of existing controls.

In the same way, and whether firms are regulated or not, to the extent that the recent disclosures affect the risks more generally of doing business with particular parties from a bribery and corruption perspective or otherwise, these should be taken into account as part of any due diligence or on-boarding exercise before proceeding to contract with relevant parties. More generally, the recent disclosures in respect of a number of different matters in recent weeks may warrant a specific review or audit of relevant anti-fraud/money laundering/bribery controls to ensure that they remain suitable for the particular risks that the business faces.

Asset tracing

If the disclosure of a party’s interest in offshore entities exposes wrongdoing, this may give rise to new causes of action arising from those arrangements. For example, a party involved in a fraud or breach of fiduciary duty may have used an offshore shell company (in which they held an anonymous interest) for the purposes of facilitating that fraud or breach of duty. The exposure of such arrangements would offer additional remedies against the wrongdoer and possibly any assisting parties. Such remedies may include following, tracing and seeking restitution of any stolen monies, or assets acquired with those funds. In the meantime, there may be claims that the misappropriated monies and assets acquired with them are held on trust for the benefit of the claimants.

Evidence of the transferring of assets to entities in offshore jurisdictions, and ostensibly out of the reach of a potential judgment or award creditor, is likely to support court applications to freeze those assets, quite possibly through the use of worldwide freezing injunctions. This is particularly the case where the intention behind the arrangement is to make it harder to enforce any actual or anticipated judgment or award, or is a precursor to the dissipation of concealed assets. In general, time is of the essence if creditors want to protect their position and a well-coordinated cross-border strategy will be needed to identify, trace and recover the money lost.

Circumvention of sanctions

The recent allegations have revealed the use of offshore structures to circumvent sanctions. Whilst there has been much coverage recently of the relaxation of the sanctions regime affecting Iran, there remain several thousand persons and entities listed on UK, EU and US sanctions lists. Professional services firms, including law firms, are not exempt from sanctions compliance.

Sanctions regimes generally prohibit receiving payments from sanctioned persons, making payments to sanctioned persons and dealing with the economic resources of sanctioned persons. Professional services firms need to ensure that they screen clients and potential clients to confirm that any representation is not in breach of sanctions regimes. Whilst it may be possible to obtain a licence, licences can be difficult and time-consuming to obtain. Firms also need to exercise caution in providing advice that may be regarded as facilitating the circumvention of sanctions rules.

Within the UK, sanctions awareness and enforcement have been made a priority by the Chancellor, George Osborne. On 31 March 2016, a new dedicated sanctions body, the Office of Financial Sanctions Implementation, was established. As well as advising on compliance, this body is expected to take a more aggressive enforcement approach than that hitherto taken by HM Treasury. Further, the government has included provisions in the Policing and Crime Bill to introduce new penalties for breach of sanctions rules, as well as increasing the maximum custodial sentence from two to seven years.

Data protection

A “data leak” (whether following a cyber-attack or otherwise) that involves the disclosure of personal data gives rise to the potential for liability under data protection legislation. However, under the UK data protection regime (which implements the relevant EU Directive), the fact that there has been a security breach does not of itself necessarily result in a breach of the relevant legislation.

The obligation on a “data controller” (the entity that determines the purposes for which and the manner in which the personal data are to be processed) is to ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing, having regard to, amongst other things, the state of technological development, the harm that may result following a breach and the nature of the data to be processed. If, having taken appropriate measures, there is still a personal data breach (for example following a sophisticated cyber-attack that could not be realistically prevented) the data controller will not have liability under the legislation for breach of this obligation.

This position will not materially change under the proposed new EU “General Data Protection Regulation” (the “Regulation”), which is anticipated to apply from Spring 2018. However, what will be very different under the new Regulation is the requirement to notify, in certain circumstances, the relevant supervisory authority and data subjects of a personal data breach. Where a notification to the supervisory authority is required, it would need to be done without undue delay, and where feasible, not later than 72 hours after the data controller has become aware of the breach. Where a notification to data subjects is required, it would need to be made without undue delay. In addition, for the first time, “data processors” (entities that process personal data on behalf of data controllers) will also have obligations imposed on them in relation to data security and shall be directly liable under the Regulation for failing to meet them.

Given the level of potential fines under the Regulation (which could be as high as EUR 20 million, or in the case of an undertaking, 4% of the total worldwide annual turnover of the preceding financial year, whichever is the greater), organisations should ensure that they adequately assess the appropriateness of the technical and organisational measures that they have in place to prevent, or mitigate the effects of, a data security breach. Where relevant (and in certain circumstances it is necessary under the Regulation) a data protection impact assessment should be completed which should, amongst other things, identify the risks posed by the processing to be performed and the measures that could be employed to address those risks.

Organisations (whether they be controllers or processors) should also develop policies that set out the procedures that the organisation will follow in the event of a personal data breach, including procedures that take account of the new notification requirements.

Corporate reputation

Both the entity whose security has been breached and any company whose data is leaked are at risk of reputational damage, particularly where the nature of the data can be used to suggest some form of wrongdoing, whether moral or legal. Similarly, there are risks where the leaked data relates to a key employee, such as the CEO or another member of the board of directors, and where their alleged wrongdoing can be imputed to their employer.

Cyber security incidents can be big news and in order to minimise reputational damage it is important to have a carefully prepared PR strategy. There are certain protections which can be engaged:

The Editors’ Code of Practice, which is enforced by the Independent Press Standards Organisation, governs output by newspaper, magazine and electronic news publishers, with a few significant exceptions (e.g. the FT and the Guardian). It is stated in the Code that everyone is entitled to “respect for his or her private and family life, home, health and correspondence, including digital communications”. There are exceptions to this rule where the disclosure of leaked information is in the public interest, but where there is no crime or serious impropriety involved and the public has not been misled, there is arguably no public interest. Privacy is an area that media organisations will be particularly sensitive about because it is an area where there is a realistic prospect of obtaining an injunction.

The press is also under an obligation to take care not to publish inaccurate, misleading or distorted information. In the early moments following a public cyber security breach, there is a risk of information being misconstrued or for reporting to stray into speculation. Any such inaccuracy should be challenged promptly and robustly.

If the press intends to publish any potentially defamatory statement, then it should contact the named party for comment. This is an opportunity for the subject to get as much information as possible about the allegations which are to be published and the evidence upon which they are based. Any statement should be carefully drafted and, if necessary, PR advice should be sought.

Where the publication of allegations of wrongdoing or incompetence occurs which would cause serious harm to an organisation or individual (which requires serious financial loss in the case of a company), it would be open to such affected party to bring proceedings for defamation. However, affected individuals and companies should think carefully about such a public step. There is always a risk that this will give additional coverage to a story, even if ultimately such a claim is successful.

Professional indemnity cover and cyber security risks

Law firms and other professional service providers face two major risks in relation to cybercrime which may not be covered by professional indemnity coverage: breach of client confidentiality and structural/financial impact upon a law firm itself.

Unauthorised “leakage” of confidential information by employees, commercial espionage, “phishing” attacks, the use of “malware” and hacking are all risks facing law firms given the nature of confidential information they hold. Where these result in civil claims against the firm by clients or other third parties to whom the firm owes a duty of care and/or prompt an investigation or inquiry, there may be cover under the firm’s professional indemnity cover, subject to its terms and conditions (which commonly exclude cover for fines or penalties).

Firms may also face threats to their own ability to carry out their professional business, for example, due to attacks on their own websites or servers or on those of external providers. As well as some third party losses, first party losses – such as breach response, PR expenses, forensic investigations, business interruption, denial of service, extortion threats, breach of employee confidentiality, and fines and penalties – caused to a law firm may not be covered by its professional indemnity insurance.

Where news of a breach of confidentiality breaks, a firm is in a situation which has legal, regulatory, technical and public relations dimensions and it is vital that a firm (a) plans for this contingency and (b) identifies in advance a specialist internal or, if necessary, external team that can assist. Many cyber insurers provide access to such support as an ingredient of the coverage.

Funds, private equity structuring and tax

Industry participants cannot fail to have been aware of increased scrutiny of the use of offshore jurisdictions in recent years. In some cases, investors have expressed preferences to avoid structuring investment vehicles in offshore jurisdictions, and some investors will simply not invest in vehicles established in certain offshore jurisdictions because of the perceived reputational risk. However, the position is not as simple as ‘onshore good; offshore bad’ and it is important to emphasise the variety of legitimate reasons to structure funds, holding companies and investment vehicles offshore. These include: regulatory considerations (particularly with respect to the AIFM Directive), structural considerations (range and flexibility of vehicles) and legitimate tax planning (seeking to put indirect investment on a par with direct investment in tax terms). These factors account for the popularity of, for example, Jersey and Guernsey vehicles in both “upstream” fund structures and “downstream” investment holding structures. From a UK perspective, using an offshore vehicle located in a low or no tax jurisdiction to purchase UK property or to hold UK investments remains perfectly legal in and of itself and is understood by the authorities as such (despite recent changes, the UK tax system has been for many years, and to some extent remains, favourable to non-residents, principally in order to attract inward investment).

Further, many offshore jurisdictions are subject to high regulatory standards of which they are rightly proud. For example, the Know Your Client anti-money laundering requirements in Guernsey are more stringent than those in many onshore jurisdictions. While no-one would argue against steps being taken to prevent the use of offshore vehicles for illegitimate purposes, such as money laundering, it would be a pity if these purposes and the legitimate reasons to use offshore vehicles were wrongly conflated. Were that to happen, the losers would be investors, including retail investors, pension funds and insurance companies, whose returns would be impacted by the loss of flexibility. Nonetheless, we do foresee that the unrepresentative minority (of offshore jurisdictions and those who use them for illegitimate purposes) risk giving the others a bad name, at least in the short term.

The debate needs to move on from “offshore bad” to “offshore OK, provided it is compliant with international standards on disclosure and enforcement such as those promulgated by the OECD’s common reporting standards”. Offshore jurisdictions which don’t meet these standards may then be perceived as very bad indeed, and we may now see their ilk becoming pariah states in contrast to jurisdictions such as Jersey or Guernsey.

Our contacts in the above areas are:

Money Laundering: Omar Qureshi
Asset Tracing: Guy Pendell, Tim Hardy
Sanctions: Caroline Hobson
Data protection: Emma Burnett
Corporate Reputation: Sue Barty
Professional indemnity and Cyber security: Stephen Tester, Anna Crew
Private Equity and Funds: Cathy Pitt
Tax: Richard Croker