Professional Liability Blog

Lawyers in the United States Should Pay Attention to the Panama Papers

04/06/2016 | by Sherin and Lodgen


Professional Liability Blog

Lawyers in the United States Should Pay Attention to the Panama Papers

By Sherin and Lodgen on April 6, 2016


The Panamanian law firm that was the source of the “Panama Papers” says it was hacked, exposing its clients’ personal and financial data to the world.

For American lawyers subject to the Rules of Professional Conduct, the problems facing the Panamanian firm Mossack Fonseca should serve as a reminder to take extra care to secure electronic data.  Lawyers have an obligation under Model of Rule Professional Conduct 1.6(c) to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”  This data security obligation was added to Massachusetts Rule of Professional Conduct 1.6(c) last year.

In the Panama Papers case, Mossack Fonseca blamed the hack on an “unauthorized breach of our email server.”  That should give American lawyers pause, even if they do not count the prime minister of Iceland, cronies of Vladimir Putin, or members of the Chinese Politburo among their clients.  Massachusetts lawyers should pay attention, and consider what would happen if their clients’ confidential information became publicly available.  Although exposure of such information might not make headlines, it could devastate clients if it fell into wrong hands.

What Constitutes “Reasonable Efforts?”

Rule 1.6(c) does not say what constitutes “reasonable efforts.”  But Comment 18 to the rule says:

[f]actors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Comment 18 also states that a lawyer does not violate Rule 1.6(c) if someone gains unauthorized access to information, notwithstanding reasonable efforts to prevent the access.

Still, it would be embarrassing, or worse, for any lawyer to explain to his or her client – and, possibly, the Board of Bar Overseers – that confidential documents were exposed because they were held in the lawyer’s Hotmail account, for which the password was “password.”  Even if the password were stronger, lawyers must remember that someone who knows the answers to a security question might be able to gain access to web-based email.  If the question is something like: “Where did you go to high school?” sensitive client information might be at risk to anyone who knows anything about you – or is willing to invest in a little internet sleuthing

The need to protect client information is not lessened if a lawyer’s clients are not public figures.  Adversaries, business competitors and jealous ex-spouses, among others, may be highly interested in a client’s confidential electronic files, to say nothing of identity thieves and fraudsters.

Lawyers and firms should tailor their data security to their clients and their practices.  There are numerous actions lawyers can take to protect their data, but some of the simplest and most non-burdensome steps include the following:

  • Adopt an information security policy that covers all information systems, including e-mail, voicemail, text messages, computers, cellphones, remote access and passwords, among others.
  • Use difficult passwords. A random collection of characters is far stronger than an English-language word.  Letters and numbers can be added or switched to make the password easier to remember; for example, the dog’s name – “skippy” –might become “$k1ppy!” Change passwords regularly.
  • Lawyers who use web-based email should check their security questions, and make sure they are not obvious and well-known to others. All web-based email should also utilize two-step verification.
  • Consider retaining an outside IT expert to make sure your security is as strong as possible.
  • Finally, use common sense, and train your employees to do the same. For example, do not click on suspicious links and attachments, or keep your password written down in an obvious place on your desk.

The upshot is that it is better to consider – and possibly upgrade – your security before a hack, rather than to have to defend it afterwards.