Law firms should update potential electronic security vulnerabilities

Expect_Us

The Panama Papers scandal should prompt law firms, and other professional services firms, to update their electronic security measures, says Toronto business lawyer Joel Berkovitz.

Panamanian law firm Mossack Fonseca, which specializes in the creation of offshore companies, claims it was the victim of a hacking in the massive leak of its client files — a reported 11.5 million documents covering a 40-year period — turned over to journalists from news outlets around the world.

“This is a bit of a warning signal for Canadian law firms, and other professional entities regarding their electronic security measures,” says Berkovitz, a lawyer with Shibley Righton LLP.

He says the reputational damage done to the firm as a result of the leak could pale in comparison to the financial burden it could face in the years to come.

“This is a huge problem for the law firm because, if they were negligent in their electronic security system, they could be liable to clients for any damage that flows from the material that was leaked. If there are fines or prosecutions as a result, they might look to sue the law firm for damages,” Berkovitz tells AdvocateDaily.com.

Internet security experts recently told Wired magazine that the law firm’s front-end computer systems, such as its webmail and client portal software, were outdated and shot through with security vulnerabilities.

“If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology,” Alan Woodward, a professor of computer science at the U.K.’s Surrey University, told Wired.

Berkovitz says there is a chance prosecutors will try to use the leaked documents even though, had they not been leaked, many would be covered by solicitor-client privilege.

“Solicitor-client privilege generally covers all legitimate communications between clients and their lawyers, and is fiercely guarded by courts,” he says. “Lawyers can’t waive privilege over documents, because the privilege is not theirs to waive, but in cases of inadvertent disclosure the courts sometimes find that that privilege has been lost. If governments try to bring prosecutions based on the leaked documents, expect to see a fierce fight over whether solicitor-client privilege has been lost.”

The Canada Revenue Agency (CRA) has requested access to the documents in order to determine whether any tax rules were broken by holders of the offshore accounts, while the Royal Bank of Canada has defended its role after it emerged it used Mossack Fonseca to create more than 370 foreign corporations for its clients over the course of many years, the CBC reports.

“Right now, there seems to be some limited ties to Canada, but no evidence of any wrongdoing,” Berkovitz says. “Given the vast scope of the documents though, it’s likely more ties to Canada will be discovered as time goes on.”

But, he warns, people shouldn’t look at this as a smoking gun. 

“People are jumping to a lot of conclusions that offshore accounts and holding companies are necessarily evidence of tax evasion or any other illegal activity,” Berkovitz says. “That may be true for some of these entities, but there are all sorts of legitimate tax-planning reasons for using these types of companies. It comes down to the difference between legitimate strategies to minimize your tax obligations versus tax evasion.”

He says the CRA will look at transactions to determine if they comply with s. 245 of the federal Income Tax Act, the General Anti-Avoidance Rule. The rule requires all transactions to be carried out for a bona fide purpose other than to avoid tax.

“A transaction will not offend the Anti-Avoidance Rule as long as the primary purpose of the transaction is not to avoid tax,” Berkovitz says. “If you’re a global company with operations in many countries, there are many legitimate business reasons why you may need to set up a company in Panama or another low-tax jurisdiction.”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.