D&O and FI Newsletter - Spring 2016
DAC Beachcroft's D&O and FI newsletter features topical issues for our global clients and contacts
Published 25 May 2016
The leak of confidential data from the Panamanian law firm, Mossack Fonseca, in April has highlighted the potential reputational risks that businesses face if they arrange their affairs in off-shore jurisdictions and the general data security risks that all businesses face today.
In the largest ever recorded data leak, an anonymous source forwarded over 11.5 million lawyer-client documents dating from as far back as the 1970s to a German newspaper. The documents were then forwarded to the International Consortium of Investigative Journalists (ICIJ) and thereafter distributed to media centres across the world.
On 3 April 2016, the leak of the so-called "Panama Papers" was first reported in the press alongside the identities of prominent public officials, national leaders, company directors and shareholders, and high net-worth individuals that have used opaque off-shore structures and shell companies to hide their wealth from tax authorities. On May 9, the ICIJ published its "Panama Papers" database, a fully searchable, on-line database containing the identities and financial records of 320,000 off-shore entities, being a small portion of the total given to the journalists by the anonymous source.
Claims relating to the Panama Papers leak have the potential to be very significant and are likely to involve criminal, regulatory and civil actions.
The leak has prompted worldwide regulatory investigations, and banks and financial institutions are already being directly implicated in these investigations.
Whilst Mossack Fonseca is maintaining that it has done nothing illegal (because tax avoidance is not illegal), its possible involvement in the use of off-shore companies to circumvent international trade sanctions in Iran, Syria and North Korea and other illicit activities including money laundering and bribe payments are now being investigated by the US Department of Justice.
In the UK, the Financial Conduct Authority (FCA) has asked 64 financial services firms and banks to disclose details of any accounts handled by Mossack Fonseca and explain what they are doing internally to assess their exposure. The FCA has not yet reached any conclusions from its preliminary analysis but given the allegations of breaches of sanctions, money-laundering offences and other crimes published in the media, the FCA has said that it will be considering whether the banks' anti-money-laundering controls should have raised "red flags".
Mossack Fonseca operated from dozens of offices across the world. Banks, investment houses, accountants, law firms, tax advisers and other professional advisers that played a role in off-shore transactions involving Mossack Fonseca should be prepared to assist with these regulatory investigations, possibly by attending interviews and producing documents for regulatory scrutiny. The costs of these investigations may sound in claims for the recovery of "defence costs" under D&O, professional indemnity, E&O and cyber policies.
Data security experts have noted that Mossack Fonseca was not encrypting its emails and it was using a computer programme with known vulnerabilities and out of date plug-ins. If it is established that the data leak was caused by the firm's failure to implement adequate security measures, then claims by former clients of Mossack Fonseca for breach of confidence, loss of privacy and reputational damage are likely.
The UK tax authority, HMRC, has confirmed it is clamping down on tax avoidance schemes and will impose tougher penalties on off-shore evaders. It is conceivable that clients or former clients of Mossack Fonseca will bring claims if the tax authorities find that the tax structures set up by Mossack Fonseca were illegal or amounted to tax evasion. Allegations of negligent tax advice/planning may not be confined to Mossack Fonseca but may also be directed against any professional involved in setting up the tax structure.
Under English law, the success of such claims would depend on whether former clients could show that, if advised differently, they could and would have invested in a different structure which would not have resulted in additional tax liabilities. Each case will turn on its own facts, but professional advisers and their insurers should consider their possible exposure in respect of such claims.
Claims may potentially extend beyond professional advisers. Company directors who pursued secret, aggressive tax strategies with Mossack Fonseca's assistance may see their company's reputation tarnished by negative media attention and (possibly) an irrecoverable fall in share price. Whilst the use of off-shore tax structures is not "illegal" per se, their use is perceived by many as "unethical" and "immoral", and it could be argued that by using such structures, the directors were not promoting the best interests of the company. We may see action groups pursue derivative claims in the future under the Companies Act 2006, if appropriately funded. These claims may potentially fall for consideration under any applicable D&O policy.
The FCA acting Chief Executive, Tracey McDermott, has reported "a significant amount of business in Panama would be expected to be perfectly legal" and it is, of course, possible that the regulatory investigations will conclude there was no illicit activity and no prosecutions will follow. Irrespective of the legalities of off-shore transactions, however, the negative media attention may cause many to evaluate their association with these structures and they may wish to give careful consideration to the following points going forward:
The Panama data leak raises a very important issue for businesses and particularly professional advisers that hold confidential data. Electronic data is vulnerable to attack by third party hackers who may delete, corrupt or distribute confidential information.
Given that lawyers, accountants and other professional advisers hold highly confidential documents electronically, many will now be concerned about data theft from their own systems and the risk of claims by clients in the event of a similar data hack. Many will question what they can do to minimise their exposure to a similar attack in the future.
Those storing confidential papers in particular should assess their data security measures within their organisation and consider how data is stored and accessed, and by whom. The following precautions may help minimise the risk of a data attack:
The Panama data leak is a wake up for many. It has highlighted the reputational risks of being associated with off-shore structures and highlighted the vulnerabilities of storing confidential data electronically. Professional advisers, in particular, should reflect on the reputational damage they may cause to themselves and to their clients where sensitive information is leaked publicly and ensure their digital security is sufficient to minimise the risk of a security breach in the future.