‘Loose lips sink ships’ is an idiom that found favour on propaganda posters more than 70 years ago. While unguarded discussions in the business community won’t cost lives, a lack of data security in the modern world can sink the reputations of businesses, service providers and even jurisdictions.
For offshore finance centres looking to source and retain business in a competitive world, data security is becoming a hot topic. By their very nature offshore finance centres are often more reliant on email and other electronic communication methods than onshore jurisdictions.
Developments in technology mean that security breaches can see vast amounts of client data being extracted and exported around the world either remotely or using tiny drives, where previously such a breach would have been almost impossible.
For offshore service providers’ private wealth clients a data breach revealing information about their net worth or financial planning can be hugely embarrassing, notwithstanding the legality of their personal structures. Once the genie is out of the bottle it is impossible to put it back in, and as a result many offshore jurisdictions are now focused on demonstrating the data security strengths of their offering.
In terms of approaches to this, two lines are being taken. One is the introduction of further legislation around data security with a view to criminalising breaches; the second is a focus on ‘encouraging’ behaviours that minimise the risk of a security breach.
The Virgin Islands’ new Computer Misuse and Cybercrime Act was reviewed repeatedly by the Virgin Islands’ legislature as a result of concern about its scope. It includes an offence regarding the publication of certain categories of information, one of which is information relating to financial services businesses, when obtained unlawfully from a computer.
With a maximum sentence of 20 years and the Act purporting to have extra-territorial effect, this offence has been a much-discussed aspect of the legislation. Of course those following the Edward Snowden case may ask: since the threat of even heavier penalties cannot stop leaks, why should this? Moreover, a public interest defence was added as a result of significant media comment.
Other jurisdictions will consider that, for now, their existing laws and regulations more than cover this issue by reference to data protection and record maintenance, and therefore they focus on practices rather than regulation.
In Guernsey the financial services regulator has recently published a thematic review of data security practices in one sector of the financial services industry. While no indications have been given about a future legislative agenda at the time of writing, this document clearly raises issues as to what constitutes best practice and points to areas where law firms may wish to direct their attention.
In many ways, data security seems to be viewed as a risk to be dealt with in the same way as the risks of financial crimes. In addition to more technical concepts, suggestions include:
• the designation of a specific data security officer with responsibility for regular board updates;
• checks on outsourced service providers; and
• regular training for staff on the importance of data protection.
All of these are familiar concepts to those accustomed to the methods used in relation to money-laundering risk.
As with managing money-laundering risk, data security is an area requiring proper procedures and practices. A law firm can have all the bells and whistles in terms of cybersecurity, but if a staff member opens a door for someone they don’t recognise out of misguided politeness it may all be for naught.
It is clear that we can expect increased focus on issues such as the physical security of offices, appropriate disposal of recyclable papers, use of social media and webmail from office computers and revisions to remote access procedures.
By way of example, as more and more businesses switch from BlackBerry to other smart devices, one might wonder if the security upon which BlackBerry built its reputation is given sufficient consideration. In the battle between utility and security, the former prevails more often than it perhaps should. One might further ask whether unprotected wifi is appropriate in office receptions.
For lawyers operating in and around offshore jurisdictions, changes in legislation and best practice in the area of data security are likely to come thick and fast as technology and approaches evolve. Consideration will also need to be given to managing differing, or worse still conflicting, data security requirements applicable where firms operate in multiple jurisdictions.
Thought will also need to be given to internal approaches to data security. It is not inconceivable that, as part of beauty parades for significant mandates in future, clients will expect firms to be able to detail and demonstrate how they manage data security risk.
We have moved beyond a duty of confidentiality and into a duty to proactively maintain confidentiality in the face of external threats.
With offshore firms holding much of the same data as offshore service providers, their attractiveness as targets for so-called ‘hacktivists’ or other cyber-criminals looking for information cannot be denied and must be positively managed by proper security measures.
It is not impossible to imagine that a major firm could find its reputation destroyed as a result of a data security breach. Over the past few years we’ve seen a number of significant leaks published in the press regarding offshore activity. We’ve also seen at least one instance, in the JK Rowling-Russells saga, of a high-profile client taking on her lawyer for a breach of confidentiality.
It is to be hoped that these lessons are learned and learned well. Data theft is, by its nature, a crime without borders to which all those online are exposed, including the offshore community.
Whether legislation on point has followed into all offshore jurisdictions or not, for offshore firms the need to manage practices and advise clients in relation to the risks unquestionably has. If we are to keep our ships afloat, neither our lips nor our servers can be loose.
Wayne Atkinson is a senior associate at Collas Crill.