Thank you for sharing!

Your article was successfully shared with the contacts you provided.

‘Loose lips sink ships’ is an idiom that found favour on propaganda posters more than 70 years ago. While unguarded discussions in the business community won’t cost lives, a lack of data security in the modern world can sink the reputations of businesses, service providers and even jurisdictions.

For offshore finance centres looking to source and retain business in a competitive world, data security is becoming a hot topic. By their very nature offshore finance centres are often more reliant on email and other electronic communication methods than onshore jurisdictions. 

Developments in technology mean that security breaches can see vast amounts of client data being extracted and exported around the world either remotely or using tiny drives, where previously such a breach would be almost impossible.

For offshore service providers’ private wealth clients a data breach revealing information about their net worth or financial planning can be hugely embarrassing, notwithstanding the legality of their personal structures. Once the genie is out of the bottle it is impossible to put it back in, and as a result many offshore jurisdictions are now focused on demonstrating the data security strengths of their offering.

In terms of approaches to this, two lines are being taken. One is the introduction of further legislation around data security with a view to criminalising breaches; the second is a focus on ‘encouraging’ behaviours that minimise the risk of a security breach.

The Virgin Islands’ new Computer Misuse and Cybercrime Act was reviewed repeatedly by the Virgin Islands’ legislature as a result of concern about its scope. It includes an offence regarding the publication of certain categories of information, one of which is information relating to financial services businesses, when obtained unlawfully from a computer. 

With a maximum sentence of 20 years and the Act purporting to have extra-territorial effect, this offence has been a much-discussed aspect of the legislation. Of course those following the Edward Snowden case may ask that, since the threat of even heavier penalties cannot stop leaks, why should this? Moreover, a public interest defence was added as a result of significant media comment. 

Other jurisdictions will consider that, for now, their existing laws and regulations more than cover this issue by reference to data protection and record maintenance, and therefore they focus on practices rather than regulation.

In Guernsey the financial services regulator has recently published a thematic review of data security practices in one sector of the financial services industry. While no indications have been given about a future legislative agenda at the time of writing, this document clearly raises issues as to what constitutes best practice and points to areas where law firms may wish to direct their attention.

In many ways, data security seems to be viewed as a risk to be dealt with in the same way as the risks of financial crimes. In addition to more technical concepts, suggestions include:

• the designation of a specific data security officer with responsibility for regular board updates; 

• checks on outsourced service providers; and

• regular training for staff on the importance of data protection.

All of these are familiar concepts to those accustomed to the methods used in relation to money-laundering risk. 

As with managing money laundering risk, data security is an area requiring proper procedures and practices. A law firm can have all the bells and whistles in terms of cybersecurity, but if a staff member opens a door for someone they don’t recognise out of misguided politeness it may all be for naught. 

It is clear that we can expect increased focus on issues such as the physical security of offices, appropriate disposal of recyclable papers, use of social media and webmail from office computers and revisions to remote access procedures. 

By way of example, as more and more businesses switch from BlackBerry to other smart devices, one might wonder if the security upon which BlackBerry built its reputation is given sufficient consideration. In the battle between utility and security, the former prevails more often than it perhaps should. One might further ask whether unprotected wifi is appropriate in office receptions.

Security guard

For lawyers operating in and around offshore jurisdictions, changes in legislation and best practice in the area of data security are likely to come thick and fast as technology and approaches evolve. Consideration will also need to be given to managing differing, or worse still conflicting, data security requirements applicable where firms operate in multiple jurisdictions. 

Thought will also need to be given to internal approaches to data security. It is not inconceivable that, as part of beauty parades for significant mandates in future, clients will expect firms to be able to detail and demonstrate how they manage data security risk.

We have moved beyond a duty of confidentiality and into a duty to proactively maintain confidentiality in the face of external threats.

With offshore firms holding much of the same data as offshore service providers, their attractiveness as targets for so-called ‘hacktivists’ or other cyber-criminals looking for information cannot be denied and must be positively managed by proper security measures. 

It is not impossible to imagine that a major firm could find its reputation destroyed as a result of a data security breach. Over the past few years we’ve seen a number of significant leaks published in the press regarding offshore activity. We’ve also seen at least one instance, in the JK Rowling-Russells saga, of a high-profile client taking on her lawyer for a breach of confidentiality.

It is to be hoped that these lessons are learned and learned well. Data theft is, by its nature, a crime without borders to which all those online are exposed, including the offshore community. 

Whether legislation on point has followed into all offshore jurisdictions or not, for offshore firms the need to manage practices and advise clients in relation to the risks unquestionably has. If we are to keep our ships afloat, neither our lips nor our servers can be loose.

Wayne Atkinson is a senior associate at Collas Crill.

This premium content is reserved for
Legal Week Subscribers.
Subscribe today and get 10% off.


  • Trusted insight, news and analysis from the UK and across the globe
  • Connections to senior business lawyers within the leading law firms and legal departments
  • Unique access to ALM's unrivalled, market-leading reporting in the US and Asia and cutting-edge research, including Legal Week's UK Top 50 and Global 100 rankings
  • The Legal Week Daily News Alert, Editor's Highlights, and Breaking News digital newsletters and more, plus a choice of over 70 ALM newsletters
  • Optimized access on all of your devices: desktop, tablet and mobile
  • Complete access to the site's full archive of more than 56,000 articles

Already have an account?

For enterprise-wide or corporate enquiries, please contact Paul Reeves on Preeves@alm.com or call on +44 (0) 203 875 0651


Legal Week Newsletters & Alerts

Sign Up Today and Never Miss Another Story.

As part of your subscription, you can sign up for an unlimited number of a wide range of complimentary newsletters and alerts. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2018 ALM Media Properties, LLC. All Rights Reserved.