Media reporting on the so-called Panama Papers has focused on the tax affairs of wealthy individuals and international organisations, but the hacking of client files at Panamanian law firm Mossack Fonseca has implications for every business.
The largest leak in history, with some 2.6 terabytes of data involved, the shockwaves of the Panama incident have been felt around the globe, and the hacking is a wake-up call to companies that don't already treat their cyber-security with the same stringency as their legal, regulatory, financial or operational risks.
"This was a major world-wide incident, involving many high profile individuals and global organisations, but the lesson is one that any business should relate to, however small they may be," said corporate legal expert Cameron Green of Ward Gethin Archer Solicitors.
"Protecting company data from attack is not just about keeping client data safe, it's just as much about protecting your reputation, your employees and your future competitive edge, as well as keeping inside the law. And it's not just protection from outside criminals, the risk is just as likely to come from current or previous employees or competitors."
Last year a UK manufacturing company had design blueprints stolen and shared with a competitor. They launched an investigation when the competitor released equipment which was extremely similar to their own, and established that they had been subject to a targeted cyber-attack, and that the stolen blueprints had been sold to Chinese-owned companies. The infiltration was achieved when hackers targeted a job-seeking chief design engineer, who unwittingly downloaded malware through an email, after responding to a fake online recruitment profile designed specifically to trap him.
And Morrisons supermarket is being sued under a group litigation order involving more than 5000 of its employees, after personal and financial details were posted online by a disgruntled ex-employee.
"It's a really big issue for every business, large or small," added Cameron. "Electronic data is a hugely valuable commodity and that value can be encashed when it falls into the wrong hands, so business leaders must make it a top priority."
Company directors need to ensure they are meeting the requirements of the Data Protection Act and the Communications Act in the UK, and those will shortly be joined by the EU Data Protection Regulation and EU Cybersecurity Directive. Alongside, directors have a duty to be informed on any issues that are relevant to the proper running of the company under the Companies Act 2006.
A new London-headquartered National Cyber Security Centre is expected to begin operations in October 2016, bringing all the UK's cyber expertise into one place to address current problems with the digital defences of companies and organisations.
If you require further information on the above issue or any other matter, please contact a member of our team at your nearest office by clicking here.
This article aims to supply general information, but it is not intended to constitute advice. Every effort is made to ensure that the law referred to is correct at the date of publication and to avoid any statement which may mislead. However, no duty of care is assumed to any person and no liability is accepted for any omission or inaccuracy. Always seek our specific advice.
