The Epiq Angle

Key Lesson from the Panama Papers Data Breach: Keep your Information Custodians Close

April 15, 2016

5 questions to ask any vendor to strengthen your data security controls

In the past five years, approximately 80 percent of top U.S. law firms have been hacked. Statistics reveal that an average of 229 days elapse before a data breach is actually detected. The potential for irreparable harm during that amount of time is enormous.

Key Lesson from the Panama Papers Data Breach: Keep your Information Custodians Close

The Panama Papers scandal has caused global alarm and political upheaval. More than 11.5 million documents from Panamanian law firm Mossack Fonesca’s database are now in the hands of journalists—the result of either a leak from inside or a hack from outside. On April 3, 2016, such journalists in 76 countries began publishing stories divulging hidden wealth, offshore tax havens and illicit activities. The data implicated prominent figures in the Americas, Europe, Africa, Asia and the Middle East.  

On April 12, 2016, organized crime prosecutors raided the Panamanian law firm and its subsidiaries “to obtain documentation linked to the information published in news articles that establish the use of the firm in illicit activities.” What started with batches of stolen documents has turned into an international incident. Mossack Fonesca has and continues to claim no wrongdoing.

What can the Panama Papers incident teach us about safeguarding our own, and more importantly our clients’, information?

The answer is simple: When dealing with sensitive information, you better thoroughly and continuously vet who handles it, as well as their security programs used to protect it. Companies and firms often find it more cost effective to do reactive damage control after a data breach than to proactively modify behaviors (e.g., implement proper controls) before problems occur. This can be especially true when information security and privacy are only a tangential concern of the entity to whom clients entrust their data. Lack of proactive measures exposes clients to risks and potentially irreparable harm. The U.K. government publication Cybersecurity Guidance for Business states that such breaches are likely to lead to “material financial loss through loss of productivity, of intellectual property, reputational damage, recovery costs, investigation time [and] regulatory and legal costs.”

How to mitigate the risks of cyber incidents

How do we mitigate these risks? Create a baseline of security controls that match the classification of the information in question. Due to the technical details of cybersecurity technology, companies and firms have now turned to compliance frameworks to effectively communicate and assess security controls. In short, compliance is now the language used to discuss security. Therefore, do your due diligence and conduct audits; know your chosen security framework, classify your data, and hold other custodians accountable for the continuous operation of the required controls.

Crucial questions to ask your information custodians:

  • Technical Concerns. Do you maintain the basic technologies used to protect the information housed in your systems? These technologies include intrusion detection systems (IDS), intrusion prevention systems (IPS), security incident and event management systems (SEIM), anti-virus technology, are they deployed to all assets in the scope of services? How do you successfully operate, monitor, and update these supporting technologies?
  • Information Security Policies: Do you have and continuously update internal polies on maintaining your information security program? Do you have published and acknowledge acceptable use policies (AUP)?
  • Human Intelligence. Does your custodian have adequate contact with law enforcement such that immediate and effective communication can be established in the event of breach?
  • Personnel Vetting. Does the custodian perform background checks on its personnel and have systems in place to reveal and/or expose improper conflicts, motives or biases?
  • Associate Training. Are associates properly trained on security controls and how to implement them? Can associates articulate the standards? In the training are key topics such as social engineering, phishing methods, the acceptable use policy, and your internal security policies covered thoroughly?

Protecting your most sensitive data is about trust and competence. It can’t be left to chance.

Filed under: data breach