Ian Christopher McCaleb and Eric Lebson authored this piece.

At the beginning of April the world seemed to have been turned on its collective ear by the sudden exposure of a 40-year trove of internal materials belonging to the Panama City law firm Mossack Fonseca, the so-called Panama Papers. The recriminations will remain audible for some time to come, and there are many noteworthy angles to the story of how so many people and organizations, not all of them spectacularly wealthy, used the firm to shelter their assets from their home countries’ tax authorities.

News organizations and commentators the world over have been reporting or fulminating on the matter since the story broke on April 3, with the International Consortium of Investigative Journalists overseeing and coordinating a herculean parsing process from its Washington, D.C. headquarters.

The ICIJ has managed the efforts of nearly 400 journalists employed by approximately 100 news organizations and spread across 70 countries. For the better part of a year or more, this union of reporters and editors has been working through what has been described as the largest data compromise in history: nearly 12 million financial records documenting who moved what assets, how they did it and where those assets went.

And no one knew a thing about what they were up to.

There are several ironies here, some of which have already been dissected in the mainstream press. The core elements of the entire saga, however, are security, secrecy and trust. Mossack Fonseca’s clients fervently believed they could completely trust the firm with their most closely held financial, and sometimes very personal, secrets.

Whether by an outside breach or, more likely, by an insider at the firm turned “ethical hacker”, someone has pulled away the veneer of Mossack Fonseca’s trustworthiness, and four decades of confidences are now spilling out for the entire world to deconstruct.

Mossack Fonseca evidently did not practice world-class data protection or comparable operational security. It does not matter whether the person who obtained the material hacked in from the outside or simply walked off with it from within: either way, four decades of client records left the firm, and the controls that should have prevented that exfiltration, or at least detected it while it was under way, were absent or ineffective. Mossack Fonseca was seriously negligent in regard to its internal security regime.

To the Business Intelligence practitioner, there is no more important client-safety recommendation, especially in the midst of a red-teaming engagement or an intense due diligence process, than insisting that all operations involving the most sensitive personal, corporate and financial information be locked down as tightly as possible. Access should be granted on a government-style “need to know” basis, so that each person sees only the specific matters and data their work requires, and broad access (administrators, IT staff, partners) should be rare, reviewed and logged. Firewalls and other perimeter controls must be kept current, but they do little against someone who already holds legitimate credentials; monitoring must therefore cover access logs and outbound data movement, so that an unusual volume of reads or copies across many client matters raises an alarm while it is happening rather than after the fact.

From our perspective, it makes preventive sense to recommend defensive measures to our clients, through partnering arrangements with data security and forensics providers. It is also advisable for companies entrusting information whose exposure would be an existential risk to conduct their own due diligence on their law firm and how it handles such material: from the simple use of shredders, to the vetting of employees, to the compartmentalization and audit procedures in place within its networks. Mitigation and recovery matter after a catastrophic breach, but Business Intelligence regimes can also help identify weaknesses before they are exploited from the inside or the outside.
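The two recommendations above, need-to-know access to client matters and an audit trail that someone actually watches, can be modelled in a few dozen lines. The following is an added illustration written for this piece; it is not code from Mossack Fonseca, the ICIJ or LEVICK. The document store, the user names, the 40 constructed client matters and the alert thresholds are all assumptions chosen to show the idea: compartments stop the user who was never granted access, while the audit log and the bulk-access detector are what catch a user whose legitimate access is broad enough to copy everything.

```python
"""Need-to-know compartments, an audit trail, and bulk-access alerting.

Added illustration; not the code of any firm or project named in the article.
Users, matters, timestamps and thresholds below are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Document:
    doc_id: str
    matter: str  # the client matter (compartment) the document belongs to


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    doc_id: str
    matter: str
    allowed: bool


class DocumentStore:
    """Documents are compartmented by matter. A user may read a document only
    when explicitly granted that matter. Every attempt, allowed or denied, is logged."""

    def __init__(self) -> None:
        self._docs: dict[str, Document] = {}
        self._grants: dict[str, set[str]] = defaultdict(set)  # user -> matters
        self.audit: list[AuditEvent] = []

    def add_document(self, doc: Document) -> None:
        self._docs[doc.doc_id] = doc

    def grant(self, user: str, matter: str) -> None:
        self._grants[user].add(matter)

    def read(self, user: str, doc_id: str, now: datetime) -> bool:
        doc = self._docs[doc_id]
        allowed = doc.matter in self._grants.get(user, set())
        self.audit.append(AuditEvent(now, user, doc_id, doc.matter, allowed))
        return allowed


def bulk_access_alerts(audit, window=timedelta(hours=1), max_matters=3, max_docs=50):
    """Return users who, within a sliding time window, read documents from more
    distinct matters than one engagement plausibly needs, or more documents than a
    person reads by hand. Thresholds are illustrative, not recommendations."""
    alerts = set()
    by_user = defaultdict(list)
    for ev in audit:
        if ev.allowed:
            by_user[ev.user].append(ev)
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(events):
            while ev.ts - events[start].ts > window:  # slide the window forward
                start += 1
            span = events[start:end + 1]
            if len({e.matter for e in span}) > max_matters or len(span) > max_docs:
                alerts.add(user)
                break
    return alerts


def denied_access_attempts(audit):
    """Denied reads are a signal in their own right: someone probing compartments
    they were never assigned to. Returns {user: number of denials}."""
    counts = defaultdict(int)
    for ev in audit:
        if not ev.allowed:
            counts[ev.user] += 1
    return dict(counts)


def demo():
    store = DocumentStore()
    t0 = datetime(2016, 4, 1, 9, 0, 0)  # constructed timestamp
    # Constructed sample: 40 client matters with 5 documents each.
    for m in range(40):
        for d in range(5):
            store.add_document(Document(f"doc-{m}-{d}", f"matter-{m}"))
    # An associate assigned to two matters reads only within them: no alert.
    store.grant("associate", "matter-1")
    store.grant("associate", "matter-2")
    for i in range(10):
        store.read("associate", f"doc-{1 + i % 2}-{i % 5}", t0 + timedelta(minutes=i))
    # The associate tries a matter not granted: denied, but still logged.
    store.read("associate", "doc-7-0", t0 + timedelta(minutes=11))
    # An administrator holding every matter copies the whole store in minutes.
    # Compartments cannot stop this user; only the audit trail can reveal it.
    for m in range(40):
        store.grant("admin", f"matter-{m}")
    for m in range(40):
        for d in range(5):
            store.read("admin", f"doc-{m}-{d}", t0 + timedelta(seconds=m * 5 + d))
    return bulk_access_alerts(store.audit), denied_access_attempts(store.audit), store


if __name__ == "__main__":
    alerts, denied, _ = demo()
    print("bulk-access alerts:", alerts)
    print("denied attempts:", denied)
```

The point of the second detector is the one the article makes: a firm can have a perfectly good permission model and still lose four decades of records to someone whose role legitimately spans every client matter. Real thresholds would be set from the firm's own baseline of normal access, and the same check belongs on file-copy and e-mail egress logs, not only on document reads.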

The existential threat to an organization like Mossack Fonseca is incalculable at this point. Worse, all of this was very likely preventable.

The grandest contrast in the Panama Papers situation is between how thoroughly Mossack Fonseca has been embarrassed by its own security efforts and how stealthily the ICIJ managed a top-secret information exploitation effort spanning multiple countries and hundreds of individual participants. Not a word, not even the slightest hint, of this operation leaked until the consortium was ready to make its own revelations on its own terms.

How did they do it? Limited information about their communications and encryption practices is available online, much of it via journalism industry blogs and trade publications, but we should assume they are not disclosing anything substantive about how they kept it all under wraps.

Nor should they. An organization like the ICIJ is a standing target for hackers and digital intruders of all sorts, foreign intelligence services included. The methods the ICIJ employed to ensure secrecy and unimpeded workflow are surely worthy of admiration and study from a variety of perspectives.

There’s a right way to secure confidentiality, and a wrong way to promise or assure the same.

There will be many takeaways from the Panama Papers saga over the coming weeks and months, but from a security standpoint, look to nascent, hungry and self-aware organizations like the ICIJ. Complacency and self-assurance, above all in regard to the most delicate operational security, are not to be trusted in this ever-evolving worldwide digital landscape.

* * *

Ian Christopher McCaleb and Eric Lebson are Business Intelligence practitioners at LEVICK. They can be reached at [email protected] and [email protected].