30 Nov 2017

Foreign Journalists Discover Treasure in Bermuda

Author:

As enchanting as the Bermuda sea is, during rough weather, Bermuda’s beguiling reefs have been the source of many lost ships over the past hundreds of years during trans-Atlantic journeys shipping treasures and taxes from the Americas to Europe. However, no one could have anticipated the rough waves that just crashed upon some of the world’s richest and most well-known companies as the true hidden treasure in Bermuda had long been a quietly kept secret by offshore Bermudian lawyers.

This November, hundreds of investigative journalists from around the world, coordinated by the Washington DC-based International Consortium of Investigative Journalists (“ICIJ”), released what is now the second largest treasure trove of “obtained” previously private internal client emails, work product emails and many more very sensitive and potentially embarrassing files (if made public). 4 million in total. The ICIJ claim these obtained documents reveal billions of dollars stashed in offshore accounts of more than 120 politicians and notable world leaders, and more than 100 multinational corporations including Apple, Nike and Allergan.

The discovery by the ICIJ of this un-buried “treasure” exposes far more money than any pirate has ever found off of the shores of Bermuda on any sunken pirate ship.

Why should you care? Because this isn’t the first time this has happened. And won’t be the last. Previously the ICIJ exposed what has been dubbed the Panama Papers. This network of organized journalists has created a resourceful and tech savvy worldwide consortia that is intent on publicizing private client information — whether it be wealth and investment account information or strategic planning correspondence — on their websites, and then using their journalistic skills, to disseminate stories of hidden treasure to the world through their media outlets.

This latest gold mine, dubbed Paradise Papers (yes, Bermuda’s beaches truly are paradise), originated from the offshore law firm Appleby and maps a web of secret wealth that has been stashed around the globe. The unearthed records cover a period of more than six decades through to 2014 of entities that are registered in more than 30 offshore jurisdictions. It includes information from shareholders, directors and other officers connected to offshore companies, foundations and trusts. It also reveals the names of the real owners behind those secret structures.

There is no doubt that the majority of this correspondence would not have been admissible in civil court actions, due to them being protected as attorney-client or attorney work product privileges. It is also likely that the person who provided the ICIJ with its trove of data committed an Internet crime or at the very least violated a corporate non-disclosure agreement.

But to the politicians, notable world leaders and business titans whose information has now been made public does it really matter how the information became public? The legal practitioners and wealth advisors charged with keeping this information secret and private have failed and now the sensitive information is out there. And in today’s environment of massive and immediate dissemination and worldwide publication of exposed confidential information, if one can point to a public release of the information, does that circumvent attorney-client and work product privilege? One might argue (and we will likely see these arguments more often) that in the new era of published leaks, attorney-client privilege is becoming obsolete. (CLICK HERE to see how top tier Florida lawyers and wealth advisors are protecting their clients – recorded Tech Essentials webinars)

With the “Panama Papers”, however the information was obtained, whether by an anonymous “whistleblower” or criminal hack, the person or persons was able to secretly send journalists the massive set of emails and files which were then circulated to more than 400 reporters in secret over more than a year, before a coordinated effort to go public, according to ICIJ. According to Wired Magazine, the leaker and the ICIJ that coordinated the effort took great care to use encryption to mask their correspondence. Ironically, encryption is the one thing the Mossack Fonseca law firm and their clients, it appears, failed to exercise.

This instance, the “Paradise Papers,” the leak occurred at a top tier Bermudian based, and international law firm, Appleby.

Who might these new whistleblowers have been?

Perhaps this was a criminal hacker that gained access to the firm’s IT systems. Or, conceivably, it could have been a disgruntled IT staffer, consultant, or outsourcer that copied the database of files before leaving the firm, and then sold it to a third party. How much could sensitive information like this be worth? $10,000? $100,000? $1 million? Was a ransom offered and not paid? Whatever the price, the reputational damage to the Bermudian law firm Appleby and Panamanian law firm Mossack Fonseca and its clients is far greater.

In these scenarios, it is important to remember that plain text email correspondence can be exposed in route in many ways, and certainly on a company’s mail servers, anyone with access can read these messages at will.

Let’s assume IT staffs are loyal and committed to using best efforts to protect their employees and employers, and as such, they often go the extra step of setting up encryption at the mail gateway – – so everything leaving the firm is encrypted when it hits the Internet. We know, however, that they often cannot control what happens to your message upon receipt at the recipient destination, and often it is out of their control if email archives store messages and attached files each unencrypted and are somehow accessed by an unauthorized person. The “whistleblower” treasure trove, as we may find out from Appleby or Mossack Fonseca, may have been the email archive (in house or outsourced) database containing the unencrypted messages before sent at the mail server (before reaching the Internet) and after received (from senders by the mail server and perhaps decrypted by the mail server).

Whatever the source, the important learning is to consider what one might do when one needs to communicate with one’s client or among staff with sensitive client matters? Tech Essentials suggests trust no one, and use “Outbox-to-Inbox” email encryption rather than “network-level” or “policy-based gateway” encryption, if your information is sensitive to the highest degree.

RMail encryption calls this “Outbox-to-Inbox” email encryption “Executive Mode RPX Encryption” and recommends use for those dealing in merger, acquisition, corporate litigation strategy, private client wealth management, and personal health matters; matters that one would like to shield from their IT staff or the IT staff at the recipient.

RMail® RPX Encryption encrypts the message locally in the sender’s Microsoft Outlook program at the sender’s desktop or device, and ensures encrypted delivery straight through to the recipient’s desktop; securing from the potential of data breaches both within the sender’s in-house or outsourced email system, and external while in transport across the Internet and within the recipient’s email system. This also provides for letting the recipient encrypt replies without having RMail at their end.

With RMail® RPX Encryption, the message and all attachments remain encrypted within the recipient’s email inbox, and are printed and encapsulated inside a PDF file, readable after decrypting in one’s PDF reader (outside of the inbox) and if saved, remain saved in encrypted file format unless the recipient extracts the attachments and chooses to use them as normal files. This end-to-end encryption uses a 256-bit AES encrypted PDF wrapper to keep one’s message and any attachments private from start (while sitting in outbox) to finish (even while sitting within their inbox), so only one’s recipient can read them.

There are other ways to achieve a similar effect, using PKI or PGP encryption, but in each of these methods, depending on deployment, the message is decrypted in the recipient’s inbox and remains there as plain text. So, either it’s usually too complicated for average senders and recipients to use or it requires special software at the recipient end which introduces even more complexity.

Would RMail® RPX Encryption have protected Appleby and Mossack Fonseca clients from these mega leaks? Very likely. It certainly should have at least been an option in the client or lawyer toolkit to protect information in this new era of mega leaks.

Tech Essentials invites you to hear how other readers have employed Tech Essentials security, compliance, and productivity tools and tips. Listen to their stories in the Tech Essentials webinar series recordings — click to access here