"What Keeps You Awake At Night?” - Security Issues Underscored By BVI Data Leak

Mustafa Hussain Taylor Wessing Partner International Wealth Group 11 April 2013

Mustafa Hussain, partner in the international wealth group at law firm Taylor Wessing, discusses what clients and those serving them should be thinking in light of recent BVI data leak story.

Mustafa Hussain, partner in the international wealth group at law firm Taylor Wessing, discusses what clients and those serving them should be thinking in light of recent BVI data leak story.

The key question for private wealth clients (and therefore the front of mind issue for professional service providers in the wealth industry) is, “What keeps you awake at night?” A wealth management client’s answer will usually comprise a list rather than one pressing issue. But such a list will almost always have confidentiality, security, tax and public profile as key worries. Clients are willing to go to great lengths, incurring time and money, to mitigate these risks; at the same time, clients place a great deal of trust in the professional advisors handling these delicate issues for them. For this reason, it is no surprise that breaking news reporting the leak of millions of confidential files on a broad range of international private companies, investors and trusts to the International Consortium of Investigative Journalists is a client’s worst nightmare come true.

The fallout from the leak is causing shock waves in the wealth management industry but – unfortunately - the worst may be yet to come. At a time when wealth clients are already sensitive to taxes and public perception, not least because of the impact of the economy on their businesses and portfolios, the thought that information may have been procured that brings details of highly confidential and delicate tax and succession planning to a wide audience is very worrying for clients.

The leak of documents is being reported as unprecedented. But it is not the scale of the leak that will worry clients – it is the fact that their most secret data, which may not even be known to members of their own family – has been sought out and disseminated. That is quite a different scenario to an accidental leak or mishap such as a laptop left on a train or a CD with thousands of names dropped in a car. The procurement of the data leads to the, perhaps not unfounded, assumption that it will be used to identify, disclose, publicise and perhaps even prejudice or target the subject clients. For many, these are their nightmares realised. Even if tax planning has been fully legal, public opinion in respect of such planning initiatives by major banks and even media stars such as Jimmy Carr and Gary Barlow has shown that a spotlight brings pressure on issues that clients prefer to keep private. Anonymity is not only a comfort - it is also an effective defence.

Safeguards to implement

This immediately brings to mind (and into question) the security arrangements clients have in place. Security and trust are the pillars that wealth clients rely on to ensure that their worries are laid to rest. Breaches are arguably inevitable, particularly where an investigating party is sufficiently determined and resourced to hack into any target they choose. But there are safeguards clients can put in place.

The best approach to ensuring security is to be practical, prudent and prepared. The emphasis should always be on the prevention of risks materialising. However, when they do arise, sensitive situations need to be dealt with strategically and decisively in order to maximise protection and minimise damage or exposure.

Response times can be absolutely key to controlling outcomes. Yet a startling number of wealthy individuals and families leave security policy aside when effecting the infrastructure of their private affairs, assets and businesses. A reactive approach, such as acting after a breach has already occurred, can often be too late to prevent damage or liability. Undertaking a review of security contracts, controls and systems is both prudent and important. A review need not be a major exercise and can commence simply with a questionnaire or interview to understand what security measures are in place for risks such as:

·         Data leakage: Dealing quickly and effectively with leaks of sensitive information or disparaging content, including restraining employees or contracting parties, taking action against agents or service providers and handling social media exposure (including cloaking, astroturfing, remote wiping and piracy).

·         Audit trails: Understanding the terms and conditions pursuant to which business or personal finances are reviewed, by whom and what information is replicated, passed on to third parties and disclosable to authorities.

·         Data storage and backups: Ensuring that family, personal and business information is securely and safely stored pursuant to legally-binding contracts that are enforceable in a relevant location and with adequate compensation for breach or loss. This includes advice on protecting data, understanding when a client must (or would be better off strategically) release information and reviewing cloud storage.

·         Threats and duress: How to respond to threats of blackmail, violence, extortion or aggressive legal action. What options are available for injunctions, managing exposure and situations where someone affecting a client's business is acting under duress or coercion.

The increasingly cross-border nature of business has meant that taking sound advice and contracting with the best possible service providers for security needs is key to preparing for risk that may materialise anywhere that a wealth client does business at any time. Electronic means of communication have enabled the fastest possible transmission of data around the world – which can be a benefit when clients wish to receive intelligence but could be a hindrance if they have to halt a leak.

Responding to security threats

Clients who are concerned that their confidential information may have been compromised should contact their offshore fiduciary or service provider, consider commissioning a “stress test” of their structure to identify potential vulnerabilities which may arise as a result of leaked information or, if the risk is particularly acute (such as in the context of an ongoing family dispute where the compromised information could be a powerful weapon), consider implementing a restructuring (possibly including using a different provider in a different jurisdiction) so that any leaked information will quickly be out of date.

Any preparation or response should always be measured and proportionate: it will not be feasible economically or practically for clients to prepare for every eventuality, but simple and effective steps include having a robust confidentiality agreement in place, understanding where vulnerabilities lie and paying attention to security provisions in contracts. Clients have grown comfortable with sending sensitive documents through cloud programmes or remote access systems. They use digital signatures without understanding the risk of fraud and hacking and they simply tick to accept terms and conditions without having them reviewed. Standard terms may contain unacceptable limitations on liability or exclusions of remedies that may be key to helping clients maintain security and take action directly. Specialist contracts offer legal provisions aimed at ensuring maximum protection and scope for meaningful action in the event that something goes wrong. For the ultra-profile sensitive, it is also possible to protect a client's profile on the internet and maintain discretion or change visibility, including by removing or diluting content from popular websites such as YouTube or search engines like Google. Such remedial action may sound extreme, but in the wake of a huge leak of data, it may in the best case to help a client sleep at night and at the very least, push confidentiality, security and public profile well down their list of nightmare worries.

Register for WealthBriefing today

Gain access to regular and exclusive research on the global wealth management sector along with the opportunity to attend industry events such as exclusive invites to Breakfast Briefings and Summits in the major wealth management centres and industry leading awards programmes