Panama Papers: Outgoing employees pose risk to firms, remind lawyers

Risk specialists and senior lawyers have advised law firms to reduce the threat of whistleblowing employees in light of the Panama Papers attack last weekend.

More than 11.5 million confidential files detailing tax havens held by the world's elite were leaked from Panamanian law firm Mossack Fonseca and obtained by investigative journalists. With 2.6 terabytes of carefully extracted data retrieved, the attack is widely thought to have come from an unknown whistleblower.

Solicitor and managing director of Digital Law UK Peter Wright, who described the Panama Papers attacks as 'the law firm equivalent of Edward Snowden', said employees serving notice periods were a major risk to firms.

'This could easily be a disaffected employee who has handed in their notice and made it clear they're leaving and then, because these firms require a three-month notice, that person can sit there and have full access to the system and download whatever they want. It's the height of insanity. It opens up a massive, massive security risk.'

Risk expert Frank Maher, a partner at Legal Risk LLP, similarly highlighted the ease at which data can be accessed.

'Lawyers and others taking client documents when leaving a law firm has been a significant problem since long before the days of computers. With mobile devices and the ability to email documents or upload them to cloud services, it has become far easier to do.'

Maher outlined steps that firms could take to minimise the risk, which included locking down USB ports and DVD drives, and using software to monitor and report on unusual data traffic, which, he says, is likely to be the first hint they have that someone is planning to leave.

Employment perspective

'Do you really need to keep the employee in the business for six months when they could cause damage to the business, let alone their effectiveness for such a long period?', commented Stuart Jones, head of employment at Weightmans.

'Post-termination restrictive covenants may protect a firm in relation to what an ex-employee may do after they leave, provided they are properly drafted and appropriate to the employees current duties.'

Jones also raised the issue of whether employees could be placed on gardening leave or terminated with payment in lieu of notice. The partner questioned what data monitoring procedures are in place and whether firms are contractually and lawfully able to assess what departing employees take out of the systems.

'All employees should be made aware of the potential breach of the [Data Protection Act] if they take client-sensitive information, and this should be repeated to employees under notice.'