Paradise paper chase: when is a leak a crime?

Over 13 million files, many of them containing confidential and sensitive client information, were leaked from offshore legal service providers and corporate registries in 19 jurisdictions including the Caribbean, Jersey, Guernsey and the Isle of Man. More than half of the documents came from law firm Appleby. As a result, sometimes complex financial structures used by well-known figures and companies, including the Queen (through the Duchy of Lancaster), Lewis Hamilton, Arsenal and Everton football clubs and Apple and Nike, were exposed to scrutiny and widespread comment.

The files were obtained by German newspaper Süddeutsche Zeitung and reported by the International Network of Investigative Journalists (ICIJ). The ICIJ is represented in the UK by the Guardian and BBC’s Panorama, which recently ran this as a two-part story/exposé. (Süddeutsche Zeitung was also the publication initially contacted by an anonymous source with encrypted internal documents from the legal firm Mossack Fonseca in last year’s Panama Papers.)

Most media sources have referred to the leak as just that, but others prefer to describe it as a hack. In a statement published on the firm’s website, Appleby claims it was the victim of “a serious criminal act by an intruder who deployed the tactics of a professional hacker”.

The terms leak and hack are not mutually exclusive. According to the Oxford English Dictionary the former is “an improper or deliberate disclosure of information (e.g. for political purposes)” while the latter is “the practice of gaining unauthorised access to a computer, network, etc., esp. remotely”.

Predictably there has been much speculation in recent weeks about the potential wrongdoing of those who create and utilise tax mitigation structures. But what of the potential liability of the leakers/hackers themselves? Here we consider, hypothetically, how leaking confidential data such as that contained in the Panama and Paradise Papers might be treated under current (and future) cyber crime laws in the UK.

According to the Crown Prosecution Service (CPS), hacking is “the unauthorised use of, or access into, computers or networks by exploiting identified security vulnerabilities”. Hacking is classed as ‘cyber-dependent crime’ which can be committed “only through the use of Information and Communications Technology (ICT) devices, where the devices are both the tool for committing, and the target of, the crime”.

In the UK, the Data Protection Act 1998 regulates how personal information is used by organisations, businesses and the government and identifies eight ‘data protection principles’. Under section 55(1) it is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal data without the consent of the data controller. Appleby has made clear that it did not consent to disclosure. If, as it appears, the leaker(s) acted deliberately (or recklessly) what sanctions would they face under domestic (UK) law?

Companies as well as individuals can be found guilty of a section 55 offence and where this was committed with the “consent or connivance” of a company’s directors, both the company and its individual directors could face punishment.

A defence to a section 55 offence may be available (only to individuals, not companies) where the accused believed his actions were necessary to prevent a crime or that it was in the public interest that the information be disclosed. If it is established that some of the parties to the recently-disclosed tax schemes were acting criminally or unlawfully, then such defences might become potentially available.

Leakers/hackers could also find themselves in the crosshairs of the Computer Misuse Act 1990 (CMA), the UK’s main legislation on cyber attacks. The term ‘computer’ is not defined in the Act, but Lord Hoffmann in DPP v McKeown and DPP v Jones defined a computer as ‘a device for storing, processing and retrieving information’. Both a smartphone and a tablet would meet this definition and therefore could play a role in a CMA offence.

Section 1 deals with unauthorised access to computer material, or ‘access without right’. The Act distinguishes between (i) unauthorised access and (ii) permitted access for unauthorised purposes. Where a user has permission to access a system, but uses the data for a purpose that is not authorised, he may be guilty of the second limb of the offence.

One common scenario is where an employee is permitted to access certain files but not to share them externally. In this respect, an employee guilty of misuse might avoid sanction under the CMA, but still face substantial fines under the DPA. The external hacker might avoid conviction under the DPA by pleading a public interest defence, but this is not possible under the CMA which carries a maximum prison term of one year, a fine of up to £500,000 or both.

In 2016 there were 19 DPA prosecutions, the vast majority being under section 55. The fines imposed ranged from £150 to £7,500. There were also 262 convictions under the CMA between 1990 and 2013.

As well as the defences mentioned above, whistle-blower protection is available under the Public Interest Disclosure Act 1998 and covers certain disclosures of wrongdoing made by employees, contractors, agency staff, police officers and NHS workers. Section 10 of the Contempt of Court Act 1981 provides protection for journalists and their sources unless disclosure is held to be necessary in the interests of justice, national security or the prevention of crime.

We have considered the above issues from an English law perspective and for this law to apply there would need to be a sufficient connection between the perpetrators, their actions and this jurisdiction. This has not yet been entirely established in relation to the Paradise Papers.

In the Panama Papers’ exposé the source/hacker John Doe set several conditions before handing over the documents to Süddeutsche Zeitung’s Bastian Obermayer and Frederik Obermaier. These included anonymity, communicating only over encrypted files and “no meeting ever”. Obermayer has said that the source acted because he thought that the law firm Mossack Fonseca was behaving unethically. Obermayer also commented he believed the source was at serious risk “because there are so many people involved who are not only powerful, but who also don’t hold back to use that power.”

Are such leaks or hacks to be regarded as a force for good or as a proliferating and disturbing extension of criminality? There is no unassailable answer to this question. The law will play its part eventually but often how these headline-grabbing events are judged by the “court of public opinion” will depend more on personal politics and moral values than on detached legal analysis.

This article was written by Clive Ince, Partner, Dispute Resolution, and Morgan Wolfe, Trainee Solicitor.

This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.