Appleby, a multi-national law firm known for its tax planning services, is the latest law firm to suffer a major cyber breach in an event that has been dubbed the “Paradise Papers.”  This breach mirrors the Panama Papers leak from two years ago, which exposed millions of documents from the Mossack Fonseca law firm.

Appleby, like Mossack Fonseca, is known for its high-net-worth clients and its use of offshore entities to assist them in tax planning.  These features likely made Appleby an appealing target for a cyber-attack.  The information contained in the leaked papers has prompted public criticism and calls for legal scrutiny of the firm, its clients, and the banks where the clients keep their money.  The fruits of the cyber breach, 13.4 million leaked documents, were provided to news outlets to maximize the exposure of the information.

The source of the Appleby breach and the methods employed are not yet known.  Nevertheless, the parallels to the breach of Mossack Fonseca should cause all organizations that service high-net-worth individuals to make sure that, in light of their heightened cyber risk, they are taking reasonable steps to protect their clients’ confidential data.  Such firms, to the extent they are not already doing so, should consider implementing at least some of the following measures:

  • Utilizing surveillance and malware detection software.
  • Ensuring that software used by the company is up to date and that available patches are implemented as soon as reasonably practical.
  • Reviewing access controls regularly to ensure that they are up to date and that they restrict electronic data users to their necessary business functions.
  • Conducting periodic cybersecurity audits and penetration testing.
  • Requiring multi-factor authentication for remote access into computer systems and for very sensitive internal access points.
  • Requiring complex, rotating passwords.
  • Monitoring the activity of authorized users to detect any unauthorized file access, as well as any large-scale downloading, copying or tampering with confidential information.
  • Conducting regular cybersecurity-awareness training.

The Davis Polk Cyber Breach Portal, which will launch early next year, has many resources to help enhance cybersecurity readiness.  The Portal is currently being beta tested by a select group of clients.

We will be providing updates on the cybersecurity aspects of the Paradise Papers here at the Davis Polk Cyber Breach Center.  Updates on other aspects of the Paradise Papers can be found at

The listed lawyers gratefully acknowledge the assistance of law clerk Zachary Shapiro in preparing this post.