By Nell Gluckman, From The Am Law Daily

Mossack Fonseca, the Panamanian law firm whose internal documents fueled a year-long investigation into offshore hidden wealth by more than 100 news organizations, is unlikely to get out of this hole without some help.

But the firm, which boasts over 500 staff in offices as far flung as Samoa and Seychelles, still hasn’t hired outside legal counsel, a spokeswoman said this week. Its founder, Jürgen Mossack, says the firm is the victim of an illegal hack and has done nothing wrong, and he has filed a complaint with Panama’s attorney general.

Mossack Fonseca is under fire for helping hundreds of public officials, business leaders and celebrities set up companies in jurisdictions that offer less stringent tax laws and high levels of secrecy. So far, 11.5 million documents leaked to the German newspaper Süeddeutsche Zeitung and the International Consortium of Investigative Journalists have shown that the firm has worked with associates of Russian President Vladimir Putin, dozens of people and companies that have been blacklisted by the U.S. government, and world leaders who have claimed to be corruption reformers, according to the ICIJ.

It remains to be seen what kind of legal fallout awaits Mossack Fonseca. In part, that’s because the nature of the breach is unprecedented in its subject matter, its political implications and its particularly international scope. It’s also unusual because the victim of the breach has become a villain in the eyes of much of the public.

But there are also similarities with past breaches. Like other high profile hacks, Mossack Fonseca will require a large, coordinated effort by outside counsel to handle the various types of litigation and regulatory scrutiny that may be coming down the pike, cybersecurity lawyers said.

If the leak was indeed the result of a cyber attack, the firm will need to hire a forensic team to investigate the breach and should hire a data security counsel to supervise that process, said Shook, Hardy & Bacon partner Alfred Saikali, who specializes in data breach investigations.

Should Mossack Fonseca retain an outside firm to coordinate a forensic probe, some of its findings, such as the potential identity of the attacker or whether lax security contributed to the breach, would fall under attorney-client privilege rules and would not be discoverable in the event of a client lawsuit, cyber security lawyers said.

Saikali explained that there may be obligations to notify third parties, such as the relevant regulators and the clients and business partners whose information was affected.

Ropes & Gray’s Douglas Meal, who coordinated responses to the Sony PlayStation Network hack in 2011 and the massive Target Corp. data breach in 2013, explained that Mossack Fonseca would have different notification obligations depending on whether personal information or business information was leaked. If business information got out, the notification obligation could kick in if there was a contractual obligation to protect the data, he said.

Bar associations may also inquire about whether the firm was complying with confidentiality obligations by protecting its clients’ information, Saikali said. That same question may be raised by the firm’s clients, who could potentially bring civil lawsuits alleging that the firm did not safeguard their personal information.

“Whether the firm needs to hire a white-collar or criminal defense lawyer depends on whether they may have engaged in criminal activity,” added Saikali, noting that he did not know whether the firm had violated any laws.

Ropes & Gray’s Meal didn’t think the negative press around Mossack Fonseca would make it difficult for the firm to hire outside counsel.

“My opinion is that good lawyers are prepared to represent clients even if their client may not be popular,” he said.

Below is a selection of past data breaches, along with the law firms that helped the companies handle the aftermath.

• When insurance giant Anthem Inc. was breached last year by hackers, affecting about 80 million customers, the company turned to one of its preexisting law firms. “I must have gotten 100 emails from various law firms telling me they were experts in the area,” Anthem general counsel Thomas Zielinski told Bloomberg Big Law Business. “You don’t have time to vet it, you know, so we were fortunate we had a big firm, Hogan Lovells.”

• In late 2014, hackers broke into computer systems at Sony Pictures Entertainment and posted the internal documents online. Sony hired Boies, Schiller & Flexner’s David Boies to oppose the media’s willingness to republish the material and brought on Paul, Weiss, Rifkind, Wharton & Garrison to conduct an internal investigation.

• When a hack at JPMorgan Chase & Co. compromised the accounts of more than 80 million customers in 2014, the bank turned to Wilmer Cutler Pickering Hale and Dorr and Hunton & Williams, according to The New York Times. Federal prosecutors in Manhattan accused three men last year of running a hacking scheme that targeted multiple companies, including JPMorgan.

• When Home Depot was breached in 2014, the company turned to Hogan Lovells to coordinate a response. Ropes & Gray and Shook, Hardy & Bacon also assisted during the aftermath of that attack, which resulted in a $19.5 million settlement for 50 million consumers.

• Ropes & Gray advised Target Corp. when it was was hit by a data breach in 2013. Customers whose information had been compromised won a $10 million settlement after a class action lawsuit.

For more on this story go to: http://www.americanlawyer.com/id=1202754548585/Who-Will-Represent-the-Firm-Behind-the-Panama-Papers#ixzz45WgWaw2n