A lot has been and will be written about the 11 million documents leaked from Panamanian law firm Mossack Fonseca, as journalists all over the world comb through a massive amount of information. So far, news accounts have focused on high-profile leaders from Russia, China, Argentina, Pakistan, Ukraine, Syria and Saudi Arabia, among others. The prime minister of Iceland resigned after news broke that his wife had millions of dollars in offshore accounts. And, not surprisingly, rumors are flying about whether this will become a campaign issue for Hillary Clinton. More to come, I’m sure.

The law firm, Mossack Fonseca, posted a statement and FAQ about the situation on its website, addressing what it calls the media’s “inaccurate view of the services we provide.” The statements clarify exactly how the law firm advises its clients and how its activities are regulated. They explain the difference between “tax avoidance” and “tax evasion” and the firm’s responsibility to report unlawful activity to the authorities.mossack fonseca website

“For 40 years, Mossack Fonseca has operated beyond reproach in our home country and other jurisdictions where we have operations,” the statement says.

But, from my perspective, an even bigger issue for the law firm’s long-term survival is how this information was leaked in the first place. A data breach has to be the biggest reputational risk for anyone responsible for safeguarding sensitive client information. No one has yet explained how a German newspaper got its hands on the documents, except that the original source was Mossack Fonseca. Yet, the law firm’s statement contains no apology or expression of concern for the clients whose confidential information is now public.

Relationships with attorneys and other advisors are based on trust. This leak shatters that bond of trust. How will the firm survive such an egregious breach? Other clients whose information has not yet been reported must be looking over their shoulders, wondering if – when? – reporters will be calling, ready to plaster their confidential information across the internet. How could the attorneys at Mossack Fonseca possibly reassure them? If I’m a client, I’m quickly looking for a new attorney.

So who’s the villain – the clients who followed their attorneys’ advice or the law firm? If I was giving crisis communications advice to the individuals or companies whose information is now public, I’d recommend they point the finger back at the law firm. Let Mossack Fonseca explain both how they advised their clients and how their clients’ confidential information was leaked to the media. Sure, they should deny wrongdoing if, in fact, they have done nothing wrong. But since the media’s always looking for a villain, I’d make sure they know exactly where to look.