You have all gotten e-mails from people that you have never heard of looking for representation, “to collect a past due bill let me know if your firm can handle” or "Legal representation based on breach of sale contract. I wait to hear from you if your firm can take on my case. Just click this link for more information about the case.” They conclude, “Time is of the essence, look forward to working with another sucker.”
These are just 2 examples of e-mail scams that are being sent to law firms daily. What cyber criminals are coming to realize is that many law firms are holding substantial amounts of money in their trust account and escrow funds for clients. Better yet, many law firms have not taken steps to improve their security from the dark ages. So when a cybercriminal comes knocking, law firms are ill prepared to deal with Phishing e-mails, Social Media, Trojan Horses, or Ransomware attacks. A $1.9 million recent scam was against a law firm that resulted in a malpractice claim where the firm was still using an AOL account to transact legal business, more on that another day.
Back in the days of using an abacas law firms had to worry about three major types of frauds: counterfeit bank checks, forged trust account checks, and desperate or dishonest attorneys and staff with access to the accounts. While these frauds are still happening, the World Wide Web with checks and balances has opened up the entire world to a law firms funds.
Sophisticated cyber thieves use elaborate electronic means to invade law firm computer systems and locking in on passwords, access codes and account numbers for escrow accounts. When you are left to only play defense, eventually no matter how good the defense is, the cyber thieves will eventually score a touchdown leaving the attorneys and law firms to deal with the consequences.
In one example, a virus “tricked” the law firm’s bookkeeper into giving the trust account’s password to the cyber criminals, allowing them essentially full access to their trust account, including the ability to go in, monitor it, and wire money to foreign countries shortly after deposits were made. This particular scam netted a large 6 figure amount from the firm’s trust account.
In our recent blog posts, we blogged about the Friday Afternoon Fraud. This is where on a Friday Afternoon wrong wiring instructions are given by the cybercriminal. By Monday, the cyber thieves trail is cold and the money is long gone. The blog also mentions basic steps to help prevent this.
Many state bars have not directly addressed this issue, but the North Carolina bar did in 2015.
It concluded that lawyers who have taken reasonable security measures to safeguard their computer network aren’t ethically obligated to replace client funds if hackers steal client money. Using an AOL account likely does not likely count as “good” security measures.
The ABA stated:
§ Lawyers who don’t take reasonable precautions may have an ethical responsibility to replace stolen client funds if the failure is the proximate cause of trust account theft.
§ Lawyers may also have a responsibility to replace stolen client funds in a different scenario involving a hacked email and a lack of reasonable care. In that hypothetical, a hacker gains information about a real estate transaction by hacking the email of the lawyer or other parties such as the realtor or the seller. The hacker then creates a “spoof” email address that is similar to that of the realtor or seller. The spoof email instructs the lawyer to wire funds to an identified account, despite previous instructions to mail the check. The lawyer wires the money without first contacting the seller by telephone. The lawyer has an ethical responsibility to replace the funds, the opinion says, because the lawyer failed to take reasonable security measures such as contacting the seller or confirming the seller’s email address. The lawyer could be reimbursed if the bank is found to be legally responsible or insurance covers the stolen funds.
§ Under all circumstances involving third-party theft of client funds, the lawyer owes duties to clients whose money was stolen, including notifying the clients of the theft and helping them identify ways to cover the losses, the opinion says.
What to do:
If client funds are missing from a law firm trust account, the attorney needs to immediately investigate the cause. If the funds are truly stolen immediately take steps to prevent any possible further thefts, including for example, if appropriate, to close the trust account and transfer the funds to a new account. Also the firm needs to determine what notifications to provide to the involved financial institution.
Time is of the essence. An unaddressed breach expands until detection, causing greater exposure and more scrutiny regarding the firm's oversight of client funds. Again, doing this under the watchful eye of outside counsel enables the firm to take more immediate and direct action with less risk of waiving important privileges and immunities that create admissions against interest for purposes of legal malpractice claims or bar grievances.
Notification obligations under federal and state laws are important to adhere to. In many situations, law firms, like other businesses, have a duty to report the crimes. In this regard, law firms also need to determine whether and to what extent authorities should be involved in such a matter. Data breaches and cybercrimes need to be reported to the FBI and/or local authorities.
The attorney has a duty to notify clients of the theft and to advise the clients of any consequences for representation. This may involve delaying certain legal proceedings and also informing, to the extent as possible, 3rd parties involved with the legal issue.
The attorney need to help the clients by identifying any sources such as bank liability, cyber insurance, crime insurance and attorney malpractice insurance to cover losses. This includes providing timely notice to all insurers. While you may not be ethically bound to replace client funds, you may be liable for losses your clients suffered. This may involve the cost of credit monitoring if identity theft is involved.