December 15, 2017

Attorneys Beware — Cybercriminals are After Your Client's Money

Remember the days of sending letters to clients and opposing counsel?  Over the years that practice has diminished, and email has become the most common form of communication.  Email is now an everyday tool for attorneys to communicate with their clients, opposing counsel and third parties.  Unfortunately, as the internet, electronic data and computer systems have evolved, it has become commonplace to hear about hackers breaching a company's network and gaining access to personal information.  Spam and phishing emails, as well as computer viruses, are among the ways that hackers breach networks and gain access to email communications.  Cybercriminals can also intercept unencrypted emails containing client information.

Client funds are now easily transferred by electronic means.  While electronic transfers provide faster access to funds, they also create an opportunity for cybercriminals to impersonate the parties and fraudulently obtain client funds.  In the past, it was normal to issue checks to clients and other parties.  With a traditional check, the risk that it would be intercepted or fraudulently endorsed by a third party was minimal, and even if a settlement draft was lost or fraudulently endorsed, a stop payment could be placed on it.  With the speed of electronic transfers, stopping payment has become much more difficult, and once a wire has been sent and withdrawn, the funds are often unrecoverable.

Attorneys and law firms are frequent targets for cybercriminals.  Cybercriminals target and intercept lawyers' unsecured emails and access their network systems in an attempt to obtain financial information about their clients, including upcoming electronic fund transfers.  One method hackers use to steal funds is to mimic the email addresses of the parties, for example by registering a lookalike domain or spoofing the display name of a known sender.  The cybercriminal then fraudulently emails the other party, requesting that the funds be transferred to a bank account the hacker controls.  Once the funds have been transferred, the cybercriminal continues to impersonate the parties by sending deceptive emails in an attempt to cover up the fraudulent transfer and delay its discovery.
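The impersonation described above usually leaves two signals in the message headers: a sender domain that is confusable with the real counterparty's domain, and a Reply-To address that quietly routes responses back to the attacker.  The following is an added example, not code from the original article, of a check a firm could run on inbound wire-instruction emails before acting on them.  The domain names, the sample messages and the small table of confusable characters are all constructed for illustration.

```python
"""Flag sender impersonation in wire-instruction emails.

Added example (not from the original article).  Two checks to run on
inbound mail before acting on payment instructions:
  1. the From domain is a lookalike of a known counterparty domain
     (confusable-character swap or one-character typo), and
  2. the Reply-To header points to a domain other than the From domain,
     so replies reach the attacker while the From line looks legitimate.
All domains and messages below are constructed for this example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Character sequences attackers substitute to build lookalike domains.
# This is a short illustrative list, not an exhaustive confusables table.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d",
}


def skeleton(domain):
    """Collapse confusable sequences so lookalike domains compare equal."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True when domain is NOT the trusted domain but is confusable with it."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    if skeleton(domain) == skeleton(trusted):
        return True
    return edit_distance(domain, trusted) <= 1


def domain_of(header_value):
    """Extract the bare domain from a From/Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_message(raw, trusted_domains):
    """Return a list of findings; an empty list means no impersonation signal."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = domain_of(msg["From"])
    for trusted in trusted_domains:
        if is_lookalike(from_domain, trusted):
            findings.append(
                f"From domain {from_domain!r} looks like trusted {trusted!r}")
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else ""
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample messages: a genuine one and an impersonation attempt
# that swaps "m" for "rn" in the domain and redirects replies elsewhere.
LEGIT = (b"From: Jane Counsel <jane@smithlaw.com>\r\n"
         b"To: settlements@defensefirm.example\r\n"
         b"Subject: Settlement wire\r\n\r\n"
         b"Please wire to the account previously confirmed by phone.\r\n")

FRAUD = (b"From: Jane Counsel <jane@srnithlaw.com>\r\n"
         b"Reply-To: jane.counsel@mail-relay.example\r\n"
         b"To: settlements@defensefirm.example\r\n"
         b"Subject: URGENT: updated wiring instructions\r\n\r\n"
         b"Our bank changed; use the new account details attached.\r\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("fraud", FRAUD)):
        print(label, check_message(raw, ["smithlaw.com"]))
```

A header check like this is a tripwire, not a substitute for procedure: any change to wiring instructions should still be confirmed by a phone call to a number already on file, never to one supplied in the email itself.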

In May 2017, the American Bar Association (ABA) issued Formal Opinion 477 addressing the current risks of an attorney using email and the attorney's updated ethical obligation to protect client information.  The opinion addressed the evolution of electronic communications and the "reasonable efforts" standard an attorney must meet to protect client information.  The ABA avoided prescribing specific security requirements and instead adopted a fact-specific approach, identifying several factors for determining whether a law firm has met the "reasonable efforts" standard.  These factors are:

  1. The sensitivity of the information;
  2. The likelihood of disclosure if additional safeguards are not employed;
  3. The cost of employing additional safeguards;
  4. The difficulty of implementing the safeguards; and
  5. The extent to which safeguards adversely affect the lawyer's ability to represent clients.

The ABA Model Rules also require an attorney to protect client information.  Under ABA Model Rule 1.6(a), "a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent..."  Paragraph (c) further requires that a lawyer "shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."  Comment 18 to Rule 1.6 also notes that a client may require its attorney to implement special security measures beyond those required by the Rule.

The case of Celedonio Ornelas v. RVGC Partners, Inc., filed in the Superior Court of California in the County of Los Angeles, demonstrates the serious impact a cybercriminal can have on a law firm and its clients.  In Ornelas, a class action had been settled and the settlement funds were in the process of being transferred to the claims administrator.  Defense counsel received fraudulent emails from a cybercriminal impersonating one of the parties.  The cybercriminal was able to impersonate the party and send those emails because it had intercepted information about the upcoming settlement payment.  After learning of the intended transfer, the cybercriminal sent a fraudulent email containing wiring instructions that directed the settlement funds to a bank account under the cybercriminal's control.  Without verifying the wiring instructions, the funds were wired to the fraudulent account.  After the transfer, the cybercriminal continued to capture and send fraudulent emails impersonating the parties in order to delay discovery of the crime.

In Millard v. Doran, filed in the Supreme Court of the State of New York in the County of New York, the Millards hired attorney Patricia L. Doran to handle a real estate closing.  They claim that attorney Doran was negligent and breached her fiduciary duty by using an unsecured email service and by failing to have proper electronic safeguards in place to protect her computer system.  In the lawsuit, the Millards assert that AOL accounts are notoriously vulnerable to hacking and permit unauthorized access.  They further claim that attorney Doran was negligent because she did not use two-factor authentication and lacked basic cybersecurity protection on her computer, and that she breached her duty by allowing cybercriminals to intercept her emails, obtain access to their information and impersonate her.  As a result, the Millards say, they relied upon fraudulent wiring instructions contained in the cybercriminal's email and wired the funds to the hacker's bank account.

In conclusion, law firms and attorneys have an ongoing obligation to make reasonable efforts to protect client information held in their computer systems, electronic devices and email communications.  Law firms must continuously review and upgrade their email service, their use of email encryption, and their computer security systems.  While many law firms employ firewalls and anti-virus software, they should also take proactive steps to detect cybercriminals attempting to access their networks, for example by monitoring for suspicious logins and for mail-forwarding rules that an intruder may have created.  Law firms should also adopt a policy requiring sensitive emails to be encrypted, enable two-factor authentication on email and other accounts, and require that any wiring instructions, and especially any change to them, be verified by telephone using a number already on file rather than one supplied in the email.  With many attorneys and staff members traveling, telecommuting and using portable devices such as USB drives, laptops, tablets and cellular telephones, client information can easily be compromised.  These devices should be password protected, the client information on them encrypted, and a means of locating or remotely wiping them put in place.  Otherwise, law firms and their clients could be the next target of a cybercriminal.