Safeguarding Client Funds From Hackers
What happens when a cybersecurity event implicates a firm's trust account? Are lawyers liable when a computer hacker steals client funds that the lawyers were safeguarding?
October 18, 2017 at 10:55 AM
Law firms and attorneys have been targets of email scams since the dawn of the digital age. Many hackers devise these scams in order to gain access to law firm bank accounts, including escrow accounts.
In the past, attacks on attorney trust accounts consisted of counterfeit bank checks and forged trust account checks. But trust account thefts have become much more sophisticated than these analog scams. Current scams may involve elaborate electronic missives that invade law firm computer systems and lock in on passwords for access codes and account numbers. When these thefts of firm bank accounts are successful, the attorneys and law firms may be left to make up the difference.
What happens when a cybersecurity event implicates a firm's trust account? Are lawyers liable when a computer hacker steals client funds that the lawyers were safeguarding?
The State Bar of California addressed a related issue in the context of employee theft. In In re Malek-Yonan, 97-O-14777, several members of a firm's non-attorney office staff stole approximately $1.7 million from the client trust account, using their apparent authority as employees. While the attorney had no knowledge of the theft and attempted to reimburse all clients, the Review Department of the State Bar Court of California disciplined the attorney for gross negligence in failing to have adequate office procedures and to provide supervision for staff—which ultimately led to the theft of client funds.
Most state bar associations, including California's, have not yet addressed whether an attorney is liable when a third party, rather than an employee, steals client funds. Recently, however, the North Carolina State Bar addressed several inquiries regarding the professional responsibility of an attorney when a third party has stolen funds from the attorney's trust account. See N.C. State Bar, 2015 Formal Ethics Opinion 6, “Lawyer's Professional Responsibility When Third Party Steals Funds from Trust Account.”
The North Carolina Ethics Committee noted that the attorney generally will not be professionally responsible for replacing funds stolen from the trust account—so long as the attorney was otherwise managing the trust account in compliance with the applicable Rules of Professional Conduct. The committee noted, though, that the result might be different if the attorney failed to follow the Rules of Professional Conduct on trust accounting and supervision of staff, and then that failure proximately caused the theft. In such a situation, the North Carolina committee concluded that the attorney might be responsible for reimbursing the trust account.
The North Carolina opinion raises the question of what exactly the Rules of Professional Conduct require for supervising and protecting client escrow funds, especially when the technology space is changing so rapidly.
First, Rule 4-100 of the California Rules of Professional Conduct sets forth the minimum standards for preserving client funds and property. In essence, the rule requires attorneys to maintain a separate designated account for client funds and maintain sufficient records to keep track of how much money is held for each client at all times.
Section (C) of Rule 4-100, which refers to specific standards from the Board of Governors of the State Bar, provides those specific minimum records—such as a client ledger and account journal—that are mandatory for a firm's trust account. This section also requires that an attorney reconcile the trust account every month and maintain a written journal of transactions for a five-year period.
Additionally, law firms and attorneys who engage in online banking may consider educating their staff and partners about security risks and protections in place to prevent third-party theft. Many law firms combat theft by employing strong password policies, using encryption and security software, hiring an information technology consultant, and training both attorney and non-attorney staff members.
That training could involve instruction on how attorneys and staff can spot or detect high-risk emails. Bogus emails, for example, can imitate legitimate emails in an attempt to learn usernames and passwords. And emails can invade systems as if the sender were an authenticated user. Seeing what these emails look like, how they operate, and the risks they pose can be helpful for both attorneys and staff.
Sometimes, even with great care and efforts at prevention, client funds can still be misappropriated. In such an event, there are certain steps the law firm and attorneys can consider.
Upon discovering that client funds may have been compromised, the law firm may consider retaining outside counsel specializing in cybersecurity and law firm defense issues. The early moments after a hacking incident will feel chaotic: there are a number of fires that need to be put out and a growing number of issues that will need immediate resolution. Hiring experienced specialty counsel can help handle these mounting issues while also preserving and maintaining privilege.
Because time is of the essence, a prompt investigation can help determine the exact cause of the stolen funds and identify steps to prevent any possible further thefts, including, for example, whether it is appropriate to close the trust account and transfer the funds to a new account.
Identifying notification obligations under federal and state laws is important. In many situations, Internet-related hacking is a crime. California was the first state to enact a data breach notice law in 2003, requiring a business to notify any California resident when unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person. See Cal. Civ. Code §§ 1798.29(a), 1798.82(a). Law firms, like other businesses, may therefore have a duty to report cyber hacking. In this regard, law firms need to determine whether and to what extent authorities should be involved in the matter.
Additionally, firms can help clients identify any source of funds, such as bank liability and insurance, to cover their losses. And the firm itself also may be obligated to give notice of the breach and loss to its insurer.
Though cybersecurity becomes more difficult as methods of hacking progress, being mindful of client trust accounts and following these early steps in the event of a breach will help minimize the exposure for both the law firm and its clients.
Shari L. Klevens is a partner at Dentons US and serves on the firm's US Board of Directors. She represents and advises lawyers and insurers on complex claims, is co-chair of Dentons' global insurance sector team, and is co-author of “California Legal Malpractice Law” (2014). Alanna Clair is a senior managing associate at Dentons US and focuses on professional liability defense. Shari and Alanna are co-authors of “The Lawyer's Handbook: Ethics Compliance and Claim Avoidance.”
© 2025 ALM Global, LLC, All Rights Reserved.