Safeguarding Client Funds From Hackers
What happens when a cybersecurity event implicates a firm's trust account? Are lawyers liable when a computer hacker steals client funds that the lawyers were safeguarding?
October 18, 2017 at 10:55 AM
18 minute read
Law firms and attorneys have been targets of email scams since the dawn of the digital age. Many hackers devise these scams in order to gain access to law firm bank accounts, including escrow accounts.
In the past, attacks on attorney trust accounts consisted of counterfeit bank checks and forged trust account checks. But trust account thefts have become much more sophisticated than these analog scams. Current scams may involve elaborate electronic missives that invade law firm computer systems and lock in on passwords for access codes and account numbers. When these thefts of firm bank accounts are successful, the attorneys and law firms may be left to make up the difference.
What happens when a cybersecurity event implicates a firm's trust account? Are lawyers liable when a computer hacker steals client funds that the lawyers were safeguarding?
The State Bar of California addressed a related issue in the context of employee theft. In In re Malek-Yonan, 97-O-14777, several members of a firm's non-attorney office staff stole approximately $1.7 million from the client trust account, using their apparent authority as employees. While the attorney had no knowledge of the theft and attempted to reimburse all clients, the Review Department of the State Bar Court of California disciplined the attorney for gross negligence in failing to have adequate office procedures and to provide supervision for staff—which ultimately lead to the theft of client funds.
Most state bar associations, including California's, have not yet addressed whether an attorney is liable when a third party, rather than an employee, steals client funds. Recently, however, the North Carolina State Bar addressed several inquiries regarding the professional responsibility of an attorney when a third party has stolen funds from the attorney's trust account. See N.C. State Bar, 2015 Formal Ethics Opinion 6, “Lawyer's Professional Responsibility When Third Party Steals Funds from Trust Account.”
The North Carolina Ethics Committee noted that the attorney generally will not be professionally responsible for replacing funds stolen from the trust account—so long as the attorney was otherwise managing the trust account in compliance with the applicable Rules of Professional Conduct. The committee noted, though, that the result might be different if the attorney failed to follow the Rules of Professional Conduct on trust accounting and supervision of staff, and then that failure proximately caused the theft. In such a situation, the North Carolina committee concluded that the attorney might be responsible for reimbursing the trust account.
The North Carolina opinion begs the question of what exactly the Rules of Professional Conduct require for supervising and protecting client escrow funds, especially when the technology space is changing so rapidly.
First, Rule 4-100 of the California Rules of Professional Conduct sets forth the minimum standards for preserving client funds and property. In essence, the rule requires attorneys to maintain a separate designated account for client funds and maintain sufficient records to keep track of how much money is held for each client at all times.
Section (C) of Rule 4-100, which refers to specific standards from the Board of Governors of the State Bar, provides those specific minimum records—such as a client ledger and account journal—that are mandatory for a firm's trust account. This section also requires that an attorney reconcile the trust account every month and maintain a written journal of transactions for a five-year period.
Additionally, law firms and attorneys who engage in online banking may consider educating their staff and partners about security risks and protections in place to prevent third-party theft. Many law firms combat theft by employing strong password policies, using encryption and security software, hiring an information technology consultant, and training both attorney and non-attorney staff members.
That training could involve instruction on how attorneys and staff can spot or detect high risk emails. Bogus emails, for example, can imitate legitimate emails in an attempt to learn usernames and passwords. And emails can invade systems as if the sender was an authenticated user. Seeing what these emails look like, how they operate, and the risks they pose can be helpful for both attorneys and staff to actually see.
Sometimes, even with great care and efforts at prevention, client funds can still be misappropriated. In such an event, there are certain steps the law firm and attorneys can consider.
Upon discovering that client funds may have been compromised, the law firm may consider retaining outside counsel specializing in cybersecurity and law firm defense issues. The early moments after a hacking incident will feel chaotic: there are a number of fires that need to be put out and a growing number of issues that will need immediate resolution. Hiring experienced specialty counsel can help handle these mounting issues while also preserving and maintaining privilege.
Because time is of the essence, a prompt investigation can help determine the exact cause of the stolen funds and identify steps to prevent any possible further thefts, including, for example, whether it is appropriate to close the trust account and transfer the funds to a new account.
Identifying notification obligations under federal and state laws is important. In many situations, Internet-related hacking is a crime. California was the first state to enact a data breach notice law in 2003, requiring a business to notify any California resident when unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person. See Cal. Civ. Code §§1798.29(a),1798.82(a). Law firms, like other businesses, may therefore have a duty to report cyber hacking. In this regard, law firms need to determine whether and to what extent authorities should be involved in the matter.
Additionally, firms can help clients identify any source of funds, such as bank liability and insurance, to cover their losses. And the firm itself also may be obligated to give notice of the breach and loss to its insurer.
Though cybersecurity becomes more difficult as methods of hacking progress, being mindful of client trust accounts and following these early steps in the event of a breach will help minimize the exposure for both the law firm and its clients.
Shari L. Klevens is a partner at Dentons US and serves on the firm's US Board of Directors. She represents and advises lawyers and insurers on complex claims, is co-chair of Dentons' global insurance sector team, and is co-author of “California Legal Malpractice Law” (2014). Alanna Clair is a senior managing associate at Dentons US and focuses on professional liability defense. Shari and Alanna are co-authors of “The Lawyer's Handbook: Ethics Compliance and Claim Avoidance.”
Law firms and attorneys have been targets of email scams since the dawn of the digital age. Many hackers devise these scams in order to gain access to law firm bank accounts, including escrow accounts.
In the past, attacks on attorney trust accounts consisted of counterfeit bank checks and forged trust account checks. But trust account thefts have become much more sophisticated than these analog scams. Current scams may involve elaborate electronic missives that invade law firm computer systems and lock in on passwords for access codes and account numbers. When these thefts of firm bank accounts are successful, the attorneys and law firms may be left to make up the difference.
What happens when a cybersecurity event implicates a firm's trust account? Are lawyers liable when a computer hacker steals client funds that the lawyers were safeguarding?
The State Bar of California addressed a related issue in the context of employee theft. In In re Malek-Yonan, 97-O-14777, several members of a firm's non-attorney office staff stole approximately $1.7 million from the client trust account, using their apparent authority as employees. While the attorney had no knowledge of the theft and attempted to reimburse all clients, the Review Department of the State Bar Court of California disciplined the attorney for gross negligence in failing to have adequate office procedures and to provide supervision for staff—which ultimately lead to the theft of client funds.
Most state bar associations, including California's, have not yet addressed whether an attorney is liable when a third party, rather than an employee, steals client funds. Recently, however, the North Carolina State Bar addressed several inquiries regarding the professional responsibility of an attorney when a third party has stolen funds from the attorney's trust account. See N.C. State Bar, 2015 Formal Ethics Opinion 6, “Lawyer's Professional Responsibility When Third Party Steals Funds from Trust Account.”
The North Carolina Ethics Committee noted that the attorney generally will not be professionally responsible for replacing funds stolen from the trust account—so long as the attorney was otherwise managing the trust account in compliance with the applicable Rules of Professional Conduct. The committee noted, though, that the result might be different if the attorney failed to follow the Rules of Professional Conduct on trust accounting and supervision of staff, and then that failure proximately caused the theft. In such a situation, the North Carolina committee concluded that the attorney might be responsible for reimbursing the trust account.
The North Carolina opinion begs the question of what exactly the Rules of Professional Conduct require for supervising and protecting client escrow funds, especially when the technology space is changing so rapidly.
First, Rule 4-100 of the California Rules of Professional Conduct sets forth the minimum standards for preserving client funds and property. In essence, the rule requires attorneys to maintain a separate designated account for client funds and maintain sufficient records to keep track of how much money is held for each client at all times.
Section (C) of Rule 4-100, which refers to specific standards from the Board of Governors of the State Bar, provides those specific minimum records—such as a client ledger and account journal—that are mandatory for a firm's trust account. This section also requires that an attorney reconcile the trust account every month and maintain a written journal of transactions for a five-year period.
Additionally, law firms and attorneys who engage in online banking may consider educating their staff and partners about security risks and protections in place to prevent third-party theft. Many law firms combat theft by employing strong password policies, using encryption and security software, hiring an information technology consultant, and training both attorney and non-attorney staff members.
That training could involve instruction on how attorneys and staff can spot or detect high risk emails. Bogus emails, for example, can imitate legitimate emails in an attempt to learn usernames and passwords. And emails can invade systems as if the sender was an authenticated user. Seeing what these emails look like, how they operate, and the risks they pose can be helpful for both attorneys and staff to actually see.
Sometimes, even with great care and efforts at prevention, client funds can still be misappropriated. In such an event, there are certain steps the law firm and attorneys can consider.
Upon discovering that client funds may have been compromised, the law firm may consider retaining outside counsel specializing in cybersecurity and law firm defense issues. The early moments after a hacking incident will feel chaotic: there are a number of fires that need to be put out and a growing number of issues that will need immediate resolution. Hiring experienced specialty counsel can help handle these mounting issues while also preserving and maintaining privilege.
Because time is of the essence, a prompt investigation can help determine the exact cause of the stolen funds and identify steps to prevent any possible further thefts, including, for example, whether it is appropriate to close the trust account and transfer the funds to a new account.
Identifying notification obligations under federal and state laws is important. In many situations, Internet-related hacking is a crime. California was the first state to enact a data breach notice law in 2003, requiring a business to notify any California resident when unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person. See Cal. Civ. Code §§1798.29(a),1798.82(a). Law firms, like other businesses, may therefore have a duty to report cyber hacking. In this regard, law firms need to determine whether and to what extent authorities should be involved in the matter.
Additionally, firms can help clients identify any source of funds, such as bank liability and insurance, to cover their losses. And the firm itself also may be obligated to give notice of the breach and loss to its insurer.
Though cybersecurity becomes more difficult as methods of hacking progress, being mindful of client trust accounts and following these early steps in the event of a breach will help minimize the exposure for both the law firm and its clients.
Shari L. Klevens is a partner at
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFaegre Drinker Adds Three Former Federal Prosecutors From Greenberg Traurig
4 minute readAnapol Weiss Acquires Boutique Led by Star Litigator Alexandra Walsh
5 minute readPierson Ferdinand Lures Veteran M&A Specialist From Sheppard Mullin in Silicon Valley
4 minute readTrending Stories
- 1Gibson Dunn Sued By Crypto Client After Lateral Hire Causes Conflict of Interest
- 2Trump's Solicitor General Expected to 'Flip' Prelogar's Positions at Supreme Court
- 3Pharmacy Lawyers See Promise in NY Regulator's Curbs on PBM Industry
- 4Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 5Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250