Have you seen this from someone that no one at the firm has ever heard of?
"Legal representation based on breach of sale contract. I wait to hear from you if your firm take on sure case. Just click this link for more information about the case and the rates we will pay! Kind Regards, Iam ScamArtist."
This is just one of a number of scams that are hitting attorneys every day. Unfortunately, they are the latest in a series of ways that third parties attempt to gain access to law firm accounts, including escrow accounts, with Trojan horses, viral missiles and greenmail attacks.
Traditionally, attacks on attorney trust accounts consisted of three major types of frauds: counterfeit bank checks, forged trust account checks, and desperate or dishonest attorneys and staff with access to the accounts.
In more recent years, the thefts have become much more sophisticated, using elaborate electronic missives to invade law firm computer systems and lock in on passwords, access codes and account numbers for escrow accounts. Inevitably, when these thefts are successful, the attorneys and law firms are often left to make up the difference.
For example, in 2010, a solo practitioner in Florida found that $35,000 was stolen from her firm's trust account by a hacker. Similarly, in December 2013, a Toronto-area law firm suffered a six-figure loss after a hacker used a computer virus to access the computer of the firm's bookkeeper.
So what happens when a cybersecurity event implicates a firm's trust account? Are lawyers liable when a computer hacker steals client funds?
Most state bar associations have not directly addressed whether an attorney is liable when a third party steals client funds. However, at a July 17, 2015, meeting, the North Carolina State Bar addressed several inquiries regarding the professional responsibility of an attorney when a third party not employed or supervised by the attorney has stolen funds from the attorney's trust account.
The bar noted that the attorney generally will not be professionally responsible for replacing funds stolen from the trust account, so long as the attorney was managing the trust account in compliance with the applicable Rules of Professional Conduct (in that instance, North Carolina Rules of Professional Conduct 1.15-2, 1.15-3 and 5.3).
The bar noted, however, that the result might be different if the attorney failed to follow the Rules of Professional Conduct on trust accounting and supervision of staff, and that failure was ultimately the proximate cause of theft from the trust account. In that instance, the attorney may be responsible for reimbursing the trust account.
Of course, the opinion begs the question of exactly what reasonable steps the Rules of Professional Conduct require for supervising and protecting client escrow funds, especially when the world of the Internet is changing so rapidly. There are some lessons that can be learned from situations that have already happened.
First, attorneys should take care to ensure compliance with all rules governing client trust fund accounts. Certain state bar rules of professional conduct govern client trust funds, in particular Rules 1.15 and 5.3.
Pursuant to ABA Model Rule 1.15, an attorney who receives funds that belong to a client is obligated to safeguard those funds and to preserve the identity of the funds by depositing them into a designated trust account. Those responsibilities include the duty to ensure that the attorney does not use the funds of a particular client to satisfy the obligations of another client.
Rule 1.15 also requires an attorney to keep accurate records of the trust account. Some state bar rules also require the attorney to reconcile the trust account at least quarterly. According to Rule 5.3, an attorney has an obligation to ensure that any nonattorney administrative staff with access to the trust account is aware of the attorney's professional obligations regarding any funds that have been entrusted to the attorney.
An attorney also must properly supervise any nonattorney administrative staff. Thus, an attorney or law practice that manages client funds via a trust account must use reasonable care to minimize the risks to client funds.
In today's world, that means an attorney who engages in online banking has an affirmative duty to educate colleagues and staff regularly as to the myriad security risks that may arise as a result of that approach and the protocols and protections in place to protect against third-party theft.
Additionally, law firms need strong password policies and procedures, the use of encryption and security software, the hiring of an information technology consultant, and training of both attorney and nonattorney staff members.
As to this latter point, it is critically important that attorneys and staff be trained on how to spot or detect high-risk emails. Emails can contain viruses that shut the system down absent the payment of a ransom.
Emails can imitate legitimate emails to learn usernames and passwords. And emails can invade systems as if the sender were an authenticated user to simply transfer money. It is especially important for both attorneys and staff to actually see what these emails look like, how they operate, and the risks they pose.
If client funds are misappropriated, regardless of whether an attorney believes that he or she is responsible for reimbursing the trust account, the attorney should take certain steps.
The first step upon discovering that client funds may have been compromised is to hire attorneys who specialize in cybersecurity and law firm defense issues. The first moments after a hacking incident will feel chaotic: there are a number of fires that need to be put out and a growing number of issues that will need immediate resolution. Hiring specialty counsel who has been there before will help while also preserving and maintaining privilege.
Any perception that a law firm is not taking adequate steps after discovery or that it is acting in its own interests will damage the firm's reputation. Hiring outside counsel immediately reflects extra due diligence in addressing a problem and fulfilling the law firm's ethical and legal obligations.
If client funds appear to be missing from a law firm trust account, attorneys should promptly investigate the cause of the stolen funds and take steps to prevent any possible further thefts, including, for example, considering whether it is appropriate to close the trust account and transfer the funds to a new account.
Time is of the essence. An unaddressed breach inevitably expands until detection, causing greater exposure and more scrutiny regarding the firm's oversight of client funds. Again, doing this under the watch of outside counsel enables the firm to take more immediate and direct action with less risk of waiving important privileges and immunities that create admissions against interest for purposes of legal malpractice claims or bar grievances.
Identifying notification obligations under federal and state laws is critically important. In many situations, law firms, like other businesses, have a duty to report. In this regard, law firms also need to determine whether and to what extent authorities should be involved in such a matter. Cyberhacking can and should be reported to the FBI or local authorities.
In all situations, an attorney has a duty to notify the clients of the theft and to advise the clients of any consequences for representation. The attorney should also help the clients identify any source of funds, such as bank liability and insurance, to cover their losses. This includes providing timely notice to all insurers.
As published by American Lawyer Media