Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Is a Lawyer Ethically Required to Replace Hacked Client Funds? It Depends.

November 24, 2015

On October 23, the North Carolina State Bar answered that question with an "it depends" ethics opinion which is well summarized by Bloomberg BNA. If the lawyer has taken reasonable information security measures, the lawyer has no ethical duty to replace client monies stolen from a trust account when a hacker breaks into a network. Bear in mind that the opinion is not addressing a lawyer's legal liability in such situations.

However, lawyers do have to restore client funds if they failed to take reasonable steps that could have prevented the theft. It adds that lawyers must help clients in several ways when a theft occurs.

As explained in North Carolina Formal Ethics Op. 2011-7 (2012), safety measures for online banking include strong password policies and procedures, the use of encryption and security software, hiring a technology expert for advice and making sure relevant firm members and staffers are trained on and abiding by the security procedures.

The lawyer whose network was hacked may be professionally obligated to replace the funds if she didn't use reasonable care in trust accounting and staff supervision and that failure was a proximate cause of the theft.

In another scenario, a hacker gets a lawyer to send him funds the lawyer has received for a real estate closing by hacking the e-mail of one of the parties to the real estate transaction and then using a spoofed e-mail address to send the lawyer instructions for wiring funds owed in the deal.

The lawyer doesn't notice that the e-mail address has one different letter, and she follows the instructions in the e-mail to wire the money without calling first to see why the e-mail instructs her to wire the money instead of mailing a check as previously arranged.

Under these circumstances, the opinion says the lawyer has a professional responsibility to replace the funds because she did not follow reasonable security measures to verify the disbursement change by calling the sender at the phone number listed in the lawyer's file or confirming the seller's e-mail address.

In yet another scenario, a third party unaffiliated with a lawyer creates counterfeit checks identical to the lawyer's trust account checks, makes checks payable to himself, and cashes them. The opinion advises that the lawyer is not ethically required to replace the stolen funds if she substantially complied with the ethics rules on trust accounting and staff supervision but was nevertheless victimized by the third-party theft.

However, the lawyer must promptly investigate and take steps to prevent further thefts and “must seek out every available option to remedy the situation,” including researching the law to determine whether the bank is liable; communicating with the bank about its liability and whether it has insurance to cover the loss; considering whether to close the affected trust account and transfer funds to a new account; and working with law enforcement to recover the funds.

The opinion says that with regard to all these situations, the lawyer owes it to the affected clients to take steps that could include the following:

• Notify the clients of the theft and advise them about its consequences for the representation.
• Help the clients identify any source of funds, such as bank liability and insurance, to cover the losses.
• Seek a continuance or otherwise defer the clients' matter if necessary to protect their interests.
• Explain what happened to third parties or opposing parties to the extent necessary to protect the clients' interests.
• Take protective steps if stop payments are issued against outstanding checks.
• Report the theft to the state bar.
 
If this doesn't get lawyers thinking about information security, I don't know what will.