Ride the Lightning
Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.
Is a Lawyer Ethically Required to Replace Hacked Client Funds? It Depends.
November 24, 2015
On October 23, the North Carolina State Bar answered that question with an "it depends" ethics opinion, which is well summarized by Bloomberg BNA. If the lawyer has taken reasonable information security measures, the lawyer has no ethical duty to replace client monies stolen from a trust account when a hacker breaks into a network. Bear in mind that the opinion does not address a lawyer's legal liability in such situations.
However, lawyers do have to restore client funds if they failed to take reasonable steps that could have prevented the theft. The opinion adds that lawyers must help clients in several ways when a theft occurs.
As explained in North Carolina Formal Ethics Op. 2011-7 (2012), safety measures for online banking include strong password policies and procedures, the use of encryption and security software, hiring a technology expert for advice and making sure relevant firm members and staffers are trained on and abiding by the security procedures.
The lawyer whose network was hacked may be professionally obligated to replace the funds if she didn't use reasonable care in trust accounting and staff supervision and that failure was a proximate cause of the theft.
In another scenario, a hacker compromises the e-mail of one of the parties to a real estate transaction and then uses a spoofed e-mail address to send the lawyer instructions for wiring funds owed in the deal, which gets the lawyer to send him funds she has received for the closing.
The lawyer doesn't notice that the e-mail address has one different letter, and she follows the instructions in the e-mail to wire the money without calling first to see why the e-mail instructs her to wire the money instead of mailing a check as previously arranged.
Under these circumstances, the opinion says the lawyer has a professional responsibility to replace the funds because she did not follow reasonable security measures to verify the disbursement change by calling the sender at the phone number listed in the lawyer's file or confirming the seller's e-mail address.
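The check the opinion describes for this scenario can be partly automated. The following is an added example, not part of the opinion or the original post: it compares the sender of a disbursement instruction with the address already in the file, flags near-identical addresses, and holds any change in payment method for a phone call. The addresses, function names and the distance threshold of 2 are assumptions.

```python
# Added example; addresses, names and the distance threshold are constructed/assumed.

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(sender, on_file, max_distance=2):
    """Return 'match', 'lookalike' or 'unknown' for a sender address."""
    s = sender.strip().lower()
    known = [k.strip().lower() for k in on_file]
    if s in known:
        return "match"
    if any(edit_distance(s, k) <= max_distance for k in known):
        return "lookalike"
    return "unknown"


def review_wire_request(sender, on_file, changes_payment_method):
    """Return (verdict, action) for an e-mailed disbursement instruction."""
    verdict = classify_sender(sender, on_file)
    if verdict != "match":
        return verdict, "HOLD: sender is not the address on file; call the number in the file"
    if changes_payment_method:
        # A matching address can still be a compromised mailbox, so a change in
        # how funds are paid is confirmed by phone regardless.
        return verdict, "HOLD: disbursement change; call the number in the file"
    return verdict, "OK: consistent with the file"


# Constructed sample data: the seller's address on file and three senders.
ON_FILE = ["j.seller@example.com"]
SAMPLES = [
    ("j.seller@example.com", True),
    ("j.selier@example.com", True),   # one letter differs from the file
    ("someone@example.net", False),
]

if __name__ == "__main__":
    for sender, changed in SAMPLES:
        print(sender, "->", review_wire_request(sender, ON_FILE, changed))
```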
In yet another scenario, a third party unaffiliated with a lawyer creates counterfeit checks identical to the lawyer's trust account checks, makes checks payable to himself, and cashes them. The opinion advises that the lawyer is not ethically required to replace the stolen funds if she substantially complied with the ethics rules on trust accounting and staff supervision but was nevertheless victimized by the third-party theft.
However, the lawyer must promptly investigate and take steps to prevent further thefts and “must seek out every available option to remedy the situation,” including researching the law to determine whether the bank is liable; communicating with the bank about its liability and whether it has insurance to cover the loss; considering whether to close the affected trust account and transfer funds to a new account; and working with law enforcement to recover the funds.
The opinion says that with regard to all these situations, the lawyer owes it to the affected clients to take steps that could include the following: