Back in July of 2011, we warned of a then-popular e-mail/fraudulent check scheme whereby lawyers would receive e-mails from alleged potential foreign clients looking to collect debts from customers. Those scammers convinced the unsuspecting lawyers to deposit fraudulent “settlement checks” into client accounts and wire the “clients’ share” to foreign accounts after the bogus checks cleared. When the frauds were eventually uncovered by the banks, the lawyers were left with liability to the banks for the fraudulent check and wire transfers.[2] Since then, newer, more complex electronic scams have surfaced whereby hackers intercept e-mails between lawyers and clients that contain wire transfer instructions. After intercepting such an e-mail, the hacker changes the instructions in the e-mail to wire money to his own untraceable account. The hacker forwards his bogus wiring instructions to the unsuspecting recipient, all while “masking” his identity as the sender and making it appear to the recipient as if the instruction came from the correct sender, whether lawyer or client.
This and other even more sophisticated electronic scams are becoming more prevalent. Given the confidential and valuable information passed between clients and their lawyers due to the attorney-client privilege, lawyers’ and law firms’ computer and e-mail accounts have become favorite targets. Whether an attorney transfers or stores confidential client information using password-protected corporate e-mail systems, “cloud computing,”[4] third-party off-site network administrator vendors, third-party hosted e-discovery management platforms, or a variety of other electronic data transfer or data storage solutions available through the Internet, the attorney inevitably faces an inherent risk that confidential client information will be susceptible to theft by a hacker or by an unscrupulous third-party employee. In the absence of reasonable, preventative, and precautionary measures, the lawyer also risks losses for the firm and its clients associated with such a theft.
Understanding how and why lawyers and law firms may be exposed to cybercrime is the first step in prevention. Because of the ever-increasing capabilities of cloud computing and, with it, the proliferation of everyday use of mobile devices—such as smartphones, tablets, and laptops—lawyers and law firms put sensitive client material at risk simply by falling asleep on the train home or finishing a brief on the redeye. A misplaced smartphone or briefcase can result in serious consequences if a device ends up in the wrong hands. In addition, mobile devices and both cloud-based and in-firm corporate networks and e-mail systems are susceptible to electronic hacking, in which a hacker illegally gains access to electronic information using a variety of more sophisticated methods. Law firms and lawyers present a particularly appealing target for hackers because the mandatory confidentiality of the attorney-client relationship creates a virtual treasure trove of sensitive client information—such as social security numbers, medical information, trade secrets, wire transfer instructions, privileged litigation communications and strategy, and internal corporate strategies—much of which can be very valuable to an array of criminal enterprises.
In conclusion, attorneys can and should take the necessary precautions to minimize the likelihood of cyber-security breaches, not only to give their clients peace of mind, but also to better shield themselves from third-party and first-party liabilities if a theft of information or other security breach actually occurs.
Joe is a shareholder of Johnson & Bell, Ltd., and the chairman of the business litigation/transaction group and co-chair of the employment group. He appreciates Johnson & Bell associate, Brian C. Langs, for his assistance in the drafting of this article.
For the full article, see Joseph R. Marconi and Victor J. Pioli, Lawyers are Increasingly the Targets of Email/Fraudulent Check Schemes, ISBA Mutual Insurance Company Liability Minute, (July 13, 2011 12:46 PM), http://www.isbamutual.com/liability-minute/lawyers-are-increasingly-the-targets-of-emailfraud.
For more detailed information and recommendations regarding protecting your firm and your clients from e-mail interception and other types of check and wire transfer fraud, see Ronald Trubiana, Title Agents and Lawyers: Be Wary and Protect Yourselves, THE TRUSTED ADVISOR, October 2010, http://www.atgf.com/tools-publications/trusted-adviser/check-and-wire-transfer-fraud-growth-industry (last visited July 25, 2014); ALTA Best Practices Frequently Asked Questions: Best Practices #3: Email Encryption, ATTORNEYS’ TITLE GUARANTY FUND, http://www.atgf.com/tools-publications/alta-best-practices-frequently-asked-questions (last visited July 25, 2014); Ronald Trubiana, Update from ATG Administration: Five Ways to Reduce Exposure to Wire Fraud, THE TRUSTED ADVISOR, April 2010, http://www.atgf.com/tools-publications/trusted-adviser/five-ways-reduce-exposure-wire-fraud (last visited July 25, 2014).
“Cloud computing” can include receiving and sending e-mails on a smartphone or tablet; using a web-based email platform like Gmail, Yahoo! or Microsoft Outlook Web Access; or using products like Google Docs, Microsoft Office 365, Dropbox, SharePoint intranets/extranets, and Citrix Desktop as a Service (“DaaS”). As Formal Opinion 2011-200 of the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility aptly remarks, “cloud computing is merely a fancy way of saying stuff’s not on your computer.”
See Ill. State Bar Ass’n Adv. Op. Prof’l. Conduct Nos. 96-10, 10-01; see also State Bar Ariz. Ethics Op. 09-04; N.Y. State Bar Ass’n Ethics Adv. Op. 842; Mass. Bar Ass’n Ethics Op.12-03; Pa. Bar Ass’n Form. Op. 2011-200 (all discussing substantially similar versions of subsection (a) of IRCP 1.6, entitled “Confidentiality of Information,” and its applicability to a lawyer’s ethical duty to protect electronically stored or transferred confidential client information).
Much of the content below making particular suggestions for precautionary actions by law firms was taken from two excellent articles: Seth L. Laver, Understanding and Protecting Against Cyber Risk, FOR THE DEFENSE (DRI’s Monthly Magazine), July 2012 at 46–49 and Rene L. Siemens and David L. Beck, Cyber Insurance—Mitigating Loss from Cyber Attacks, PERSPECTIVES ON INSURANCE RECOVERY NEWSLETTER, Summer 2012, http://www.pillsburylaw.com/publications/cyber-insurancemitigating-loss-from-cyber-attacks (last visited July 8, 2014). Both articles are recommended readings that provide detailed discussion of many of the issues raised in this article.