This article was originally published on Professional Liability Insurance Newsletter, American Bar Association, Fall 2018.
On June 11, 2018, news broke that local and federal law enforcement officials had arrested 74 people, including nearly 30 in Nigeria, in a “coordinated crackdown on people who convince correspondents to wire them money for fraudulent activities.” The scam? We all know it, of course: it is the old “Nigerian prince needs help transferring his inheritance to the United States” email, the one in which your account number, social security number and other personal information are “urgently” required to help the prince get his money out of the country. Once that information is provided, the victims watch as their money is slowly but surely siphoned out of their accounts, never to be recovered or seen again. The prince’s inheritance never does show up in the victim’s electronic coffer.
Legal professionals may scoff at the notion that they could ever be affected by this type of fraud, what has become known as the “man in the email” scam. Who could ever really fall for that, right? As it turns out, variations of this scam have begun to weasel their way into the sensitive and potentially confidential matters attorneys handle for their clients. In fact, fact patterns have recently emerged in which clients, rather than attorneys, are the ones fooled by the “man in the email” scam, leaving attorneys exposed to potential malpractice liability whether or not they sustained a cyberattack that yielded the confidential information used in the scam. Some debate remains as to what duty, if any, the attorney owes the client in this situation, but the evolution of this type of potential malpractice claim has been fascinating to watch.
In one of the first cases to examine these issues, Shore v. Johnson & Bell, Ltd., No. 16-cv-04363 (N.D. Ill. 2016), plaintiffs brought a class action complaint against a Chicago-based law firm alleging that the firm’s computer systems suffered from “critical vulnerabilities in its internet-accessible web services[,]” with the result that confidential information provided to the firm by its clients had been exposed and was allegedly at great risk of unauthorized disclosure. Plaintiffs claimed that it was “only a matter of time until hackers learn[ed] of these vulnerabilities,” putting clients’ information, communications and other documents on file with the firm at risk. More specifically, plaintiffs alleged that the lack of security surrounding the firm’s remote network made a “man in the email” attack, or, as they characterized it, a “Man in the Middle” attack (in the technical sense, an attack in which a third party silently interposes itself between two communicating parties and can read or alter what passes between them), a “serious concern.” Plaintiffs further alleged that they had expected the firm to use (unspecified) industry-standard measures to protect their data, and that they would not have retained the firm or provided their confidential data had they known about its “lax” security protocols and insecure systems. As a result, they alleged, their confidential data had been exposed.
The problem with the allegations in the Shore complaint was fairly evident: it was not clear what damages, if any, had been sustained. This may have been one of the primary reasons the Shore case was diverted to arbitration in February 2017, never to be heard from again. Whereas that case read like a preemptive strike against a possible breach (indeed, the duty allegedly breached was that the firm “failed to implement industry standard data security measures, resulting in [potential] vulnerabilities and the exposure of [] confidential data”), the following case took this type of claim a step further, giving potential plaintiffs a clearer template for suing law firms whose data breaches ended up costing their clients dearly.
In Millard v. Doran, No. 153262/2016 (Sup. Ct. N.Y. Cty.), plaintiffs, a husband and wife, alleged that Doran, their real estate lawyer, was liable for malpractice and breach of fiduciary duty arising out of her assistance on a real estate purchase in New York City. According to the complaint, Doran committed malpractice by “permitt[ing]” cyber criminals to hack into her email system and to read and intercept all communications that Doran had sent to the Millards. Those intercepted communications alerted the unnamed criminals that the Millards were about to transfer large sums of money to the seller as part of the purchase, and the criminals then drafted fraudulent emails made to look as though Doran herself had written and sent them to the Millards. In those emails, the Millards were instructed to wire funds to a bank account that purportedly belonged to the seller but which, they later found out, was actually under the criminals’ control. Id. The story is a familiar one from there: following the instructions sent to them, the Millards wired the money (upwards of $2 million) where indicated, i.e., straight into the criminals’ account. They did not speak with Doran before sending the money, a detail that matters, since verifying wire instructions out of band, by telephone at a number already known to be the attorney’s, is the standard defense against exactly this scheme. In fact, the scheme was apparently so meticulously plotted that the criminals even sent fraudulent confirmation emails to Doran from the fake account, to lull both sets of victims into a further sense that nothing was amiss, despite the urgency of the situation. By the time either client or attorney realized that the email address in question did not, in fact, belong to the seller’s attorney, the $2 million had vanished. Because there was an ascertainable and verifiable loss, allowing the plaintiffs to allege damages beyond the merely speculative damages alleged in Shore, the Millard case seemed ripe for adjudication.
However, like Shore, the Millard case appears to have been settled shortly after issue was joined, that is, shortly after the defendant answered the complaint.
Why did these cases not move forward? Could such a malpractice claim be sustained by an aggrieved former client against a law firm or attorney? Unfortunately, these questions have not yet been answered, because both cases were resolved before any substantive litigation took place. An analysis under applicable law may show, however, why plaintiffs have tended to settle rather than attempt to prove their malpractice claims.
Under New York law, for example, an action for legal malpractice requires proof of three elements: “(1) that the attorney was negligent; (2) that such negligence was a proximate cause of plaintiff’s losses; and (3) proof of actual damages.” Glob. Bus. Inst. v. Rivkin Radler LLP, 958 N.Y.S.2d 41, 42 (1st Dep’t 2012); Brooks v. Lewin, 21 A.D.3d 731, 734 (1st Dep’t 2005), lv. denied, 6 N.Y.3d 713 (2006). A clear pattern is forming in the allegations of these lawsuits, and it leads back to one important question: what is the law firm’s duty, on the one hand, with respect to cyber security and, on the other, with respect to the protection of confidential client information?
Ethically speaking, an attorney’s responsibilities are now reasonably well defined. Following the report and recommendations of the ABA Commission on Ethics 20/20, the ABA House of Delegates approved the following changes to the Model Rules in 2012:
- Comment [8] to Rule 1.1 now states that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks of technology…”; and
- Rule 1.6 has long imposed a duty on attorneys to maintain the confidentiality of information relating to a client’s representation. On the Commission’s recommendation, a new paragraph (c) was added to Rule 1.6, providing that:
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
While these changes were certainly welcome, neither the rule text nor the Commission’s report spelled out which changes in technology attorneys were expected to keep abreast of, or what “reasonable efforts” attorneys needed to undertake to ensure that their clients’ confidential information was in fact safeguarded.
In May 2017, the ABA Standing Committee on Ethics and Professional Responsibility moved to clarify matters further, publishing Formal Opinion 477R, “Securing Communication of Protected Client Information.” In that opinion, the ABA offered guidance, or “suggestions,” as to what “reasonable efforts” may mean for attorneys going forward. Those suggestions included:
- attorneys and firms should understand the nature of the potential cyber threat, and should make greater efforts to protect confidentiality in “higher risk scenarios”;
- attorneys and firms should understand how client communications are transmitted and where they are stored, with each method of transmission assessed for its adequacy;
- attorneys and firms should use reasonable electronic security measures to safeguard clients’ information, with what is “reasonable” varying according to the facts and circumstances;
- attorneys and firms should protect electronic communications at different levels, depending on the sensitivity of the communications;
- attorneys and firms should establish policies, procedures and training so that other lawyers and non-lawyer staff handle this type of information appropriately; and
- attorneys and firms should conduct due diligence on their email service providers before enlisting their services.
Even though the ABA Opinion creates an arms race of sorts, and does not explain how a sole practitioner can keep pace with a wealthy white-shoe firm in making these reasonable efforts without bankrupting itself, it is possible that a failure to make the suggested “reasonable efforts” could be used by plaintiffs’ lawyers as the basis of malpractice claims against attorneys in the not-too-distant future.
However, it remains unclear whether, on the facts of the Millard case, a malpractice claim can actually succeed. To prove professional negligence, the plaintiff must also show that “but for” the attorney’s alleged malpractice the plaintiff would not have sustained actual, ascertainable damages, and a failure to establish proximate cause requires dismissal regardless of whether negligence is established. See, e.g., Pellegrino v. Rubenstein, 738 N.Y.S.2d 320 (1st Dep’t 2002); Russo v. Feder, Kaszovitz, Isaacson, Weber, Skala & Bass, LLP, 750 N.Y.S.2d 277 (1st Dep’t 2002). See also Wo Yee Hing Realty Corp. v. Stern, 99 A.D.3d 58, 63 (1st Dep’t 2012) (internal quotation marks omitted) (“[T]he failure to show proximate cause mandates dismissal of a legal malpractice action regardless of whether the attorney was negligent”). In a case like Millard, where it is the client who responds to the fraudulent email and the client who wires the money to the fraudulent account, all outside the attorney’s view and without the attorney’s approval, it will be nearly impossible to show that the damages were in fact caused by the attorney’s failure to secure the client’s confidential information; the attorney’s conduct may simply be too attenuated from the loss to support a finding of malpractice. Of course, if the client can prove that the information in the fraudulent email was obtained through a compromise of the attorney’s email system or electronic files, that would help his or her cause, assuming the other elements can be established. That kind of evidence is hard to come by, however: establishing the point of compromise typically requires mail-server access logs, authentication records and the full headers of the fraudulent messages, which means preserving them promptly and usually subpoenaing the email and hosting providers. It is even harder to use to the desired effect, since every party to the transaction corresponds about the same closing, and the question of whether the information came from the allegedly hacked counsel’s mailbox or from that of any of the other attorneys participating in the transaction may have no clear answer.
Moreover, the mere fact that a hack occurred is not by itself sufficient to show a departure from the standard of practice of attorneys in the jurisdiction. As such, a malpractice claim arising out of a “man in the email” attack may not be as strong as the plaintiffs in the above-referenced cases may have believed when they filed.
In the end, the legal profession continues to hold its collective breath awaiting a decision on a malpractice claim in which it is the client who falls victim to the “man in the email” attack, wires the funds, and sustains the resulting damages. Can an attorney or firm be held liable for malpractice for failing to protect a client’s confidential information where the attorney has not actually done anything to cause the damages in question?
In the brave new world of “Nigerian princes” and “m[e]n in the email,” we do not yet know. Unfortunately, what we do not know as attorneys may someday leave lawyers exposed to malpractice claims.