Act fast if hackers compromise client escrow funds

There is seemingly no limit to the lengths scam artists will go to victimize unsuspecting attorneys. Indeed, as you read this article, somewhere a scam artist is devising a new scheme to induce attorneys to grant access to client escrow funds.

A common trick is for the scam artist to pose as a potential client with a surefire case that promises significant fees, with an elaborate story meant to convey legitimacy. Such scams are a far cry from past attacks on attorney trust accounts, which typically involved frauds such as counterfeit bank checks, forged trust account checks, and desperate or dishonest attorneys and staff with access to the accounts.

Today, attacks on escrow accounts are more sophisticated and can involve complex cyberattacks that may allow a third party to gain access to the firm's computer systems and obtain passwords, access codes and account numbers for escrow accounts.

In many states, an attorney's potential liability when a hacker steals client funds is an open question. State bar associations generally will not hesitate to hold an attorney liable where the loss of client funds results from an attorney's failure to adequately supervise other employees. In Matter of Ozekhome, the California State Bar disciplined an attorney for placing "blind trust" in a paralegal with respect to the handling of a client's settlement checks. 12-0-12013 (Cal. Bar Ct. May 18, 2015).

Similar principles may nonetheless apply where the funds are stolen by a third party, as opposed to an attorney's employee, especially if the attorney is careless with cybersecurity. As stated in Ozekhome, "an attorney has a personal and non-delegable obligation of reasonable care to comply with the critically important rules of safekeeping and disposition of client funds."

This key question, therefore, is what steps attorneys can take to fulfill their obligation to exercise reasonable care in protecting client escrow funds from attacks by third parties. Although the nature of attacks may be impossible to predict, lessons from prior attacks provide guidance as to how attorneys may protect client funds.

Ensure Compliance

First, attorneys should take care to ensure compliance with all rules governing client trust fund accounts. The California Rules of Professional Conduct address an attorney's obligations with respect to client trust funds in Rule 4-100.

Pursuant to this rule, an attorney who receives or holds funds for the benefit of clients must place those funds in a bank account labeled "Trust Account" or "Client's Funds Account" and, with very limited exceptions, cannot commingle the funds with other funds. In addition, the funds and other client property must be identified and placed in a safe deposit box or other place of safekeeping as soon as practicable upon receipt.

Rule 4-100 also requires that an attorney maintain complete records regarding all client property in the possession of the attorney and account for such property to the client. These records must be preserved for at least five years after the distribution of the property.

In addition, the Discussion provided in connection with Rule 3-110 specifies that an attorney's duty of competence "include[s] the duty to supervise the work of subordinate attorney and non-attorney employees or agents." Thus, an attorney would appear to have an obligation to ensure that any non-attorney administrative staff with access to client trust accounts similarly act ethically with regard to client funds.

The duty to supervise may include educating colleagues and staff regarding the proper handling of client property. In light of the risks of hacking, this can include training regarding how to detect high-risk emails that could compromise a law firm's computer system.

Responding Quickly

If the worst-case scenario happens and client funds are misappropriated, an attorney should consider taking certain steps, regardless of whether the attorney will ultimately be held responsible for reimbursing the trust account.

The first step upon discovering that client funds may have been compromised is usually to hire attorneys who specialize in cybersecurity and law firm defense issues. The initial moments after a hacking incident may feel chaotic as there will be a number of issues to address both with the client and with respect to the security of the law firm's data and other accounts. Hiring counsel with experience in such situations will help provide order while also preserving and maintaining privileges.

Because of the risks to a client's funds and confidential information, any perception that a law firm is not taking adequate steps after a hacking incident may damage the firm's reputation. Hiring outside counsel can reflect extra due diligence by the law firm in addressing a problem and in fulfilling the law firm's ethical and legal obligations, and thus can be helpful for purposes of defending against any subsequent legal malpractice claims or bar grievances.

Time is of the essence. An unaddressed breach inevitably expands until detection, causing greater exposure and more scrutiny regarding the firm's oversight of client funds.

Identifying notification obligations under federal and state laws is also critically important to determine whether the law firm has a duty to report the breach and, if so, to whom.

In addition, an attorney should notify the clients of the theft and advise the clients of any consequences that theft may have for the representation. The attorney can also help the clients identify any source of funds, such as bank liability and insurance, to cover their losses.

In light of the increased risks posed by sophisticated hackers, attorneys who believe that they will never be hacked are living in the past and can create unnecessary risks for their clients and for their law practice. It is important that attorneys understand their obligations and take quick action to mitigate the damage when a hacking incident that impacts client funds is suspected.