[BreachExchange] If Your Email Account Is Hacked, You Should Probably Tell Opposing Counsel

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 1 19:16:20 EDT 2016


https://lawyerist.com/126649/email-account-hacked-probably-
tell-opposing-counsel/

A few years ago, there was an ABA ethics opinion that told lawyers that if
they thought their email had been hacked, they needed to warn their client
about the risks of sending or receiving email. That seemed like a bit of a
theoretical worry, but it turns out that that even something like a
run-of-the-mill employment discrimination case can lead to an actual court
case and an actual loss of money, rather than chin-stroking ethics
hypotheticals.

The Legal Profession Blog highlighted a recent decision from the United
States District Court for the Eastern District of Virginia enforcing a
settlement order in a case where a hacker absconded with the funds that the
plaintiff received as a settlement. The takeaway: If your email has been
hacked and you’re expecting a settlement check, make sure you tell opposing
counsel to check directly with you about any emails from you.

A Virginia lawyer didn’t do that, and the hacker used his email account to
direct the settlement funds to an offshore bank account. The money was
gone, and his client insisted that the settlement be enforced, which would
mean the opposing party paid twice. The court said he had nobody to blame
but himself because he knew he had been hacked but didn’t tell opposing
counsel.

In sorting out the case, the court looked at whether opposing counsel
behaved reasonably in sending the money in the first case. This was
necessary because the defense was that somehow opposing counsel should have
known the email was shady. But the hacked email bore all signs of being
legitimate and believable:

It came from the Virginia lawyer’s regular email address.
It used a salutation that was a familiar, shortened version of opposing
counsel’s name.
It referred to the history of the settlement payment discussions
The parties had communicated by email before.

And perhaps the best and most hilarious reason: “The content of the email
was consistent with [the Virginia lawyer’s] error-prone typography.”

It’s difficult to imagine that nearly any attorney wouldn’t fall for this
and reasonably believe they were following the instructions of opposing
counsel.

There wasn’t any case law on point about in the jurisdiction, particularly
over the narrow issue of whether one attorney was obliged to inform the
other that their email might be hacked. The court found that common sense
means an attorney has to do so.

"The parties have cited no decision articulating that an attorney has an
obligation to notify opposing counsel when the attorney has actual
knowledge that a third party has gained access to information that should
be confidential, such as the terms of a settlement agreement, or the
attorney has knowledge that the funds to be paid pursuant to a settlement
agreement have been the target of an attempted fraud. Nor has the Court
located such authority. However, the principle is an eminently sensible
one. […]"

The sensible principle is this: If opposing counsel had informed the lawyer
that the email was compromised, the lawyer wouldn’t have followed the
payment instructions in the email (or, if they did, they would be behaving
recklessly). Because of that, the court ruled that opposing counsel behaved
reasonably, and the lawyer’s client had to bear the loss. Presumably, the
lawyer bore some of that loss as well.

The usual caveats apply: this is one case from one jurisdiction. That said,
it does echo the ABA ethics opinion, and it does ring true and fair: why
should the party that reasonably believed they were sending the money to
the right place be on the hook to pay twice? Next time you’re certain that
some complicated technology thing will never apply to you, remember this
case and think again.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160901/fe8ffbb9/attachment.html>


More information about the BreachExchange mailing list