Case shows why lawyers must encrypt e-communications
December 09, 2020
Here is a recent Daily Record column. My past Daily Record articles can be accessed here.
*****
Case shows why lawyers must encrypt e-communications
Whenever your firm’s employees work remotely during the pandemic (and beyond), electronic communications will increase out of necessity. If those communications aren’t encrypted, you run the risk of inadvertently disclosing confidential client data. That’s why it’s imperative that your firm takes steps to encrypt online communications if it isn’t already doing so. Whether you decide to encrypt emails on a case-by-case basis or use the secure online communications portals that are often built into law practice management software, one way or another, your firm needs to ensure that it’s protecting all confidential electronic communications.
Doing so will not only safeguard confidential information, it may also shield your firm from liability in the event that a cyber-scam results in a loss to your client. Case in point: Otto v. Caltrow Law, PLLC, No. 19-0361. In this case, the Supreme Court of Appeals of West Virginia considered whether a law firm was liable for a cyber-scam that resulted in a $266,000 loss to its client when funds for a real estate transaction were mistakenly wired to scammers.
In this case, an unidentified scammer impersonated the Ottos’ real estate agent in an email conversation and, as a result, the Ottos, who were clients of the Caltrow firm, wired the scammer $266,069.22. This money was never recovered.
The Caltrow firm used encrypted email to communicate with the Ottos’ realtor regarding wiring instructions, and never communicated directly with the Ottos. The realtor, the real estate broker, and the Ottos, however, subsequently discussed the wiring instructions via unencrypted email. It was that unencrypted email chain that the scammers hacked into. They then spoofed the real estate agent in emails sent to the Ottos regarding the purported new wiring instructions. As a result of those spoofed emails, the Ottos wired the money to the scammer’s bank account.
The Ottos subsequently filed suit against the real estate broker, the realtor, and the Caltrow firm in an attempt to recover their losses. They later settled with the broker and realtor, and then amended their claims against the Caltrow firm and alleged that the firm breached duties owed to them as follows:
- a) Prior to wiring any funds, [Petitioners] should have been personally contacted by [Respondent], or, at a minimum, [Petitioners] should have been advised and alerted by [Respondent] to call her office and confirm the instructions.
- b) Although [Respondent] appeared to have used an encrypted email, [Respondent], knowing full well that wiring instructions were to be communicated via email, should have taken any precautions to determine if [the realtor's] . . . and the [Petitioners’] emails were encrypted and otherwise secured.
- c) [Respondent] should have informed the [Petitioners] as to the prevalence of wire fraud schemes, and that if an email seemed suspicious, they should take no action until they confirmed, by independent means, that the communication was legitimate.
The Court disagreed with their assertions. First, the Court determined that when the firm encrypted the email regarding the wire instructions, it exercised reasonable care by taking steps to protect that information: “The contents of that email were highly sensitive and Respondent reasonably expected the information to remain confidential by use of encryption technology. Indeed, Petitioners concede that Respondent was not responsible for the hack because they pled in their amended complaint that ‘the money was diverted when the hacker was able to intervene in email correspondences between' (the realtor) and Coldwell.”
Next, the Court turned to the Ottos’ assertion that the firm failed to warn them about the risks associated with potential phishing and spoofing email schemes. The Court likewise dismissed that claim, concluding that the plaintiffs failed to provide sufficient evidence to support their allegation that the firm breached the applicable standard of care owed to the plaintiffs under West Virginia law.
In other words, the firm’s use of encrypted email is what saved the day in this case and precluded liability. What steps does your firm take to ensure that confidential client data is sufficiently protected from prying eyes? Does your firm have secure communication protocols, such as online communication portals, in place? If not, what better time to implement them than now, as you plan for a successful 2021? Not only is it the ethical thing to do, it’s the smart thing to do - so what are you waiting for?
Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack.