Tell Opposing Counsel If You're Hacked, Before Hackers Take All Your Money
It's one thing to have your LinkedIn or Dropbox account compromised by hackers. It's another to have hackers break into your email account, impersonate your typo-filled writing, then convince opposing counsel to send a $63,000 settlement payment to the hacker's offshore bank account.
Unfortunately, that's just what happened to one Virginia attorney. The lesson: if you know your email has been compromised, clue in opposing counsel, or you could be responsible for whatever loss follows.
Virginia Is for Hackers
The sad tale of the hacked email begins with a simple settlement agreement. One Amangoua Bile brought an employment discrimination suit against Denny's, which was settled for $65,000. She was represented by Uduak Ubom of the Ubom Law Group, while Denny's had two attorneys at LeClairRyan on its side.
At some point during the litigation, Ubom's Yahoo email account was compromised. When it came time to pay the settlement, hackers emailed the attorneys at LeClairRyan from Ubom's email, telling them to send the settlement payment to a Barclays account in London. They did, minus $2,000 that was paid with a physical check.
Two days later, Ubom called the attorneys about the settlement and discovered that it had been stolen. LeClairRyan wasn't able to claw back the transfer.
A New Rule for Hacked Attorneys
The parties soon found themselves in court, arguing over whether the settlement agreement could now be enforced. In an order recently highlighted by the Legal Profession Blog, the U.S. District Court for the Eastern District of Virginia said yes, rejecting Ubom's argument that opposing counsel should have contacted him before making the transfer.
That's because Ubom wasn't without notice that the settlement had been targeted by hackers, yet he did nothing to inform opposing counsel. Just a few days before the settlement was stolen, Ubom received an email from Bile, his client, telling him to transfer the cash to the same Barclays account. When he spoke to the client, he found out the email wasn't genuine. And then he just deleted it, without saying anything to the court or opposing counsel.
And while there was no authority stating that Ubom had to inform opposing counsel, the court was happy to create some. Ubom and Bile failed to exercise "ordinary care," the court found, and now Bile "must bear the loss associated with the malicious third party behavior."
The court concludes:
As technology evolves and fraudulent schemes evolve with it, the Court has no compunction in firmly stating a rule that: where an attorney has actual knowledge that a malicious third party is targeting one of his cases with fraudulent intent, the attorney must either alert opposing counsel or must bear the losses to which his failure substantially contributed.