Real estate attorneys are prime targets for data breaches, but do they have a duty to prevent/avoid a breach? A Florida company is asking a court to find that attorneys are responsible for maintaining proper cybersecurity in email communications.
In 2016, a Seller of real property entered into a contract with a Buyer for property in Clearwater Beach, Florida. The Seller's real estate agent referred an Attorney to perform the closing services for the purchase. The agreed upon sales amount was $1 million.
The Seller and Buyer were to split the fee for the Attorney's services.
The Attorney sent the Buyer wire instructions for the initial deposit of $10,000. The wire instructions stated that "[b]efore wiring funds, first you must speak with one of the individuals listed below of this firm by telephone to confirm you have our authentic wire instructions, the wire amount and other important information." The Buyer successfully wired the initial deposit to the Attorney.
Later, the Buyer received an email from the Attorney's email service that appeared to be from the Attorney's office with wiring instructions for the closing amount of $974,633.44 to hold in escrow. Attached to the email was a settlement statement containing all pertinent details regarding the Buyer's real estate transaction. The email contained information that only the Attorney would possess. The wire instructions were on the Attorney's letterhead with the Attorney's contact information. A critical point was that the second email did not include instructions that the Buyer first contact the Attorney before wiring the funds.
The Buyer wired the full amount to the bank account identified in the second wiring instructions.
On the day of the closing, the Attorney requested that the Buyer wire the remaining funds. Like a scene from a movie, the Buyer told the Attorney he already wired the funds and showed the Attorney the email with the wiring instructions.
The attorney contacted the FBI. The $974,663.44 was gone . . . .
Known Risk - Duh!
For years, real estate attorneys have been warned about increasing amounts of fraud and email scams.
The National Association of Realtors recommends the following language on emails:
IMPORTANT NOTICE: Never trust wiring instructions sent via email. Cyber criminals are hacking email accounts and sending emails with fake wiring instructions. These emails are convincing and sophisticated. Always independently confirm wiring instructions in person or via a telephone call to a trusted and verified phone number. Never wire money without double-checking that the wiring instructions are correct.
The Florida Association of Realtors has a Wire Fraud Prevention Notice Form. The form strongly recommends that:
Buyer, Seller, and their respective attorneys and others working on a transaction, refrain from placing any sensitive personal and financial information in an email, directly or through an email attachment.
Legal Malpractice
The Buyer sued the Attorney and alleged that the Attorney had a duty to enact adequate security protocols to secure email accounts. This alleged duty includes:
- Using email security that requires additional forms of authentication,
- Using digital, encrypted signatures for messages,
- Using encrypted communications, and
- Frequently changing passwords.
According to the complaint, the Attorney failed to take any of these measures. The Buyer claims that if the Attorney had implemented these safeguards, the Attorney's email account would not have been compromised and used to commit the fraud.
My 2 centsAs with any lawsuit, these are just allegations and the Attorney will probably put forth a strong defense. Possible defenses include, attorneys do not have a duty to implement these security precautions and the Buyer probably should have called the Attorney to confirm the wiring instructions before sending the money.
It seems obvious that the fraudsters knew when to send the email and had information that only the Attorney should have known. This means the fraudsters were observing the Attorney's transactions and were waiting for the right time to spring the trap. Another alternative is that this was an "inside job," but that theory seems far-fetched.
In two of my previous blogs, Computer fraud insurance in the cyber age and Cyberclaims and litigation against insurance professionals, I discussed that insurance companies are denying coverage when losses arise from spoofing or phishing scams because the losses did not result from a hacking event. I also mentioned that I believe these companies are the victims of a true hack, but the hackers are only observing the victim's network activity to determine when, where, who, and how to perform the scam. If my theory is correct, the Attorney's email or network was hacked.
The Attorney probably has an errors and omissions policy, and hopefully a cyber policy that should provide a defense for this litigation. If not, the Attorney will incur significant attorneys' fees and litigation costs, and may even be held liable for the $1 million.