Law Firm Can't Seek Indemnification for Cyber Hack
It's becoming a common set of facts: In a real estate deal, a law firm received fraudulent wiring instructions that resulted in funds being sent to fraudsters. The client then sued the law firm to recoup the funds.
The twist in this case is that the law firm sued another company for indemnification. The law firm claimed that the other company was hacked and inadvertently disclosed the client's personal information that led to the business email compromise and eventual fraud.
According to allegations in a Virginia District Court, Deutsche Bank National Trust Company engaged the law firm to perform the closing for the real estate transaction. Deutsche also engaged Altisource Portfolio Solutions, Inc. to act on its behalf in effectuating the deal.
In its role, Altisource communicated with the parties to the transaction and facilitated the sale and closing. As part of its duties, Altisource communicated with the law firm and conveyed the payoff instructions for the closing.
In a Third-Party Complaint against Altisource, the law firm alleged that prior to closing the real estate transaction, a hacker obtained access to Altisource's confidential email communications containing the financial information of Altisource's customers, like Deutsche. From this breach, the hacker learned of the upcoming funds transfer between the buyer of the real estate and Deutsche. With this knowledge, the hacker "mimicked" the email address Altisource used and provided fraudulent wiring instructions to the law firm.
The law firm received funds from the buyer and, complying with the fraudulent wiring instructions, wired the money to a bank account that belonged to fraudsters.
Deutsche sued the law firm for negligence and breach of contract. The law firm then sued Altisource.
This is a bit confusing because the law firm was seeking equitable indemnification and contribution from Altisource. Claims for equitable indemnification and contribution are typically brought only as claims derivative of another party's claim. This means that, to prevail, the law firm must first establish Altisource's legal duty to Deutsche. The Court could then hold Altisource derivatively liable for any liability the law firm may incur from the Deutsche Complaint (I know, legal mumbo jumbo).
In a nutshell, the law firm could prevail if it showed that Altisource was liable to Deutsche.
Duty - What Duty?
Altisource filed a motion to dismiss the law firm's Third-Party Complaint. The question for the Court was whether Altisource owed a duty to Deutsche to safeguard the private information. The law firm alleged that Altisource breached the following five duties it owed to Deutsche:
(1) a duty to Deutsche to use reasonable care in securing the confidential and financial information flowing through Altisource email accounts and servers;
(2) a duty to Deutsche to use reasonable care in the conduct of its business, including maintaining close communication with the law firm regarding the closing and related payoff instructions;
(3) a duty to prevent hackers from pirating Deutsche's financial information and business transactions;
(4) a duty to discover and remedy breaches of its information systems security before breaches resulted in Deutsche's financial loss; and
(5) a duty to quickly notify vendors and businesses with which Deutsche conducts business (like the law firm) about breaches of its cybersecurity affecting its communications with those vendors and businesses.
No Duty to Safeguard Private Information
The Virginia Court noted that the law firm was attempting to invoke a developing area of law: whether or how to impose liability on a party whose potentially negligent conduct flows from a data breach.
The Court noted that there is a split amongst the states as to whether a party may proceed on a negligence claim against an entity that suffered a data breach.
The Court found that Virginia law does not recognize a common law duty to protect an individual's private information from an electronic data breach. Consequently, the Court could not conclude that Altisource owed a duty to Deutsche to safeguard private information.
Because the law firm failed to establish the existence of a common law duty that Altisource owed to Deutsche, a necessary element to support the law firm's claims, the Court granted the motion to dismiss.
... But the Court granted leave for the law firm to amend its Third-Party Complaint (if it so desires) in an attempt to assert a viable claim against Altisource. Hence, more to follow.
The Court's opinion is at Deutsche Bank National Trust Company as Trustee for Home Equity Mortgage Loan Asset-Backed Trust Series Inabs 2006-A, 2019 WL 1440280, at *1 (E.D. Va., 2019)
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP