ARTICLE
10 March 2025

Is An Attorney Liable In A Cybersecurity Incident Resulting In A Loss To A Non-Client?

WE
Wilson Elser Moskowitz Edelman & Dicker LLP

Contributor

More than 800 attorneys strong, Wilson Elser serves clients of all sizes across multiple industries. It maintains 38 domestic offices, another in London and enjoys more extensive international reach as a founding member of Legalign Global.  The firm is currently ranked 56th in the National Law Journal’s NLJ 500.
Cybersecurity threats to law firms are on the rise. Data breach lawsuits have been trending upwards and show no signs of slowing down.
United States Technology

Cybersecurity threats to law firms are on the rise. Data breach lawsuits have been trending upwards and show no signs of slowing down. Considering the highly sensitive information they handle, it may come as no surprise that law firms are prime targets for cyberattacks. However, what is surprising is how these attacks can give rise to lawsuits and grievance complaints from non-clients against attorneys.

Typically, a non-client cannot sue an attorney for professional negligence or malpractice because the attorney's legal duties are restricted to their client (i.e., lack of privity). The lack of privity defense is used to protect attorneys, but cyber threats are wreaking havoc on this protection. This is especially true in "wire transfer" scams, where an email account is hacked by a cyber scammer who intercepts email communications involving a transfer of funds (litigation settlement, real estate purchase, corporate transaction) and provides fraudulent wiring instructions. We have seen a rise in claims for contribution made by the non-client against the attorney, who failed to call and confirm the accuracy of the wire instructions.

Despite the growing number of such claims, there is an absence of case law dealing with privity as a defense. This likely occurs for two reasons. First, "duty" is not a required element of a contribution claim, which makes privity irrelevant. Second, such cases are likely being settled due to the lack of any viable defense for failing to verbally confirm instructions before sending a wire. Worse yet, many malpractice policies now exclude claims for wire fraud, leaving attorneys who haven't procured a cyber policy exposed to liability and left without insurance coverage to deal with the damages.

Nevertheless, the historical protection of privity is not entirely gone. In fact, New York courts are protecting lawyers when a non-client brings a legal malpractice claim against the attorney involved, but not the party responsible for verifying the wiring instructions. As detailed in the recent cases below, these claims are being dismissed for lack of privity.

In Contour Mortgage Corp. v. Reverse Mortgage Solutions, Inc. et al., 605335/2022 (Sup. Ct. Nassau Cty. May 21, 2024), the attorneys representing the purchaser's mortgage lender emailed all parties to obtain the final payoff letter just prior to the closing. The seller's attorney emailed the real payoff instructions to the lender's attorney. However, on the day of the closing, a fraudulent email was sent impersonating the seller's attorney, which contained fake payoff instructions. The lender's attorney failed to verbally confirm the wire instructions before sending the wire, and over $350,000 was wired to the cyber scammer. The non-client lender brought a legal malpractice action against the seller's attorney, alleging that the firm breached the standard of care when it provided false, erroneous, and fraudulent information in the payoff letter. The Court granted the defendant seller's attorney's motion to dismiss, holding that no privity existed between the parties. The Court held that the seller's attorney was not retained by and had no relationship with the purchaser's mortgage lender. Therefore, any claim for legal malpractice was "meritless." The court emphasized that the seller's attorney "was not the entity responsible for wiring or confirming receipt of any funds at all."

In First American Title Insurance Company v. Liberty Land Abstract Inc. et al., 600326-22 (Sup. Ct. Nassau Cty. July 25, 2022), the title insurance company's title agent agreed to serve as the title closer, settlement agent, and escrow agent in connection with a real estate transaction. At the closing, the seller's attorney provided the title agent with a payoff statement for the seller's mortgage. The title agent made a phone call to verify the information in the payoff letter but called the number on the false wire instruction instead of independently verifying the number before calling. Relying on the false instruction, the title agent issued a wire for over $422,000 to the cyber scammer. The purchaser filed a claim under its policy on the basis that the seller's mortgage was not paid off. The non-client title insurance company then brought a lawsuit against the seller's attorney, alleging common law indemnification, negligence, and professional malpractice. The court granted the seller's attorney's motion to dismiss, holding that the seller's attorney did not share a special or near-privity relationship with the title agent or the title insurance company, which would have otherwise given rise to an obligation or duty. Additionally, the court noted that the complaint contained no information alleging that the seller's attorney represented that they would "verify the accuracy of that payoff statement."

CONCLUSION

Attorneys who fail to confirm wire instructions properly may find themselves defending claims for contribution brought by non-clients. These claims are not likely to be afforded the protection of a lack of privity. Attorneys without a cyber policy may face these exposures without the benefit of an insured defense and indemnity. Attorneys should take care to always properly vet wire instructions – each and every time they send a wire. More importantly, attorneys must closely examine their insurance policies to determine whether they may be left out in the cold without coverage for these novel yet increasingly rampant claims.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More