Business Email Compromise – A Slightly Different Version
While this column is directed at lawyers, it applies equally well to anyone sending or receiving confidential communications via email and expecting those communications to actually be confidential.
We think of business email compromise as one of those spear phishing emails that pretend to come from the boss telling you to wire money to China for a secret deal; well, here is a different version with a couple of twists and turns.
In this case, it was a lawyer’s email that was hacked AND the lawyer knew that someone was going after his email. He had just prevailed in a case and the other side was due to pay $63,000 to his client, through him.
He sent opposing counsel the wiring instructions via email, even though he knew that his email was under attack. He had even discussed the attack with his client, but he did not tell the opposing counsel.
As you probably guessed, the hacker sent another email to the other attorney with new wiring instructions which, needless to say, did not send the money to the prevailing attorney’s client.
There are a number of twists to this settlement – weird ones – and you can read the article below if you are interested, but one twist was that the prevailing side was supposed to dismiss their case in two days, while the other side didn’t have to pay for 15 days, so fundamentally the dismissal was not conditioned on the prevailing party getting their money.
Both sides went to court – one side to get the losing side to pay another $63k; the other side to get the prevailing side to dismiss their suit without getting paid.
The court said that the side that paid had behaved reasonably. That side said that the replacement email even used the typical bad grammar that the prevailing attorney used.
Another interesting aspect of this case is that the prevailing counsel claimed that he had no obligation to tell the opposing counsel that his email had been hacked. The court and counsel could not find any cases that said that counsel had an obligation to inform the other side of the breach.
The court decided that, in the absence of law or precedent, common sense prevails (which is interesting in itself) and said that the losing side did not have to pay again and the prevailing side had to dismiss their suit.
For attorneys, it is important to understand what their obligations might be with regard to protecting email between themselves and their client.
The American Bar Association issued a formal opinion in 2011 titled “Duty to Protect the Confidentiality of E-mail Communication with One’s Client”. ABA opinions don’t carry the force of law, but still I would think that if there was a problem, using an ABA formal ethics opinion might carry some weight either in court or in front of the ethics committee, should a client choose to go there. The summary of the opinion is this:
“A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access. In the context of representing an employee, this obligation arises, at the very least, when the lawyer knows or reasonably should know that the client is likely to send or receive substantive client lawyer communications via e-mail or other electronic means, using a business device or system under circumstances where there is a significant risk that the communications will be read by the employer or another third party.”
It seems like you can break this opinion in half. The first half says that if the attorney thinks there is significant risk of a third party intercepting emails between the client and attorney, the attorney must warn the client of the risk of using that email.
The second part is related to the first – if the client is an employee of a company and the company has the ability to monitor employee email, or routinely does monitor employee emails, including ones to the employee’s attorney, that qualifies as a significant risk and the attorney should warn the client. The opinion goes on to say that this is only one example of a situation where the emails may be intercepted.
The opinion is tied to ABA model ethics rule 1.6(a) which requires a lawyer to refrain from revealing information relating to his or her client. Comment 16 to that rule says that a lawyer must act competently to safeguard the client’s information and Comment 17 to that rule says that a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.
Back in 1999 the ABA issued opinion 99-413, which said that lawyers could, in general, use email to communicate with clients without violating rule 1.6, but they needed to make sure that it was okay with the client.
It is important to remember that the 1999 opinion is 17 years old – pre-Snowden, pre-Sony email breach and pre- most of the modern day cyber breaches that we see every day.
This new opinion does not define the terms SUBSTANTIVE, SIGNIFICANT, REASONABLY, ORDINARILY or COMPETENT, which is certainly annoying. It works both for and against the attorney. An attorney could argue that they are competent, that the risk wasn’t significant or substantive, but just as easily, the client could argue the other side.
Given the large number of email breaches that we have seen in the last few years, it could certainly be claimed that it is REASONABLE, in the eyes of a COMPETENT attorney, that there is a SIGNIFICANT risk that email may be compromised, and both model ethics rule 1.6 and opinion 11-459 are more recent than the 1999 opinion. A client could certainly claim, if the 1999 opinion was used as a defense, that while that opinion might have been valid in 1999, it likely isn’t today.
Until the legislatures, courts or ABA opine more definitively on the subject, it might be wise for attorneys – and other business professionals handling confidential information – to err on the side of caution and NOT use unencrypted email for confidential communications.
We recommend the use of Absio Dispatch; the low end version of which is free and the enterprise version of which is very reasonably priced. (Full disclosure: I am one of the founders of Absio and have a stake in the company.)
Information for this post came from The Lawyerist.
The ABA Formal Opinion 11-459 can be found here.