
Cyber Liability - Trusted Partner or Criminal Hacker: Are you certain you can tell who sent the email?

The continuing risk to law firms and their lawyers was highlighted once again late last month when the Warminster, Pennsylvania law firm, O’Neill, Bragg & Staffin, P.C., filed a 55-page complaint against Bank of America Corporation alleging, inter alia, that the Bank breached its contractual obligations to the firm after funds contained in a firm Interest on Lawyer Trust Account (IOLTA account) were transferred to hackers.

The action arose out of an incident which occurred December 6, 2017.  It is an unfortunate story that we hear too often these days.  

At 4:38 p.m. on Wednesday, December 6, 2017, Attorney Alvin Staffin received an email purportedly from his partner Gary Bragg asking if he was going to be in the office the next day as a client had a wire transfer that needed to be sent on a loan matter.  He advised that $580,000 needed to be wired by the client to the lender’s investment account in Hong Kong.  Over the course of the next 33 minutes, the “partners” exchanged several emails in which Mr. Staffin was provided wire transfer instructions and was advised from which IOLTA sub-account the funds were to be transferred.

The hacker was particularly sophisticated in that it addressed Mr. Staffin by his nickname, indicated familiarity with the matter at issue, provided the appropriate IOLTA sub-account information for the client and appeared to recognize that Mr. Bragg was not in the office at the time of the communications.  

At 5:52 p.m. that evening, Mr. Staffin requested that the Bank transfer $580,000 from the client’s IOLTA sub-account to the Bank of China account identified in the wire instructions provided during the earlier email exchange.  After completing the transfer request, Mr. Staffin telephoned Mr. Bragg.  Mr. Bragg advised him that he had not received a transfer request from the client and had not sent any email to Mr. Staffin to make any such transfer.

Mr. Staffin realized that the Firm’s email had been infiltrated by a hacker and contacted the Bank to notify it of the fraud and to stop the wire transfer.  Unfortunately, the wire transfer was completed and, after pursuing the criminal actors, the Firm was only able to recover a small portion of the $580,000 that had been transferred from its clients’ IOLTA sub-accounts.

The Firm filed suit against the Bank in the United States District Court for the Eastern District of Pennsylvania at 2:18-cv-02109 on May 18, 2018.  Specifically, the Firm alleges claims against the Bank for breach of its Escrow Control Account Agreement, Deposit Agreement and Disclosures and Telephone Wire Transfer Agreement; various violations of the Uniform Commercial Code as adopted by Pennsylvania; violation of Federal Reserve Regulations; negligence per se; and negligence.

The Firm alleges that it had established an IOLTA account with the Bank’s predecessor-in-interest.  In order to insulate each client’s assets from one another, the Firm segregated each client’s funds into a separate sub-account.  Despite the protections requested by the Firm, when the December 6, 2017 transfer request was made, the Bank transferred the entire $580,000 even though the IOLTA sub-account from which the transfer request was made only contained $1,900.  In order to make up for the overdraft, the Bank transferred the remaining funds from IOLTA sub-accounts set up for other clients.

The case raises many questions as to why and how the $580,000 wire transfer request was honored by the Bank when the IOLTA sub-account from which the request was made was significantly underfunded at the time of the transfer request.  While those issues will necessarily be addressed in the lawsuit, the December 6, 2017 event itself is another reminder to us that the danger and risk to lawyers in the cyber world are real and constant.  

The issues raised by the unfortunate events of December 6, 2017, for the O’Neill, Bragg & Staffin Firm are particularly sensitive for lawyers and the practice of law.  Protection of client property and a lawyer’s IOLTA account is a necessity.  The Model Rules of Professional Conduct mandate the safekeeping of client property, and mishandling of money held for clients has become one of the most common reasons for the imposition of serious discipline against lawyers.

ABA Model Rule 1.15:  Safekeeping Property requires that a lawyer “hold property of clients or third persons that is in a lawyer’s possession in connection with a representation separate from the lawyer’s own property.”  Rule 1.15 further requires that a lawyer maintain complete records of such account funds.  Id.    

The O’Neill, Bragg & Staffin Firm event reminds us to remain vigilant when it comes to protecting ourselves and our clients from cyber threats.  Always be cautious when communicating through email.  Be on the lookout for things such as:

  • Emails from people that you are not expecting or unusual requests given your relationship with the purported sender;
  • Emails with misspellings, grammatical mistakes or unusual phrasing in the message;
  •  Suspicious emails such as those containing improper wording or unusual requests;
  • Emails seeking sensitive personal or financial information or requesting that you take action such as updating accounts, sending a wire transfer or alerting you about a failed transaction;
  • Emails imposing short or urgent deadlines; or
  • Emails which contain links, files or attachments.  Never click on links, open attachments or download files contained in emails unless they come from a known, trusted source.

In general, if you receive an email, or a request in an email, that appears out of the ordinary or is in any way unexpected or unusual, take a close look at the details of the email.  Check the display name for misspellings or inconsistencies and confirm the sender before responding.  If you receive a request for confidential or sensitive information, or are asked to do something relating to the same, particularly in relation to wire transfers, communicate the old-fashioned way.  Pick up the phone and contact the purported sender to confirm the request before providing information or taking action.
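The checks above can be partly automated at the mail gateway or in a mailbox rule. The following is an added example (not code from the article, the Firm, or any product): it parses a raw message with Python's standard `email` library and flags three of the red flags described above, namely a colleague's display name paired with an unfamiliar address, a Reply-To that silently redirects replies, and a funds-transfer request combined with an urgent deadline. The colleague directory and both sample messages are constructed for the example; the domains are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of colleagues: lowercase display name -> the one
# address they actually send from (hypothetical domain, not the Firm's).
KNOWN_SENDERS = {"gary bragg": "gbragg@example-lawfirm.test"}

MONEY_WORDS = ("wire", "transfer", "payment")
URGENCY_WORDS = ("today", "urgent", "immediately", "asap", "deadline")


def bec_red_flags(raw_message):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    # 1. Display name of a known colleague paired with an address that is
    #    not theirs (lookalike domain or free webmail account).
    expected = KNOWN_SENDERS.get(from_name.strip().lower())
    if expected and from_addr != expected:
        flags.append(f"display name '{from_name}' but address {from_addr}, expected {expected}")
    # 2. Replies redirected somewhere other than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        flags.append(f"Reply-To {reply_to} differs from From {from_addr}")
    # 3. A request to move money combined with time pressure.
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    if any(w in text for w in MONEY_WORDS) and any(w in text for w in URGENCY_WORDS):
        flags.append("funds transfer request with an urgent deadline")
    return flags


# Constructed sample messages (placeholder domains, no real addresses).
SPOOFED_MESSAGE = """From: Gary Bragg <gary.bragg@example-lawfirm-mail.test>
Reply-To: gary.bragg@freemail.test
Subject: Wire needed
Content-Type: text/plain

Are you in the office tomorrow? The client needs $580,000 wired today.
"""

LEGITIMATE_MESSAGE = """From: Gary Bragg <gbragg@example-lawfirm.test>
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(name, bec_red_flags(raw) or ["no red flags"])
```

A flagged message is a prompt to pick up the phone, not a verdict: a mailbox that has actually been taken over sends from the genuine address and passes checks 1 and 2, so out-of-band confirmation of wire instructions remains the control that matters.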



This article was prepared by Holly Whalen , Esq. of Cipriani & Werner, P.C.  We trust that the above article was useful and thought provoking; however, please note that it is intended a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.

For more information on LPL coverage generally and Cyber Liability insurance, contact Greg Cooke USI Affinity today.

