Liability for Hacked Emails?

Professionals depend on third-party email services to operate their business.  As a result, professionals may assume that the vendor is safeguarding their electronic information and therefore the professional is not exposed. False. Consider an attorney sued recently for malpractice arising from an e-mail hacking scam.

A New York real estate attorney‘s e-mail account was hacked recently. The attorney was hired to represent wealthy clients in the purchase of a multi-million dollar condo.  When the hackers gained access to the attorney’s email account, they identified the attorney’s clients as targets for a wire fraud scam.  The hackers e-mailed the attorney posing as attorneys for the sellers of the condominium.  The attorney forwarded these emails to her clients, who were tricked into wiring nearly $2 million to the hackers.

The clients learned they were defrauded the following day from their bank, but by that time it was too late to recover the funds.  The clients later filed suit against the attorney for malpractice, alleging that she failed to take basic steps to secure her computer and to protect the clients from wire fraud.  The clients alleged that the email service used by the attorney was notoriously vulnerable to hacking, but the attorney nevertheless relied on the email for sensitive communications involving the clients’ purchase of the multi-million dollar condominium.  The clients further alleged that the poor security practices allowed the hackers to impersonate the seller’s attorney, which enabled them to persuade the clients to wire the funds.

Professionals must remain vigilant of cyber security threats.  Simply relying on third-party platforms for email and other electronic communication may not relieve a professional of her duty to keep client information safe.  If the professional ignores red flags, or fails to take basic safety precautions, she may be held liable if a client becomes the victim of a scam.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.


  1. grannybunny

    Is there any email system 100% secure from hacking? Since many government — as well as private-sector — systems have been hacked, it does not appear that an unhackable system exists.

  2. Clare

    I think that attorney did a lot more wrong than allowing her email hacked. And any attorney or client on the other side who took wire instructions via unsecured email should have significant liability. There are definitely more secure options for transmitting confidential data!

  3. I’ve always wondered about this…if the email account was compromised due to a failure to implement security controls on the part of the real estate attorney I can understand the liability, however I would imagine in some of these cases the email/software providers may contain a security “hole” which would allow an outside party to intrude. In such cases a forensic investigation should be able to trace that back and shift liability to the software provider. I am also curious to see how long it is before cyber policies begin the practice of naming additional insureds for purposes such as that just mentioned.

    • Bruce R. Swicker.

      Every TOS that I have ever seen for an email provider, cloud provider, or anything similar generally disclaims liability, so there is nothing to “shift”. Furthermore, how would “additional insured” status have changed anything? A.I. status is inappropriate for this type of coverage; all that it – theoretically – would have provided to the attorney’s clients is coverage for the clients’ own cyber liability. A.I. status in NOT analogous to “loss payee” – something that is frequently misunderstood.

Next ArticleReferral Fees: The Logistics of Fee Sharing