MONTH-IN-BRIEF (Dec 2018)
Cybersecurity
Law Firm Bears Loss for Business Email Compromise
By William R. Denny, Potter Anderson & Corroon LLP
In O’Neill, Bragg & Staffin, P.C. v. Bank of America Corp., No. 18-2109 (E.D. Pa. Nov. 13, 2018), appeal filed (3d Cir. Dec. 12, 2018), the district court dismissed a lawsuit seeking to recover a law firm’s losses following a business email compromise (BEC). The complaint alleged that a computer hacker had created email correspondence appearing to originate from attorney Gary Bragg’s email address, directed to Alvin Staffin, another attorney in the same firm, requesting that the attorney send a wire for $580,000 on behalf of a client to a Bank of China investment account. Staffin contacted Bank of America by telephone and initiated a wire transfer from the firm’s IOLTA account, which contained money held in trust by the firm for multiple clients. Shortly after the wire transfer was confirmed, Staffin called Bragg, whom he believed had made the transfer request, to discuss the transfer. Upon learning that Bragg had not sent the email and that the firm had been victimized by a computer hacker, Staffin contacted Bank of America to request that the transfer be stopped, but it was too late. The law firm sued Bank of America for breach of contract and of various regulations, due to the bank’s failure to stop the fraudulent transaction. However, the court ruled that the contract and regulations were clear that the bank had no obligation to stop the transfer once the payment order was received by the bank. Although the law firm was innocent of wrongdoing, as between it and the bank, it had to bear the loss.
