Cyber crime trust account deficiency obligation
14 March 2018
The Society, having obtained the advice of senior counsel concerning practitioners’ obligations in respect of trust account deficiencies that are the result of the disbursement of trust funds in accordance with fraudulent instructions (cyber crime), has arrived at this position:
- A law practice holding trust monies in its trust account must only disburse the funds in accordance with the instructions of the person for whom the law practice holds the funds.
- If a law practice disburses funds other than in accordance with the instructions, then the law practice has, in breach of trust, misapplied trust funds and is under an obligation to restore the trust funds.
- The person who created the fraudulent instructions had no actual or apparent authority to give those instructions. That the fraudulent instructions appeared to have come from somebody with authority does not mean the instructions were sent with authority (an imposter does not derive authority by virtue of a successful impersonation). Nor does the use of an external email system cloak the imposter with apparent authority.
- Therefore, the law practice has disbursed funds other than in accordance with the instructions of the person for whom the law practice holds the funds and is obliged to restore the funds.
The obligation to restore the funds will arise regardless of whether there has been an offence under section 259 of the Legal Profession Act 2007 (LPA).
It does not necessarily follow that a legal practitioner who is a principal or employee of the law practice will have contravened section 259 of the LPA and committed an offence by causing a payment from trust funds in reliance upon the fraudulent instructions. A significant issue with respect to any allegation of an offence by the legal practitioner would be whether the legal practitioner has a reasonable excuse for the purposes of section 259 of the LPA.
It is likely that genuine and reasonable reliance by a legal practitioner upon fraudulent instructions would be a reasonable excuse for the legal practitioner having caused a deficiency for the purposes of section 259 of the LPA. But that would only mean that the practitioner would escape criminal liability. A practitioner is obliged to restore the deficiency.
Further guidance can be obtained from the Society’s cybersecurity webpage, including a first response checklist for law firms subject to a cyber-incident.