BlogLine

Why picking up the phone isn’t enough – The growing importance of creating and following strict internal rules to avoid cyber and professional liability

4/14/25

By: James G. Bozza and Kevin R. Stone

A Connecticut court recently found a law firm liable for failing to protect its email system following a breach, which led to a fraudster obtaining funds intended to finalize a real estate transaction. The court held the plaintiff was less than fifty percent at fault and was therefore owed damages even though she did not follow warnings provided by the firm’s Cyber Fraud Alert, because “it is hard to criticize Plaintiff for not recognizing the fraudulent email when [the firm] did not.” 

Although it may feel as though we all regularly see that financial institutions and other businesses are victims of cyber attacks, the liability stemming from these security breaches is not limited to the Capital Ones and Targets of the world. Law firms, accounting firms and other professional organizations can also be liable for negligence due to these technological breaches.  

In the March 2025 decision of Ferentini v. Mancini, Provenzano & Futtner, LLC (“MPF”), the court held that MPF owed its client damages for its failure to secure its email system. The client-plaintiff retained MPF to facilitate a real estate transaction. When she engaged the firm, it sent her a Cyber Fraud Alert, which stated the firm would not request funds to be wired via email and that no funds should be wired “without confirming the wire instructions directly with our office by phone.” 

A slew of emails was exchanged between plaintiff and MPF in the coming months. Neither the firm nor plaintiff recognized that an additional email address was added to their email chain – that of a fraudster. In that email chain, MPF requested plaintiff to wire funds via email, exactly opposite of what its Cyber Fraud Alert stated the firm would not do. The fraudster, using an email address appearing to be from the firm, took advantage of the firm’s mistake and cleverly emailed the plaintiff to wire money to the fraudster using MPF’s wording and wiring instructions. Plaintiff complied and lost her money to the fraudster.  

In finding for the plaintiff in her suit against the law firm, the court noted, although she failed to follow the cyber alert that the firm provided, the firm more importantly failed to follow its own rules and requested funds to be transferred via email. 

This case underscores the necessity for professionals to not overlook the importance of cybersecurity. Lawyers, accountants and the like may be liable for negligence resulting from technological security breaches under the same standard as large corporations if they do not create and strictly follow internal rules and guidelines for handling sensitive information.  

The time and money required to create a safe cyber system significantly outweighs the liability that may follow if a breach were to occur. Implementing strong email security protocols, such as multi-factor authentication, encryption, and employee training on phishing detection is essential to safeguarding client funds and maintaining professional responsibility. Firms should also establish and strictly follow verification procedures for any transfer of funds, particularly those initiated via email. 

Our firm’s Data Security & Privacy and Professional Liability practice groups advise clients—both law firms and businesses in other high-risk sectors—on implementing practical, legally defensible safeguards against cyber-enabled fraud. We help clients assess and strengthen their email and payment authorization procedures, respond to fraud incidents, and navigate any resulting legal exposure. If your organization is looking to evaluate its current controls or respond to a recent incident, our team can provide targeted, experience-driven guidance to reduce risk and protect your reputation. 

Contact FMG attorneys Kevin R. Stone and James G. Bozza for additional information. 

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.