INDEX NO.

153262/2016

FILED: NEW YORK COUNTY CLERK 04/18/2016 08:43 AM

NYSCEF DOC. NO. 1

RECEIVED NYSCEF: 04/18/2016

SUPREME COURT OF THE STATE OF NEW YORK

COUNTY OF NEW YORK
-------------------------------------------ROBERT MILLARD and BETHANY MILLARD,
Plaintiffs,
- against PATRICIA L. DORAN
Defendant.
--------------------------------------------

x
:
:
:
:
:
:
:
:
:
:
:
x

Index No.:
Date Filed: April 18, 2016
SUMMONS

To the above named Defendant:

YOU ARE HEREBY SUMMONED to answer the complaint in this action and to serve a copy
of your answer, or if the complaint is not served with this summons, to serve a notice of
appearance, on the plaintiffs Attorney within 20 days after the service of this summons,
exclusive of the day of service (or within 30 days after the service is complete if this summons is
not personally delivered to you within the state of New York) and in case of your failure to
appear or answer a judgment will be taken against you by default for the relief demanded in the
complaint.
Dated: April 18, 2016
___________________________
John T. Bandler, Esq.
Bandler Law Firm PLLC
48 Wall Street, Suite 1100
New York, NY, 10005
John@bandlergroup.com
(646) 296-0266
____________________________________________________________________________
Defendant's Address
Patricia L. Doran
740 Glen Cove Ave
Glen Head, NY 11545
1

1 of 16

SUPREME COURT OF THE STATE OF NEW YORK

COUNTY OF NEW YORK
-------------------------------------------ROBERT MILLARD and BETHANY MILLARD,
Plaintiffs,
- against PATRICIA L. DORAN, ESQ.,
Defendant.
--------------------------------------------

x
:
:
:
:
:
:
:
:
:
:
:
x

Index No.:

COMPLAINT
Jury Trial Demanded

Plaintiffs Robert Millard and Bethany Millard, by and through their attorney John T.
Bandler, as and for their complaint against defendant Patricia L. Doran, allege as follows:
1.

Plaintiffs Robert and Bethany Millard (the "Millards") are a married couple, who

reside in Manhattan.
2.

Defendant Patricia L. Doran (Doran) is a real estate attorney, whose office is

located at 740 Glen Cove Ave, Glen Head, New York 11545.
NATURE OF THE CASE
3.

This is a lawsuit for legal malpractice and breach of fiduciary duty. The Plaintiffs

are a married couple who retained the defendant, Patricia L. Doran, Esq., to assist them in
purchasing a cooperative apartment in Manhattan (the Apartment). Doran, who represented
herself as a competent and diligent attorney who practiced exclusively in real estate law,
promised to assist the Millards in all aspects of the purchasing process, specifically including
oversight of the Millards payment of a deposit, and oversight of the closing.
4.

As an attorney, Doran had a fiduciary duty to protect her clients funds, and to
2

2 of 16

insure, as far as reasonably possible, that their purchase would be accomplished without incident.
She had a further duty to protect the integrity of the files she kept on her clients, and the
confidentiality of her communications with her clients.
5.

Doran breached all these duties. Through her negligence, she permitted

cybercriminals to hack into her email system and read and intercept all of her communications,
including those she sent to the Millards. These email communications alerted the cybercriminals
that the Millards were about to transfer large sums of money to the seller as part of the purchase
process for the Apartment. The cybercriminals then drafted fraudulent emails in the name of
Doran, which they sent to the Millards; these emails, which appeared to be written by Doran, and
were sent via Dorans email account, instructed the Millards to send funds by wire transfer to a
bank account that purportedly belonged to the seller, but actually was under the control of the
cybercriminals.
6.

Acting under the misimpression that these emailed instructions came from their

attorney, the Millards wire transferred the money to the account indicated, that is, to the account
controlled by the cybercriminals. After receiving the Millards money, the cybercriminals sent
Doran an email, purporting to be from the sellers attorneys, which stated that the Millards
funds had been properly received. Doran made no attempt to confirm the authenticity of this
email, which she simply forwarded to her clients.
7.

By forwarding the phony confirmation to the Millards, Doran implicitly vouched

for its authenticity. This gave the Millards an unwarranted sense of security, and delayed any
attempt on their part to corroborate the confirmation, that is, to make an independent check that
the wired funds had been received by the seller. The delay had grave consequences, giving the
3

3 of 16

cybercriminals time to resend the Millards money out of the country.

8.

Doran's negligence in failing to protect the integrity of both her email system and

her computer system, and her failure to take the most basic steps to confirm that the funds wired
by her clients actually were received by the sellers attorneys, enabled the cybercriminals to
successfully accomplish their scheme: to hack her email system and to steal and launder
$1,938,000 of the Millards money. Although the greater part of this sum was eventually
recovered (without Dorans help), the Millards have been left with an uncompensated loss of
$196,200, plus punitive damages, attorneys fees, accrued interest, costs, and the expenses of this
enforcement action.
9.

The Millards, through their attorney, repeatedly have requested that Doran

reimburse them for the stolen funds. The failure of these efforts has forced them to bring this
law suit.
FACTS
10.

In the fall of 2015, the Millards orally agreed to purchase a cooperative apartment

in Manhattan (the Apartment). On November 23, 2015 the parties adopted a Deal Sheet,
which set a sales price for the Apartment of $19,380,000, and required payment of a 10% deposit
(that is, $1,938,000).
11.

The Millards retained defendant Doran, who held herself out as a competent and

diligent attorney practicing exclusively in real estate, to advise, assist and represent them in their
purchase. In spite of the size and complexity of the anticipated transaction, and the requirements
of New York law, Doran did not prepare an engagement letter or indeed any other document that
described the duties she would perform. However, in their discussions with Doran, the Millards
4

4 of 16

made clear that they required and expected her to perform all the legal services necessary to
successfully complete the purchase of the Apartment. These services, which are the services
customarily performed by real estate attorneys in connection with the purchase or sale of
property, included: (a) a thorough review of the Deal Sheet, (b) performance of due diligence on
the Apartment and the building in which the Apartment was housed, (c) preparation and review
of a contract of sale, (d) oversight of the Millards payments to the seller (Seller) of a deposit,
(e) performance of all tasks between execution of the contract of sale and closing, (f)
coordination and participation in the closing, and (g) all tasks necessary to successfully conclude
the representation.
The Doran AOL Account
12.

In conducting her law practice, Doran used an email account provided by

America Online (AOL) (the Doran AOL Account). Doran used this account for all her
professional email, including correspondence with the Millards and other clients, and
correspondence with non-client third parties.
13.

AOL email accounts are notoriously vulnerable to hacking by cybercriminals.

This vulnerability derives from a number of substandard features, including poor detection of
suspicious log in attempts, poor security, and poor spam filtering protection, which together
render email accounts easy to unauthorized penetration.
14.

While its basic email system is vulnerable, AOL does offer some protective

devices by which subscribers can improve their cyber-security. Perhaps the most important of
these is two factor authentication, which requires the account holder to not only know the
password (which is possible for hackers and cybercriminals to obtain), but also possess a device
5

5 of 16

such as a cellular phone with which to receive a text messaged code which must be input. This
two factor authentication process makes it more difficult for an unauthorized user to hack into
the system. Doran did not employ two factor identification or, indeed, any other supplementary
device to strengthen the security of her account.
15.

The porousness of Doran's computer system was not confined to her use of an

AOL email account. Investigation has shown that Doran's office computer was poorly
configured and contained intrusive software (malware) that potentially enabled third parties to
access her computer, passwords, and client files. Together these factors -- that is, a poorly
configured computer containing malware, and an email system that hackers found easy to breach
-- meant that Doran offered very little if any protection to the assets and information she held on
behalf of her clients. In short, her system was easy for criminals to hack.
16.

Doran's failure to install basic cybersecurity protection had the predictable result:

the Doran AOL Account was hacked by unauthorized third parties, some of whom almost
certainly were professional cybercriminals. The lack of basic cybersecurity measures or
awareness also meant that this hack was not detected by Doran. These cybercriminals then
learned when and how the Millards intended to pay for the Apartment, knowledge that permitted
them to pose as the sellers attorneys and thereby steal the Millards money.
The Wire Transfer
17.

The deal sheet regarding the proposed sale for the Apartment required the

Millards to make a deposit in the amount of $1,938,000 at the time the contract was signed, and
the remaining balance at the time of closing. Both payments were to be made by the Millards,
from their own bank account, by wire transfer to the account specified by the seller. Instructions
6

6 of 16

on how to effect these wire transfers was to be provided to the Millards by Doran.
18.

To provide the Millards with the necessary payment information, Doran asked the

sellers attorneys to specify the account into which payment was to be made. The sellers
attorneys complied, sending Doran the relevant account and routing numbers, but Doran
misplaced this information. On December 8, 2015, Doran sent an email from the Doran AOL
Account to the sellers attorneys, asking them to resend the necessary instructions.
19.

On information and belief, Doran's December 8, 2015 email request was reviewed

by the cybercriminals who had gained access to the Doran AOL Account. The intruders thus
learned that the Millards were about to transfer a large sum of money to an account whose
identifying information plaintiffs had yet to receive.
20.

Doran evidently did not recognize how vulnerable her AOL Account was to email

hacking and other forms of cybercriminal intrusion. Nor did she recognize the threat posed by
email hacking and social engineering, which increasingly is prevalent and recognized by
professionals who regularly deal with the transfer of funds by wire. (Social engineering is a
term of art describing the process of manipulating people through deceitful techniques, including
the impersonation of others.) Thus, she failed to take even the most rudimentary steps to protect
the Millards from cyberfraud. More specifically, although the purchase of the Apartment
required the Millards to make two wire transfers of large sums of money (one for the deposit at
signing of the contract, and one at closing), Doran never advised the Millards to orally confirm
any wire instructions they might receive from the Doran AOL Account.
21.

On December 10, 2015 (Thursday) at 3:00 p.m., the Millards received an email

ostensibly sent by Doran from the Doran AOL Account. This email informed them that they
7

7 of 16

soon would receive instructions on where to wire transfer the funds necessary for closing on the
Apartment. In fact, this email was not sent by Doran, but by cybercriminals who had hacked into
the Doran AOL Account, and who learned that the Millards were about to make a wire transfer
of a large sum of money.
22.

Later the same day (December 10, 2015), at about 4:24 p.m., the Millards

received a second email, again ostensibly sent by Doran. This email instructed the Millards to
wire the funds to a bank account in the name of BR Top Premier Rates Inc., (hereafter, BR
Top Fraud Account) at TD Bank. The email, which provided additional wiring information,
was not in fact sent by Doran, but by the cybercriminals who had hacked into the Doran AOL
Account.
23.

The two emails the Millards received on December 10th from the Doran AOL

Account had been sent in furtherance of a scheme to steal the Millards money. In fact, the
account to which the Millards were directed to transfer their funds -- BR Top Fraud Account -had no connection at all with the seller of the Apartment or the sellers attorneys.
24.

In sum, upon information and belief, although the fraudulent wiring instructions

came from Dorans email account, Doran herself did not send them. They were sent by the
cybercriminals who had hacked her email account.
25.

Later investigation established that, shortly before the December 10, 2015 email

was sent: (a) person or persons incorporated an entity named BR Top Premier Rates, Inc., and
(b) BR Top Premier Rates, Inc. opened the Br Top Fraud Account at TD Bank.
26.

On information and belief, the person (or persons) who opened BR Top Fraud

Account was a money mule -- an individual who wittingly or unwittingly the cyber-theft of
8

8 of 16

funds, which he or she then launders by passing through accounts at legitimate financial
institutions.
27.

The Millards, who were unaware of the vulnerability of Doran's email system,

and had never been advised to orally confirm the authenticity of any wiring instructions,
followed the instructions contained in the fraudulent December 10th 4:24 p.m. email. Thus, on
December 10, 2015, they forwarded the Doran email to their bank, and instructed their bank to
wire $1,938,000 from their bank account to Br Top Fraud Account at TD Bank, in New York.
28.

On information and belief, the Millards money was received at Br Top Fraud

Account on December 10, 2015. The next day, the money mule(s) who had opened that account
transferred a portion of the funds to China. Specifically, $187,800 was transferred to account
A at the Bank of China in China, and $196,200 was sent to account B at the Bank of Huzou
in China. The funds sent to account A later were recovered; the funds sent to account B have
never been recovered.
The Fraudulent Confirmation
29.

On December 11, 2015 (Friday) at 7:41 a.m., Doran received an email purporting

to be from the email account of the seller's attorneys. This email stated that the funds wired the
previous day by the Millards had been properly received by the seller, adding that the sellers
attorneys would not be available by telephone.
30.

The December 11th 7:41 a.m. email was not in fact sent by the Sellers attorneys,

but rather by the cybercriminals who had stolen the Millards money. The email contained
several red flags that should have suggested, to a real estate attorney, that it might not be
authentic. It misspelled the names of the Sellers attorneys within their displayed email
9

9 of 16

addresses (a red flag, since the Sellers attorneys supposedly were sending the emails), and
contained the suspicious statement that the sending attorney could not be reached by telephone.
In spite of these obvious red flags, Doran made no attempt to contact the Sellers attorneys to
determine if the Millards deposit actually had been received. Instead, at about 8:02 a.m. Doran
forwarded the 7:41 a.m. email to the Millards.
31.

By forwarding the December 11th 7:41 a.m. email to the Millards, Doran

implicitly endorsed the cybercriminals representation that the seller had received the purchase
price for the Apartment. Doran's endorsement gave the Millards a false sense of security that the
deal now was complete; this in turn delayed their discovery that the deal was not complete, and
that their money had been stolen.
32.

As a result of this delay, the cybercriminals gained time, which is a vital factor in

the success of cybercrime. Cybercrime money laundering requires the rapid movement and
layering of funds through various accounts until eventually, somewhere in the world, the
money is withdrawn. In this case, it was not until the afternoon of December 11, 2015 that
suspicious activity was identified -- and it was TD Bank that identified the suspicious activity
and notified the Millards Bank -- which then notified the Millards. By the time the Millards
were informed of this suspicion, the cybercriminals had transferred the stolen money out of the
United States to China ($187,800 to account A, and $196,200 to account B, at separate
banks in China).
33.

As indicted above, at 8:02 a.m. on December 11th, Doran forwarded to the

Millards the fraudulent email that Doran had received from the cybercriminals, posing as the
Sellers attorneys, purporting to confirm that the Millards down payment had been received by
10

10 of 16

the Sellers bank. The Millards emailed Doran back, asking if that meant that the contract of sale
had been executed, that is, if there now was a binding agreement for the purchase/sale of the
Apartment. Doran responded that they were almost there but for some minor remaining issues,
which she listed; none of the listed issues was related to the bank wire. Thus, despite a specific
request from her clients to confirm that the preconditions to a binding contract with the Seller
had now been satisfied, Doran failed to investigate whether the most important such precondition
had been performed: transfer of the deposit to the Sellers attorneys.
34.

On December 11 at about 1:08 p.m., Doran received a fax from the sellers

attorney including the signed contract, but noting that the contract was only effective upon
receipt of the down payment. Thus, the sellers attorney was indicating to Doran that the down
payment had not been received yet. Still, Doran took no steps to confirm the status of the funds.
35.

Later in the afternoon of December 11, 2015, Doran was notified of the fraud by

the Millards, and that her email account had been hacked. Doran failed to take any reasonable
steps to mitigate or contain the compromise, recoup the lost funds, or protect her clients.
Moreover, Doran failed to properly preserve evidence of the crime, and evidence relevant to this
civil case, including but not limited to electronically stored information (ESI). Nor did Doran
take any steps to properly conclude the representation of the Millards as to the purchase of the
Apartment. The Millards were also obligated to retain another attorney to handle the Apartment
purchase.
36.

The Millards were obligated to pay the deposit to the real estate seller, even

though the entire deposit had just been stolen.

37.

Ultimately, and with no assistance from Doran, a portion of the stolen funds was
11

11 of 16

returned to the Plaintiff. To date, $196,200 remains stolen.

38.

Because Doran took no steps to remediate, investigate, or make the Millards

whole, the Millards were obligated to retain an attorney to investigate and seek redress.
39.

The efforts of the Millards attorney to get Doran to make the Millards whole,

have not been successful. Efforts to get Doran to confirm that electronic evidence was properly
preserved have been ignored. Thus this law suit was filed.

CAUSES OF ACTION
First Cause of Action for Legal Malpractice
40.

Plaintiff repeats and realleges each allegation made in paragraphs 1-39 above.

41.

The Defendant, Patricia Doran, presented herself as a specialist in real estate law

who had supervised and conducted many transactions for the sale of real property and
cooperative apartments. On the basis of these assurances, the Millards retained Doran to oversee
their purchase of the Apartment from the Seller.
42.

As the Millards attorney, Doran had the duty to protect those assets, confidential

information and legal interests (the Millards Interests) that were implicated in the transactions
required to purchase the Apartment. Since Dorans intention was to conduct these transactions
electronically (that is, by emails, wire transfers and faxes), rather than through face-to-face
meetings with the Sellers attorneys, she had the further duty to secure her email account and
computer system against intrusion by cybercriminals. As a legal professional who regularly
performed and/or supervised large financial transactions that were conducted electronically,
Doran should have been aware of the danger of cybercrime and imposture.
43.

To represent the Millards competently and protect the Millards (and other clients)
12

12 of 16

from cybercrime and other crime, Doran had a duty to take reasonable and necessary security
precautions, such as the installation of appropriate protective software and the use of two-factor
authentication. Doran had a duty to take measures including but not limited to the following:
a. Reasonable measures to secure Dorans client files, and communications
with clients.
b. Reasonable measures to secure Doran's email account and computer,
including the data contained within them, from unauthorized third parties.
c. Reasonable measures to prevent Dorans email account from being used
by unauthorized third parties.
d. A strict policy of orally confirming instructions for the electronic transfer
of funds belonging to clients. This policy should include advance
notification to clients that funds should not be transferred unless Doran
orally confirmed any emailed instructions.
e. Oral confirmation, following the electronic transfer of funds, to establish
that the funds were actually received by the intended party.
f. The immediate investigation of any incident involving crime or
cybercrime, to determine its cause, its perpetrator, and the possibility of
remedying or mitigating any loss.
g. The preservation of all Electronically Stored Information (ESI).
44.

Further, Doran had a duty to provide a certain standard of representation to the

Millards, which she failed to do, including but not limited to:
a. Providing clients with an engagement letter.
b. Providing competent representation.
c. Acting with reasonable diligence and promptness, and not neglecting
matters.
d. Maintaining confidentiality of information and communications.
e. Preservation of client funds and property.
45.

Doran failed to take any of these precautionary measures. This failure had

disastrous results: cybercriminals were able to hack Dorans email system, and gain access to all
her communications with the Millards. With the information these criminals gained, they were
able to impersonate the Sellers attorneys, and mislead the Millards into wiring their deposit
13

13 of 16

funds to an account controlled by the cybercriminals. Finally, when the cybercriminals emailed
Doran a false confirmation that the deposit had been properly received, Doran ignored obvious
red flags that the confirmation was inauthentic and simply forwarded it to the Millards, thus
lulling the Millards into the erroneous belief that the wire transfer had been successfully
completed. The realization that a crime had been committed therefore was delayed, and precious
time lost before an investigation commenced and an attempt made to recover the Millards funds.
46.

Had Doran taken reasonable and necessary steps to secure her email system and

computer files from unauthorized intrusion, cybercriminals would not have been able to steal the
Millards money. Had Doran recognized the red flags in the cybercriminals falsified
confirmation email, and/or attempted to orally confirm the proper receipt of the Millards deposit
funds, the stolen funds would have been recovered. Doran, however, was oblivious to the threat
of cybercrime, and did nothing to protect the Millards Interests from this form of fraud.
47.

To summarize, Dorans disregard of her duty to protect the Millards Interests

was the direct and proximate cause of the Millards' loss of $196,200 to cybercriminals. Doran is
liable to the Millards in the amount of this loss, plus punitive damages, attorneys fees, accrued
interest, costs, and the expenses of this enforcement action.

Second Cause of Action for Breach of Fiduciary Duty

48.

Plaintiff repeats and realleges each allegation made in paragraphs 1-39, and 40-47

49.

Defendant had a fiduciary duty to protect the Millards Interests. This duty

above.

required her to adopt reasonable and necessary measures to safeguard her email account and
14

14 of 16

computer system against intrusion by cybercriminals.

50.

Doran ignored this duty, and failed to adopt even the most rudimentary safeguards

against unauthorized intrusion. This permitted cybercriminals to hack her email account and
gain access to all Dorans communications with the Millards. As a result of this access, the
cybercriminals were able to impersonate Doran, and trick the Millards into wiring approximately
$2,000,000 into a bank account controlled by the cybercriminals. Then, the cybercriminals were
able to impersonate the Sellers Attorneys and trick Doran into believing the funds were properly
received, and Doran forwarded this impersonating email to the Millards.
51.

Further, Doran had a duty to provide competent representation, act with

reasonable diligence and promptness, maintain confidentiality and preserve her clients funds.
Doran failed to provide this standard of care.
52.

Doran's breach of her fiduciary duty to protect the Millards Interests was the

direct and proximate cause of the Millards loss of $196,200. Doran is liable to the Millards in
the amount of this loss, plus punitive damages, attorneys fees, accrued interest, costs, and the
expenses of this enforcement action.

WHEREFORE, plaintiffs Robert and Bethany Millard demand:

A.

On their First Cause of Action against Patricia Doran a monetary judgment for an

amount to be established at trial but in any event no less than $196,200, plus punitive damages,
attorneys fees, accrued interest, costs, and the expenses of this enforcement action.
B.

On their Second Cause of Action against Patricia Doran a monetary judgment for

an amount to be established at trial but in any event no less than $196,200, plus punitive
15

15 of 16

damages, attorneys fees, accrued interest, costs, and the expenses of this enforcement action.
C.

Such additional and further relief as this Court may deem just and proper.

Dated: New York, New York

April 18, 2016
_________________________________
John T. Bandler, Esq.
Bandler Law Firm PLLC
48 Wall Street, Suite 1100
New York, NY, 10005
John@bandlergroup.com
(646) 296-0266

16

16 of 16