Who bears the loss when a “business email compromise” (BEC) cyberattack succeeds, and a payment meant for a counterparty reaches a hacker instead? Emerging case law points to liability for the party that was better able to prevent the fraud.
What Is BEC?
Let’s say Bob Buyer owes Sam Seller $1 million dollars for a million widgets. Bob usually pays Sam by wire to Account A. But Harry Hacker secretly breaks into Sam’s systems. Harry sends Bob an email that appears to come from Sam, instructing Bob to wire funds to Account B—Harry’s account.
This happens, a lot. The FBI estimates BEC attacks caused over $26 billion in losses from 2016-19. Covid-19 has criminals like the Nigerian group SilverTerrier stepping up their BEC attacks, hoping to catch companies with their guard down due to remote working.
Parties strive, of course:
- to prevent BEC through anti-phishing training;
- to recapture funds while they are still en route to the hacker, such as by asking the FBI to activate its Financial Fraud Kill Chain; and
- to recoup losses through insurance, where BEC-related claims are way up.
Who Bears the Loss?
But where prevention, recapture, and insurance fail, parties are left to dispute the loss. Bob argues: “I’ve paid; it’s not my fault Sam was hacked and the funds went astray.” Sam retorts: “Bob has my widgets, and I don’t have a penny—Bob’s in breach.”
In the few situations like Sam v. Bob that have progressed to a court decision, courts are suggesting the loss be borne by the party that could have most easily prevented it. Law and economics fans will notice a resemblance to the “least cost avoider” principle from negligence law, which assigns liability to the party that could have most cheaply avoided the harm.
In Arrow Truck Sales Inc. v. Top Quality Truck & Equipment Inc., Arrow unknowingly paid a hacker after receiving one invoice from the hacker and one from its actual counterparty, Top Quality. Arrow did not inquire before paying the hacker.
Arrow sued, claiming it was not obligated to pay again because the loss stemmed from Top Quality’s lack of reasonable security. Top Quality brought a breach of contract counterclaim against Arrow for failure to pay.
The judge in this case of first impression borrowed the U.C.C.’s “imposter rule,” which provides that a party whose failure to exercise ordinary care substantially contributes to a loss will be liable. Rejecting Arrow’s contention that it “was not [its] business to question the information” in the invoice, the court held:
[The payor] should have exercised reasonable care after receiving conflicting e-mails containing conflicting wire instructions by calling [the payee] to confirm or verify the correct wire instructions.
The U.S. Court of Appeals for the Sixth Circuit took a similar approach in Beau Townsend Ford Lincoln Inc. v. Don Hinds Ford Inc. The trial court, finding that a contract existed between the parties and that the defendant-buyer’s payment had gone to the hacker, granted summary judgment on a breach of contract claim against the defendant.
The Sixth Circuit reversed and remanded, holding that the determining factor is “whether either [party’s] failure to exercise ordinary care contributed to the hacker’s success,” which may result in apportioning the loss by comparative fault. The parties ultimately settled.
In Tillage Commodities Fund LP v. SS&C Tech. Inc., a service provider to a fund sent millions out of the fund’s accounts based on fraudulent instructions. The fleeced fund’s breach of contract claim, based on a gross negligence standard, survived a motion to dismiss, as the court held that “plaintiff has sufficiently alleged that defendant…failed to comply with basic cybersecurity precautions and actively disregarded its own policies as well as obvious red flags. This is especially true in light of defendant’s awareness that the transfers…would result in near depletion of plaintiff’s account.”
The provider and the fund then settled, with the provider eventually prevailing in a coverage dispute with its insurer.
Courts outside the U.S. have also focused on who could have most easily avoided the loss:
- The Supreme Court of British Columbia recently held in Opus Consulting Group Ltd. v. Ardenton Capital Corporation that it was a question of fact whether a BEC loss should rest with the plaintiff who was hacked, or the defendant who paid the hacker. With facts involving receipt of conflicting legitimate and fraudulent invoices, the court held that the “question of whether [the payee] is responsible for not protecting its email system…or whether [the payor] is responsible for complying with a questionable second set of wire transfer instructions…qualifies as a serious question to be tried.”
- An Ontario trial court assigned liability to the payor in the BEC case St. Lawrence Testing & Inspection Co. Ltd. v. Lanark Leeds Distribution Ltd. Under this court’s approach, a payor who complies with fraudulent wiring instructions is liable absent an agreement shifting liability, or negligence, willful misconduct, or dishonesty by the party who was hacked.
- And here’s one to file, perhaps, under “who thought this was a good idea?” A company in Scotland fired, then sued, its employee who had inadvertently processed a hacker’s instructions. A Scottish court held for the employee, stating that the loss “was not the natural consequence” of the employee’s alleged breach of duty.
If the “least cost avoider” approach takes hold, it seems plausible that payors will have a tough time of it. Courts could well reason that it is generally easier for a payor to spot and reject a fraudulent instruction than it is for the payee to avoid being hacked in the first place.
Still, there will always be room for both sides to argue the facts of a given case—and there is plenty of room yet for the law to mature.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Jeremy Feigelson is a litigation partner, co-chair of the Data Strategy & Security practice, and a member of the Intellectual Property and Media Group at Debevoise & Plimpton LLP.
Taryn Elliott is an associate in the Litigation Department at Debevoise & Plimpton LLP.