Who is liable when scammers compromise business email?
Online scams, where a hacker alters an invoice or payment instruction and the payer sends the money to the hacker's account, are becoming frighteningly common.
Both CERTNZ and NetSafe are reporting significant upticks in business email compromise (BEC), as it is called, particularly with people working from home in Covid-19 lockdown situations where computer systems may not be as secure as they are in the office.
BEC is best illustrated by way of an example: a construction materials company (let's call them Basil's Building Supplies Ltd - the construction industry is a particular target) contracts to sell $200,000 worth of supplies to Janice's Commercial Construction Ltd. Unbeknown to Basil's and Janice's, Basil's email systems have been infiltrated by a hacker, who generally will have been sitting watching email traffic, waiting for a large transaction to eventuate. All emails in and out will have been monitored.
The hacker then alters the payment instruction from Basil's to Janice's by changing the bank account number in an email or invoice. No one is the wiser, since the email actually does come from Basil's email system. The hacker will use the same email format, sign-off and language, which they can easily copy from the prior email traffic they have access to.
The perfect storm
Janice's, unaware of the fraud, then makes payment to the hacker's bank account. The sophisticated hacker continues the ruse for days afterwards, sending receipts and thank you emails backwards and forwards and deleting any legitimate emails from Janice's and Basil's to each other so that the hacker gains time to shift the funds to a jurisdiction where it is harder to track.
The prevalence of internet purchase and payment methods, ease of shifting funds through jurisdictions, including via non-banking channels, combined with the increasing sophistication of online hackers, creates the perfect storm. In these situations, often the original hacker (and the money) is never traced. Hackers tend to target high-value transactional businesses, so the construction industry, as well as intermediaries like lawyers, real estate agents and share and boat brokers, are obvious targets.
The big question is, what happens next? Is Basil's still required to supply the building materials contracted and (from her perspective) paid for by Janice's, or does the fact that payment has not actually been received by Basil's mean that Janice's must pay again to get the materials?
Resources to help
There is no immediate answer in New Zealand and no case law (although we are aware of examples that have been settled between the parties often involving insurers). There is a range of online resources such as those from CERTNZ, NetSafe, the New Zealand Law Society, and the Government's Consumer Protection guidance. However, beyond a summary of prevention measures, behaviour to be aware of, and various reporting agencies to contact in the event of a scam being detected, these resources do not address the question of legal liability.
The facts have it
The underlying question will inevitably be determined on a case-by-case basis. However, while BEC legal liability is an evolving issue, several principles come through from overseas judgments which will be relevant in New Zealand as we look to develop our own body of case law.
Commonwealth courts have looked at "who is best placed to prevent the fraud". Is the victim responsible for acting on the scam? Or is it the person whose email system has been compromised? Sympathy will naturally lie with the most vulnerable person in each case, which can often be the customer despite the fact that in less sophisticated BEC situations they may have been in a position to identify the fraud.
Nowadays, however, with the "expertise" that hackers bring to bear, and the longstanding public warnings of the dangers in not properly securing business systems and training staff properly, the focus is shifting to the business itself - Basil's in our example. NetSafe's guidance above, for example, is six years old, so businesses have no excuse for ignoring the issue.
Failure to comply with cybersecurity precautions has proved detrimental to litigants overseas and will be considered in the context of negligence on the part of the business. A failure to exercise reasonable care means that the business will be increasingly likely to be liable. Insurers are also requiring that businesses take reasonable precautions.
So, business liability will often be the default starting point, perhaps with some small percentage on the basis of fault (contributory negligence in legal parlance) on the part of the customer - Janice's in our example - if there was something obvious that should have raised a red flag.
In the US, similarly, the "imposter rule" in Article 3 of the Uniform Commercial Code, adopted in some states, assesses how the parties' respective failure to exercise ordinary care contributed to the hacker's success, and assigns loss according to their comparative fault.
Overseas case law
A good example of how courts are viewing this is a recent Canadian case where the court granted summary judgment in favour of a bank in an action brought against it by the victim of a cyber-security hack. Here, the customer's personal email account was hacked, resulting in its bank making two wire transfers to the hacker. The Court held that because the bank acted on the customer's instructions, which the bank believed in good faith to be genuine, there was no liability on the part of the bank.
In New Zealand, we will see such claims made in negligence for failure to exercise due care and skill or, where goods and services are supplied to a consumer, as a breach of section 28 of the Consumer Guarantees Act 1993.
The CGA also requires that services are carried out with reasonable care and skill, and so will require a careful evaluation of the conduct of both parties. As we note above, however, now that BEC is well known and the chances of a customer spotting it are decreasing, the onus is clearly on businesses to step up their game or be found liable.
Rosalie Van Dael is an associate at law firm, Lowndes Jordan. Rick Shera is a partner at Lowndes Jordan. He is the first lawyer to obtain the IT Professionals NZ CITPNZ certification and is a chartered member of the Institute of Directors.