
Email hacking – the thorny question of liability

As our reliance on technology increases, so does our exposure to risk, particularly in terms of online security. Unfortunately, some companies in the construction industry have been slow to address this issue and are failing to ensure that they have sufficient protection against hacking, viruses, online scams and other security breaches. It’s vital that this is attended to as if security is breached, companies could find themselves seriously out of pocket. This is because the question of legal liability is more complex than many may think.

In this article, Michael Gerard of Michael Gerard Solicitors explains how the law views liability when email fraud has been committed.

Ensuring secure transactions

The construction industry is particularly vulnerable because of the nature and number of financial transactions involved in a typical building project – from contractors to suppliers to agencies to the professionals. This means that it’s advisable for all companies along the construction supply chain to re-evaluate the online security procedures that they have in place.

Until relatively recently, many contractors, building companies and suppliers were heavily paper based, sending invoices by post and paying bills by cheque. So, in days gone by, fraud was often easier to spot, trace and understand. For example, companies receiving payments by cheque were protected by the ‘cheque rule’. This allowed the payee to bring an action against the payer if a cheque had been stopped. They were able to do this because the action of issuing the cheque created a binding contract for both parties, separate to the contract entered into for the supply of the goods and / or services. In addition, then as now, there was no defence to stopping a cheque unless it was counterfeit or stolen. This means that once the cheque was signed and sent, the payer was legally bound to honour the debt.

The pros and cons of online transactions

However, now, as in most industries, businesses operating in the building sector carry out most transactions and communication online, with electronic funds transfers (EFTs) the favoured method of payment. While indisputably quicker and more efficient, the disadvantage of online transactions is that security can also be seamlessly breached by email hacking and the like.

This is where issues around liability can get a little confusing – if an email system is hacked resulting in fraud, it can be difficult to determine who is legally liable. In brief, to avoid a claim where funds are diverted or not received due to email fraud, the payer would need to establish either a breach of contract or negligence.

Learning by example

The concept of establishing liability is perhaps best illustrated by the example of a real case that I was involved in recently. In this instance, a main contractor had engaged a specialist contractor on a construction project which took several months to complete. The specialist contractor was involved for much of the duration of the project and so had stipulated regular valuations and payments as part of the contract. All document exchanges and financial transactions were carried out electronically.

However, at some point during the project, the specialist contractor’s email account was hacked, something of which neither party was aware. The hackers installed software that was capable of reading all incoming and outgoing emails and flagging up to the hackers any that contained certain words, presumably such as ‘bank’, ‘payment’, ‘monies’ and ‘invoice’.

Adding further complexity, part way through the contract the specialist contractor informed the main contractor of an intention to change bank accounts. Alerted to the opportunity that this presented and having intercepted an application for payment, the hackers subsequently advised the main contractor’s accounts department that a new bank account had been set up, and requested that all future payments be paid into the new account. With no reason to suspect anything was amiss and having received internal authorisation of the amount to be paid (which was tens of thousands of pounds), the main contractor’s accounts department duly complied.

The email hack was eventually discovered, but not until the specialist contractor started to chase payment, by which time the fraudster’s account had been cleared of all funds, bar a few pounds, leaving both parties (albeit only one party temporarily) out of pocket.

A question of liability

So, who was liable? The main contractor had complied with what appeared to be a legitimate request for payment to a specific bank account. However, they were still liable for payment to the specialist contractor, despite the fact that it was the specialist contractor’s email account that had been hacked. This was because the specialist contractor had a strict contractual claim for the monies owed and to avoid that claim, the main contractor needed to establish either (a) a breach of contract; or (b) negligence to set-off the contractual claim.

In addition, there was no evidence that the specialist contractor was aware of the fraud and / or the overwhelming likelihood of fraud occurring. If the fraud had been carried out by an employee of the specialist contractor, they would be vicariously liable, but this was not the case. Finally, neither the contract nor common law imposed a duty of care on the specialist contractor to maintain a cyber-security system capable of preventing a payment fraud of this nature. So, although it may seem unfair, the main contractor was still legally obliged to pay the monies owed.

Prevention is better than cure

Of course, prevention is the best way for any business to protect itself. Cases such as this highlight the need for companies in any industry to take practical steps to guard against email hacking.

So, what are the main issues that companies need to protect themselves from?

Spam is the most likely cause of malware being installed onto a computer system. All businesses should ensure that they have a good security software system installed to protect against malware and viruses. This includes a firewall to monitor network traffic and connection attempts into and out of a network or computer.

Although online transactions are quick and efficient, they do pose a security risk. So, when setting up a payment by an EFT such as CHAPS, it’s advisable to test the details sent over by a supplier. You can do this easily by transferring a small and unusual amount, e.g. £0.98, then asking the supplier to confirm receipt – by telephone, not email. Follow the same procedure if an existing supplier changes their bank details, and apply the process in reverse when receiving monies from a client.

If you are able to learn how to read message headers and IP addresses, you can cross-check the IP address a message came from against the IP address of previous correspondence from the same supplier to help authenticate communications. Other simple steps, like reconciling the bank account daily and having a written company policy on internet security that all employees know about and have access to, can help make people more alert to the warning signs.
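The header cross-check described above, as an added example that is not part of the original article: it reads the Received headers of a message with Python’s standard email module, takes the originating IP from the oldest hop, and compares it with the IPs previously seen for the same From address. The two messages, hostnames and IP addresses are constructed for illustration (documentation ranges only); the “known good” message stands in for earlier correspondence and the second for a later request to change bank details. It goes slightly beyond the text by keeping a per-sender history rather than a single previous address.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample messages (not real traffic). Hostnames and addresses are
# invented and use documentation IP ranges. The first is an earlier, known-good
# message from the supplier; the second is a later request to change bank
# details that arrived via a different submission address.
KNOWN_GOOD_RAW = """\
Received: from mail.buyer.example (mail.buyer.example [203.0.113.10])
\tby mx.buyer.example with ESMTP id abc123; Mon, 1 Jan 2018 09:00:00 +0000
Received: from smtp.supplier.example (smtp.supplier.example [198.51.100.25])
\tby mail.buyer.example with ESMTPS id def456; Mon, 1 Jan 2018 08:59:58 +0000
From: accounts@supplier.example
To: payments@buyer.example
Subject: Application for payment no. 4

Please find attached our valuation for this month.
"""

SUSPECT_RAW = """\
Received: from mail.buyer.example (mail.buyer.example [203.0.113.10])
\tby mx.buyer.example with ESMTP id ghi789; Tue, 6 Feb 2018 14:00:00 +0000
Received: from unknown (HELO webmail) ([192.0.2.77])
\tby mail.buyer.example with ESMTPS id jkl012; Tue, 6 Feb 2018 13:59:57 +0000
From: accounts@supplier.example
To: payments@buyer.example
Subject: New bank account details

Please pay all future invoices into our new account.
"""

# Relays conventionally put the connecting host's address in square brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw):
    """Return the IPv4 addresses found in the Received headers, ordered from
    the newest hop (top of the message) to the oldest (bottom)."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in IP_RE.finditer(hdr):
            try:
                ips.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                continue  # skip anything that only looks like an address
    return ips


def originating_ip(raw):
    """The sender's submission address is in the oldest Received header, i.e.
    the last one in the message, because each relay prepends its own header.
    Headers below your own mail server's hop are written by the other side and
    can be forged, so treat this as supporting evidence, not proof."""
    ips = received_ips(raw)
    return ips[-1] if ips else None


def sender_address(raw):
    msg = email.message_from_string(raw)
    return email.utils.parseaddr(msg.get("From", ""))[1].lower()


def build_history(messages):
    """Map each From address to the set of originating IPs seen for it."""
    history = {}
    for raw in messages:
        ip = originating_ip(raw)
        if ip:
            history.setdefault(sender_address(raw), set()).add(ip)
    return history


def check_sender(raw, history):
    """Compare a message's originating IP with the sender's history.
    Returns a (verdict, ip) tuple; an unseen IP on a payment-related message
    is the cue to confirm the details by telephone before paying."""
    ip = originating_ip(raw)
    if ip is None:
        return ("no-received-headers", None)
    if ip in history.get(sender_address(raw), set()):
        return ("matches-history", ip)
    return ("unseen-ip-verify-by-phone", ip)


if __name__ == "__main__":
    history = build_history([KNOWN_GOOD_RAW])
    print(check_sender(SUSPECT_RAW, history))
```

Note the limit of this check in the article’s own scenario: the fraudster had control of the supplier’s real account, so a message sent through the supplier’s genuine mail server would pass this comparison. A matching IP therefore lowers suspicion but does not replace the telephone confirmation of any change to bank details.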

The supplier’s responsibility

Including clauses around the minimum standards of security on a supplier’s server can also help businesses protect themselves. These standards should include:

  • Protection against malware and viruses and a firewall;
  • Regularly updated software; and
  • A stipulation that any changes to company bank account details be confirmed in writing by post or hand delivered and signed.

Email fraud is unlikely to go away, and hackers are constantly finding new ways to get around firewalls and security, so it’s also advisable for businesses to invest in cyber liability insurance. This should cover data breaches (including by hacking) and business interruption. However, it will not cover losses where a business has voluntarily made a payment into a third-party bank account.

Hackers and online fraud often make the news, so ignorance is no excuse. We all know the risks, and so it makes good business sense to review practices and ensure that appropriate measures are being put into place. Negligence is not viewed kindly by the legal system or by the banks – and will be no defence if you are hacked. The only sensible option is to ensure that you have good security products and practice in place.
