With the number of financial transactions and suppliers involved in a standard building project, the construction sector is particularly vulnerable to cyber fraud. But determining liability when organisations have been victims of online scams or hacking can be complex.
Back in the days when cheques were the common method of payment, fraud was much easier to understand for the lay person and legal professional alike. There was even the ‘cheque rule’, which allowed the payee to bring an action against the payer if a cheque had been stopped, the cause of action being the binding contract that the parties had entered into on the basis of the cheque being issued (a contract separate from the one for the supply of the goods/services). Furthermore, there is no defence to stopping a cheque unless it is counterfeit or stolen. Once the cheque is signed and sent, legally the payer has to honour the debt.
Although the cheque rule still applies, electronic funds transfers (EFTs) have now become the favoured method of payment for many companies (and individuals). While very quick and efficient, the downside of online transactions is that security can be breached, for example through email hacking.
If an email system is hacked and fraud takes place, it is not always clear what the victim’s legal rights and obligations are.
A recent cyber-attack on a specialist construction contractor demonstrated the potential ramifications.
The specialist contractor was retained at the time by a main contractor on a construction project lasting several months. As the specialist contractor was under subcontract for much of the duration of the project, it was entitled to regular valuations and payments. As is the case with many building projects now, document exchanges and financial transactions were carried out electronically.
When the specialist contractor’s email account was hacked, software was installed that could read all incoming and outgoing emails, flagging up certain words like ‘bank’ and ‘invoice’. Having intercepted a valuation, the hackers contacted the main contractor’s accounts department informing it that a new bank account had been set up with all future payments to be paid into that account.
With no reason to suspect otherwise, the accounts department duly complied. The scam was not discovered until the specialist contractor started to chase payment, by which time the fraudster’s account was practically empty, having received tens of thousands of pounds.
From the perspective of the main contractor, it had complied with what it deemed to be a legitimate request to make payment to a specific bank account. However, and although it may seem unfair, the main contractor was still liable for payment to the specialist contractor. Despite the fact that it was the specialist contractor’s email account that had been hacked, the main contractor did not have grounds or a valid defence for not making payment for the following reasons:
- The specialist contractor had a strict contractual claim for the monies owed. To avoid that claim, the main contractor would need to establish either (a) a breach of contract; or (b) negligence to set-off the contractual claim.
- A lack of evidence that (a) the specialist contractor was aware of the fraud and / or the overwhelming likelihood of fraud occurring; or (b) the fraud was carried out by an employee of the specialist contractor for whose actions it was vicariously liable. Neither the contract nor common law would impose a duty of care on the specialist contractor to maintain a cyber-security system capable of preventing an authorised push payment fraud of this nature.
The message from cases such as this is clear: companies all along the construction supply chain need to take practical steps to guard against email hacking.
Spam is the most likely cause of malware being installed onto a computer system. Installing a good security software system to protect against malware and viruses is essential. A firewall will monitor network traffic and connection attempts into and out of a network or computer – so long as it is kept updated. And of course, never click on unfamiliar links or download unfamiliar attachments. This much should be obvious by 2020.
When setting up payment on EFT (e.g. CHAPS), always test the information supplied by transferring a small and unusual amount e.g. £0.99 and ask the supplier to confirm receipt by telephone, not email. Follow the same procedure if an existing supplier changes their bank details. The same applies in reverse when receiving monies from a client.
Cross-check the IP address of any financial instructions with a previous IP address in order to authenticate.
Or if asked to change a supplier’s bank details, demand confirmation in writing by post or hand-delivered and signed.
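The verification procedure above (test transfer, telephone confirmation, source check or signed written confirmation), written out as a policy gate that an accounts team could run before changing a supplier's bank details. This is an added illustration, not code from the article; the supplier record, request fields and sample IP addresses are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class Supplier:
    name: str
    account: str            # account currently on file
    known_ips: frozenset    # source IPs of earlier genuine instructions (constructed)


@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    source_ip: str                              # IP the instruction arrived from
    test_amount: Optional[Decimal] = None       # small test transfer to the new account
    receipt_confirmed_via: Optional[str] = None  # "phone", "email" or None
    written_confirmation: bool = False          # signed letter by post or hand-delivered


def unmet_conditions(sup: Supplier, req: ChangeRequest) -> list:
    """Return the verification steps still outstanding; an empty list means safe to apply."""
    problems = []
    # Step 1: a small test transfer (e.g. 0.99) must have been made to the new account
    if req.test_amount is None:
        problems.append("no test transfer made")
    elif not (Decimal("0") < req.test_amount < Decimal("1")):
        problems.append("test amount is not small (< 1.00)")
    # Step 2: receipt confirmed by telephone, never by email (the mailbox may be hacked)
    if req.receipt_confirmed_via != "phone":
        problems.append("receipt not confirmed by telephone")
    # Step 3: instruction source matches history, or a signed written confirmation is held
    if req.source_ip not in sup.known_ips and not req.written_confirmation:
        problems.append("unknown source IP and no signed written confirmation")
    return problems


def apply_change(sup: Supplier, req: ChangeRequest) -> bool:
    """Update the account on file only when every condition is met."""
    if req.supplier != sup.name or unmet_conditions(sup, req):
        return False
    sup.account = req.new_account
    return True


# Constructed sample data: a request resembling the scam in the article (new account,
# unfamiliar source, no out-of-band checks) and the same change once fully verified.
ACME = Supplier("Acme Roofing Ltd", "11-22-33 12345678", frozenset({"203.0.113.10"}))
SUSPECT = ChangeRequest("Acme Roofing Ltd", "99-88-77 00000001", "198.51.100.7")
VERIFIED = ChangeRequest("Acme Roofing Ltd", "99-88-77 00000001", "198.51.100.7",
                         test_amount=Decimal("0.99"), receipt_confirmed_via="phone",
                         written_confirmation=True)
```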
Consider investing in cyber liability insurance to cover data breaches (including by hacking) and business interruption. However, such insurance will not cover losses where a business has voluntarily made a payment into a third-party bank account.
Any company that has not implemented sufficient measures to ensure cyber security will be considered negligent in the eyes of the law. This means that if its systems are breached, there will be no right of redress from the banks. This is something that all organisations need to take on board to keep their business protected.
About the author: Michael Gerard is a solicitor, practising adjudicator and accredited expert in quantum and planning. He is a Fellow of the Chartered Institute of Building and a Member of the Chartered Institute of Arbitrators, and is also a registered adjudicator on the panels of the Royal Institute of British Architects, the Chartered Institute of Arbitrators and Hunt ADR. He is the founding partner of Michael Gerard Solicitors.