Your business contracts to sell custom manufactured equipment. The equipment is ready, and you email the Buyer to confirm, request wire transfer of payment, and arrange for pick-up. Buyer confirms receipt of your email and that it will send payment and a truck to pick up the equipment. The Buyer’s carrier shows up to take possession of the equipment, but the money never hit your account. The Buyer insists it wired the money three days ago. Someone, somewhere, fell for a Business Email Compromise (BEC) scam. The money is gone.
Who bears the loss? Do you, the manufacturer, have to release the equipment without having received the funds? Does the Buyer have to pay a second time? Does a vendor to the Buyer or Manufacturer bear some responsibility in letting the scammer inside the system? Georgia’s Courts have yet to squarely address these issues, but other jurisdictions have set forth a potentially relevant framework for analyzing liability in analogous cases. The answer likely depends on whose system was compromised and what safeguards were in place to prevent BEC scams.
In March of 2018, the U.S. District Court for the Western District of North Carolina allowed claims to proceed for negligence and invasion of privacy against an employer who failed to safeguard its employees’ information against a phishing scam. The events giving rise to the claims in Curry v. Schletter are shockingly simple. A human resources employee of Schletter, Inc. received an email purporting to be from the company’s CEO requesting current employees’ W-2 forms. The human resources employee did not recognize that this was a phishing scam and provided the personally identifiable information (PII) of its employees to a cybercriminal.
The court was particularly unforgiving of this employee’s mistake because Schletter, Inc. had been warned of this exact scam and yet failed to prepare its employees. The FBI, IRS, and a cybersecurity journalist had all provided warnings to the general business community. In light of the widespread warnings, the court found that the company had failed to adequately train its employees on what the court considered “basic” cybersecurity protocols, including:
- how to detect phishing emails by providing examples and guidance on how to verify suspicious emails;
- effective password management and encryption protocols for internal and external emails;
- avoidance of responding to emails that are suspicious or from unknown sources;
- locking and encrypting access to computers and files containing sensitive information;
- implementing guidelines for maintaining and communicating sensitive data; and
- implementing protocols on how to request and respond to requests for sensitive employee information and how to securely send such information through a secure file transfer system.
Arm’s length transactions with third parties may not give rise to a duty similar to what Schletter, Inc. owed its employees. Therefore, a negligence claim may not carry the day. On the other hand, a savvy litigator might convincingly argue that businesses are on notice of this prevalent type of scam and do have a duty to take basic action to prevent loss. In that scenario, your company may be held liable for failure to heed warnings of wire transfer fraud and internet fraud cases, and may have to turn the equipment over without actually receiving payment. In short, your business may have a duty to your customers, vendors and employees to safeguard against BEC scams.
And, even if you do not have a duty to the marketplace, a Buyer may have a right to follow instructions sent from your system, even if they look odd, without penalty. If you do not have a duty, neither does the Buyer, and even if wiring money to an account in Nigeria for a Georgia-based business sounds irresponsible, your company may still bear the loss.
As the courts work to assign liability in this burgeoning area of law, it seems that the best defense is always to take reasonable precautions. Consider this a lesson to enact safeguards now to prevent BEC scams from impacting your company.
Berman Fink Van Horn thanks Erin Doyle, a 3L at the University of Georgia School of Law and 2017 summer intern here at Berman Fink Van Horn P.C., for her assistance in researching and writing this article.