Hacker re-directs settlement funds paid by defendant, but defendant still on the hook
In St. Lawrence Testing & Inspection Co. Ltd. v. Lanark Leeds Distribution Ltd., Deputy Judge Shane A. Kelford heard a civil dispute between two companies, the central issue of which he summed up as follows: “The Plaintiff and Defendant were both innocent victims of a ‘cybercrime’ which resulted in the loss of funds which were paid by the Defendants to settle the Plaintiff’s claim. Both parties are innocent. Unfortunately, one of them must bear the loss.” The two companies had agreed to settlement terms to resolve a dispute about an unpaid invoice. Baker, a paralegal at the law firm representing St. Lawrence, sent the terms of settlement to Lanark by email; the terms included that Lanark would pay $7,000.00 into the law firm’s trust account at a Bank of Montreal branch in Cornwall, Ontario. Less than three hours later, a hacker had taken over Baker’s email account and was intercepting all emails between her and Lanark. The hacker sent revised settlement terms to Lanark, under which Lanark would send the funds to a different account at a credit union in Medicine Hat, Alberta, held by someone named “Richard Hoehn.” Lanark asked for a physical address for Hoehn, which the hacker provided, and the funds were sent. There were several further exchanges of emails between Lanark and the hacker in which Lanark sought confirmation that the funds had been received, and (the judge surmised) the hacker stalled until the funds had cleared the Medicine Hat account.
When the fraud was discovered, it became clear that the hacker was unknown and that the funds were gone and probably unrecoverable. The law firm’s IT provider determined that the firm’s overall system had not been compromised, only Baker’s email account, probably by way of a phishing attack or brute force (though she had a password in place that was “strong” by Microsoft’s standards). There was no evidence that the firm had been negligent in its IT security, and the court held that Baker had acted reasonably and promptly once the fraud was discovered, based on what she knew at the time.
The question that arose was: which party was responsible for the settlement funds? Deputy Judge Kelford reviewed the similar 2017 case of Du v. Jameson Bank, in which Du sued the bank for accepting a request to transfer funds from a hacker purporting to be Du. In that case, Du had signed an account-holder agreement with the bank in which he agreed that: the bank was not obliged to question any request that came from an email account which Du had authorized; he was responsible for his own email security; and he was aware of the risk associated with email requests. Absent gross negligence by the bank, Du had given up any potential claim. Here, however, there was no such agreement in place. Lanark argued that, like the bank in Du, it was entitled to rely on email from Baker, the law firm’s representative, and had no reasonable basis on which to question the revised instructions regarding the funds. St. Lawrence argued that Lanark should have been suspicious of the same-day revision of the instructions, and that there was no evidence of negligence by St. Lawrence or the law firm.
The court held:
56. As noted at the outset of these reasons, the issue in this case can be restated as follows: Where a computer fraudster assumes control of Victim A’s email account and, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster’s account, is Victim A liable for the loss?
57. In my view, the answer is “no”, unless:
a. Victim A and Victim B are parties to a contract which (i) authorizes Victim B to rely on email instructions from Victim A and, (ii) assuming compliance with the terms of the contract, shifts liability for a loss resulting from fraudulent payment instructions to Victim A;
b. There is evidence of willful misconduct or dishonesty by Victim A; or
c. There is negligence on the part of Victim A.
Deputy Judge Kelford continued:
59. By way of further reasoning, I see no basis on which to distinguish the circumstances of the fraud in this case from those in which a home computer or business computer is “hacked”, giving a fraudster access to the owner’s email account. The fraudster then sends out an email to all of the “contacts” in the owner’s email address book, asking the recipient to wire funds (typically $1,000 to $5,000) immediately to a PayPal or similar account able to receive electronic funds transfers. Assuming that the computer owner took the reasonable and recommended security precautions for its email account, I see no basis on which the computer owner could be held liable to reimburse those individuals who unfortunately fall victim to the fraud.
60. In reviewing legal commentary on computer fraud, this is clearly an area that would benefit from legislation to establish clear principles and guidelines for the allocation of liability in the event of computer frauds, which are increasing in number. In the United States, commentary with respect to the Uniform Commercial Code provisions dealing with wire transfer fraud suggests that in most cases, absent evidence of negligence or malfeasance by the “beneficiary” (receiving party), it is the “originator” of the transfer who is in fact dealing with the fraudster (albeit unknowingly), and is therefore in the best position to recognize potential indicia of fraud (i.e. such as changed or unusual payment instructions).
61. As a general rule, equitable negligence principles seek, after the fact, to place responsibility for a loss on the party best able to prevent the harm.
In the result, Lanark was ordered to pay the settlement funds but with no award of pre-judgment interest. Moreover, due to the novelty of the case, no costs award was made.