Hacker Diverts Settlement Funds: Who Should Pay?
Anytime there is a transaction that requires wiring funds, there is the risk of sending the funds to the wrong person. In a business email compromise exploit, hackers use electronic communications to request fraudulent payments. By the time the innocent parties realize what occurred, the money is already withdrawn or transferred from the fraudulent account and long gone (probably oversees beyond US jurisdiction). When this happens, the question becomes: who should bear the loss?
Should the payor have to pay again, or should the payee forego the payment?
Business Email Compromise is a known risk in real estate transactions. I've seen cases where innocent home buyers or their agents wired hundreds of thousands of dollars to hackers. No one is happy when this happens (well, except for the hacker).
I've also seen hackers target settlement payments. Just imagine, the parties to a contentious, stressful litigation finally agree to settle for $$$ dollars. The defendant, happy to be done with the case, receives wire instructions from the opposing attorney. Not thinking twice, the defendant wires $$$ dollars pursuant to the wire instructions. Later, the opposing attorney asks, "where's the $$$ dollars." Defendant then realizes $$$ dollars went to a hacker.
Question: Is there still a settlement?
This issue came up in Virginia where a court was faced with the question of whether to force the defendant to pay again, or tell the plaintiff, "Sorry, but you get nothing."
In 2016, a plaintiff, Amangoua Bile, won a $63,000 settlement in an employment discrimination suit. A few days after reaching the settlement, Bile’s counsel, Uduak Ubom, received an email purportedly from Bile, asking that the settlement funds be wired to a Barclay’s account in London. Ubom called Bile, who told Ubom that she had not sent the email. Ubom deleted the email and did not notify LeClairRyan, P.C., the firm representing the defendants, that someone had attempted to divert the settlement.
Two days later, Ubom and Olaolowaposi Oshinowo, an attorney at LeClairRyan, agreed over the phone that LeClairRyan would send Bile a check for the settlement funds to his residence. Ubom emailed Bile’s home address to Oshinowo following their conversation.
Later that day, Oshinowo received another email, purportedly from Ubom, asking that the settlement funds be wired to the Barclay’s account. Oshinowo believed this email came from Ubom because it was sent from his email address and used syntax consistent with the emails Oshinowo had previously received from Ubom.
LeClairRyan followed the wire instructions and transferred the money to the Barclay’s account.
Eventually, the parties discovered that the wire instructions were sent by a hacker who had infiltrated Ubom’s email account. LeClairRyan refused to send another payment, and the parties filed cross-motions to enforce the settlement agreement.
What the Court Did
Recognizing there was “no case law precisely on point,” the court looked to common law contract principles and Article 3 of the Uniform Commercial Code for guidance.
Under the UCC, “if a payor issues an instrument but fails to deliver the instrument to the payee’s possession, then the payor is still liable on the underlying obligation.”(citing UCC § 3-420 & cmt. 1). However, under UCC §§ 3-404 and 3-406, which address third-party fraud in negotiable instruments, “a party whose failure to take ordinary care results in loss must be the party to bear that loss,” and “a blameless party is entitled to rely on reasonable representations, even when those reasonable representations are made by fraudsters.”
Applying those general principles, the court concluded that Ubom failed to use ordinary care under the circumstances and that failure substantially contributed to the $63,000.00 loss.
The court decided the defendants were entitled to enforce the settlement agreement without paying a second settlement because Ubom’s failure to alert opposing counsel to the fraud “substantially contributed” to the loss. So, poor Mr. Bile did not receive his settlement payment because his attorney failed to take ordinary care. Case over?
I'm guessing Mr. Bile threatened to sue Ubom for professional negligence and failing to use ordinary care to obtain his settlement payment. But, that is for another blog.
The policy behind the Virginia Court's ruling falls in line with years of precedent: an innocent party should not pay for the errors of a negligent party. If a party's negligence causes a loss, or causes a hacker to intercept funds, then the negligent party should bear that loss.
The case is cited as Bile v. RREMC, LLC, No. 3:15-cv-051, 2016 WL 4487864 (E.D. Va. Aug. 24, 2016).
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP