Circuit recently issued a new decision analyzing the issue of who bears the risk of a commercial transaction negatively impacted by a cyber security breach. Two car dealers agreed to the purchase/sale of a fleet of vehicles and, during the email communications discussing the transaction, a hacker breached the seller’s email system and arranged for a false wire transfer by the buyer to the hacker’s account. Needless to say, the money evaporated by the time the parties figured out something had gone terribly wrong. The ensuing lawsuit was based on the issue of who bears the risk of such a loss. The court concluded that the person or entity best positioned to avoid the fraud bears the risk and that this will usually be a fact issue that a jury must decide. One interesting thing to note is that neither of the parties included any provisions in its agreement for the contractual allocation of such a risk. So, one consideration for possibly protecting yourself is to include a specific term in your contracts that specifically provides who will bear the risk of such an event.
Read the full decision here