Ouch. Time to review what your insurance (assuming you have insurance) actually covers…
[…] The case of Russell Barnett Ford v. H&S Bakery began when the dealership filed a lawsuit to enforce the bakery’s contract with the dealership to buy the 48 delivery trucks. Under the contract, the dealership agreed to construct and deliver 48 vehicles. The dealership sought to enforce the contract and compel the bakery to pay the dealership the $1.337 million down payment, despite the bakery sending the payment to fraudsters.
The dealership argued it had an enforceable contract to sell the vehicles to the bakery. From the dealership’s perspective, it did not matter that the bakery attempted to send payment, because the dealership did not receive the payment.
There are many reasons why a dealership might seek to enforce a contract for an order like this. For example, the dealership may have expended resources to prepare for the construction of the vehicles. The vehicles may be configured in a manner unique to the bakery, which makes them difficult to sell to third parties. Finally, the dealership may just want the contract performed because that is what the parties bargained for.
The reasons why the dealership might try to enforce the agreement with the bakery are the same reasons other vendors may try to enforce an agreement, even when fraudsters steal the contract payments. A vendor that is selling a product or service will expect payment regardless of whether fraudsters stole the funds.
Russell Barnett Ford v. H&S Bakery is a good example of the legal havoc fraudsters can cause. In addition to losing $1.337 million, the bakery also faces the prospect of having to perform the contract. The bakery might have insurance, but as this blog has previously covered, so-called “cyber” insurance often does not cover liability to third-parties based on a contract. The bakery will likely argue that the dealership’s email compromise contributed to the loss, but it is not clear whether those facts will be relevant to a breach-of-contract analysis.
There are a number of ways this loss could have been avoided. If bakery employees had done more to verify the authenticity of the dealership wire instructions, it might have avoided this incident. Similarly, the dealership apparently failed to implement quality controls to prevent fraudsters from infiltrating its email system.
This case is yet another example of how important it is for organizations of all kinds to make sure they have controls and processes in place to mitigate the risk of a cybersecurity incident. Neither a bakery nor a vehicle dealership seem like a type of organization that would need to be concerned with cybersecurity, but they were targets nonetheless.