In Hail v. Beaver Builders, the Colorado Court of Appeals held that, absent a contractual provision creating a duty to use reasonable cybersecurity practices, a company whose poor cybersecurity practices increased another company’s risk of being harmed by computer crime cannot be held liable under contract law. In other words, the holding means there is no implied contractual duty to use reasonable cybersecurity practices.
In the fall of 2016, a roofing company doing business as A to Z Roofing emailed an invoice for $54,985.00 to a subcontractor, Beaver Builders. According to court documents, Mr. Beaver of Beaver Builders received a second email the next day from the same person at A to Z Roofing. The second email included the invoice and requested payment in the form of a bank wire transfer. Eventually, after a few more emails were exchanged, Mr. Beaver wired the money as instructed.
It was at least a few days before the parties realized that A to Z Roofing’s email had been hacked and that Mr. Beaver sent over fifty thousand dollars to the hacker rather than to A to Z Roofing. A to Z Roofing demanded payment since they had never actually received any of the money owed to them. Beaver Builders blamed the hacking incident on A to Z’s lax email security and argued it should not have to pay twice.
The case went to a bench trial (a trial before a judge). The judge did not decide who was to blame for the hacking incident and observed that there is little authority from other cases or laws on the question of whether “parties to a business transaction have a duty to each other to take reasonable steps to protect themselves and others from hacking attacks…and whether a breach of any such duty may relieve the party of its contractual obligations.”
The court entered a judgment against Beaver Builders, meaning that Beaver Builders would be required to pay both the original amount invoiced and A to Z’s attorney fees totaling over $40,000.00.
Not surprisingly, Beaver Builders appealed the decision.
But the Colorado Court of Appeals upheld the judgment against Beaver Builders and rejected the three reasons Beaver Builders offered for why A to Z had a duty to take better care with its cybersecurity.
First, Beaver Builders argued that a provision of the Uniform Commercial Code addressing impostors and fraudulent inducement applied to its situation. The Court disagreed, finding that the provision applies to more limited circumstances than those at issue.
Second, Beaver Builders had argued that the duty to protect against hacking came not from any contract with A to Z but from an overall duty of reasonable care that businesses owe when communicating information to the other parties to a business transaction. A failure to live up to that duty would be a form of negligence, Beaver Builders argued. A to Z countered that the case was a contract case, not a negligence case, and the appeals court agreed, finding that the “economic loss rule,” which “serves to maintain a distinction between contract and tort law,” applied. As the Court explained, the idea behind the distinction between the two types of claims is to “hold parties [to a contract] to the terms of their bargain” (and no more than that) by encouraging them to address “risks and costs during their bargaining” before the contract is formalized.
Finally, the court rejected Beaver Builders’ argument that there are other grounds for recognizing a duty of care concerning email security, at least on the facts before the court in the Beaver Builders case.
The trial court and the Court of Appeals were reluctant to determine who was responsible for the hack—A to Z for having easy-to-guess passwords and lax security, or Beaver Builders for not being more suspicious of an unusual payment form request. Both sides argued the other was to blame. But ultimately, the issue was sidestepped, likely due in part to the fact that both parties were professional businesses on fairly equal footing. Arguably, companies entering into the kinds of contracts at issue in this case can more readily negotiate about privacy terms and risks. For example, it’s possible to build cybersecurity measures into contracts and express the parties’ understanding of who owes what in the event of a hacking or other security breaches.
In the past two years since the events giving rise to this case took place, we have seen an increase in lawsuits related to large-scale security breaches by hotels, credit agencies, retailers and service providers, where consumers’ expectations about the security of their transactions have not been met. We also have seen more states considering or enacting laws like Colorado’s Protections for Consumer Data Privacy Act. Colorado’s new law sets a higher bar for handling and protecting consumers’ personally identifying information. Over the next few years, we can expect to see more cases involving one-on-one transactions like Mr. Beaver’s contract with A to Z Roofing. And perhaps as more cases reach the courts that show a greater disparity in bargaining power or where the blame for the security incident is more readily apparent, we may see more of a shift toward establishing a unified standard of care when it comes to cybersecurity practices for all businesses, big and small.
By Alexandra Tracy-Ramirez, HopkinsWay PLLC. | © HopkinsWay PLLC 2019. All rights reserved.