As the quantity and complexity of cyber threats continue to increase across various industries, a recent case from the U.S. District Court in Maryland, United States of America for the Use and Benefit of Jay Worch Electric, LLC v. Atlantic Specialty Insurance Company et al., No. 8:22-cv-02420-PX (D. Md. May 21, 2024), highlights some of the security risks particular to the construction industry and presents an opportunity for contractors to address an increasingly common problem.
In 2021, defendant Pontiac Drywall Systems d/b/a PDSI Contractors (PDSI) was awarded a government contract to install lighting at a parking lot of the Naval Air Station in Patuxent River, Maryland. PDSI then subcontracted a portion of the work to plaintiff Jay Worch Electric, LLC (JWE). Monthly progress payments to JWE were conditioned on:
- JWE performing the work required.
- JWE signing a waiver, release, and sworn statement.
- The U.S. Navy paying PDSI for the work performed.
Regarding the payment that became the subject matter of this lawsuit, the parties agreed that all three conditions were met and JWE never received the payment. Thus, the court granted summary judgment to JWE, concluding that PDSI breached the contract and owed damages. However, the payment never reached JWE because the email address of JWE’s president, Jay Worch, was spoofed by a hacker pretending to be Worch. The spoofed email directed PDSI to mail a check to the wrong address. Notably, the court reasoned that PDSI would still be in breach of the contract even if the cause of the security incident was JWE’s own inadequate cybersecurity measures. The contract was silent on the payment method and the parties’ responsibilities regarding an incident that disrupted PDSI’s efforts to pay. Consequently, PDSI’s argument that it was not “at fault” for the breach fell flat.
The security incident was a fairly straightforward phishing attack. In May of 2022, Worch emailed an invoice to PDSI’s project manager. Worch’s email address ends in .com. Within an hour, the project manager received an email identical to Worch’s, except that the sender’s address ended in .net. This email related that payment needed to be made the next day to JWE’s corporate account via ACH, as JWE’s primary bank account was under review. The phisher used the exact same signature block, title, and contact numbers as Worch’s email. PDSI later received a revised invoice and waiver from the phisher, both identical to the ones sent by Worch’s real email address. The phisher then directed PDSI’s accountant to mail a check to a Connecticut address, rather than JWE’s Maryland address. PDSI mailed the check to Connecticut, and JWE brought suit for the contract balance.
Lessons for Contractors
The case brings to light several issues related to cybersecurity for the construction industry. First, although contractors may not frequently think about their cybersecurity measures, it is an essential aspect of operating a construction business today. Even if PDSI was not at fault for JWE’s breach, proper cybersecurity practices could have stopped the phisher’s theft. Deliberate and habitual inspection of emails is key to spotting phishing attacks, which frequently use email addresses extremely similar to those of real individuals and demand immediate action from recipients. Routine education and employee training on these practices is key for the construction industry. Contractors must also safeguard their networks, databases, and computer systems against professional hackers who can spoof email addresses or otherwise gain improper access. A 2023 report from security consultant ReliaQuest ranked construction as the top industry for cybersecurity incidents due to a “perceived lack of cybersecurity maturity, controls, and tools paired with the significant impacts of outages.” Contractors across the industry must ensure that their systems are secure and that best practices are followed by employees.
Furthermore, contractors should be aware that they may be liable for payments under a contract even when it is the other party’s lack of sufficient security measures that causes a payment to be lost or stolen. Adopting contract language that specifically addresses that individuals will receive payments, how payments will be made (wire transfer, mailed check, etc.), and the parties’ relative obligations regarding payment or performance in the event of a security breach are prudent terms to include in construction contracts. Standard form contracts may not sufficiently cover these scenarios, especially when those contracts involve government entities. In the contract negotiation process, companies should also contemplate the internal security practices of their partners. This is especially important for large general contractors frequently dealing with smaller subcontractors who may not employ fundamental cybersecurity measures.
By following the appropriate cybersecurity guidelines and addressing security concerns in their contracts, companies in the construction industry can do much to avoid the situation in which PDSI found itself. The potential liability for damages even when another company’s systems are breached should motivate contractors to prepare for and protect themselves from today’s increasing security threats.