This is a matter that you should be extremely concerned about. A few days ago, the appellate court for the Sixth District issued a decision in a case entitled Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc. and remanded the case back for a full trial. The transaction involved in the case is something you do every single day with another dealer, that is, dealer trades. If you will bear with me, the fact pattern is a little long, but here it is.
Don Hinds agreed to purchase 20 Ford Explorers from Townsend for about $736,225. It must be noted that the dealerships had dealer traded before but not in such a large, single transaction. During past transactions, the dealerships merely exchanged checks to pay for the vehicles. In this particular transaction, Hinds received a wire transfer request, purportedly from Townsend, stating that the payment should be wire transferred to an out-of-state bank. The problem is that a hacker had infiltrated the email system of Townsend and sent Hinds fraudulent wiring instructions. Naturally, after Hinds transferred the funds, his bank account was depleted.
Now, the heart of the matter. It appeared that the negotiations for the vehicles and directions for payment were all done via email with the exception of one disputed telephone call. Hinds sent several emails to Townsend and the invoices were responded to. However, the response was from a different email address than the original Townsend emails. The only difference was that instead of .com, it was @gmail.com. However, the text of the emails received by Hinds was authored by Townsend. After half the invoices were sent, Hinds sent an email indicating they would be paying by check and received an email response stating that “due to some tax related procedures, we would prefer a wire transfer.” Later that day, Hinds received wiring instructions to pay money to a bank in Missouri City, Texas. The account at the bank was under a dba of Beau Townsend Ford. Hinds testified that they did not think a wire request would be unusual due to the large amount of money involved. Two days after the final invoices were sent, Hinds emailed Townsend and asked Townsend to review Hinds’ paperwork to see if it was in order. Hinds received a reply purportedly from Townsend indicating that the paperwork was in order and received another copy of the wiring instructions. Over the next two days, drivers from Hinds picked up the 20 Explorers and wire transferred the money. Hinds further sent a wire transfer confirmation to Townsend and received an email purportedly from Townsend indicating they had received the money in their bank account. It must be noted that approximately two months earlier, a hacker had infiltrated the email account of the fleet manager at Beau Townsend Ford.
Townsend used a third-party email service called FuseMail. The service allows users to set up their own rules about how messages will be handled. For example, emails from a specified sender can be automatically forwarded to another email address, or they can be directed to flow into a different folder such as a deleted folder. The hacker infiltrated FuseMail and set up rules as to how emails from Hinds would be handled in Townsend’s FuseMail account. All kidding aside, it was found out afterwards that the hacker originated in Nigeria.
During a period of time, two things happened when Townsend received emails from Hinds. First, the email was diverted to the fleet manager’s deleted items folder. Second, the email was forwarded to the hacker’s email account. Therefore, any emails from Hinds to Beau Townsend were automatically diverted to a deleted folder where the fleet manager was unlikely to see them, but they were also sent to the hacker, who was able to forward the messages back where they would appear as if Townsend had responded to them. It must be noted that the negotiations for the vehicles were legitimate; the hacker began his activities when the talk of payment began. In essence, the hacker filtered out any type of email from Hinds that would have tipped off Townsend to the fraud.
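The rule pattern described above (mail from one sender moved to the deleted folder and also forwarded to an outside address) is something an export of mailbox rules can be checked for. The following is an added example, not part of the original article; the rule format, field names, domains and addresses are hypothetical and constructed, and do not reflect FuseMail's actual export.

```python
# Folders where the mailbox owner is unlikely to look (assumed names).
HIDING_FOLDERS = {"deleted items", "trash", "junk email", "rss feeds"}

def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule, internal_domains):
    """Return (severity, reasons) for one rule: 'high', 'medium' or 'none'."""
    reasons = []
    outside = sorted(a for a in rule.get("forward_to", [])
                     if domain_of(a) not in internal_domains)
    if outside:
        reasons.append("forwards to outside address: " + ", ".join(outside))
    folder = (rule.get("move_to") or "").strip().lower()
    if folder in HIDING_FOLDERS or rule.get("delete"):
        reasons.append("hides matching mail from the mailbox owner")
    # Both together is the pattern from the case: a copy leaves the
    # organisation while the owner never sees the original.
    severity = {2: "high", 1: "medium", 0: "none"}[len(reasons)]
    return severity, reasons

def audit_mailboxes(rules, internal_domains):
    """Return flagged rules, most severe first."""
    internal = {d.lower() for d in internal_domains}
    flagged = []
    for rule in rules:
        severity, reasons = audit_rule(rule, internal)
        if severity != "none":
            flagged.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                            "severity": severity, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["severity"] != "high")

# Constructed sample export; every value is illustrative.
SAMPLE_RULES = [
    {"mailbox": "sales@seller-dealer.example", "name": "newsletters",
     "from_contains": "news@vendor.example", "move_to": "Newsletters"},
    {"mailbox": "parts@seller-dealer.example", "name": "cleanup",
     "from_contains": "", "move_to": "Deleted Items"},
    {"mailbox": "fleet@seller-dealer.example", "name": "r1",
     "from_contains": "buyer-dealer.example", "move_to": "Deleted Items",
     "forward_to": ["drop@webmail.example"]},
    {"mailbox": "owner@seller-dealer.example", "name": "assistant copy",
     "forward_to": ["assistant@seller-dealer.example"]},
]

if __name__ == "__main__":
    for f in audit_mailboxes(SAMPLE_RULES, {"seller-dealer.example"}):
        print(f["severity"], f["mailbox"], f["rule"], "; ".join(f["reasons"]))
```

A "medium" result still deserves a look: a rule that only hides mail, or only forwards it outside, is half of the same pattern.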
Shortly thereafter, other dealerships doing business with Townsend alerted them that they were receiving wire transfer instructions that they had never been accustomed to before and others indicating that their emails had not been responded to. At that same time, Townsend called Hinds and asked when they would be receiving a check and Hinds indicated to them that they had already paid via wire transfer. Thereafter, the lawsuits were filed.
I will not go into the nitty gritty regarding the appellate court’s decision to return it to the lower court for a trial, but it did a very good job in its analysis. The court looked at the matter under several different legal theories. One was breach of contract. The court stated that if there was a mistake by both parties, then the contract is essentially voidable and/or the transaction could be rescinded. However, in this case, rescission was not a possibility since the money was gone. The court further stated under the UCC that typically “if a payer issues an instrument but fails to deliver the instrument to the payee’s possession, then a payer is still liable under the underlying obligation”; unless a party fails to take ordinary care then that party must bear the loss. Further, an innocent party has a right to rely on representations even if those reasonable representations were made by third party fraudsters. The court also addressed agency law, indicating that an innocent party has the right to rely on the bad acts of a third party if that third party manifests some type of authority as an agent.
The primary question the court wants resolved is who is responsible to exercise ordinary care in protecting the transaction? The court in essence stated, “no attempt is made to define particular conduct that will constitute failure to exercise ordinary care …. Rather, ordinary care is defined … in general terms.” The question of who is responsible to conduct ordinary care is left to the court or jury to decide in light of the circumstances in the particular case. In this instance, Don Hinds states that Beau Townsend was in the best position to protect its email server and knew or should have known it was hacked and Beau Townsend states that Don Hinds knew or should have known Townsend never used wire transfers before and should have called to verify same.
The moral of the story is, make sure your IT people have programs, policies and procedures in place to monitor your website and your email system to see whether it has been subject to attacks and/or hacking.