This article was featured in the January 2024 edition of the Utility Contractors Association of New England, Inc.’s Construction Outlook.
You are undoubtedly familiar with various types of business email compromise scams, likely because you receive several a month. Many of these email scams are easily identifiable. Oftentimes, the spelling and grammar are poor, the emails are riddled with typographical and other errors, and you are not familiar with the sender or its sometimes bizarre email address. Some of them seem obvious: a request from a foreign prince to assist with the transfer of funds in exchange for a share of a great fortune. Believe it or not, according to CNBC, these types of scams reportedly “still rake[d] in over $700,000 a year” as recently as 2019.
However, scammers have become more sophisticated and their tactics have become harder to recognize. Scammers are now able to send email messages that are much more tailored to your business or company and may appear to be legitimate, even on closer inspection. In some cases, it can be very difficult to determine whether a given email is bona fide, particularly if viewed on a mobile device. Sometimes, these emails appear to be from a company executive or an immediate superior, asking you to make arrangements to wire funds. In other instances, the illegitimate email might be sent as a reply-all to an earlier legitimate email. In other words, the scammer hacked into a system and then used a legitimate email to send a follow-up email that appears to be part of a legitimate email chain, but is actually a scam email. Another popular scam involves emails that appear to be legitimate payment requisitions, which result in a diversion of funds away from the contractor. In other words, the scammer might pose as a contractor submitting a request for payment to an awarding authority. Then, when the contractor actually seeks to requisition funds, the awarding authority responds that it has already made payment.
Cybersecurity issues are on the rise and this is a developing area of law. In some instances where cybersecurity issues have reached the courts, courts have determined that the party that was in the best position to avoid the loss bears responsibility for the loss. As a result, it has become imperative for contractors to implement appropriate measures to safeguard against cybersecurity issues and also to promptly respond to cybersecurity breaches if and when they occur. Time is of the essence and contractors should consult with competent counsel before issues arise.
Cybersecurity is also an important issue for government contractors, as illustrated by a recent U.S. Department of Justice (“DOJ”) press release. In September of 2023, the DOJ announced a settlement with a federal contractor that allegedly failed to completely satisfy applicable cybersecurity controls in connection with federal contracts. The contractor in this particular case was required “to provide federal agencies with secure connections to the public internet and other external networks.” However, the contractor allegedly failed to provide required cybersecurity controls in connection with General Services Administration (“GSA”) contracts over a 5-year span. When the company discovered the issue, the company self-reported, initiated an independent investigation and compliance review, and provided additional supplemental disclosures. The company cooperated with the government and took other measures to remedy the situation, which the DOJ duly noted in its press release.
You can imagine the importance of complying with applicable cybersecurity requirements when it comes to federal contracts, including military contracts. In the press release, the Deputy Assistant Attorney General was quoted as saying that “[w]hen government contractors fail to follow required cybersecurity standards, they may jeopardize the security of sensitive government information and information systems.”
But generally speaking, it has become imperative for contractors of all sizes working on projects of all kinds to take appropriate measures to protect against cybersecurity issues. Beyond the practical impacts of cybersecurity breaches (including ransom schemes and actual losses of funds), liability can attach in various scenarios, including where there is a disclosure of confidential personal information. In other words, from both a practical and legal standpoint, contractors must take immediate action to position themselves to protect against ever-evolving cybersecurity attacks and promptly mitigate issues when they arise.