Outsourced IT Providers’ Liability for Cyber-Attacks (and the Concurrent Liability of Cyber-Attackers)

Print Friendly, PDF & Email

By Stefan Sudweeks, Partner, Robert Csillag, Special Counsel, and Tamara James, Lawyer


Mills Oakley acted for an outsourced IT services provider (or Managed Service Provider, MSP) in relation to a claim brought against it by one of its clients who had fallen victim to a cyber-attack.

The cyber attack involved a business email compromise – a type of cybercrime where a fraudster gains access to an employee’s email account and poses as that person to obtain access to sensitive information or influence other employees to pay fraudulent invoices.

The victim’s account department in this case paid fraudulent invoices that were sent by a fraudster posing as a senior executive in the victim’s business. The victim brought a claim against the MSP for breach of s 18 of the Australian Consumer Law concerning misleading or deceptive conduct. The victim alleged, amongst other things, that the MSP had misled or deceived it by making certain pre-contractual and contractual representations that it said gave rise to an expectation that the MSP was providing cyber security services and that had these services actually been implemented, the cyber-attack would have been prevented.

Leaving aside the contractual dispute, the MSP argued that the victim’s claim was an ‘apportionable claim’ as defined under Part 4 of the Civil Liability Act (NSW) (CLA) and that regard had to be had to the materiality of the fraudster’s conduct in causing the victim’s loss. The MSP argued that the victim was contributorily negligent in failing to implement proper banking procedures in accordance with best industry practice which also had a material impact on the loss in circumstances where those practices had significant potential to avoid fraudulent activity perpetrated both internally and by external parties.

Relying on the principles set out in Hunt & Hunt v Mitchell Morgan Nominees [2013] HCA 10, the MSP argued that the victim’s loss ought to be reduced by 87.5% (being the amount apportioned to the fraudsters in that case).

The victim contended that while the corporate entity that had set up the bank account that received the stolen funds had been identified, the MSP could not establish that this was the same entity that perpetrated the fraud on the victim (and therefore could not be named as a concurrent wrongdoer for the purposes of Part of the CLA). The MSP rejected this assertion noting that the corporate entity that set up the account that received the funds was also the same entity listed on the fraudulent invoices paid by the victim.

The Takeaways

The question of whether the recipient of the funds is liable as the fraudster (and therefore responsible for up to 87.5% of the loss) or is distinct from the fraudster (and therefore not liable for the “lion’s share”) is yet to be determined by the Court. The argument against the recipient of the funds being liable as the fraudster is that the fraudster itself has not been identified and is therefore not a concurrent wrongdoer under the Civil Liability Act.

Until the Court determines the issue, prudent advice is that the MSP relies on the identified (but untraceable) recipient of fraudulently received funds as a concurrent wrongdoer, and thereby seek to reduce it liability (considerably) for the victim’s loss.

The proportionate liability regime was introduced to replace the system of joint and several liability for most economic loss claims to prevent plaintiffs taking advantage of a system that allowed them to target only well-insured wrongdoers (whose contribution to the loss might have been minimal) and obtaining 100 per cent of the damages. One of the recognised and intended consequence of the move from joint and several liability to the proportionate liability regime was that the risk of trying to recover from a concurrent wrongdoer that was untraceable was shifted from the defendant to the plaintiff (see Williams v Pisano [2015] NSWCA 177).

This matter serves as a timely reminder for businesses that outsource their IT functions to MSPs (and for MSPs themselves) to review the terms of their retainers to understand the scope of the services being provided. Businesses should also be aware that cybersecurity is just one line of defence against a business email compromise attack and that basic banking procedures can also play an important part in preventing or minimising the impact of a cyber-attack.

For further information, please do not hesitate to contact us.

Get the latest news insights and articles straight to your inbox, simply enter your details.




    *Required Fields


    Personal costs orders – ‘a shield not a sword’