Cybersecurity Gaps Leave General Contractor Liable in Phishing Scam

The increasing complexity of cyber threats has exposed vulnerabilities across various sectors, including construction. A recent U.S. District Court case in Maryland, involving Jay Worch Electric, LLC v. Atlantic Specialty Insurance Company, emphasizes the need for robust cybersecurity measures in the construction industry. In this case, Pontiac Drywall Systems (PDSI) subcontracted work to Jay Worch Electric (JWE), but a phishing attack resulted in a payment being diverted to a hacker. Despite the phishing attack, the court held PDSI responsible for the breach of contract, underscoring the critical need for contractors to enhance their cybersecurity protocols.

The phishing incident occurred when a hacker spoofed JWE’s email address, directing PDSI to mail a payment to the wrong address. The court ruled that PDSI breached the contract, highlighting that even though the security breach stemmed from JWE’s inadequate cybersecurity, PDSI was still liable for the lost payment. This case underscores the necessity for construction companies to implement stringent cybersecurity measures and to include specific terms in contracts addressing payment methods and responsibilities in the event of security breaches.

The construction industry, often perceived as lacking in cybersecurity maturity, must prioritize the protection of their networks, databases, and communication systems against cyber threats. Routine education and training for employees on recognizing phishing attacks and other cybersecurity threats are crucial. Additionally, adopting contract language that clearly defines payment procedures and responsibilities in the event of a cyber incident can help mitigate potential liabilities.

By proactively addressing cybersecurity concerns and incorporating comprehensive security terms in contracts, construction companies can better protect themselves from cyber threats and potential liabilities. The case serves as a crucial reminder for the industry to prioritize cybersecurity and contractual clarity to avoid similar pitfalls.