The Subcontractor Performed. The Prime Contractor Paid. But A Hacker Ended Up With The Money. Who Is Responsible?

When hackers gain access to a subcontractor's information systems and divert the prime contractor's payment to themselves instead of to the subcontractor, does the prime contractor still have to pay the subcontractor? A recent decision from the U.S. District Court for the Western District of Maryland held that “absent express, bargained-for limitations on liability,” failure to pay a subcontractor when a subcontractor has fulfilled all work and billing requirements constitutes a breach of contract, and the prime contractor must pay damages that result from the breach. In this case, that was true, even assuming the subcontractor was responsible for its systems being hacked.

What was the case about?

Jay Worch Electric, LLC (JWE) sued Pontiac Drywall Systems, Inc. (PDSI) and its surety Atlantic Specialty Insurance Company (ASIC) for breach of contract and for payment under the Miller Act. See United States for the Use and Benefit of Jay Worch Electric, LLC v. Atlantic Specialty Insurance Company et al., No. 8:20220-CV-02420 (D. Md. May 21, 2024). JWE was the subcontractor and PDSI was the prime contractor on a project to install lighting at a parking lot on the Naval Air Station in Patuxent River, Maryland. JWE sought summary judgment on both of its claims, arguing that there was no genuine dispute that PDSI had breached the subcontract by failing to pay for work JWE performed.

Importantly, the court noted that the subcontract “did not address how PDSI would make payment to JWE. That is, the Subcontract was silent on to whom the payment would be directed and on the relative responsibility for payment if PDSI's efforts to pay were thwarted, whether by error, inadvertence, or third-party interference” (emphasis in original).

JWE's president invoiced PDSI for work performed from his corporate email account, and PDSI confirmed that it would pay JWE for the work. PDSI then received an email from an account that was nearly identical to that of JWE's president, including an identical signature block. But there was one small difference: the email address ended in “.net” instead of “.com.” While neither party realized it at the time, JWE had been hacked.

The hacker's email stated that JWE's primary bank account was “under review” and directed PDSI to render payment instead to a separate “Corporate account via ACH only.” The same process repeated itself after JWE's president sent a revised invoice from his correct .com email: the hacker sent another message from the .net email (this time, PDSI had no record of even receiving the .com email). After several similar exchanges, PDSI ultimately mailed a check to an address provided by the hacker. JWE never received the payment. The court noted that “the bank appears to have frozen the assets in connection with an investigation into the fraudulent activities behind the .net addressee.”
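The sequence above is the classic invoice-redirection pattern: a lookalike sender domain that differs only in its top-level domain, followed by a request to send payment somewhere new. As an added illustration that is not from the article, the court record, or either party's systems, the following screen flags both signals in an incoming invoice-related e-mail so it can be held for out-of-band confirmation; the domains and message text are constructed placeholders.

```python
# Added example (not from the article or the court record): a defender-side
# screen for the two red flags in the JWE/PDSI incident: an invoice-related
# message whose sender domain is a lookalike of the known vendor domain
# (same label, different TLD, e.g. ".net" for ".com"), and a request to
# change where payment is sent. Domains and message text are constructed.
from dataclasses import dataclass, field
from email.utils import parseaddr

# Phrases typical of payment-redirection requests; the "under review" and
# "ACH only" wording mirrors the article's description of the hacker's email.
PAYMENT_CHANGE_PHRASES = (
    "under review", "ach only", "new account", "updated banking",
    "wire instructions", "remit payment to", "mail the check to",
)

@dataclass
class ScreenResult:
    sender_domain: str
    flags: list = field(default_factory=list)

    @property
    def hold_for_callback(self) -> bool:
        """Any flag means: confirm by phone at a number already on file."""
        return bool(self.flags)

def _split_domain(domain: str) -> tuple:
    """Return (label, tld) for a simple domain such as 'vendor.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return (".".join(parts[:-1]), parts[-1]) if len(parts) >= 2 else (domain.lower(), "")

def screen_invoice_email(sender: str, body: str, vendor_domain: str) -> ScreenResult:
    """Flag lookalike sender domains and payment-change language in one message."""
    _, addr = parseaddr(sender)
    sender_domain = addr.rpartition("@")[2].lower()
    result = ScreenResult(sender_domain=sender_domain)
    s_label, s_tld = _split_domain(sender_domain)
    v_label, v_tld = _split_domain(vendor_domain)
    if sender_domain != vendor_domain.lower():
        if s_label == v_label and s_tld != v_tld:
            result.flags.append(f"lookalike domain: .{s_tld} instead of .{v_tld}")
        else:
            result.flags.append("sender domain is not the vendor domain on file")
    text = body.lower()
    hits = [p for p in PAYMENT_CHANGE_PHRASES if p in text]
    if hits:
        result.flags.append("payment instructions changed: " + ", ".join(hits))
    return result
```

A hit on either flag should route the message to a verification step that uses contact details already on file, never the ones in the suspect e-mail.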

What did the prime contractor and subcontractor argue to the court?

In its motion for summary judgment, JWE argued that the subcontract required payment because JWE had performed and presented a proper invoice. It denied responsibility for the hacker's diversion of funds. Thus, JWE was entitled to judgment because of PDSI's failure to pay the undisputed subcontract balance.

In response, PDSI admitted that JWE had not received the payment. PDSI alleged, however, that it was not at fault because JWE had neglected to have proper cybersecurity protocols in place, and that PDSI should not be held responsible for JWE's failure to secure its own computer systems.

How did the court rule?

The court held in favor of JWE and granted it summary judgment. Neither party disputed that JWE carried out the required work per the subcontract's terms. Nor did either party dispute that PDSI failed to pay JWE the amount due. Because the plain and unambiguous terms of the subcontract compelled payment, and PDSI had not paid JWE, PDSI breached.

Responding to PDSI's claim that it was not at fault for JWE's having been hacked, the court explained that, even if “JWE's own substandard internet security led to the hack, this alone does not excuse PDSI from its contractual obligations.” Quoting the Restatement of Contracts and prior precedent, the court reasoned that, “[a]s a rule, ‘contract liability is strict liability;’ once parties agree to terms of performance under a contract, the parties must fulfill those terms or be liable for damages arising from the breach.” Here, the “plain and unambiguous” terms in the subcontract required PDSI to pay JWE upon the latter's performance and proper billing, both of which were undisputed. As there were no other obligations with which JWE was required to comply, PDSI must pay JWE what JWE is entitled to receive. The court concluded that, if PDSI had wished to protect itself from a situation like this, it should have done so when it drafted the contract.

The court noted in a footnote that in “extraordinary circumstances, it may exercise its equitable powers to relieve the performing party from its duties under a contract.” However, PDSI did not seek equitable relief in this case, and the court saw no basis to exercise it.

Why is this case important, and what are the takeaways?

This case highlights the importance of considering and allocating the ever-growing risks of cybersecurity incidents at all levels of the supply chain. Standard Federal Acquisition Regulation (FAR) and Defense FAR Supplement (DFARS) clauses contain some relevant requirements, but planning to comply with and flow down those clauses may not be enough to address worst-case scenarios like the one highlighted in this case. See, e.g., FAR 52.204-21 (basic safeguarding requirements); FAR 52.204-28 (new supply chain orders program); DFARS 252.204-7012 (Department of Defense safeguarding requirements); DFARS 252.204-7021 (new Cybersecurity Maturity Model Certification Level program).

Cybersecurity threats can pose risks not only to government clients, but to subcontractors and commercial clients as well. Contractors should be aware that even if another party is at fault for a security or data breach that prevents the receipt of payment, the incident will not discharge their payment obligation. This case highlights the importance of including detailed payment terms in subcontracts: how payments will be made, where they will be sent, to whom they will be made, and who bears the loss if a party's system is hacked and a payment is stolen as a result.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
