Who’s to Blame for This Hacker Heist Over Email?
A legal feud is underway between the world’s biggest hedge fund administrator and a former client over an email scam that resulted in hackers stealing millions in client funds. And not surprisingly, the time-honored tradition of finger pointing is on full display as each party accuses the other of employing sub-par internal controls and lackluster cybersecurity standards.
This tangled case began in March 2016. Tillage Commodities Fund, L.P., then almost a $10 million commodities investment fund, had engaged SS&C Technologies as its third-party administrator. As is typically the case, SS&C was responsible for executing wire transfers related to the fund’s operations such as investor redemptions and bill payments.
According to the 25-page complaint filed by Tillage in New York Supreme Court, SS&C received a series of fraudulent emails over a 21-day period purportedly sent from Tillage, asking for money to be transferred to a bank account in Hong Kong. The complaint charges that the fraudulent emails came from a domain name with an extra “l”– @tilllagecapital.com, a detail that SS&C is alleged to have failed to notice.
Tillage’s complaint sets forth a laundry list of alleged “red flags”: the emails sought the transfer of millions of dollars at a clip and contained grammatical errors which Tillage alleges were not only inconsistent with prior Tillage communications but rendered them “unclear in substance,” requiring SS&C to respond to the hackers with clarifying questions. Tillage also alleges that SS&C was dilatory and negligent following the transfers, failing to immediately notify Tillage of the incident and refusing to turn over its emails with the hackers.
But in a sharp rejoinder to Tillage’s complaint, SS&C filed its own third-party action against the commodities fund, claiming that it was Tillage that dropped the ball by – the complaint alleges – “abdicating their core responsibilities … and enabl[ing] unknown criminals to obtain authentic credentials for the [f]und and go undetected while using those credentials to steal millions from the [f]und’s coffers.” In the complaint, SS&C claims that Tillage’s lawsuit is merely a “bad-faith effort” to shift blame. See SS&C Techs, Inc. v. Tillage Commodities LLC, No. 654765/2016, Dkt. No. 40 (New York Supreme Ct. June 5, 2017).
The case – though still in its infancy – has already had one roundtrip to the state appellate court. At the outset, SS&C moved to dismiss, seeking protection from a clause in its services agreement limiting SS&C’s obligations to damages “resulting from the gross negligence, willful misconduct, fraud, or bad faith of SS&C.” The trial court judge, the Honorable Barry R. Ostrager, refused to dismiss the breach of contract claim, noting that gross negligence is typically a question of fact and does not require a showing of intentional wrongdoing. See Tillage Commodities Fund, L.P. v SS&C Tech., Inc., 2016 N.Y. Misc. LEXIS 4834 (Dec. 22, 2016). Judge Ostrager also allowed Tillage to move forward with a breach of the implied covenant claim. SS&C appealed.
On appeal, the court largely sided with Tillage and permitted several claims to proceed. See Tillage Commodities Fund, L.P., v. SS&C Technologies, Inc., 2017 N.Y. App. Div. LEXIS 5051 (1st Dept. 2017). The three-judge panel of the New York Supreme Court, First Department, held that the breach of contract claim – based on “defendant’s disbursement of funds without plaintiff’s instruction of approval” – could proceed. The court observed: “Although the alleged unauthorized transfer of funds does not appear to have been intentional, plaintiff has sufficiently alleged that defendant’s conduct ‘evince[d] a reckless disregard’ for plaintiff’s rights insofar as it failed to comply with basic cybersecurity precautions and actively disregarded its own policies as well as obvious red flags.”
The appellate court also sustained the breach of implied covenant claim based on allegations that SS&C did not “immediately notify plaintiff of the fraud and filings a misleading policy report with the Hong Kong police ….”
The case – however it turns out – shines a spotlight on the risks of fund transfers in an age of increased digital fraud. But it’s not just about fund administrators and their clients’ cybersecurity practices and internal controls. It’s about the contractual undertakings between the parties and how those agreements allocate risk in the event of a cybersecurity incident.
We will continue to monitor and report on significant developments in this case.