Q2-2020
ERAI, INC QUARTERLY NEWSLETTER
Dear ERAI Members and Colleagues,

I hope that this quarter finds you, your families and coworkers in good health. While most of us have faced, and continue to face, disruptions to our “normal” daily lives, aside from taking precautions for our health, we must also remember to take steps to protect our digital realms.

Shortly after stay-at-home restrictions were announced in Florida, a dead laptop battery forced me to throw caution to the wind and order a replacement battery from an ecommerce platform. What I thought of as a quick fix that I would resolve later nearly turned into a house fire after the battery suddenly began to overheat and melt. Fortunately, I had followed our internal procedures which ensured that my data was safe and secure, despite the noxious wisps of smoke. One new laptop later, I am reminded of the dangers that we constantly face in the industry – not just from counterfeits and other hardware issues, but also on the cybersecurity front as well.

This quarter ERAI has had reports of companies with only an Internet presence pocketing funds sent via wire transfer in advance terms, imposters stealing email account credentials to reroute funds, and attempts to obtain product without payment through email spoofing. With new cybersecurity regulations in place for US Government Defense contractors and their subs, now is a good time to follow their example and enact preventative measures and document procedures to ensure that not just your data, but that of your customers, and your business stay protected.

Anne-Liese Heinichen
Editor-in-Chief
anne@erai.com

Amazon Sets Its Sights on Counterfeiters




For years, online shopping portals, such as Amazon and eBay, have passively allowed counterfeiters to easily advertise, sell and ship counterfeit products with little to no ramifications. These online portals provided a world-wide audience and, more importantly, a cloak of anonymity for sellers of counterfeit goods. Sellers who were caught peddling counterfeits could easily create a new account and open another storefront with little effort and without facing punitive measures. For international customs officials, the influx of large volumes of small packages being continuously exported and imported has made it even more challenging to detect and seize counterfeit goods. Even courts have shied away from finding these portals liable for selling counterfeit goods because their lawyers successfully argued that they were acting as a selling platform, rather than being a seller itself.

Courts have been hesitant to hold e-commerce portals responsible for what third parties are selling on their sites and have acknowledged the difficulties in monitoring every product being sold on a website, in part, due to the 1998 Digital Millennium Copyright Act, which provided safe harbor from copyright infringement liability. However, last year, in its 2019 annual form 10-K report to the United States Securities and Exchange Commission, Amazon acknowledged that the sale of counterfeit goods on its site posed a liability risk to consumers and even to Amazon itself. Shortly thereafter, “Amazon Project Zero” was announced, which placed the onus on intellectual property rights holders to register with Amazon and, in essence, self-police, tag and report counterfeit product listings. In addition, Amazon created automated protections to scan over 5 billion product listings on the shopping portal to compare IP holders’ uploaded logos and trademarks against these listings to check for intellectual property infringement. In an August 2019 blog, Amazon announced that over 3,000 brands had enrolled in the US and that over 65 million suspicious listings for brands that had enrolled in Project Zero had been stopped by automated protections.1

In its most recent step, Amazon is taking a more proactive role to end the sale of counterfeits on its website through the newly created Counterfeit Crimes Unit. The Unit is “dedicated to bringing counterfeiters attempting to list counterfeit products in its store to justice. The global team, made up of former federal prosecutors, experienced investigators, and data analysis, will support the company’s substantial efforts already underway to protect its store from counterfeits.”2 Amazon’s Vice President for Customer Trust and Partner Support, Dharmesh Mehta, claims that each counterfeiter will be “held accountable to the maximum extent possible under the law, regardless of where they attempt to sell their counterfeits or where they’re located.”3

The move also comes on the heels of the Trump administration placing five of Amazon’s marketplaces in Canada, the UK, Germany, France and India on its annual “Notorious Markets” report in April. This marks the first time a US company has been named on the notorious list. While the listing carries no financial or regulatory penalties, Amazon’s brand reputation was put in jeopardy as it is now among the ranks of other portals, notably Alibaba’s Taobao website, which has been named multiple times as counterfeit-friendly in previous “Notorious Market” reports. In January, the Department of Homeland Security released recommendations for the government and private corporations to stop counterfeit goods from being imported into the US. The report came on the heels of President Trump’s executive order last April calling on DHS to more stringently combat counterfeit trafficking. White House trade advisor, Peter Navarro, stated, "it's like Amazon, Alibaba, JD.com, Shopify, these companies are the great enablers of Chinese counterfeiting...so, they're going to be called to account as well if we're going to solve this problem."4 In March, a bipartisan group in the US House of Representatives urged Amazon and eBay to take stronger actions against third parties who sell counterfeit, stolen and unsafe products on their websites and submitted the SHOP SAFE Act to incentivize platforms to engage in best practices to curb counterfeits on their websites.

Amazon claims that it spent over $500 million and dedicated approximately 8,000 employees in 2019 to fight fraud and counterfeits.5 Amazon will now purportedly report merchants to US and European federal authorities whenever it is able to identify the sale of a counterfeit product.


1https://blog.aboutamazon.co.uk/innovation/project-zero-expands-to-europe

2https://blog.aboutamazon.com/company-news/amazon-establishes-new-counterfeit-crime-unit#:~:text=The%20Counterfeit%20Crimes%20Unit%20enables,in%20criminal%20actions%20against%20counterfeiters

3https://blog.aboutamazon.com/company-news/amazon-establishes-new-counterfeit-crime-unit#:~:text=The%20Counterfeit%20Crimes%20Unit%20enables,in%20criminal%20actions%20against%20counterfeiters

4https://www.foxbusiness.com/money/peter-navarro-china-counterfeits-trade-deal

5https://www.theverge.com/2020/6/24/21302114/amazon-counterfeit-crimes-unit-knockoffs-store-online-investigators




Cisco Enforces Brand Protection and Distribution




Networking giant Cisco is continuing to proactively fight against unauthorized resellers and counterfeiters in court. In December 2019, Cisco won a court injunction against online ecommerce websites, including Amazon and Alibaba, to stop the sale of Chinese-made counterfeit Cisco products. The lawsuit named four Chinese manufacturers including: Shenzhen Tianheng Network Co., GezhiPhotonics Technology Co. Ltd., Shenzhen Sourcelight Technology Co., and Dariocom. Cisco argued that the counterfeit equipment posed a risk to national security and health systems as they were more prone to failure and would be difficult to update and maintain.

More recently, on June 8, 2020, Alan Gould and Kelley Stewart were banned for a period of 12 years from being involved, directly or indirectly, in the promotion, formation or management of a company without permission of the British Insolvency Service.1 Gould and Stewart were both former directors of GEN-X IT Ltd, an electronics distribution company incorporated in 2002 in Manchester, England. In January of 2016, GEN-X IT Ltd filed for insolvency due to litigation from Cisco who discovered that the distributor had violated trademark laws by importing Cisco products from outside of the European Economic Area. In 2018, the pair admitted their wrongdoing and agreed to pay a seven-figure settlement to Cisco.2 During the insolvency proceedings, it was discovered that Gould and Stewart had bought and sold approximately 55,000 counterfeit Cisco products over a three-year period.3 The parts had been sourced from a third party who had purchased the equipment from China. In 2005, Gould and Stewart had previously been caught by Cisco selling counterfeit goods and agreed to make a public apology, disclose supplier information and pay a cash settlement to Cisco.4

Rob Clarke, Chief Investigator for the Insolvency Service stated, “Both Alan Gould and Kelley Stewart were fully aware GEN-X IT was importing and selling computer products that infringed on Cisco’s intellectual property rights, which was a flagrant breach of an undertaking promising they would stop. Their conduct fell well short of what is expected of company directors. Alan Gould and Kelley Stewart’s substantial disqualifications should serve as a stark warning to those who seek to gain a corporate advantage illegitimately that they could face a lengthy ban from limited liability trading.”5 Neil Sheridan, Cisco Director of Brand Protection, stated, “Last year’s UK Supreme Court decision that trading in grey products, as well as counterfeit products, can result in criminal prosecution is further proof that trading outside Cisco’s authorised distribution network will have consequences.”6


1Alan Gould Disqualification: https://beta.companieshouse.gov.uk/disqualified-officers/natural/e5BvQhl-JwkP-v1n2l5_EW2L0S0

  Kelley Stewart Disqualification: https://beta.companieshouse.gov.uk/disqualified-officers/natural/niFMc0YTPYuWbNJW1pWNjc_9Bgg

2https://www.theregister.com/2018/07/05/distributor_bosses_had_7figure_settlement_to_cisco_for_dodgy_importing/

3https://www.channelweb.co.uk/news/4016926/cisco-issues-warcry-counterfeit-traders-gen-duo-banned

4https://www.networkworld.com/article/2349061/cisco-catches-u-k--firm-red-handed-peddling-counterfeit-cisco-gear.html

5https://www.securingindustry.com/electronics-and-industrial/uk-traders-get-lengthy-bans-for-selling-fake-cisco-goods/s105/a11870/

6https://channeleye.co.uk/cisco-defeats-gen-x-it-in-court/




Symposium on Counterfeit Parts and Materials





How to Spot a Counterfeit: When Minimum Testing Isn’t Enough


Many of the parts submitted to ERAI are reported after failing an external visual inspection, remarking and resurfacing testing or AC/DC electrical testing. In many cases companies continue to rely mainly on these tests, despite advances in counterfeiting techniques, because they are relatively inexpensive and do not require costly specialized equipment to perform. However, some nonconformances can only be uncovered using more advanced testing techniques such as decapsulation and electrical testing on a dedicated platform. Advanced testing may be necessary, dependent on application risk, which is why clear dialogue with your customer is key.

ERAI received an analysis report from an independent test lab which illustrates how extended testing can detect advanced counterfeits and cloned devices. The test laboratory received 50 pieces of Analog Devices part number AD822ARZ-REEL7 for inspection. The parts arrived in a coiled tape strip with ESD protective packaging. The parts were subjected to external visual inspection (EVI) and resurfacing testing. The parts were measured and were found to be within the manufacturer’s dimensional specifications. The devices displayed the same exterior configuration as shown on the Package Outline Drawing (POD). The leads displayed exposed base metal from trimming and stress marks from the forming process, which indicated that they were not re-plated. There were no solder remnants, scratches, or any other indications of prior use. All 50 pieces passed coplanarity analysis. Remarking and resurfacing tests, both chemical and mechanical scraping, revealed no evidence of remarking or resurfacing.





Five pieces were then subjected to X-ray and decapsulation analysis. The X-ray analysis revealed that the structures across the 5-piece sample were consistent and exhibited no voids or other abnormalities. The decapsulation analysis, however, revealed that a sample part showed an unknown logo die marking and a 956 marking that was not traceable to Analog Devices or the specified part number. Die markings and die topography did not match those of a known good sample.





Subsequent electrical testing of 49 samples indicated that all pieces failed with low Vout (output voltage). ERAI was able to confirm that the die is not an Analog Devices die.

While AC or DC electrical testing can confirm performance characteristics, many times only a small part of the die is covered. Complex parts can require in-depth test planning and development, which can result in long testing lead times and high costs. Many times, test laboratories have to develop their own solutions in the form of models or device simulators if they do not have support from the manufacturer to ensure that the part is operating to the manufacturer’s specifications. Device emulators can be used to simulate how a part will operate. By using a known good device configured for use in the final application, test vectors can be obtained that can be used for comparison to parts to be tested.

While developing a test strategy, you should remember to test the performance characteristics of the design you are implementing and perform a risk assessment on the application. Working closely with a test lab to reduce unknowns and setting limits to your parameters allows you to control costs and avoid lengthy testing times. Remember that test labs can face lead times for hardware and testing sockets critical for testing, so it’s important to start the dialogue early in your process with your chosen test lab. You, as a supplier, must know and clearly understand your customer’s expectations. Keeping an open dialogue with your customer, suppliers and test labs is critical to your organization’s success in delivering quality product, whether your organization is supplying parts or a final product. As counterfeiters become more sophisticated, it is important that, regardless of the source of supply and if risk analysis dictates, the highest level of due diligence be applied during testing for authenticity verification.



Q: WHO CAN REPORT PARTS TO ERAI?
A: ANYONE. Membership to ERAI is not required.


We have made the process as simple as possible by offering two ways to report parts:

1. Report a part online at: https://www.erai.com/SubmitHighRiskPart
2. Or even simpler, email your report to reportparts@erai.com


We require: 1) the part information, manufacturer, part number, date code, lot code; 2) a text description of the non-conformance or findings and; 3) digital images that support the findings.

Ideally, you can send all archived data you have and make reporting future cases routine by including a report to ERAI in your existing inspection process.

Please note that you can report parts anonymously. We will not include your company name on an alert. You do not have to report the supplier that shipped you counterfeit devices unless you choose to. The major benefit to the industry at large is knowing there is a suspect counterfeit part out there.



DoD Unveils Cybersecurity Maturity Model Certification

On January 30, 2020 the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC). Version 1.02 was subsequently released on March 18, 2020. The CMMC is a unified standard containing five maturity processes and 171 cybersecurity best practices to standardize and ensure cybersecurity across the Defense Industrial Base (DIB), which includes over 300,000 companies providing goods and services to the United States Department of Defense (DoD). The framework has been designed to ensure that the DIB supply chain has adequate processes and practices in place to protect sensitive defense information.

What is the CMMC?
There are two main types of unclassified information the standard aims to protect:
  • Federal Contract Information (FCI): FCI is information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.1
  • Controlled Unclassified Information (CUI): Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.2
The document, developed by cooperation between the DoD, Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory, uses a framework to determine an organization’s cybersecurity maturity using third-party audits. Contractors still remain responsible for ensuring their organization is executing crucial cybersecurity best practices, but third-party assessments will now be required to ensure compliance with procedures and practices mandated by the basic safeguarding requirements set forth for FCI by FAR Clause 52.204-21 and for CUI as specified in NIST Special Publication 800-171 rev. 1’s 110 security requirements per DFARS Clause 252.204-7012.

According to Katie Arrington, Chief OUSD(A&S) Information Security Officer, “The CMMC is about level setting and making the industry get where they need to be to protect themselves and us. It’s about giving you the right resources to be able to provide that security, helping you to help us.”3 The CMMC will be used as an assessment tool to determine an organization’s cybersecurity maturity level for use as a requirement for a contract award.

What are the CMMC requirements?
In essence, the CMMC is a benchmark of best practices and processes against which an organization can measure its current cybersecurity infrastructure capabilities. There are five levels of certification consisting of processes and practices across 17 domains. In order for an organization to achieve a particular level of certification, it must have achieved compliance with the preceding lower level requirements. The CMMC provides a list of processes and practices for each domain for each level for a total of 171 practices at level 5.

Level 1:
An organization must perform 17 specified practices. “Basic Cyber Hygiene” is practiced for the protection of FCI according to the requirements specified in 48 CFR 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems”. No maturity processes are assessed at this level as the organization performs the practices but does not necessarily have documentation in place. Examples of level 1 practices include (but are not limited to): limiting data access to authorized users; limiting the use of portable storage drives; authorizing, permitting and controlling remote access; enforcing the use of passwords; destruction of media containing FCI; and monitoring of information systems against malicious code. Many organizations that have already been awarded DoD contracts will likely already have most level 1 requirements in place and most DoD contracts are anticipated to require level 1 certification.

Level 2:
In addition to level 1 practices, an organization must perform an additional 55 specified practices. Level 2 requires documented practices and policies and includes some of NIST SP 800-171 rev 2 requirements. “Intermediate Cyber Hygiene” is practiced to protect CUI. Practices cover the following domains: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Physical Protection, Personnel Security, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

Level 3:
In addition to level 1 and 2 practices, an organization must perform an additional 58 specified practices. “Good Cyber Hygiene” practices ensure the security of CUI, including all NIST SP 800-171 rev 2 security requirements.

Level 4:
In addition to level 1, 2, and 3 practices, an organization must perform an additional 26 specified practices. At this level, organizations must be proactive in measuring, detecting and defending against advanced persistent threats, including audits of historical data. Organizations have systems in place to review and measure effectiveness and can take corrective actions if threatened by a threat’s changing tactics. This level is most likely the minimum level expected of prime government contractors.

Level 5:
In addition to level 1, 2, 3, and 4 practices, an organization must perform an additional 15 specified practices and have standardized and optimized procedures across their entire organization. Enhanced and sophisticated cyber capabilities are optimized to detect and respond to cybersecurity threats.

How do I know if my organization needs to be CMMC certified?
All DoD contractors, including subcontractors, will need to achieve CMMC certification to be awarded DoD contracts unless your company solely produces COTS products. This includes government prime contractors and their subcontractors, although the DoD has not stated what level of compliance must be achieved and maintained, meaning subcontractors and smaller organizations may not need to achieve level 5 compliance. If your organization does not handle CUI but handles FCI, your organization will need a minimum of Level 1 CMMC certification. It is anticipated that the DoD will specify the required CMMC level in requests for information and requests for proposals.

How can my organization become certified?
Organizations are not permitted to provide self-certification. Certification will be handled by the CMMC Accreditation Body (www.cmmcab.org), a not-for-profit independent organization. The CMMC AB will establish a CMMC Marketplace which will include a list of approved certified third-party assessor organizations that companies can contact to schedule assessments. No set pricing structure has been determined and CMMC certification will be valid for a period of 3 years. The OUSD(A&S) has estimated that certification to level 1 should be no higher than $3,000 and that grants will be made available to assist small businesses.4

What should my organization do now?
Organizations in the DoD chain of supply should familiarize themselves with the CMMC requirements, evaluate their current practices and procedures, and identify gaps, as certification will soon be a requirement for contract awards. While some organizations may already be able to achieve compliance, others may need to consider contracting with outsourced IT companies and, if doing so, should also verify that organization’s CMMC compliance. A thorough assessment and gap analysis can help determine your organization’s desired level of maturity and guidelines toward compliance. Depending on your desired level of maturity, cybersecurity monitoring and a system security plan will need to be developed and implemented as part of your organization’s routine processes. Katie Arrington has stated that CMMC requirements could be included in DoD solicitations as early as November 2020.5 However, she has stated that CMMC certification will not be required until the time of contract award, allowing contractors additional time to obtain certification.

For more information, the Office of the Under Secretary of Defense for Acquisition & Sustainment has created an FAQ page at https://www.acq.osd.mil/cmmc/faq.html.

Download the CMMC at:
https://www.erai.com/customuploads/newsletter/CMMC_ModelMain_V1.02_20200318.pdf



1https://www.acq.osd.mil/cmmc/docs/CMMC-V0.6b-20191107.pdf

2https://www.archives.gov/cui/about

3https://spycloud.com/the-latest-from-dods-katie-arrington-on-cmmc-and-next-steps-for-dib-suppliers-awaiting-cmmc-audits/

4https://spycloud.com/the-latest-from-dods-katie-arrington-on-cmmc-and-next-steps-for-dib-suppliers-awaiting-cmmc-audits/

5https://www.govconwire.com/2020/05/katie-arrington-cmmc-requirements-in-rfps-expected-in-november/






SSL, a False Sense of Security




Secure Sockets Layer (SSL) is a protocol used to provide privacy and security between two computers. When browsing a website, you will notice the use of SSL by a padlock in the browser address bar along with the HTTPS prefix in the website’s URL address. SSL helps to provide assurance that your communication with the website is secure and encrypted.

When SSL encryption was first introduced, it was a costly addition to a website that was only available to larger companies such as banks, financial institutions, large retail portals and government sites. There were only a handful of providers of SSL certificates and companies had to go through a lengthy validation process to obtain and enable the SSL technology on their sites. Often, a lengthy documentation list was required (including business license and various other proof of a business’ legitimacy).

Due to the vetting process required to obtain a valid SSL certificate, it is commonly assumed that a site with SSL is fairly trustworthy. Many times, people also assume that the SSL symbols are an indication of a website’s legitimacy. Some popular browsers (e.g. Google Chrome) enabled features that would mark non-SSL sites as “not secure” and those with a valid SSL as “secure”, further feeding into this misperception.

Unfortunately, these assumptions no longer hold. This has changed dramatically with SSL technology becoming mainstream and widely available. These days you can get an SSL add-on to any domain you register with a majority of internet service providers who collect only a minimal amount of information. SSL certificates can be obtained for free and implemented in minutes through technologies such as Cloudflare, and, as far as a browser is concerned, the site is considered “secure”.

It is important to remember that SSL ONLY means that the information that is exchanged between you and the site is securely encrypted and cannot be intercepted and viewed by a third party. It does not say ANYTHING about the quality of the information being exchanged.

If you have accessed a phishing website that has a valid SSL certificate, it only means that your computer will be compromised in a way that is secure from third party intercept and observation. If you entered a website that is there to defraud you, your communications with them are protected from prying eyes. SSL encryption does not provide any guarantees that the content you are accessing is not harmful and that the company whose website you just accessed is legitimate or trustworthy. All it means is that the company has purchased/obtained a widely-available encryption tool and installed it on their site shielding your interaction with the website from third parties.
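To see what a certificate actually vouches for, the following added example (not ERAI's code) reads the fields Python's standard ssl module returns for a site's certificate. The two sample certificates and their names are constructed for illustration; a certificate whose subject carries no organization name was issued on proof of domain control alone.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_certificate(hostname, port=443, timeout=5.0):
    """Connect to a site and return its validated certificate as a dict."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _flatten(name):
    """Turn the nested tuples used for 'subject' and 'issuer' into a dict."""
    return {key: value for rdn in name for key, value in rdn}


def describe_certificate(cert, now=None):
    """Summarise what identity the certificate asserts, and how old it is."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    now = now or datetime.now(timezone.utc)
    organization = subject.get("organizationName")
    return {
        "domains": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        # Present only when the issuer verified a legal entity (OV/EV).
        "validated_organization": organization,
        # True: the issuer checked control of the domain and nothing else.
        "domain_validated_only": organization is None,
        # A very young certificate on an unknown supplier's site is a
        # prompt for further vetting, not proof of fraud.
        "age_days": (now - issued).days,
    }


# Constructed samples in the format getpeercert() returns.
DV_SAMPLE = {
    "subject": ((("commonName", "parts-supplier.example"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Free CA"),),
        (("commonName", "Example Free CA R1"),),
    ),
    "notBefore": "Jun 15 00:00:00 2020 GMT",
    "notAfter": "Sep 13 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "parts-supplier.example"),),
}
OV_SAMPLE = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Distribution Ltd"),),
        (("commonName", "www.distribution.example"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Commercial CA"),),
    ),
    "notBefore": "Jan 10 00:00:00 2020 GMT",
    "notAfter": "Jan 10 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "www.distribution.example"),),
}
SAMPLE_NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE):
        print(describe_certificate(sample, now=SAMPLE_NOW))
    # For a live site: describe_certificate(fetch_certificate("www.erai.com"))
```

Even a validated organization name only says that an issuer checked a legal entity's paperwork; it says nothing about how that entity conducts business.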

As ERAI has recently reported a number of online wire fraud alerts, we have had several members asking if it is worthwhile to contact the issuers of the fraudulent site’s SSL certificates and petition for their revocation. Ten years ago, when there were just a few SSL providers, this would be a valid suggestion. Unfortunately, today, a revocation of an SSL certificate (even if it was achieved) would only mean that the offending site would have to change the hosting location or the site’s URL (e.g. from .com to .net) and obtain a new SSL certificate within days before resuming operations.

As an example, Component-HK has been reported by ERAI multiple times for taking money in advance for goods but never supplying the goods and is part of a criminal network ERAI has been tracking since 2017. Their website, www.component-hk.net, contains an SSL certificate, which displays a message stating “Connection is secure”. While your communication with this website appears to be secure, conducting business with this company will not be. It is also worth noting that the website address ends in “.net” while the website displays a logo for Component-HK.com. The company may have had to change their website address in order to obtain a new SSL certificate.



The only way to protect your organization from fraudulent suppliers is to conduct a thorough background check. This includes obtaining and verifying an organization’s trade references within the electronic supply chain, using safer payment methods such as net terms, PayPal or escrow when dealing with new suppliers, and understanding that a deal from an unknown source that sounds too good to be true often is. It is also critical to report fraudulent suppliers and suspicious websites to ERAI to help other organizations in the chain of supply make safer supplier selection choices.


From the ERAI Files: Email Compromise

ERAI Tip: Be sure you are communicating with legitimate contacts

On June 18, 2020 a buyer placed an order totaling $2,566.93 with an independent distributor (ID) located in Europe on wire transfer in advance payment terms. According to the ID, they were unable to provide all of the requested parts and checked with the buyer to see if they would accept a revised quantity. When no response was received by July 8, 2020, the ID contacted the buyer again, asking if the revised quantity was acceptable and attached an invoice totaling $2,169.87 for the revised quantity.

The buyer responded on July 9, 2020 stating they had already made payment and provided the ID with a copy of a wire transfer confirmation showing payment in the amount of $2,576.73 was sent on June 29, 2020 to a bank located in the United States. The ID immediately informed the buyer that this was not their bank account and that they had only issued the invoice on July 8, 2020.

A review of emails took place between the ID and the buyer.

On June 18, the buyer had attempted to wire funds to a US bank account they had received in an email allegedly from the ID. On June 26, the buyer replied to the email seeking confirmation of the company's address and SWIFT code, as the wire would not go through. The same day, the buyer received another email apparently from the ID apologizing for the delay and stating the accounting department had mistakenly provided their Euro bank information instead of the USD information. The sender attached a revised invoice and provided new bank information.

A comparison of the legitimate and falsified invoices shows several discrepancies: the initial invoice appears to include a cut and paste of the original purchase order in the body of an invoice from the ID (various fonts and sizes were used in both); the date was not written in the European format used by the ID; the invoices mention "tax" rather than a European VAT; and the revised invoice was retyped and a shipping charge of $30 was added, but the bank information was not changed. The review also indicated that the ID’s legitimate emails had a different title than those of the imposter.

Immediately upon learning of this matter, the ID changed the passwords to their email account as well as that of their online trading platform accounts. The ID contacted their email service provider, requested an investigation and is awaiting a response. The customer was unable to recover the funds and sustained a loss of $2,576.73 due to possible business email compromise.

In another instance, an organization received an unsolicited email in which the identity of an Independent Distributor (ID) had been fraudulently used in an attempt to purchase goods on net terms. As the email contained misspellings and grammar errors, the organization contacted the ID directly and was informed that this email was not sent by the ID.

The body of the email referenced the ID’s corporate name and contained their company logo, and the email header made the message appear to have been sent from a legitimate email address used by the ID. The ID believes this email was spoofed and is looking into the situation. As the organization performed their due diligence, the organization did not sustain a loss.

The imposter was able to manipulate the Buyer into believing they were communicating with the ID through the use of email spoofing. Email spoofing is when the sender of an email forges (spoofs) the From address in the email header, so the message appears to have been sent from a legitimate email address. Part of the reason why spoofed emails are prevalent is that it is incredibly easy to spoof an address. Any email server can be configured to send from any domain (e.g. erai.com) and there are even websites that will let you send one-off emails using any email address for free. But both of these methods leave telltale tracks that give the message away as spoofed.

To find these tracks, you need to look at the email header. The header contains critical components of every email – From, To, Date and Subject – as well as detailed information about where the email came from and how it was routed to you. Importantly, it also contains the results of the verification process your email provider used to determine if the sending server has permission to send using that domain (i.e., is this server authorized to send emails from erai.com?).

How you display email headers depends on which email service you’re using. For detailed directions on how to locate email headers in all mainstream mail client software, visit https://mxtoolbox.com/public/content/emailheaders/. For Gmail, open the email, click on the three vertical dots next to the reply arrow and select “Show Original”. If you are suspicious of an email you receive, send a separate email or contact the sender by phone and confirm they sent the original message. Do not click on any embedded links contained in the suspicious email and keep your anti-malware and web protection software active and up to date.
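Once the raw headers are in hand, the check described above can be scripted. The following is an added example, not part of the original newsletter: it reads the SPF, DKIM and DMARC verdicts recorded by the receiving server and compares the visible From domain with the Return-Path and Reply-To domains. All domains and the sample headers are constructed, and `trusted_authserv` is an assumed name for your own mail server's identifier.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (all domains and addresses are made up).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.buyer.example;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=distributor.example
From: "Accounts Dept" <accounts@distributor.example>
Reply-To: accounts.distributor@freemail.example
Subject: Revised invoice
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from Authentication-Results
    headers stamped by our own receiving server; a sender can forge others."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv = value.split(";", 1)[0].strip().lower()
        if authserv != trusted_authserv.lower():
            continue
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(mech.lower(), verdict.lower())
    return verdicts

def spoofing_indicators(raw, trusted_authserv):
    """List the header 'tracks' that suggest the From address is forged."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    verdicts = auth_results(msg, trusted_authserv)
    findings = [f"{m}={verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    # SPF checks the envelope sender (Return-Path), not the visible From.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(spoofing_indicators(SAMPLE, "mx.buyer.example")))
```

In the sample, SPF passes only because it was evaluated against the Return-Path domain; the DMARC failure and the mismatched Reply-To are what reveal that the visible From address is not authenticated.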




COVID-19 and Force Majeure Contract Language




On September 25, 2019, an Independent Distributor (ID) placed a purchase order with a Maintenance and Repair Organization (MRO) for an electronic part commonly used in aircraft totaling $8,140.00. Because this was a special order, payment terms were 50% in advance with the balance due 30 days after delivery of the parts.

The ID paid the 50% deposit as required via credit card on September 26, 2019. The ID’s purchase order contract specified a delivery date of February 13, 2020. The MRO’s sales order reiterated the February 13, 2020 delivery date.

On February 26, 2020, when the goods had not been delivered as agreed, the ID requested a delivery status update. A representative of the MRO indicated they would provide an update “as soon as possible”. On March 12, 2020, the ID again pressed for a delivery status update. This time, the MRO responded stating, “I will have a date for you this week. Unfortunately, our manufacturer has encountered delays due to the severity of COVID-19. I will be in touch with you this week to provide you with a firm delivery date.” A firm delivery date was not provided.

On April 6, 2020, the ID requested a refund of their advance payment. The MRO responded, “these units are expected to ship May 18th.” This delivery deadline was not acceptable to the ID who then formally requested a cancellation. The MRO would not accept the cancellation citing the order acknowledgment which stipulated the order was non-cancellable/non-returnable. The MRO assured the ID the parts were on track to deliver “next month”. The ID states subsequent requests for a delivery update went unanswered.

On June 17, 2020, the MRO responded via email to ERAI when they were advised a complaint had been filed against their organization. A representative from the MRO stated:

“Attached is our Sales Order Acknowledgement; highlighted you will see that this order was/is NON-CANCELLABLE/NON-RETURNABLE. In addition, please refer to clause [redacted] of our order acknowledgement; Force Majeure which we refer to COVID-19. Unfortunately, due to COVID-19 and the restrictions beyond our control, this order has been delayed. Our manufacturing has fallen behind due to the pandemic however we have every intention of fulfilling our Customer's order. This order is nearly complete and we expect to ship as soon as possible.”

The MRO will not accept the ID’s cancellation. Instead, they offered the ID a 15% discount for any inconvenience caused by the delivery delay. The ID considers the order cancelled and is seeking reimbursement of their advance payment.

Of note, the MRO’s Terms and Conditions of Sale clause regarding Force Majeure is incomplete. The language states that performance of the contract is considered suspended during the force majeure period; however, language is missing that details what actions are taken upon cessation of the force majeure. Had the ID reviewed the MRO’s terms and conditions, they would have noticed that the language was incomplete and may have avoided a financial loss.

When looking at issues caused by force majeure, courts typically look to determine if the event qualifies as force majeure, if the risk of nonperformance was foreseeable and could be mitigated, and how difficult performance of the contract is given the circumstances.[1] These factors will help the court to determine if performance of a contract is difficult or truly impossible.

The language contained in force majeure clauses often varies and should be evaluated prior to placing an order to determine if your organization can rely on it to excuse nonperformance of a supplier’s contract. Additionally, check for inclusion of language that provides relief if there is a nonperformance due to force majeure. Also consider if event-specific insurance coverage is available as well as business interruption insurance, which can provide coverage for coronavirus losses. Suppliers should also document all steps taken to mitigate nonperformance of a contract, including notifications made to customers, as under most force majeure clauses, the party invoking force majeure must provide notice to its customer of the expected duration and effects of the force majeure event excusing performance.[2]

While force majeure clauses typically limit the seller’s requirements during an event, lack of a clause can put the buyer at risk of a financial loss or delivery delay under Uniform Commercial Code Sections 2-613, 2-614 and 2-615. If a contract lacks a force majeure clause or the clause is incomplete, common law doctrine dictates that if it is impossible to perform a contract due to events that cannot be reasonably anticipated, then nonperformance is excused or delayed.[3] However, the parameters can vary from jurisdiction to jurisdiction, meaning buyers may be expected to endure delays due to COVID-19 disruptions. Buyers and sellers should agree when contractual obligations will resume after an event has ended and the expectations should be clearly outlined prior to entering into a contract.

Whether or not the COVID-19 pandemic is covered under force majeure may trigger the creation of language in clauses that specifically address pandemics as they can result in supply chain interruptions, workforce cessation and material shortages. These clauses should take into consideration if either or both parties have the right to terminate a contract in the event of a prolonged force majeure event. Event-specific provisions could also be included to address examples such as a defined allocation that a customer might receive in the event of shipment disruptions or the identification of alternate production sites for manufacturing contracts. As always, governing law and dispute resolution provisions should also be taken into consideration.

As always, please consult with your organization’s legal counsel.


[1] https://www.paulweiss.com/practices/litigation/litigation/publications/update-force-majeure-under-the-coronavirus-covid-19-pandemic?id=30881

[2] https://www.wilmerhale.com/en/insights/client-alerts/20200413-drafting-force-majeure-clauses-in-light-of-the-covid-19-pandemic

[3] https://www.mwe.com/insights/force-majeure-and-covid-19-frequently-asked-questions/




Articles You Cannot Afford to Miss


Coronavirus causes sourcing headaches for buyers
http://www.electronics-sourcing.com/2020/04/02/coronavirus-causes-sourcing-headaches-for-buyers/

Large numbers of counterfeit Intel CPUs are circulating in China
https://www.notebookcheck.net/Large-numbers-of-counterfeit-Intel-CPUs-are-circulating-in-China-Retailers-are-attempting-to-RMA-en-masse.462021.0.html

ECIA survey finds increased concern over Covid-19
https://epsnews.com/2020/04/23/ecia-survey-finds-increased-concern-over-covid-19/

USTR adds Amazon sites to ‘notorious markets’ list
https://www.securingindustry.com/electronics-and-industrial/ustr-adds-amazon-sites-to-notorious-markets-list/s105/a11631/

US, Japan and China move to become self-sufficient in semiconductors
http://english.hani.co.kr/arti/english_edition/e_business/944802.html

U.S. tightens rules to crack down on Huawei's chip supply
https://www.latimes.com/business/story/2020-05-15/u-s-tightens-huawei-chip-supply

Report: Shortages Threaten Electronics Supply Chain
https://www.ecommercetimes.com/story/86680.html

How COVID-19 Has Impacted the Electronics Supply Chain
https://www.sourcetoday.com/supply-chain/article/21132924/how-covid19-has-impacted-the-electronics-supply-chain

As Tensions Rise in Hong Kong, so Does the Possibility for Supply Chain Disruptions
https://www.sourcetoday.com/supply-chain/article/21134967/as-tensions-rise-in-hong-kong-so-does-the-possibility-for-supply-chain-disruptions?utm_source=Source+Today

U.S. lawmakers unveil bid to boost domestic chipmaking industry
https://www.reuters.com/article/us-usa-china-semiconductors-bill/u-s-lawmakers-unveil-bid-to-boost-domestic-chipmaking-industry-idUSKBN23X05C

Renewed optimism amid electronics supply chain
https://www.ept.ca/2020/06/renewed-optimism-amid-electronics-supply-chain/

Pentagon releases 'initial' list of Chinese military-linked companies operating in US
https://www.washingtonexaminer.com/news/pentagon-releases-initial-list-of-chinese-military-linked-companies-operating-in-us

U.S. Officials Fear Chinese Predatory Acquisitions During Pandemic
https://www.nationaldefensemagazine.org/articles/2020/7/2/officials-fear-chinese-predatory-acquisitions-during-pandemic