Cyber Security

Increase in cybercrime and Business Email Compromise – Who bears the risk?

Cybercrime is on the rise with criminals becoming more sophisticated and creative in their attacks. Organisations and individuals should be hyper-vigilant given the prevalence of these attacks. In the case of a successful attack, who will bear the responsibility and liability for damage incurred? The matter of Hawarden v Edward Nathan Sonnenberg Inc and subsequent appeal, Edward Nathan Sonnenberg Inc v Hawarden, addressed this question.

Background and High Court Ruling

Ms Hawarden purchased a property for the sum of R6 million. She was then contacted per email by the estate agency who attended to the sale of the property, Pam Golding Properties (Pty) Ltd (PGP), advising her to deposit R500 000 into its trust account as required by the contract of sale. The email warned Ms Hawarden of the risk of cybercrime and advised her to call the agency to verify their banking details telephonically. Ms Hawarden accordingly verified the banking details and thereafter made payment.

Upon receipt of the deposit, Edward Nathan Sonnenberg Inc. (ENS) received instruction from the seller to attend to the transfer of the property. Subsequently, a secretary in the employ of ENS forwarded a letter to Ms Hawarden per email containing guarantee requirements in respect of the balance of R5.5 million and the correct banking details of ENS. However, this email was intercepted by a cybercriminal who altered the banking details and caused the payment of R5.5 million to be diverted to his/her account. As such, ENS never received the balance of the purchase price.

At no point did Ms Hawarden verify the banking details of ENS (as she did with PGP before paying the deposit) despite being in telephonic contact with the firm on various occasions.

During trial, Ms Hawarden presented evidence which showed that ENS was aware of the risks of Business Email Compromise (BEC) and cybercrime and that it had failed to warn Ms Hawarden about the relevant risks and failed to advise her to take the necessary precautions. She held that ENS had control over how it conveyed its banking details and should have used more secure methods rather than email.

ENS denied any wrongful and negligent conduct and denied causation. In the alternative, ENS pleaded that Ms Hawarden was contributorily negligent in that she failed to exercise reasonable care to verify banking details.

The Court held that a duty of care exists between a purchaser and conveyancing attorneys to prevent harm resulting from cybercrime. It was further held that, as experienced conveyancers, ENS understood the inherent risks in conveyancing transactions and the dangers of BEC. The risk of BEC was foreseeable and ENS had a duty to protect Ms Hawarden from such harm. It was held that ENS’s failure to do so was negligent.

The court determined that ENS was the proximate cause of Ms Hawarden’s loss as it was responsible for the accuracy of its banking details and the secure transmission thereof. Had it not been for the negligent transmission of banking details and ENS’s failure to inform Ms Hawarden about the risks and prevalence of BEC, Ms Hawarden would not have suffered the loss.

Ms Hawarden’s claim was therefore upheld.

On appeal

The issue to be dealt with is whether wrongfulness has been established as an element for a delictual claim arising out of an omission which caused pure economic loss.

Conduct causing pure economic loss is not prima facie wrongful. In order to succeed with a claim based on pure economic loss flowing from an omission, it must be shown that policy considerations require that the plaintiff be compensated by the defendant for loss suffered.

The following test is applied in order to determine wrongfulness:

  • Would it be reasonable to impose a liability on the defendant for damages; and
  • What is reasonable would, in turn, depend on considerations of public and legal policy in accordance with constitutional norms.

Our law does not generally hold persons liable for loss caused to others by omission unless a legal duty exists to prevent harm/loss. Whether a legal duty exists involves criteria of public and legal policy.

At the time of Ms Hawarden’s loss, no contractual relationship existed between her and ENS. The loss occurred as a result of the compromise of Ms Hawarden’s email account, and not that of ENS. She had been warned by PGP about the risk and heeded the warning in respect of payment of the deposit, but did not take the same precaution when making payment to ENS, when she could have easily confirmed banking details with ENS.

A finding that ENS’s failure to warn Ms Hawarden attracts liability would have serious implications for all creditors who send their bank details by email to their debtors. The reasoning of the high court judgment that all creditors in the position of ENS owe a legal duty to their debtors to protect them from the possibility of their accounts being compromised, is irrational. The effect of the judgment of the high court is to require creditors to protect their debtors against the risk of interception of their payments. The high court should have declined to extend liability in this case because of the real danger of indeterminate liability.

The Constitutional Court, in other matters, recognised the risk of indeterminate liability as the main policy consideration against the recognition of liability for pure economic loss as, unlike losses resulting from physical harm to the person or property, pure economic loss is not subject to the laws of physics and can spread widely and unpredictably. An example was given of people reacting to incorrect information in a news report.

The Constitutional Court further identified “vulnerability to risk” as an important criterion for the determination of wrongfulness in claims for pure economic loss. It was determined that if a plaintiff has taken steps, or could have reasonably taken steps, to protect itself against loss, this is an important factor counting against a finding of wrongfulness.

Non-vulnerability on the part of the plaintiff is an important factor when determining liability of the defendant. There will be no sound reason to impose a duty on a defendant to protect the plaintiff when the plaintiff could have easily protected itself.

Vulnerability is therefore a prerequisite to imposing a duty.

Ms Hawarden could reasonably have avoided the risk by verifying the account details of ENS as she had done before her payment to PGP. As such, sufficient protection was available to Ms Hawarden.

The court therefore, on appeal, determined that Ms Hawarden had ample means of protection available and that she must take responsibility for not protecting herself against a known risk. There can be no reason to shift responsibility for her loss to ENS. It follows that Ms Hawarden ought to have failed before the high court. Consequently, the appeal must succeed.

The appeal is therefore upheld.
