BECause Cyber Security is Imperative
The case of Hawarden v Edward Nathan Sonnenbergs Inc. 13849/2020 [2023] ZAGPJHC 14 (16 January 2023) concerned a dispute between the purchaser of a property, Judith Hawarden (“Hawarden”), and law firm Edward Nathan Sonnenbergs Inc. (“ENS”), who was appointed as the conveyancer in the property transaction. Hawarden made an EFT payment of R5.5-million, being the balance of the purchase price of the property, directly into ENS’s trust banking account.
Payment was made using the details provided to Hawarden by ENS by way of email. However, the Plaintiff fell victim to a hacking incident, whereby the email containing ENS’s banking details was intercepted and amended to reflect different (incorrect) banking details, which resulted in the R5.5-million being transferred directly into the hacker’s bank account. This amounted to what is commonly referred to as Business Email Compromise (‘BEC’), a recognised form of cybercrime. As a result of this, Hawarden brought a delictual claim of pure economic loss against ENS in the amount of R5.5-million.
Having heard the evidence presented by both sides, the court ultimately found in favour of Hawarden. In delivering its judgment, the court highlighted the importance of cyber security, particularly in conveyancing transactions, and more specifically in an environment where a duty of care rests upon a company operating at the scale and in an environment within which ENS operates.
It was concluded that ENS failed to exercise its duty of care in not highlighting the risks of BEC. It was also concluded that the sharing of banking details by way of email, in an unprotected pdf (without an access password), illustrated negligence on the part of ENS.
The argument presented by ENS, that an order in favour of Hawarden would open up a proverbial can of worms for conveyancers industry-wide, was dismissed by the court. The court reiterated that, as experts and facilitators of these potentially vulnerable transactions, law firms/conveyancing attorneys owe a duty of care toward parties who place their trust and dependence in them, to securely and effectively provide the services that they purport to provide.
Shortly after its judgment in the above case, the Johannesburg High Court handed down its judgment in the appeal case of Hartog v Daly and Others (A5012/2022) [2023] ZAGPJHC 40 (24 January 2023), which saw the court decide on a similar set of facts involving the threat posed by BEC. Here, the court held the conveyancing attorney, Gavin Roy Hartog (of Gavin Hartog Attorneys) (“the conveyancer”) liable for payment of the proceeds of a sale of immovable property in respect of which the conveyancer was under a mandate to facilitate.
The conveyancer was contacted directly by a fraudster purporting to be the respondents, and was provided with the details of a Standard Bank banking account belonging to the fraudster. The conveyancer thus fell victim to BEC.
Interestingly, the court explored the issue of liability of financial institutions in such fraudulent transactions, given the conveyancer joined Standard Bank as a respondent in the matter and instituted a delictual claim against it. It was argued that Standard Bank has a legal duty of care to ensure these fraudulent transactions do not arise. The court disagreed, affirming that Standard Bank acted neither wrongfully, nor negligently in the circumstances. The court agreed that Standard Bank followed due procedure, and that the fraudster did not traverse any rules or regulations that would ordinarily prompt the financial institution to raise alarm bells or conduct an urgent inquiry into the transaction. The claim was accordingly dismissed.
These cases serve as a reminder of the ever-present threat of cybercrime and the importance of ensuring an effective and updated system of cyber security within one’s business. Such cases also highlight the potential risks and responsibilities that partner the provision of professional services and are likely to be far reaching in the legal industry.