The recent reversal by the Supreme Court of Appeal (SCA) of a high court decision on liability in the event of cybercrime has far-reaching implications for consumers. It essentially means you need to tighten security measures on your digital devices and be especially cautious when transferring large sums of money online.
The case, which has been covered widely in the media over the past two weeks, involved what is termed “man-in-the-middle” email fraud. A cybercrime outfit intercepted emails between a property buyer, Judith Mary Hawarden, and the property seller’s conveyancing attorneys, Edward Nathan Sonnenberg (ENS).
The outfit impersonated the attorneys in emails to Hawarden, giving its own bank account number of the account into which funds were to be transferred. Hawarden transferred R5.5 million electronically into what she thought was the conveyancers’ trust account when, in fact, it landed in the fraudsters’ grubby hands.
Hawarden took ENS to court, claiming compensation for her loss. In the Gauteng High Court in January 2023, Judge Phanuel Mudau handed down judgment in favour of Hawarden, arguing as follows:
“Hawarden (an elderly divorced pensioner) was not sophisticated enough to know how to protect herself from the risk of business email compromise. On the contrary, ENS was aware of the risks. Despite this, it failed to safely communicate its bank details using technical safety measures or multichannel verifications. Notwithstanding the near-universal practice for conveyancers, and indeed for other businesses, of sending their banking details by email, ENS knew better and should have taken precautions against the loss.”
In a similar case two months later, in March 2023, Judge Denise Fisher ordered PSG Wealth to reimburse Jan Jacobus Gerber his retirement investment of more than R800 000, which he had lost in a similar “man-in-the-middle” interception by cybercriminals.
Referring to the Hawarden case in her judgment, Judge Fisher said: “PSG Wealth had an obligation to its clients to employ resources, procedures and appropriate technological systems that can reasonably be expected to eliminate, as far as reasonably possible, the risk that clients will suffer financial loss through theft or fraud … The assumption of these contractual obligations must be construed in the context that cybercrime is universally recognised as a scourge.”
The cases entrenched the duty of professional institutions, such as asset managers, banks and law firms, to reasonably protect the public from cyber fraud. You, the reader, can judge for yourself whether the duty has been undermined by the appeal decision.
Supreme Court judgment
ENS appealed Judge Mudau’s decision and, in a unanimous judgment handed down on June 10, the SCA overturned it.
According to commentary on the case by Victoria Campos, a partner, and Micaela Pather, an associate at Webber Wentzel, the SCA confined itself to determining whether ENS was wrongful in an omission that caused financial loss. It held as follows:
• In our law, it is an established principle that persons cannot generally be held liable in delict (in other words, be held liable for acting wrongfully) for losses caused to others by omission.
• Hawarden was not a client of ENS and there was no attorney-client relationship between them.
• Hawarden's own email account had been compromised and this ultimately led to her loss.
• Hawarden had been warned of the risk of business email compromise by Pam Golding just three months previously.
• She enlisted Standard Bank to assist her with the transaction and did so at the computer of an individual who worked at the bank. She could have easily asked the bank employee to verify the bank details of ENS. Further, Hawarden was given the option of furnishing a guarantee versus an electronic transfer to ENS. She elected to forgo a bank guarantee for a cash transfer.
• It would have been “fairly easy” for Hawarden to avoid the risk of business email compromise. She could have verified ENS’s bank account details by enquiring with the attorneys at ENS, whom she had called while at the bank. (She had previously telephonically verified the bank details of Pam Golding.)
• In the words of the court, “she had ample means to protect herself … she must, in the circumstances, take responsibility for her failure to protect herself against a known risk”.
• ENS could not be held responsible for Hawarden's loss.
“The judgment serves as a cautionary tale for both creditors and debtors in all businesses, emphasising the importance of vigilance, secure payments and multi-verification payment processes,” Campos and Pather say. “It also serves as a reminder that the person making the payment bears a responsibility to ensure that it is made into the correct account.”
I hardly need to add that the larger the amount involved, the more precautionary measures you need to take. Transferring R5.5 million for a property requires proportionately more vigilance than buying an R500 sweater online.
* Hesse is the former editor of Personal Finance.
PERSONAL FINANCE