The supreme court of appeal has overturned a high court ruling that found that leading law firm ENSafrica was liable to pay a woman R5.5-million stolen by fraudsters who manipulated e-mails sent from the firm.
In a unanimous decision, the appeal court said the liability finding by high court judge Phanuel Mudau in the case brought by Judith Hawarden would have “profound implications”, not just for the attorney’s profession, but all creditors who send their bank details by e-mail to their debtors.
Acting Judge Fathima Dawood, who penned the judgment, said the high court’s reasoning that all creditors in the position of ENSafrica owed a legal duty to their debtors to protect them from the possibility of their accounts being hacked was untenable.
Because Hawarden’s case rested on pure economic loss, extending liability created a real danger of unpredictable, indeterminate liability.
Judge Dawood said Hawarden could have avoided the risk by verifying ENSafrica’s account details, because she had previously been made aware of the risks of business e-mail compromise fraud by the estate agency handling her property deal. She had also elected to not pay ENS through a bank guarantee but through a cash transfer.
“She must in the circumstances take responsibility to protect herself against a known risk,” Dawood said, upholding the appeal by the law firm.
The court also set aside a punitive cost order against the firm and instead ordered Hawarden to pay ENSafrica’s costs.
The case centred on an e-mail Hawarden received from what she thought was the law firm. The e-mail contained details of the account into which she then paid R5.5-million. This was the balance of money owed for the purchase of a property in Forest Town, Johannesburg. ENS had been appointed by the seller as the conveyancer.
Intercepted
But it emerged that the e-mail had been intercepted by fraudsters, who then stole the money. Hawarden did not notice that the e-mail had come from ensafirca.com – not ensafrica.com.
In her arguments, Hawarden claimed that ENSafrica owed her a duty of care, and that in corresponding with her it also had a legal duty to warn her of the danger of business e-mail compromise, that this was on the increase and that it was already prevalent.
ENS denied liability, claiming that Hawarden herself had been negligent in using an electronic transfer without ensuring that the bank details were correct.
In the high court, Judge Madau said while Hawarden was not a client of ENS, it owed her a general duty of care. He said ENS conveyed its bank account details to her through an unprotected e-mail, which was easily manipulated.
Hawarden, he said, could not be faulted for placing her trust in the firm and the risk of Hawardeen’s loss was “highly foreseeable” by the law firm.
But the appeal court’s Dawood said Hawarden’s loss was not caused by ENSafrica or a failure of their systems, but by hackers who infiltrated her e-mail account and fraudulently diverted her payment for ENS into their own account.
Hawarden had been warned by the estate agent, Pam Golding Properties, about this very risk. She had previously verified Pam Golding’s bank account details and she had not explained why she did not verify ENS’s bank account details.
“Moreover, any warning by ENS of the risk of business e-mail compromise would have been meaningless, in the circumstances of this case, because by that time the cybercriminal was already embedded in her email account.”
Judge Dawood said there was no reason to shift responsibility for her loss to ENS, and the appeal must succeed.
In the high court, Judge Madau awarded punitive costs against ENS for breaching Hawarden’s privacy by including irrelevant documents about her divorce and other investments in the court papers.
The SCA has also set this aside, and ordered that Hawarden pay ENS’s costs on a normal scale.
- This article was originally published by GroundUp. It is republished by TechCentral under a Creative Commons Attribution-NoDerivatives 4.0 International Licence. Read the original article