The Supreme Court of Appeal (SCA) has set aside a judgment that opened the door to liability claims against businesses that send their banking details in an unsecured manner to a debtor who falls victim to cyber-crime.
In January last year, the High Court in Johannesburg ordered law firm Edward Nathan Sonnenbergs (ENS) to pay Judith Hawarden R5.5 million, plus interest and costs.
Read: Cybercrime judgment has implications for FSPs that email bank details to clients
Hawarden lost the money in August 2019 when she transferred the balance owed on a R6m property purchase. Hawarden thought she was paying the money into ENS’s account, but a cyber-criminal had accessed her email account.
The criminal intercepted the emails between Hawarden and ENS’s employees. Hawarden was sent a fraudulent attachment that contained the fraudster’s bank account details. The criminal also created emails that appeared to come from ENS and altered the details on emails that were sent by ENS. As a result, Hawarden paid the money into the criminal’s bank account.
To delay the detection of the fraud, the fraudster intercepted and changed Hawarden’s proof of payment email to ENS. This gave the criminal enough time to withdraw the funds.
Hawarden subsequently instituted action against ENS to recover the R5.5m.
The High Court ruled that ENS owed a duty of care to Hawarden to ensure she did not fall victim to business email compromise (BEC). ENS had failed to perform this duty and was the direct cause of her loss.
ENS did not act wrongfully
But in a judgment handed down on Monday, the SCA found that Hawarden had not established one of the essential elements of a successful delictual claim: wrongfulness (ENS’s conduct was legally objectionable).
The court noted the distinction in South African law between delictual claims to recover a financial loss and those that arise because of damage to property or injury to a person. It is an established principle that persons cannot generally be held liable in delict for losses caused to others by omission.
Conduct that causes pure economic loss is not prima facie wrongful in the delictual sense, and it does not give rise to liability for damages unless considerations of public and legal policy require that the defendant should compensate the plaintiff for the loss suffered.
The judgment, penned by Acting Judge of Appeal Fathima Dawood, said the issue of wrongfulness in this matter needed to be considered with regard to the following:
First, Hawarden was not a client of ENS at the time of her loss, and there was no contractual relationship between Hawarden and ENS.
Second, Hawarden’s loss was not a result of any failing in the “ENS system”, but because hackers had infiltrated her email account and fraudulently diverted her payment.
Third, Hawarden paid the deposit of R500 000 into the trust account of Pam Golding Properties in May 2019. At the time, the estate agency warned Hawarden about the risk of cyber-crime and advised her to phone to verify its banking details. Hawarden did so.
But Hawarden failed to verify ENS’s banking details three months later, and she was unable to explain her failure to do so. She could have sought verification when she phoned two ENS employees while making the payment at a Standard Bank branch, or she could have asked the Standard Bank employee who assisted her.
Hawarden had “ample means to protect herself”, the judgment said.
Fourth, any warning by ENS of the risk of BEC would have been “meaningless”, because the cyber-criminal was already embedded in Hawarden’s email account when the payment occurred. Consequently, the risk had already materialised.
Risk of ‘indeterminate liability’
The SCA expressed its concern that the High Court’s judgment risked setting a problematic precedent. It would extend liability in a manner that could lead to “indeterminate liability” in that all creditors who email their bank details to their debtors might face unlimited claims for unforeseeable economic losses.
The Constitutional Court has recognised the risk of indeterminate liability as the main policy consideration that militates against the recognition of and liability for pure economic loss, AJA Dawood said.
The High Court should have declined to extend liability in this case because of the “real danger” of indeterminate liability.
Creating a legal principle that all creditors in the position of ENS owe a legal duty to their debtors to protect them from the possibility of their email accounts being hacked is “untenable”.
Hawarden could have avoided the loss
The SCA also highlighted “vulnerability to risk” as another important legal principle when determining wrongfulness in claims for pure economic loss. Essentially, the court must decide whether the plaintiff could have taken steps to protect him- or herself from suffering the loss.
In Cape Empowerment Trust Ltd v Fisher Hoffman Sithole (2013), the SCA stated: “If the plaintiff has taken or could have taken steps to protect itself from the defendant’s conduct and was not induced by the defendant’s conduct from taking such steps, there is no reason why the law should step in and impose a duty on the defendant to protect the plaintiff from the risk of pure economic loss.”
AJA Dawood said Hawarden could reasonably have avoided the risk by asking the ENS employees to verify the account details. She could also have enlisted the help of Standard Bank to verify ENS’s account details.
Furthermore, while Hawarden was at the bank branch, she had discussed the option of a bank guarantee instead of a cash transfer. She had elected to forego the bank guarantee.
The SCA set aside the High Court’s decision and upheld ENS’s appeal with costs.