Overturning a high court ruling that it was liable for R5.5 million intercepted by a scammer. Despite the ruling letting ENS off the hook, companies need to be on high alert for cyber-crime.
In May 2024, the Supreme Court of Appeal overturned an earlier ruling of the Gauteng Local Division, which found law firm Edward Nathan Sonnenberg Incorporated (“ENS”) liable in respect of a claim relating to the sum of R5.5 million that had been intercepted by a hacker.
It goes without saying that the Gauteng Local Division judgment, handed down in January 2023, was received with some alarm across the property ecosystem, since it held that ENS, acting as conveyancer in a property transaction, was liable for the loss suffered by the property purchaser on the grounds that it failed to exercise the required legal duty of skill and care in alerting her to the dangers of criminal syndicates hacking email accounts.
There is also little doubt that this South Gauteng High Court judgement prompted a change of behaviour among conveyancers and professional services firms, particularly over the manner in which bank account details are shared.
The Supreme Court of Appeal judgement sets aside the South Gauteng High Court judgement, to the relief of many in the legal and conveyancing professions. The Supreme Court of Appeal judgement states that “The ratio of the high court judgment that all creditors in the position of ENS owe a legal duty to their debtors to protect them from the possibility of their accounts being hacked is untenable. The effect of the judgment of the high court is to require creditors to protect their debtors against the risk of interception of their payments. The high court should have declined to extend liability in this case because of the real danger of indeterminate liability.”
Despite the ruling letting ENS off the hook, the case still serves to illustrate why companies need to be on high alert for the risk of cyber-crime. Emails are often the easiest point of entry for hackers into corporate networks as a way of spreading malware (such as ransomware), viruses or – in this case – for impersonation.
This case sent a shockwave through the professional services community by highlighting the potential of “indeterminate liability” for those companies that do not exercise sufficient care in their communications with clients. Though the Supreme Court of Appeal has set aside the earlier high court judgment, professional services firms and companies should not be lulled into believing that it is “business as usual” for the foreseeable future. Lax cyber-security carries with it potentially massive financial liabilities, as well as significant reputational harm.
The facts of the case
Judith Hawarden (“Hawarden”) purchased a property for R6 million in 2019 through real estate agent Pam Golding Properties (“PGP”). She was requested to pay a deposit of R500,000 into the PGP trust account. The request came with a warning of the dangers of cyber-crime and advised her to contact PGP’s office to verify the bank account details.
Prior to making the R500,000 deposit, Hawarden phoned the office of PGP to verify the bank account details as she had been advised.
ENS was appointed as conveyancer in the transfer, and promptly dispatched a letter to Hawarden setting out the guarantee conditions and the correct banking details for the transfer of the balance outstanding on the property of R5.5 million.
That letter was intercepted by a cyber criminal who had gained access to Hawarden’s email account. The intercepted email was then forwarded to Hawarden on 21 August 2021, with fraudulent banking details.
Hawarden contacted ENS and enquired whether she could make an electronic bank transfer rather than provide a bank guarantee, which would take additional time. ENS confirmed this would be possible, but two further documents would have to be signed. These documents were duly emailed to Hawarden but never arrived. One of these contained an FNB letterhead and a warning of cyber-crime risks.
Instead, later that day an email arrived in Hawarden’s inbox that appeared to be a follow-up of her conversation with ENS earlier that day, but with one crucial error: ENS “Africa” appeared as “Afirca”. She was unaware that the ENS email had been manipulated, the fraudulent banking details inserted and the warning from FNB removed. Hawarden then made the transfer of R5.5 million to the fraudulent banking details provided, and sent proof of payment to ENS. That proof of payment from Hawarden was also intercepted and altered to say payment should reflect within 24 to 48 hours.
ENS sent Hawarden a follow-up email thanking her for the deposit of R5.5 million along with several warnings about the risk associated with business email compromises (“BEC”). Unbeknown to ENS however, the payment had already been made, and the fraudsters had withdrawn all the money.
The fraud was only discovered on 29 August 2021, by which time the money was gone.
Hawarden launched proceedings against ENS for recovery of the R5.5 million on the grounds that the law firm had failed to exercise the skill and care required of a reasonable conveyancer, and had not advised her that it was safer to effect the transfer by means of a bank guarantee.
She further pleaded that ENS is a large, sophisticated firm of attorneys, while she is an elderly, divorced pensioner without the knowledge, experience or resources to protect herself against sophisticated cybercrime such as BEC. She further averred that ENS could or should have been fully aware of and taken practical steps to minimise the risk of BEC and protect its clients from the risk of BEC, especially where banking transactions of high value are involved.
ENS denied it had a legal duty to advise Hawarden on the payment, which she had made with the help of her own bank.
In its judgement, the South Gauteng High Court found that ENS did not have adequate information security measures in place.
The Supreme Court of Appeal, however, set aside this judgement, arguing: “The issue of wrongfulness in this matter needs to be considered having regard to the following: That Ms Hawarden was not a client of ENS at the relevant time and there was no contractual relationship between Ms Hawarden and ENS. Her loss occurred at a time when there was no attorney-client relationship between them. Ms Hawarden suffered loss, not as a result of any failing in the ENS system, but because hackers had infiltrated her email account and fraudulently diverted her payment meant for ENS into their own account. The interference that caused the loss was as a result of her email account having been compromised. Ms Hawarden had been warned in the PGP letter about this very risk. In that instance she heeded the warning and verified the account details. She, however, failed to do so three months later in respect of ENS and was unable to explain her failure in that regard. It would have been fairly easy for Ms Hawarden to have avoided the risk of which PGP had warned her.”
This judgement of the Supreme Court of Appeal clarifies the duties and responsibilities of each party in a transaction of this nature, and removes the potential “indeterminate liability” that loomed over law firms, conveyancers and other professional services providers following the earlier South Gauteng High Court judgement. But it is also clear that some positives came out of the case by alerting conveyancers to the cyber-crime risks associated with money transfers.
Impact of the case on cyber security in South Africa
Cybercriminals have become more sophisticated in their endeavours, while corporate networks continue adding new devices and nodes, thereby increasing the opportunities for security breaches. We have noticed a welcome increase in companies training their staff to defend against email cyber attacks and alerting them to phishing attacks (where scammers attempt to convince the email recipient to disclose account and other details).
This is one positive outcome of the ENS case. We also see companies tightening up on basic email security measures such as two-factor authentication or multi-factor authentication, and mandating better password management. Email encryption is another popular means of preventing hackers gaining unauthorised access to company correspondence.
Then there is basic corporate cyber hygiene, such as deploying strong anti-virus software that prevents malicious emails or software being downloaded in the first place, and endpoint protection solutions that monitor all devices connecting to the network.
We, however, highly doubt that the ENS judgement will be the last word on this matter. The ENS judgement serves as a sobering reminder of the growing dangers we all face due to cyber-criminals.
We can only urge you not to let this lesson go to waste.