Cyber Law News South Africa

Victims of cybercrime - SCA's landmark ruling on responsibilities of affected parties

On 10 June 2024, in the matter of Edward Nathan Sonnenberg Inc v Hawarden [2024], the Supreme Court of Appeal (SCA) overturned a judgment and order of the Gauteng Division of the High Court, Johannesburg, which had serious and far-reaching implications for the attorneys’ profession, estate agents and all creditors who send their bank account details by email to their debtors/clients.

The effect of the preceding High Court judgment was that all creditors who send their bank account details by email to their debtors owed a legal duty to those debtors to protect them against the risk of the debtors’ payments to the creditors being intercepted by cybercriminals. The SCA disagreed with this approach in the context of the facts of this particular case.

The hack job

In May 2019, Judith Hawarden (the purchaser) concluded an agreement for the purchase of an immovable property from the seller thereof. Shortly thereafter, the estate agent sent the purchaser an email to pay the deposit into the estate agent’s trust account. Significantly, the estate agent’s email also contained a notice to the purchaser warning her of the risk of cybercrime and advising her to call the estate agent to verify the banking details before paying the deposit. The purchaser took note of the warning and first verified the estate agent’s bank account details before paying the deposit.

Unbeknown to the purchaser and the attorneys attending to the transfer of the property (the conveyancing attorneys), the purchaser’s email had been hacked by a cybercriminal. Consequently, after the initial email from the conveyancing attorneys to the estate agent (to which the purchaser was copied), all relevant emails between the conveyancing attorneys and the purchaser were intercepted by the cybercriminal.

As a consequence, the purchaser paid the balance of the purchase price into a bank account controlled by the cybercriminal instead of the conveyancing attorneys’ trust account.

The fraud was only discovered one week after the purchaser had made this final payment into the bank account controlled by the cybercriminal.

The aggrieved purchaser instituted an action against the conveyancing attorneys for the recovery of the balance of the purchase price. She claimed that the conveyancing attorneys owed her a legal duty to, amongst other things:

  • exercise the degree of skill and care of a reasonable conveyancer, who specialises in the preparation of deeds documents, to advise her that it was safer to secure the balance of the purchase price by way of a bank guarantee issued in favour of the seller in accordance with the offer to purchase;

  • warn the purchaser of the danger of “business email compromise” (BEC) and the increase in BEC type fraud;

  • alert the purchaser to the fact that criminals may try to induce her to make payments into a bank account controlled by the criminals instead of the conveyancing attorney’s bank account;

  • advise the purchaser that frauds of that nature are typically carried out by using emails or letters that appear to be materially identical to letters or emails sent to her by the conveyancing attorneys;

  • warn the purchaser, before making any payments to the conveyancing attorneys, to ensure that she verified that the account into which payment will be made is a legitimate bank account of the conveyancing attorneys;

  • advise the purchaser that if she was not certain of the correctness of the bank account, she may contact the conveyancing attorneys who will assist in confirming the correct bank account details;

  • implement adequate security measures such as protection of emails and attachments thereto;

  • load the conveyancing attorneys’ trust account as a public beneficiary in the online banking systems of the banks with which they had bank accounts; and

  • use secure portals so that users log in by means of two-factor or multifactor authentication for access.

The purchaser was also of the view that considerations of public and legal policy in accordance with constitutional norms imposed a legal duty on the conveyancing attorneys and held the conveyancing attorneys liable in delict for the damages suffered by her in breach of that legal duty.

The wrongfulness element

In its judgment, the SCA confined itself to whether or not the purchaser had in particular established the wrongfulness element for a delictual claim arising out of an omission causing pure economic loss and did not deem it necessary to deal with all of the requirements placed in issue by the conveyancing attorneys.

Referring to the decisions in Home Thought Development (Pty) Ltd v Ekurhuleni Metropolitan Municipality [2017] and Halomisa Investments Holdings (RAF) Ltd and Another v Kirkinis and Others [2020], the SCA held that South African law does not generally hold persons liable in delict for loss caused to others by omission.

The SCA, quoting the judgment in Hawekwa Youth Camp and Another v Byrne [2009], held that:

“...negligent conduct in the form of an omission is not regarded as prima facie wrongful. Its wrongfulness depends on the existence of a legal duty. The imposition of this legal duty is a matter for judicial determination, involving criteria of public and legal policy consistent with constitutional norms. In the result, negligent omission causing loss will only be regarded as wrongful and therefore actionable if public or legal policy considerations require that such omissions, if negligent, should attract legal liability for the resulting damages.”

When considering the issue of wrongfulness, the SCA had regard to the following facts:

  • the purchaser was not a client of the conveyancing attorneys at the relevant time and therefore when the purchaser’s loss occurred there was no attorney–client relationship between her and the conveyancing attorneys;

  • the loss suffered by the purchaser was not the result of any failing of the conveyancing attorneys’ system but rather because a cybercriminal had hacked and compromised the purchaser’s email account (not the conveyancing attorneys’ email account) and fraudulently diverted the purchaser’s payment of the balance of the purchase price into a bank account controlled by the cybercriminal;

  • the estate agent’s letter to the purchaser had warned her about that very risk, and the purchaser had heeded the estate agent’s warning and verified the estate agent’s bank account details when she made payment of the deposit. The purchaser, however, failed to do the same thing a few months later when it was time for her to make payment to the conveyancing attorneys and she was unable to explain her failure to do so;

  • in terms of the offer to purchase, the payment of the balance of the purchase price could have been secured by the purchaser furnishing a bank guarantee for the amount. However, the purchaser chose rather to make payment of the balance of the purchase price by way of EFT. She did so in the bank and with the assistance of her banker after having discussed the payment telephonically with two representatives of the conveyancing attorneys. She could, therefore, have obtained the assistance of her bankers to verify the conveyancing attorneys’ bank account but she could not explain her failure to do so; and

  • a warning by the conveyancing attorneys to the purchaser of the risk of BEC would have been meaningless because by that time the cybercriminal had already hacked and compromised the purchaser’s email account.

Accordingly, the SCA held that the High Court’s judgment that all creditors in the position of the conveyancing attorneys owed a legal duty to their debtors to protect them from the possibility of their email accounts being hacked was untenable. The SCA held further that the High Court should have declined to extend liability in this case because of the danger of indeterminate liability.

Responsibility

Relying on the judgments in Country Cloud Trading CC v MEC, Department of Infrastructure Development, Gauteng [2014], Cape Empowerment Trust Limited v Fisher Hoffman Sithole [2013], and Trustees for the Time Being of Two Oceans Aquarium Trust v Kantey and Templer (Pty) Ltd [2005], the SCA held that the purchaser could reasonably have avoided the risk by verifying the account details with the conveyancing attorneys, just as she had done with the estate agent when paying the deposit, or she could have had her own bank verify the bank account details. The purchaser therefore had to take responsibility for her failure to protect herself against a known risk.

This judgment will come as a great relief not only to attorneys and estate agents, but also to all creditors who send their bank account details to their debtors by way of email.

Case by case basis

However, a word of caution. Given the legal principles to be applied in matters such as this, especially that the determination by a court will involve considerations “of public and legal policy consistent with constitutional norms”, it is important to note that the facts of each matter will be extremely important in the determination. The outcome may vary, depending on the facts of each case.

In the circumstances, it is crucial that all creditors who send their bank account details to their debtors take any and all means necessary to notify their debtors of the risk of BEC and ways of ameliorating that risk.

About Lionel Dos Passos

Lionel Dos Passos is a Director at Fluxmans Attorneys.