The duty to warn our clients

by Marianne Mokken | April 13, 2023

Compliance officers

As a compliance officer, I like to keep tabs on recent case law. Law is after all my first love. When the matter of Hawarden v Edward Nathan Sonnenbergs Inc. [1] (“ENS case”) was published, it had my attention: Take some law of delict, add a dash of cybercrime and you have a match made in heaven (or at least in my books!).

The case revolves around the sale of a property and money going astray because the email from the conveyancing attorney to the client was intercepted and the banking details of the conveyancer were changed to those of the fraudster.

Not long after this decision, the High Court also handed down a decision against PSG Wealth Financial Planning (Pty) Ltd [2] (“PSG case”). The financial services arena has been my home for a few years now so again this was of particular importance to me.

The latter case revolves around a fraudster who managed to hack the email account of a PSG client and provided PSG with an instruction to change the client’s bank account details to those of the fraudster and make two withdrawals from the client’s investment, effectively wiping out the investment.

Both cases involve instances of what is known as business email compromise (“BEC”). The difference, however, between the two cases is that the ENS case was brought based on delict and the PSG case was based on contract and estoppel [3]. Another important fact to note is that both cases played out in 2019, before the coming into effect of the Protection of Personal Information Act, 4 of 2013 (“POPIA”).

Law of delict

One of the elements that must be proven in the case of delict is wrongfulness [4]. It was contended in the ENS case on behalf of the plaintiff that ENS’s conduct was wrongful in that they failed to warn her timeously of the known risk of BEC [5].

There is no general duty on anyone to prevent harm to another; everyone is expected to carry their own loss. There are, however, certain exceptions, created by case law, where a legal duty to prevent harm to another does in fact exist, and the applicable barometer is the legal convictions of the community. The court in the ENS case indicated that such a duty clearly exists between a purchaser and the conveyancing attorney responsible for the transfer of the property, which duty starts the moment the attorney decides to accept the instruction to attend to the transfer [6].

The court further found that even though it is a common practice for attorneys and other businesses to send their bank account details via email to clients, bank account details are financially sensitive information and sending them by email is inherently dangerous. A secure portal, precautionary measures or an appropriate warning is preferred [7].

Law of contract

In terms of the contracts between PSG and their client, PSG had a duty to protect the client against gross negligence and fraud. Over and above this, financial services providers, such as PSG, are subject to the General Code of Conduct for Financial Services Providers and Representatives (“General Code of Conduct”). The General Code of Conduct was incorporated into the contracts with the client and requires FSPs to “at all times have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that clients, product suppliers and other providers or representatives will suffer financial loss through theft, fraud, other dishonest act, poor administration, negligence, professional misconduct or culpable omissions” [8].

The court indicated that cybercrime is a universal problem and there is a contractual obligation on PSG to employ measures to eliminate the risk that the client will suffer a loss as far as possible. PSG could not establish that they complied with their contractual obligation in that staff circumvented their own processes. Estoppel could also not be established.

What can we learn from this?

This article is not meant to be a detailed analysis of these cases, but there are definite lessons to be learnt from them by business owners and even more so by those that are subject to professional duty. I always tell the wauko team that this could have been us, so it is better to learn from others’ mistakes rather than your own.

Here are some of my takeaways:

  • It is clear from these cases that staff should be aware of and receive training on cybercrime and how it is committed, specifically in respect of BEC. In the POPIA era, responsible parties can no longer plead ignorance of the prevalence of cybercrime in our society.
  • Employers should implement appropriate controls to avoid, as far as possible, either the company or their clients falling prey to cybercrime. These processes should be followed diligently by employees with appropriate deterrents in place to avoid staff attempting to circumvent processes.
  • If businesses wish to establish long-term relationships with their clients, they should warn individual clients of the possibility of, for example, BEC, and how they should go about avoiding falling victim to it. This warning should be issued at the start of the relationship and is especially relevant to those who send out their bank account details via email.

You can find the wauko Cybercrime Warning and Disclosure here.

What are your key takeaways from these cases?

If you need assistance with implementing policies and procedures to combat BEC, contact Dale Petersen at 021 819 7802 or at dpetersen@wauko.com to receive a helping hand from our team.

References:

  1. Hawarden v Edward Nathan Sonnenbergs Inc (13849/2020) [2023] ZAGPJHC 14 (https://www.saflii.org/za/cases/ZAGPJHC/2023/14.html)
  2. Gerber v PSG Wealth Financial Planning (Pty) Ltd (36447/2021) [2023] ZAGPJHC 270 (http://www.saflii.org/za/cases/ZAGPJHC/2023/270.html)
  3. “When a person (the representor) has by words or conduct made a representation to another person (the representee) and the latter, believing the representation to be true, acted thereon and would suffer prejudice if the representor were permitted to deny the truth of the representation made by him, the representor may be precluded (estopped) from denying the truth of the representation.” See PSG case at 81.
  4. In general, five elements must be proven: Conduct, wrongfulness, fault, harm and a causal connection between the conduct and the harm suffered.
  5. ENS case at 102
  6. ENS case at 108
  7. ENS case at 127
  8. PSG case at 46 and 48
