Hawarden v Edward Nathan Sonnenbergs Inc. case puts cybersecurity in the spotlight

Introduction

On 16 January 2023, the Johannesburg High Court handed down judgment in favour of the plaintiff in the matter of Hawarden v Edward Nathan Sonnenbergs Inc [2023] ZAGPJHC 14. In a recent landmark ruling, the court had to confront an issue at the intersection of cyber security and corporate responsibility: whether or not organisations should be held liable for financial losses incurred through business email compromise (BEC), when their failure to protect against such risks is proven negligent. This verdict set an important precedent in navigating these issues and establishes new standards for how companies must keep themselves secure from criminal activity online.

about the case

Purchasing an immovable property, Hawarden (the plaintiff) opted to electronically transfer R5.5 million into Edward Nathan Sonnenbergs (ENS) Attorneys’ trust account for the seller. Appointed as conveyancers in this sale transaction, ENS (the defendant) was tasked with ensuring that all funds were held securely until registration of transfer had been completed.

In an unfortunate twist of fate, the plaintiff fell prey to cyber crime when executing a payment for R5.5 million. Unaware that her email account was hacked by fraudsters, she transferred funds into what appeared to be the ENS account in accordance with details emailed from a conveyancing secretary employed by ENS – but unbeknownst to both parties, these bank account particulars had been altered maliciously and all money diverted elsewhere!

Despite being aware of the cyber fraud perpetrated against them, ENS still requested full payment from the plaintiff. Unable to reach an agreement and reclaim their lost funds, R5.5 million in total, the aggrieved party chose to take legal action as a last resort.

At trial, the evidence confirmed that the defendant was aware of Business Email Compromise (BEC)-based risks and had failed to inform the plaintiff about protective measures against such cyber threats. Additionally, it is well-known that BEC attacks are rampant in particular industries; here being conveyancing services. Finally, although there were secure options available for providing bank account details – like multi-channel verification methods – the defendant chose an unsecured pdf email attachment instead.

Ruling

The Court held that ENS was liable, on various grounds, including;

  • A duty of care exists between a purchaser in a conveyancing transaction and the conveyancing attorneys handling the transaction to prevent harm resulting from the conveyancer’s failure to warn the depositor of the dangers of cyber hacking and spoofing of emails or of the fact that pdf attachments to emails containing sensitive information such as bank account details are not invulnerable to BEC;
  • Further, as an experienced conveyancer, ENS understood the risks inherent in conveyancing transactions by virtue of its own prior knowledge of the dangers of BEC, the risk of BEC was thus foreseeable and ENS was under a duty to guard against the harm eventuating – its omission to do so was negligent in the circumstances;
  • ENS was the proximate cause of the plaintiff’s loss in that it provided its own bank account details and was responsible for their accuracy and for the safety of the transmission – in failing to safeguard the safety of the transmission, ENS acted wrongfully;
  • As regard to wrongfulness, the plaintiff’s loss in the case of this nature is quantifiable and determinate and the risk of indeterminate liability as a policy consideration that militates against the recognition of liability for pure economic losses thus averted;

Factual causation was established in that but for the negligent transmission by ENS of its bank account details, Ms Hawarden would not have suffered a loss. Legal causation was also established as the negligent conduct of ENS was linked sufficiently closely to the loss suffered by Ms Hawarden for legal liability to ensue, given that the loss was reasonably foreseeable under the circumstances.

Order: The plaintiff’s claim was upheld with costs on the scale as between an attorney and client including the costs occasioned by the employment of two counsel.

Conclusion

Cyber crime is a grave risk that every individual should take steps to protect themselves against. Ms Hawarden’s situation highlights how tragic the consequences of such criminal acts can be: not only was her money stolen, but she had also suffered through three years without receiving any compensation and spent resources on legal fees to try to resolve the matter.

Taking careful consideration before transferring money and making sure who one is dealing with are simple measures which can prevent delays in financial transactions as well as legal costs associated with such cases. By using precautionary methods, individuals will be able to ensure their safety and gain timely resolution when dealing with monetary matters involving third parties.

AUTHOR

Michelle Opperman

Head of Governance & Compliance

Michelle Opperman is an admitted attorney with over 10 years’ experience in the legal industry, specialising in insurance for the past 7 years. She has extensive knowledge of the insurance industry and providing legal and technical advice and support to the business. As the Head of Governance and Compliance Michelle is responsible for identifying, managing, and reporting regulatory risks and assisting the business with overall compliance with legislation. Michelle views her role as a passion rather than a career and thrives on solving complex legal and compliance challenges.
Tags: