The legal profession in South Africa is reeling after Edward Nathan Sonnenbergs Inc (ENS), Africa’s largest law firm, has been found liable to pay R5.5 million in damages stolen through a cyber crime attack on its email system, writes Tania Broughton.
Lawyers are now urging the Legal Practice Council (LPC) to give guidance on steps they can take to avoid liability in business email compromise matters and what must be included in their email disclaimers.
“This is extremely concerning,” one attorney, who did not wish to be named, told Africa Legal. “We believe that we require the input of the LPC.”
The lawsuit, heard by Johannesburg High Court Judge Phanuel Mudau, was brought by a property buyer, Judith Hawarden, who deposited R5.5 million into what she believed was the firm’s trust account.
ENS had been appointed by the seller of the property to handle the conveyancing. Hawarden had been in touch with a secretary in the property division who, via email, sent her a PDF confirming the firm’s banking details.
What neither knew was that the email had been intercepted and had been hacked. The PDF had been altered to change the banking details to one controlled by the fraudsters. The money was never recovered.
The relevant emails did not contain any warning about the prevalence of business email compromise and that depositors must double-check before making deposits.
Hawarden, in her claim, said that ENS owed her a duty of care, and that in corresponding with her, it also had a legal duty to warn her of the danger of business email compromise (BEC) and its prevalence.
While ENS denied liability, claiming that Hawarden herself had been negligent, Judge Mudau this week ruled against the firm. He noted that a joint expert meeting had agreed that, had a secure portal been used by ENS to communicate its banking details to the plaintiff, there would have been no way for the cyber criminals to tamper with the sensitive letter or documents.
Judge Mudua said ENS owed at least a general duty of care to a purchaser of property and the “near-universal practice for conveyancers to send their banking details by email does not absolve ENS of its unsafe behaviour”.
The judge said Hawarden could not be faulted for placing her trust in the firm, which she knew was large and reputable. He said ENS was the proximate cause of the loss and the risk of loss was highly foreseeable.
“The evidence in this case shows that BEC attacks are rife, especially in the conveyancing industry. The parties’ experts agree that BEC has been around for many years.
“ENS contends that if this court holds ENS liable, it would expose all conveyancers, big and small alike, to claims of the same kind by third parties, with whom they have no relationship, for losses they suffered at the hands of fraudsters who hacked their own email accounts.
“ENS contends that the ripple effect thereof would not only extend to all firms of attorneys, but indeed to all businesses who send their invoices, with their banking details, to their clients by email which is a near universal practice for all firms.
“ENS submits that it is the responsibility of the debtor, who chooses to make an electronic payment, to ensure that it is paid into the right account,” the judge said.
He said while Hawarden was not ENS’s client, the firm owed her a general duty of care as a purchaser of property.
“ENS, as Hawarden contends, had control over the way its bank account details were conveyed to her. It chose to do this by way of an unprotected email attaching its bank account details as a PDF document which could be easily manipulated as the evidence clearly established.
“ENS failed to safely communicate its bank details using technical safety measures … Hawarden depended on (ENS) to act professionally.
“I have no difficulty in finding that the firm’s banking details were financially sensitive information and needed to be treated as such, that the risk of BEC was foreseen by ENS … and that sending bank details by email is inherently dangerous.
“The interests of society demand that a legal duty is recognised in this case,” Judge Mudau concluded.
He also ordered ENS to pay Hawarden’s costs on a punitive scale for breaching Hawarden’s privacy by using personal documents in the case which it took from her computer during an investigation into the breach, in spite of undertakings that it would not.
To join Africa Legal's mailing list please clickhere
Copyright : Re-publication of this article is authorised only in the following circumstances; the writer and Africa Legal are both recognised as the author and the website address www.africa-legal.com and original article link are back linked. A bio for the writer can be provided on request.