Proceed with caution: the sca overturns cyber fraud ruling

This week, the Supreme Court of Appeal (‘the SCA’) in Edward Nathan Sonnenberg Inc v Judith Mary Hawarden (421/2023) [2024] ZASCA 90 overturned a seminal High Court ruling on cyber fraud. In a considered analysis, the SCA unanimously held that a law firm (‘the Appellant’) is not delictually liable for pure economic loss emanating from a failure to warn a purchaser of immovable property (‘the Respondent’) of the risk of fraudulent email interceptions.

In 2019, the Respondent was scammed out of R5.5 million after she received an email instructing her to pay the balance of the purchase price against registration of the transfer of the property into a bank account believed to belong to the Appellant, which was appointed by the seller to attend to the transfer. Unbeknownst to the Respondent, her email communications were intercepted by fraudsters who altered the Appellant’s bank details and replaced their emails with forged communications. The hackers maintained a sophisticated web of deception for long enough to defraud the Respondent, who subsequently instituted legal proceedings against the Appellant in an attempt to recover her R5.5 million.

Last year, the Johannesburg High Court ordered the Appellant to compensate the Respondent for pure economic loss – R5.5 million – stemming from their omission to warn her of the risk and prevalence of email fraud. In the conveyancing context, law firms purportedly have a duty to combat this risk by notifying parties involved in commercial transactions of known cyber fraud and implementing adequate security protocols to mitigate loss.

Focusing squarely on the element of wrongfulness, the SCA remarked that neither negligent omissions nor conduct which results in pure economic loss are prima facie wrongful. Instead, delictual liability for negligent omissions or conduct causing pure economic loss is permitted where public and legal policy considerations demand it. Following established case law, Dawood AJA noted the ‘risk of indeterminate liability as the [primary] policy consideration [militating] against the recognition and liability for pure economic loss’. In other words, the nature of pure economic loss – distinct from loss resulting from property damage or physical harm – creates the risk of unpredictable, wide-ranging liability.

In an analysis of the facts, Dawood AJA noted that the Respondent was previously warned by the estate agent of the risk of cyber fraud – and heeded that warning when she telephonically verified the agency’s bank details before transferring the deposit of R500 000.00. Since the seller appointed the firm to register the transfer, there was no attorney-client relationship between the Respondent and Appellant. Indeed, the Respondent’s loss emanated from cyber criminals gaining access to her email account instead of infiltrating the Appellant’s IT systems. Moreover, the Respondent elected to forgo obtaining a bank guarantee – as provided for in the agreement of sale – and instead sought to make a cash payment. Importantly, she did not telephonically verify the firm’s bank details.

In light of these factors, Dawood AJA departed from the High Court’s ruling holding that the Appellant’s conduct was not prima facie wrongful in the circumstances. In reaching this decision, Dawood AJA noted that the Respondent could have easily prevented the loss by confirming the Appellant’s bank details over the phone. Significantly, the SCA held that imposing liability on the Appellant for omitting to warn the Respondent ‘would have profound implications not just for the attorneys’ profession, but for all creditors who send their bank details by email to their debtors.’ In this sense, the finding that creditors in the Appellant’s position ‘owe a legal duty to their debtors’ to safeguard them from the prospect of their email accounts being compromised is simply ‘untenable’.

It is thus advised that purchasers – along with all parties in the conveyancing transaction – familiarise themselves with the known risk of cyber fraud and exercise caution when making electronic payments.

Notwithstanding the SCA’s decision, cybersecurity measures implemented by conveyancing firms are critical to protecting recipients and distributors of electronic payments. Setting the benchmark for the legal industry, STBB has developed a revolutionary mechanism for sharing sensitive information between ourselves and our clients. Beyond this, STBB prioritises IT system security and conducts continuous staff training to protect our current and future clients from increasingly sophisticated digital scams. It is this level of risk mitigation that consumers should expect of service providers in industries where cyber fraud is so prevalent.

For more information or legal assistance, contact STBB at info@stbb.co.za or visit their website  www.stbb.co.za/

Acknowledgement to STBB as the writers and owners thereof, which can be viewed at https://stbb.co.za/stbb-newsflash-proceed-with-caution-the-sca-overturns-cyber-fraud-ruling/