Arguably, the increasing sophistication and widespread adoption of digital technologies presents far more challenges than their emergence. As global commerce continues to shift from manual to purely electronic communication media, cyber criminals double-pedal in their malicious quests to outsmart and defraud unsuspecting commercial entities. Emails being the starting point for an overwhelming majority of cyberattacks, Business Email Compromise (BEC) is a major thriving channel for cybercrime and internet fraud.
On the average in the United States of America, there were 15,208 BECs per year from 2013 to 2021, costing an estimated $8.6 billion annually and $43 billion alone between 2016 and 2021. There were nearly 20,000 BEC complaints to the Federal Bureau of Investigation (FBI) in 2021 alone.1 Reports of BEC attacks increased by 65% between 2019 and 2021, making it a critical issue for businesses including law firms.2 The consulting industry ranked second in BEC attempts worldwide in 2021 with an average of 27,770.3 This evident boom in the BEC market led to the recent South African case of Judith Hawarden v. Edward Nathan Sonnenbergs Attorneys Inc (ENS).4
The Gauteng (Johannesburg) judicial division of the High Court of South Africa was invited to determine whether a law firm acting as a conveyancer is liable in delict (tort) for pure economic loss arising from a BEC. This article briefly reviews this judicial decision and makes salient recommendations for Nigerian law firms.
2. What is BEC?
Simply put, it is a type of cybercrime where a scammer uses email to trick another into sending money or revealing confidential business information. Here, the scammer disguises as a trusted figure, and requests for either a fake bill to be paid, or for sensitive data to be deployed for another scam.
2.1 What are Some Types of BECs?
- Lawyer Impersonation – A cyber attacker gains unauthorized access to a law firm's email account which he uses to email an invoice or a payment link to a client. Here, the email address is legitimate, but the bank details are not.
- Data Theft – Targeting an information repository (such as the Human Resource Department) to steal business information. The scammer uses this information to execute BEC and make himself appear more believable.
- False Invoice Scheme – Disguising as a legitimate vendor, the scammer emails a fake bill (bearing a largely unmistakable semblance with a genuine one), with the account number being probably a digit or two off. The scammer may request payment to a different bank, advancing logical but dishonest reasons.
- CEO Fraud – A scammer either spoofs or hacks into a CEO's email account after which he mails instructions to employees to launch a financial transaction.
- Account Compromise – Here, a scammer uses phishing or malware to gain access to the email account of an employee in the finance department. Then, the scammer sends fake versions of the company's invoices to its suppliers requesting payment to a fraudulent bank account.
3. Highlight of Facts of the Case
Judith Hawarden (Hawarden) purchased a developed residential realty in Johannesburg from a third-party seller who engaged Edward Nathan Sonnenbergs Attorneys Inc (ENS) as the conveyancer. Hawarden paid the deposit of ZAR 500,000 as required under the sale agreement and thereafter, chose to pay 5.5 million Rand - the balance of the purchase price - by electronic fund transfer directly into ENS' trust account for the benefit of the seller, pending perfection of the title transfer.
ENS' conveyancing secretary emailed Hawarden on 21st August 2019, setting out its bank details in a PDF attachment. Unbeknown to Hawarden and ENS, Hawarden's email account was hacked and the email containing the bank details was intercepted by an unknown fraudster. The fraudster altered the details to reflect his bank details. Consequently, the funds which were electronically transferred by Hawarden were deposited in the fraudster's bank account rather than ENS'.
ENS called on Hawarden to make the payment of the balance which was evidently not received by ENS. An impasse ensued which both parties were unable to resolve. Hawarden then filed the instant suit against ENS in June 2020, for her loss of 5.5 million Rand as a result of the BEC.
3.1 Hawarden's Pleadings
Hawarden's claim against ENS was for pure economic loss occasioned by ENS' (tortious) negligence. She alleges that ENS owed her a duty of care, and that a breach of this duty occasioned her loss of the sum of 5.5 million Rand. She also pleaded that ENS owed her a legal duty to:
- Warn her in the relevant electronic communications of the dangers of BEC and the increase in the prevalence of the BEC type of fraud in particular;
- Warn her before making any payment to ENS to ensure that she verified that the account into which payment will be made is a legitimate bank account of ENS;
- Implement adequate security measures such as password protection of emails and/or attachments thereto or loading the ENS Trust Account as a "public beneficiary" in the FNB and Standard Bank online banking systems so that the bank account number does not require transmission by the medium of an unprotected and unsafe form of communication.
3.2 ENS' Pleadings
ENS' defence took the form of denials:
- That its conduct was wrongful, negligent, or caused the loss;
- ENS pleaded that it simply undertook to send Hawarden its trust account details, "in case the Plaintiff chose to transfer the balance of the purchase price to ENS";
- In the alternative, ENS pleaded that Hawarden was contributorily negligent by her failure to exercise reasonable care to:
- ensure that it was safe to pay the balance of the purchase price by electronic transfer;
- to ensure that the number of the account to which she transferred the balance of the purchase price was correct;
- to ask ENS' contact persons or even her own bank whether it was safe to pay the balance of the purchase price to the account number received by email.
In sum, the evidence adduced during trial was aimed at answering the question - whether ENS should be held tortiously liable for Hawarden's loss.
4. Highlight of Evidence Adduced During Trial
Hawarden paraded four (4) witnesses including herself in support of her claim, while Edward Nathan Sonnenbergs Attorneys Inc (ENS) had five (5) witnesses testify. There were joint experts' meetings held in respect of this case, considering that both sides had expert witnesses in line for testimony.
Hawarden is a retiree and senior citizen with background in social activism rather than in commerce. It was only after Hawarden had made payment that ENS sent her an investment mandate to be signed, containing several warnings about BEC and precautions to be taken.
ENS admitted to owing Hawarden a duty of care. It was established through the examinations-in-chef and cross examinations of various witnesses on both sides that ENS was well aware of the risks of BEC prior to the fraud incident, and failed/neglected to warn Hawarden of known risks of email and pdf manipulation, and precautions that Hawarden could take against BEC prior to effecting the electronic fund transfer. It was also well established that ENS neglected to either train its staff on these known cybersecurity risks or even implement its approved cybersecurity policies and procedures.
It was also established that ENS had control over the way in which it transmitted its bank account details to Hawarden, but eventually sent same in an unprotected pdf attachment despite knowledge by ENS of other technically safe measures including multi-channel verification (such as in-person or telephonic confirmation of bank details).
Regarding the portion of ENS' pleadings listed as (b) above, evidence was adduced to show that Hawarden telephoned a staff of ENS to ask whether she could elect to transfer the outstanding amount directly to ENS. In response, the ENS staff confirmed that she could proceed, and that she would be sent the appropriate ENS account details for payment. It was after this telephone conversation that ENS had sent a mail attaching a pdf containing its bank account details, which email alongside the pdf was intercepted by a cyber attacker.
Notably, the ENS staff sender's email address originally had the word "africa". This was changed by the cyber attacker to "afirca" and reflected in the email received by Hawarden. Hawarden's money was withdrawn during the period between her effecting payment and becoming aware of the fraud. The beneficiary bank into which the money was transferred was unable to retrieve the funds.
Furthermore, Hawarden gave oral evidence to the effect that the beneficiary bank was not in a position to verify the account details because it was an account domiciled at First National Bank (FNB). She testified that ENS' account details were on a formal FNB letterhead. Also, after the mistaken payment by Hawarden, ENS sent a statement of account and its banking details for Hawarden to make a second (replacement) payment. Instructively, at the foot of the statement was a warning urging the reader to telephonically verify the ENS' banking details before making any payment, a warning which was absent in its previous communication. A similar and more explicit warning even appeared in the investment mandate mentioned above.
5. Issue for Determination
The court couched the following question for determination:
- Whether the Plaintiff established her delictual (tortious) claim?
5.1 Court's Decision
The court cited with approval, the South African Supreme Court of Appeal case of Hawekwa Youth Camp v. Byre5 where it was held as follows:
However, the court held that Edward Nathan Sonnenbergs Attorneys Inc (ENS) owed at least, a general duty of care to a purchaser of property. Whilst acknowledging that it was established as a near-universal practice for conveyancers and other businesses to send their banking details to others by email, the court held that ENS could not be absolved by that very fact, from its "unsafe behaviour", which it knew at the time was unsafe and knew to take precautions against.
The court also held that Hawarden could not be faulted for placing her trust in ENS known to her a very large and reputable law firm. The court agreed with Hawarden that in a situation like hers where the possibility of BEC did not occur to her while trusting ENS, a duty exists between a purchaser in a conveyancing transaction and the conveyancing attorney handling the transaction.
The court found that ENS' banking details were financially sensitive information and that the risk of BEC of the document containing these details being intercepted and altered was a foreseeable one (from ENS' standpoint). The court equally found as a fact that ENS' lack of care/precaution was the proximate cause of Hawarden's loss in that it provided its own bank account details but was careless in its responsibility to ensure that it was accurately and safely transmitted to the recipient.
In conclusion, the court considered legal and public policy to recognize that a legal duty is saddled on ENS to protect information transmitted to its clients or other parties to a legal transaction. ENS was ordered to pay inter alia, 5.5 million Rand to Hawarden for the economic loss suffered due to its negligence.
Despite the global prevalence of BECs, the allocation of liability for negligent conduct in the peculiar circumstances of this case is quite novel. Nonetheless, the moral of this decision suggests that law firms must now begin to exercise abundant caution and assume a high level of legal and social responsibility to protect every piece of information in its custody. It is grossly insufficient for law firms to only exercise due diligence; due care must also be exercised.6
It is worth noting that ENS had an Acceptable Use Policy (a type of cybersecurity policy) which contemplated email protection by passwords. Unfortunately, ENS neither exercised due care nor did it adopt other technologies or security controls available and affordable in 2019.
Moreover, in anticipation of similar court cases on the interplay between cybersecurity and legal liability in Nigeria, this case offers compelling lessons. In humble realization of the intricacies of cybersecurity, the court permitted the convention of joint expert meetings where issues relating to cybersecurity and BECs were thrashed out. Notably, the joint expert meetings were a time-saving and highly productive avenue for the court to reach an informed decision in this case.
In addition, similar to the workings of a coroner's court, legislations must now be contemplated to create digital, information and communication technology (DICT) tribunals to conduct thorough inquests into cybersecurity breaches and disasters. As an alternative to legislations (considering the bureaucratic process of law making), courts must begin to contemplate practice directions and/or annexures to existing rules of court that empower presiding judges to exercise their inherent jurisdictions in favour of such DICT tribunals or meetings. Trial-within-trial is an established concept in the Nigerian criminal jurisprudence, so why not DICT tribunals or meetings?
In summary, law firms are strongly advised to implement the following measures immediately:
- Part-time or full-time engagement of a competent data protection officer and cybersecurity analyst to formulate the firm's business continuity strategies.7
- Formulation and immediate implementation of a firmwide cybersecurity policy.8
- Thorough and continuous training of staff on data protection and cybersecurity requirements.
- Implementation and regular assessment of cost-effective security protocols and software applications.
It is increasingly crucial to engage the attention and services of competent data protection and cybersecurity experts including legal practitioners to guide firms through the minefields deployed by threat actors in this digital dispensation. As a licensed Data Protection Compliance Organisation, SPA Ajibade & Co., can provide the necessary guidance to establishments seeking data protection and cybersecurity services.
1 Federal Bureau of Investigation, "Internet Crime Report 2021", available at https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf, accessed on 31st March 2023.
2 Gitnux Blog, "Business Email Compromise 2023: A Look at the Latest Statistics", March 15th 2023, available at https://blog.gitnux.com/business-email-compromise-statistics/#:~:text=On%20average%2C%20there%20are%2015%2C208,businesses%20to%20be%20aware%20of, accessed on 21st March 2023.
3 Statista, "Industries With the Highest Number of Business Email Compromise (BEC) Attempts Worldwide in 2021", available at https://www.statista.com/statistics/1318815/most-bec-targeted-industries-worldwide/, accessed on 14th April 2023.
4 (Unreported) The Gauteng Judicial Division (Johannesburg) of the High Court of South Africa, Case No: 13849/2020. Judgment dated 16th January 2023 delivered by Mudau J.
5 (2010) 6 SA 83 (SCA) para 22.
6 Due diligence means to establish a plan, policy, and/or process to protect the interests of an organization. Due care is practicing the individual activities that maintain the due diligence efforts; bringing due diligence to life.
7 See Olukolade Ehinmosan, "The Importance of Cybersecurity Management Planning to 21st Century Law Practice", available at: https://spaajibade.com/the-importance-of-cybersecurity-management-planning-to-21st-century-law-practice/, accessed on 31st March 2023.
8 This may be issue-specific or system-specific. The former denotes a policy that focuses on a specific network service, department, function, or other aspects, distinct from the organization as a whole. The latter focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for running or locking down a system, and mandates the adoption of specific security controls.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.