THE INCREASING LIABILITY ON BUSINESSES SHOULD THEIR EMAILS BE COMPROMISED

By: Kasper Brits – Brits Law Inc.

Published Wednesday, 27 June 2023, 19:04 PM 

Cybercrime is on the rise, and the global result is an increase in the duty of care a business needs to maintain when communicating with its clients via email. Very little case law existed in this field until recently, when a surge of reported matters was dealt with on appeal in court.

During January 2023, in the case of Hartog v Daly, the court determined that an attorney was responsible for the funds he inadvertently paid into the wrong bank account. A fraudster gained unauthorized access to an email exchange between the attorney and his client, and subsequently sent the attorney an email posing as the client, providing instructions to transfer the funds into the fraudster’s account. Since the email appeared to originate from his client, he mistakenly transferred the funds to the fraudster’s account, believing it to be his client’s. In this matter the attorney challenged the bank but ultimately failed in this attempt, as it was established that the bank had followed the proper procedure to open the bank account into which the money had been paid. This case set a precedent that if a person does not do proper due diligence before making payment, the other party’s right to claim the outstanding amount from that person persists, notwithstanding the fact that the money had been stolen by a fraudster.

Few businesses maintain the appropriate security measures when sending out emails, particularly when large amounts of money are being discussed and requested.

ATTORNEYS LIABLE

Furthermore, in January 2023, a significant legal case known as Hawarden v ENS Inc unfolded in the Johannesburg High Court, where one of the nation’s largest law firms was entrusted with the role of conveyancers. Regrettably, due to a breach in their email security, the firm became liable for reimbursing a property purchaser a substantial sum of R5.5 million. This situation arose when the compromised emails led the purchaser to mistakenly make a payment into a fraudulent bank account, the account details having been changed on the firm’s PDF document. The court mentioned that there are numerous security measures which may have prevented a compromise in their emails, such as:

  • Implementing DMARC and SPF on their systems,
  • Encrypting documents and using OTPs to transfer sensitive information such as banking and payment information,
  • Listing the firm’s bank account as a public recipient at the bank rather than using account numbers,
  • Informing clients of the risks involved with making large payments and to follow a secure procedure,
  • Accurately confirming bank details telephonically.

The above case was published via email by the Legal Practice Council to each firm in the country and resulted in a panicked attempt by some to address their liability. Numerous law firms responded by adding a disclaimer to their email signatures stating that their clients must call to confirm banking details before making payment. In our opinion the disclaimer alone will not be sufficient to rise to the standards as set in the above case.

At this stage the latest standard in duty of care, which is set in the ENS matter, only relates to legal practitioners; however, time will tell if this obligation toward security will spread to other businesses. The same precedents have already been set in the financial service industry as well, and the international trend points to businesses being liable toward their clients when their business’s or even their clients’ emails have been compromised. Our courts tend to follow the trend of international law, and internationally the law is in line with the precedents as set in both of the above new court matters, so any new matters or appeals in these matters will likely not bring a significant change.

 

BEWARE THE CYBERCRIMINAL

Our firm has seen an influx of clients who need assistance in recovering their money from elusive cybercriminals. These individuals can be very hard to track down and as such any negligent and compromised business is held responsible instead.

We already mentioned a few possible security measures which may be implemented / followed. In addition thereto:

  • Everyone needs to be wary of the risks involved with business email compromise.
  • Adequate insurance to cover any losses due to cybercrime should be kept by certain businesses.
  • Make sure you partner up with a trustworthy business that has adequate security measures in place before entering into large financial transactions through or with them.

In our opinion, as well as that of top internet security professionals, your business can never be 100% protected from email compromises. Even the famous Hillary Clinton and Joe Biden’s emails have been compromised and leaked after a successful cyberattack / hacking attempt on their emails. These individuals have some of the latest technology and procedures to ward against this threat and still failed against an ever-evolving enemy.

We expect the year ahead to surely provide more case law and developments in this field as numerous similar cases are being appealed and brought to court.

If you have suffered damages due to business email compromise from your service provider, get in contact with one of our legal practitioners for assistance.