In Edward Nathan Sonnenbergs (ENS) v Hawarden, ENS appealed the judgment handed down in Hawarden v Edward Nathan Sonnenbergs. The Supreme Court of Appeal (SCA) upheld the appeal and dismissed the original order from the high court.

Hawarden may appeal this case to the Constitutional Court.

Who should care about this judgment and why?

  • Anyone who relies on email to send and receive banking information, because there is an inherent risk of BEC and other cybercrimes that could have costly consequences. They need to be aware of this and take steps to mitigate this risk.
  • Organisations that act as responsible parties, because they have an obligation under POPIA to ensure they take ‘appropriate, reasonable technical and organisational measures’ when processing personal information.

What could you do about it?

Our insights on the judgment

While the SCA found that ENS did not act wrongfully, the duty of care to protect against cybercrimes still exists. This may seem contradictory but the SCA doesn’t differentiate between pre- and post-POPIA contexts. It’s essential to recognise that the facts of this case occurred in a pre-POPIA context. The judgment should not be taken to mean that organisations have no duty to implement proper information security measures when processing personal information. With the introduction of POPIA, there is now a clear legislative obligation for responsible parties like ENS to ensure adequate security safeguards are in place.

This distinction should not cause misunderstandings about the differences between past and current legal obligations. Under POPIA, responsible parties have a duty to implement appropriate security safeguards when processing personal data. The SCA judgment does not extinguish this duty and has limited application in the post-POPIA context.

Digest

Facts

While buying a R6 million house, Hawarden experienced a business email compromise (BEC). She sued ENS for R5.5 million as compensation for the pure economic loss she suffered due to the BEC. She succeeded in this claim, and the high court ordered ENS to pay Hawarden the R5.5 million. ENS appealed this order to the SCA.

Background

Hawarden bought a R6 million house from the Davidge Pitt Family Trust. She made a R500 000 deposit into the trust account after receiving an email from Pam Golding Properties (the real estate agency) asking her to do so. In the email, the real estate agency included a notice about cybercrime. The notice advised that she call the agency to confirm the bank details before making the payment. Hawarden made the call and successfully paid the deposit. The paperwork was then sent to ENS for transfer of the property to be effected.

During this process, Hawarden’s email was intercepted by a cybercriminal. The cybercriminal forged a letter setting out the guarantee requirements and the necessary banking details. Hawarden later contacted ENS telephonically asking whether she could elect to transfer the outstanding amount directly to ENS if the bank was unable to furnish the guarantee in time. ENS confirmed that this was possible and agreed to send her the documents confirming the relevant banking details.

ENS sent the email containing the documents with the banking details and a notice from FNB warning people of the dangers of cybercrimes. This email was intercepted by the cybercriminal. The cybercriminal altered the bank details on the documents and deleted the warning notice. Hawarden unknowingly received the forged documents and made the payment using the banking details provided in the email. She did not confirm the banking details telephonically before making the payment.

Hawarden emailed proof of payment to ENS, but a cybercriminal intercepted this email, altered the proof to reflect the correct banking details, and informed ENS that the payment would reflect within 24-48 hours. This fraud continued undetected for several days while Hawarden and ENS communicated. Eventually, ENS informed Hawarden that they had not received the payment. The cybercriminal intercepted this email as well, falsely explained there was an issue with the payment, claimed the money had been returned to Hawarden’s account, and instructed her to redo the payment. Meanwhile, the cybercriminal withdrew Hawarden’s money from their bank account, and the bank was unable to retrieve the stolen funds.

Reasoning

The SCA did not consider all the elements needed for a claim of pure economic loss arising from an omission. The court limited its analysis to whether Hawarden established the element of wrongfulness necessary for a delictual liability claim. The SCA reviewed the existing case law and found that South African law does not recognize a general right to compensation for pure economic loss. The SCA further found that an omission is not necessarily wrongful on its own. There must have been an existing legal duty breached by the omission.

In its reasoning, the SCA noted the following key facts:

  • ENS and Hawarden were not in an attorney-client relationship.
  • The real estate agency had warned Hawarden of the risk of cybercrime. She followed their advice by confirming banking details telephonically but failed to do this when making the payment to ENS, despite calling them while at the bank.
  • A hacker had breached Hawarden’s email.
  • The hacker had deleted the notice warning Hawarden of potential cybercrimes.

The SCA found that it was untenable for ENS to take further steps to mitigate against the risk of cybercrimes and that ENS had not acted wrongfully.

The SCA stated that by finding in favour of Hawarden the high court created a legal duty on all other creditors who send banking details via email. By extension, this legal duty would require these parties to mitigate against risk outside of their realm of control. The SCA was of the view that the high court should have ‘declined to extend liability in this case because of the real danger of indeterminate liability.’

The SCA assessed the Constitutional Court’s position on ‘vulnerability of risk’. The Constitutional Court’s position is that if there were steps a person could have taken to protect themselves from harm, but didn’t, they should not be able to claim for pure economic loss. They found that Hawarden was sufficiently aware of the risk and had previously taken steps to mitigate but then failed to take those same steps when effecting payment to ENS.

In finding in favour of ENS, the SCA stated that:

‘In all of this, sight must not be lost as well of the fact that after weighing up her options she elected, whilst at the bank, to forego a bank guarantee for a cash transfer. As she had ample means available to her, she must in the circumstances take responsibility for her failure to protect herself against a known risk. There can thus be no reason to shift responsibility for her loss to ENS. It follows that Ms Hawarden ought to have failed before the high court. Consequently, the appeal must succeed.’

Order

  • The SCA upheld the appeal and set aside the high court’s order.
  • The SCA substituted the high court’s order with its own order. The SCA dismissed Hawarden’s claim with costs, including the costs of two counsel where used.

Details of Hawarden v ENS

  • Universal citation: [2024] ZASCA 90
  • Case number: 421/2023
  • Full name: Edward Nathan Sonnenbergs Inc v Hawarden

Please note: The summary of this judgment is not intended for a general audience. It is specifically drafted for the members of the Michalsons Data Protection programme.