In Hawarden v Edward Nathan Sonnenbergs (ENS), Hawarden succeeded in suing ENS for the loss of R5.5 million caused by a Business Email Compromise (BEC). Hawarden was ENS’ client. The court said that ENS owed a general duty of care to Hawarden. As a law firm, ENS was aware of the risk of business email compromise. The court held that ENS was therefore well placed to prevent the loss, but it failed to protect Hawarden against the loss she suffered. The court also found that ENS did not have adequate information security measures in place.

ENS will be taking this matter on appeal to the Supreme Court of Appeal.

Who should care about this judgment and why?

  • Organisations that use email to communicate banking details, because this judgment confirms that you have a duty of care to secure that information. This includes instances when you are sending invoices.
  • Clients and customers who receive banking details via email, because you need to be aware of the possibility of a BEC occurring and know what to expect from the people you’re doing business with.

What could you do about it?

Our insights on the judgment

This judgment is important because it sets a minimum standard for the transfer of sensitive or confidential information. It also sheds some light on the consequences of not having adequate information security measures in place. One of the key issues that this judgment highlights is that information security is a business issue. Having adequate information security measures in place is futile if your organisation does not promote a culture of awareness about the risks of the various types of cybercrime.

Increase in cybercrime demands vigilance

Every year, cybercriminals are becoming more sophisticated in their attacks. It is therefore necessary for organisations to boost their information security efforts to curb cyberattacks. In data protection generally, when you process personal data, you have a duty to protect that data from harm. In the context of this judgment, when you are sending data to enable someone to transact online, you have a duty to ensure that you secure that process. If you fail to put security measures in place, you leave your organisation vulnerable to cyberattacks. An attack by a cybercriminal can have devastating consequences for your business. For example:

  • Your business and your brand could suffer irreparable reputational damage.
  • You could lose your business because of an exorbitant fine imposed by an authority as a result of your negligence.
  • You could lose valuable customers because they no longer trust your brand.
  • You could lose revenue.
  • You may not be able to attract new customers.

Digest

Facts

Hawarden signed an offer to purchase a property for R6 million. She then paid a R500 000 deposit into the real estate agency’s trust account. She noted the agency’s BEC warning and consequently confirmed the banking details telephonically before making payment.

However, Hawarden did not do this before paying the outstanding amount to the law firm responsible for the transfer of the property. The firm emailed Hawarden to tell her how to make payment. Hackers intercepted this email in a BEC attack and changed the banking details. Because of this change, Hawarden paid R5.5 million into the hackers’ account. The bank was unable to recover Hawarden’s money.

Hawarden then sued the law firm for the loss that she suffered. She claimed that they had a duty of care toward her to protect her against BEC because they were aware of the risks. She claimed that the law firm should have warned her about the risk of BEC and should have shared the banking details in a secure manner before she paid the money.

Reasoning

The court had to consider two questions in coming to its decision. The first was whether the law firm owed Hawarden a duty of care. This duty of care would require the firm to use a secure method to communicate bank details and to warn Hawarden about BEC. The second question was whether the law firm failed to meet this duty of care by not using a secure portal, not warning Hawarden about the risks of BEC, or not taking other steps to protect Hawarden against the known threat of BEC.

In answering the first question, the court found that the law firm owed a duty of care. The law firm was better positioned than Hawarden to take the necessary steps to safeguard against instances of BEC. It was not unreasonable for Hawarden to trust the law firm based on its reputation and to expect that it was expert in conveyancing, where this type of cybercrime is rife.

The law firm failed to live up to the duty of care owed to Hawarden by not taking steps to safeguard against BEC. This was a well-known threat with existing solutions readily available. By not making use of a secure portal to communicate sensitive information, or putting in place a multistep verification process, the firm acted negligently.

Order

  • The court ordered ENS to pay R5.5 million to Hawarden.
  • The court ordered ENS to cover costs, including the costs of expert witnesses.

Details of Hawarden v ENS

  • Universal citation: [2023] ZAGPJHC 14
  • Case number: 13849/2020
  • Full name: Hawarden v Edward Nathan Sonnenbergs Inc

Please note: The summary of this judgment is not intended for a general audience. It is specifically drafted for the members of the Michalsons Data Protection programme.