In the matter of ENS v Hawarden, the SCA overturned the judgment in the High Court in Gauteng, holding ENS liable for the loss suffered by Mrs Hawarden because of a business email compromise. The SCA’s finding is primarily based on a legal interpretation of pure economic loss. Mrs Hawarden’s attorneys intend to seek leave to appeal the judgment of the SCA.

We will not address the findings of the High Court or the SCA judgments. Our purpose for this post is rather to alert readers to the context of the underlying business email compromise and the basis on which the claim was made. We also address the privacy obligation to protect personal information communicated by email, as the Protection of Personal Information Act requires.

Context of ENS v Hawarden

The loss Mrs Hawarden suffered occurred on 22 August 2019, before the commencement of POPIA, on 1 July 2020. Had the incident occurred after the commencement Mrs Hawarden’s attorneys would have likely pleaded the claim differently, and reliance placed on the obligation of responsible parties to protect a data subjectā€™s constitutional right of privacy in their communications. This obligation is informed by section 19 of POPIA. It requires responsible parties to establish and maintain appropriate security safeguards aligned to generally accepted information security practices.

The High Court accepted the evidence that ENS, while it had addressed information security its efforts were deficient when measured against generally accepted information security practices and procedures. The High Court also found conveyancers have a duty to advise the client of the potential loss from a BEC, even if the client is not theirs. The SCAā€™s decision does not address these issues and in overturning of the High Court decision it concentrated on the issue of pure economic loss.

Privacy obligations – safeguarding personal information

POPIA removes any doubt of the responsible partyā€™s duty to comply with the conditions for the lawful processing of personal information. This includes the securing of the integrity and confidentiality of personal information. Email is an insecure method of communication (it was, long before the ENS/Hawarden business email compromise). Failing to safeguard against this known threat may lead to liability based on a breach of section 19 of POPIA. You must not interpret the decision of the SCA in ENS v Hawarden as changing the legislative obligation to safeguard personal information. As a responsible party, POPIA obligates you to safeguard personal information.

By Mark Heyink and Bronwen Seager.