In Safi v Gascoigne, Safi sued Gascoigne Randon and Associates, a conveyancing firm, for a loss of R889,308.50 from a business email compromise (BEC). 

Who should care about this judgment and why?

  • The public because they need to be aware of the risks of BEC scams and the importance of verifying payment details before transferring funds.

  • Private and public bodies because they need to understand their legal obligations under data protection laws like POPIA and the Companies Act to secure personal information and prevent cyber threats.
  • Banks and financial institutions because they should implement measures to prevent fraudulent transactions and protect customers from BEC scams.
  • Law firms and legal practitioners that receive and handle clients’ monies need to have information security strategies in place to prevent the interception of sensitive information.

What could you do about it?

  • Join our programmes to learn about cybersecurity and data protection and determine your obligations under the law.
  • Conduct an information security assessment to evaluate your current security measures.
  • Reach out to the Michalsons team for assistance with your information security requirements.

Our insights on the judgment

This case is important because it highlights BEC’s risks to consumers and organisations and the importance of organisations adhering to data protection laws like the Protection of Personal Information Act (POPIA) to safeguard personal information and mitigate cyber threats. Safi’s argument that Gascoigne had a legal duty under the Companies Act and POPIA to secure personal information and prevent such incidents, raises questions about an organisation’s liability for losses resulting from cyber threats like BEC. Similarly, the court in the Hawarden v ENS concluded that organisations that do not have adequate information security measures could be held liable for any financial loss suffered by their clients. Clients should pay attention to this case because it may have implications for their own legal obligations and potential liability for losses resulting from cyber threats. Organisations may need to review their policies and procedures to ensure compliance with data protection laws like POPIA and take appropriate measures to prevent cyber threats like BEC. Additionally, individuals should be aware of the risks of BEC and take steps to verify payment details before transferring funds.

Digest

Facts

Safi received an email from what purported to be Gascoigne’s employee requesting payment into a specified bank account. However, a hacker intercepted the email and changed the bank account details. Safi transferred the funds to the hacker’s account, resulting in a financial loss to Safi. Safi then sought compensation from Gascoigne, arguing that they had a legal duty under the Companies Act and POPIA to secure personal information and take appropriate measures to prevent such incidents. However, Gascoigne objected, claiming that the particulars of the claim lacked clarity and failed to establish a cause of action. This case highlights the risks of BEC scams and the importance of organisations adhering to data protection laws like POPIA to safeguard personal information and mitigate cyber threats.

Reasoning

In its decision, the court stated that it would be short-sighted and conservative for companies to believe they don’t have a responsibility to protect their clients from cyber attacks like BEC or the breach of client information. Such an approach goes against the objectives of POPIA, especially when Safi’s information and privacy were compromised through Gascoigne’s IT portal. In this case, Gascoigne failed to establish and maintain a proper information management security system, supporting Safi’s argument in the main application.

Order

  • The court dismissed Gascoigne’s arguments and awarded costs to Safi.

Details of Safi v Gascoigne

  • Universal citation: [2023] ZAGPJHC 259
  • Case number: 23052/2022
  • Full name: Jerome Rueben Safi v Gascoigne Randon and Associates

Please note: The summary of this judgment is not intended for a general audience. It is specifically drafted for the members of the Michalsons Programmes.