Every organisation has a duty of care to establish and maintain appropriate information security. The judgment in Hawarden vs ENS illustrates that no modern business can operate properly and lawfully without establishing and maintaining appropriate information security.
The facts of the business email compromise
ENS styles itself as the largest law firm in Africa. It emailed Hawarden a PDF letter containing its bank account details. The email was intercepted by criminals and the bank details were changed before it reached Hawarden. Hawarden paid R5.5 million into what was ostensibly ENS's bank account but was controlled by criminals, and the money is forever lost. A classic and well-documented business email compromise.
Court ordered ENS to pay R5.5 million to Hawarden
Hawarden successfully sued ENS for payment of R5.5 million together with interest. She was also awarded a punitive costs order because ENS, contrary to its agreement with Hawarden's attorneys, discovered sensitive personal information irrelevant to the proceedings and published this in the trial bundle.
The basis of the court's judgment is that ENS owed a general duty of care to Hawarden. ENS was aware of the risk of business email compromises and was in the best position to prevent the loss, but failed to protect Hawarden against the loss suffered.
The court found that ENS's information security was deficient and its staff poorly trained. ENS relied on the defence that the use of email and PDFs was a common practice by conveyancers, but the court found that this did not excuse ENS from its duty of care to Hawarden.
The principle applies to all organisations
The case relates to communications in a conveyancing transaction. But the principle applies to all businesses.
If a business processes or communicates personal or business information, it must safeguard the information appropriately.
Action you can take
Information security is an established and well-documented discipline. Michalsons works with information security experts and can help you to properly consider and implement appropriate information security, aligned with best practice guidelines. Find out how we can help you by reviewing our information security services.
Author: Mark Heyink, who acted as a consultant to Hawarden's attorneys and gave expert ICT law and information security evidence at the trial.