From CompliNEWS | Financial Service Intelligence Watch

Policies alone insufficient to ward off fraud liability

Legalbrief Today

‘Emails and disclaimers alerting clients to the dangers of business emails being compromised and other cyber fraud will not be enough to ward off liability. Businesses will have to assume their clients are not aware of the risks.’ Emile Myburgh, an attorney practising in Johannesburg and São Paulo, says the reality of life for businesses following Gauteng High Court (Johannesburg) Judge Phanuel Mudau’s ruling last week in Hawarden v ENS (see Case Law Briefs in Legalbrief Today) is: if you send out your banking details in unprotected formats (PDF, Word) – without taking additional steps to ensure your emails are not compromised – you are likely acting negligently and could be liable for damages your clients may suffer if they pay money into fraudulent accounts. In his opinion piece in Business Day, Myburgh says in a ‘David v Goliath victory,’ Mudau ordered ENS (the conveyancing attorneys in the property deal) to pay Judith Hawarden (the buyer) R5.5m which she paid into a fraudulent bank account, plus her costs. ‘During the trial, ENS made much of the fact that it had policies in place to warn people of the risks of business emails becoming compromised, that Pam Golding Properties (the estate agent) had also warned Hawarden, and that her bank (Standard Bank) often sent her emails warning of the risks – all in an attempt to lay the blame for the erroneous payment on her. None of that swayed the judge, who was severely critical of ENS’ witnesses.’

Myburgh notes the judge highlighted various deficiencies in ENS’ policies and the manner in which it handled the Hawarden matter. ‘The court ruled that ENS owed a duty of care to Hawarden to ensure she did not fall victim to such a scam, a duty it had failed to perform and was the direct cause of her loss. It thus had to pay for it.’ Hawarden, Myburgh adds, testified that she had no knowledge of the risks involved and that ENS did not advise her of these at the time she made the electronic funds transfer to ENS’ trust account. Says Myburgh: ‘The effect of this court decision is that any business that sends its bank details in an unsecured manner to a debtor may be held liable for that debtor’s losses if the debtor falls victim to such fraud.’ He notes expert witnesses testified about the various ‘straightforward and secure’ possibilities available to avoid business email compromise events – two-factor authentication and secure portals to exchange information. ‘They also testified about readily available tools that can prevent the unauthorised use of a sender’s email domain, such as Sender Policy Framework; DomainKeys Identified Mail; and Domain-based Message Authentication, Reporting & Conformance protocol – tools which ENS did not use in Hawarden’s case.’
