On 16 January 2023, the Gauteng High Court ruled that a conveyancing attorney had a legal duty towards a property purchaser to implement adequate precautions and provide adequate warnings to protect the purchaser against her own email accounts being compromised by cyber fraud, and that the attorney was liable in delict for the purchaser’s loss for failing to do so. The judgment can be found here.
In a judgment that will be concerning to anyone dealing with electronic payments, the court accepted the purchaser’s argument that email is not secure and sending bank details by email is inherently dangerous. The court was of the view that implementing technical measures to transmit bank details by a secure portal accessed by two-factor authentication was appropriate to avert fraud, despite the fact that the evidence indicated that this was largely not common practice at the time. The court warned that if email is to be used to transmit bank details, it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings that are securely communicated.
The dispute arose out of a conveyancing transaction in which the purchaser’s email account had been hacked by unknown fraudsters. The fraudsters intercepted legitimate emails from the conveyancing attorney, who had been appointed by the seller in the property transaction, and replaced them with forged emails emanating from email addresses designed to look almost identical to the conveyancer’s address. The purpose was to trick the purchaser into paying a substantial sum of money, intended for the conveyancing attorney’s trust account, into a different bank account. The fraud was sophisticated and succeeded in deceiving the purchaser.
The conveyancer strongly denied all liability to the purchaser and mounted a vigorous defence. After hearing evidence from both parties, including the evidence of conveyancing and technical experts, the court found the conveyancer to be liable in delict to compensate the purchaser for the money paid to the fraudster. Despite the fact that it was only the purchaser’s email account that was hacked and that the purchaser had made a substantial payment without noticing the incorrect address and without telephonically confirming the bank details, the court was of the view that the purchaser could not be faulted for placing her trust in the conveyancing attorneys. The court accordingly rejected the conveyancer’s alternative argument that the purchaser was herself contributorily negligent.
It is to be noted that this is a delictual case for pure economic loss arising out of an omission, which does not usually result in delictual liability. However, the court stretched the boundaries of delictual liability in holding that considerations of legal and public policy demand that a legal duty, and consequent delictual liability, be recognised in the case of conveyancing attorneys in this factual situation. One of the key considerations, said the court, is that attorneys are better placed than individuals to respond to the ever-evolving threat of cybercrime.
This judgment will almost certainly be the subject of an appeal to a higher court. On appeal, a higher court will have an opportunity to reconsider the important and complex issues raised by this judgment and reach a different conclusion.