In a highly anticipated judgment [90.pdf (saflii.org)], the Supreme Court of Appeal found that a firm of attorneys was not liable for failing to warn a purchaser of the property of the risk of cyber fraud.

The dispute arose out of a conveyancing transaction in which the purchaser’s email account had been hacked by unknown fraudsters. The fraudsters had intercepted email communications from a conveyancing attorney who had been appointed by the seller in a property transaction. The fraudsters intercepted legitimate emails from the conveyancer and replaced these emails with forged emails emanating from email addresses designed to look almost identical to the conveyancer’s address. The purpose was to trick the purchaser into paying a substantial sum of money, intended to be paid to the conveyancing attorneys’ trust account, into a different bank account. The fraud was sophisticated and was successful in deceiving the purchaser.

A previous judgment of the High Court (Ruling on conveyancer’s liability for cyber fraud losses | Financial Institutions Legal Snapshot) had found that the conveyancing attorneys were liable in delict to compensate the purchaser for pure economic loss as a result of their failure to warn the purchaser of the risk of business email compromise.

On appeal, the SCA highlighted certain key facts of this matter, including:

  • When paying the initial deposit, a few months prior to the fraud, the purchaser had been warned by the estate agent of the risk of business email compromise and had heeded that warning by telephonically verifying the account details prior to making payment;
  • There was no attorney-client relationship between the purchaser and the conveyancing attorneys;
  • There had been no compromise of the conveyancing attorneys’ IT system, rather the purchaser’s own email account had been infiltrated by the fraudsters;
  • The purchaser had weighed up the payment options and had decided at a late stage to change the method of payment from bank guarantee to cash transfer; and
  • The purchaser could have easily avoided the loss by verifying the bank details telephonically with the conveyancing attorneys.

The SCA highlighted that in order for there to be liability in delict, the element of wrongfulness must be present. Conduct which causes pure economic loss is not assumed to be wrongful nor is conduct in the form of an omission.  Wrongfulness will only be met were considerations of legal and public policy require that liability should flow from negligent omissions or conduct causing pure economic loss.  The court noted that this case dealt with both an omission and pure economic loss and found that there was no wrongfulness and therefore no basis for delictual liability.

The SCA held that the High Court’s finding that a failure of the conveyancing attorney to warn the purchaser attracts liability has profound implications not only for the attorneys’ profession but to all creditors who send their bank details by email to their debtors.  The SCA held that the High Court was wrong in extending liability for pure economic loss to these circumstances because of a real risk of indeterminate liability.  The purchaser was required to take responsibility for her failure to protect themselves against a known risk. They were therefore not a person vulnerable to risk and there was no reason to shift the responsibility for their loss to the conveyancing attorney. 

The judgment provides clarity and is a welcome correction to a High Court judgment which had stretched the boundaries of delictual liability too far.  Nevertheless, the safeguards and cyber security measures put in place by conveyancers and the recipients of electronic payments remain essential protection mechanisms and should not be discarded.  The judgment is a helpful reminder that the responsibility to guard against cyber fraud is mutual.  Purchasers and any persons making electronic payments should also educate themselves about the risk of cyber fraud and take care when making electronic payments.