LIABILITY FOR CYBER CRIME EMERGING FROM BUSINESS EMAIL COMPROMISE

The modern-day method of invoicing customers and clients has moved from paper to electronic because more and more reliance is placed on the ease of electronic communication. As the convenience grows, however, so too does the risk of fraud and cyber-crime relating to electronic communications. Yet these risks have not been given sufficient weight against the convenience offered.

Business Email Compromise (otherwise known as BEC) is a well-known risk in the information systems industry and affects everyone who relies on electronic communications, especially those who use it as their primary method of communicating with the external world (clients, customers and other third parties). BEC refers to the unauthorised interception of electronic communications (usually by a hacker or fraudster) and the unauthorised modification of those communications for unlawful ends. The most common way BEC affects society and businesses is where an email refers to payment by electronic transfer and the bank details in it are altered to reflect an account that does not belong to the legitimate sender.

What liability is expected of a business where its client or customer falls victim to such an email? Is there a reasonable prospect of success for a victim to legally claim the financial loss suffered from the business, or is it considered an acceptable or tolerable risk of conducting business, such that the customer bears that risk? This question has become even more relevant with the recent promulgation of the Cyber Crimes Act.

On 16 January 2023, the Johannesburg High Court delivered a judgment dealing with (amongst other things) the duty of care expected of law firms (especially large firms and conveyancing practices) where BEC is not given proper appreciation. In this case, the law firm (ENS) was held accountable and thus financially liable for damages suffered by a purchaser (the victim) who had been “called upon” to pay the purchase price for an immovable property by way of an invoice she received and believed had emanated from ENS. However, this email was not actually sent by ENS to the purchaser. Upon closer inspection after the fact, it was noted that the email address was not that of the intended sender at ENS but bore a striking resemblance to it. Furthermore, the bank details listed as the account details for ENS were not those of ENS; they belonged to the third-party fraudster who had intercepted and modified the email without authorisation. Nonetheless, with the parties being none the wiser, the purchaser made the requested payment in terms of the invoice. Upon realising the true sequence of events, the purchaser sued ENS for the value of her payment (R5.5 million), and did so successfully.
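The two tell-tale signs in the sequence above, a sender address that closely resembles the genuine one and bank details that differ from the payee's known account, are both checkable before a payment is released. The following is an added, illustrative example written for this article; it is not code from the Court, ENS or any party to the case. The domain names, account numbers and messages are constructed placeholders, and the edit-distance threshold and the list of look-alike character substitutions are assumptions chosen for the example.

```python
"""Defensive pre-payment checks for an emailed invoice (added example).

Two independent controls are applied to each message:
  1. the sender's domain must be a trusted domain, and a domain that merely
     resembles a trusted one (edit distance or look-alike characters) is flagged;
  2. the bank account on the invoice must match the account verified out of band
     for that payee (e.g. confirmed by telephone when the relationship began).
"""


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Assumed list of substitutions fraudsters use to make a domain look genuine.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Fold look-alike sequences so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for src, dst in LOOKALIKES:
        d = d.replace(src, dst)
    return d


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def check_sender(address: str, trusted_domains: set[str], max_distance: int = 2) -> list[str]:
    """Return findings; an empty list means the sender domain is exactly trusted."""
    domain = sender_domain(address)
    if domain in trusted_domains:
        return []
    findings = []
    for trusted in trusted_domains:
        if normalise(domain) == normalise(trusted) or levenshtein(domain, trusted) <= max_distance:
            findings.append(f"sender domain {domain!r} resembles trusted domain {trusted!r}")
    if not findings:
        findings.append(f"sender domain {domain!r} is not a trusted domain")
    return findings


def check_bank_details(payee: str, account: str, verified_accounts: dict[str, str]) -> list[str]:
    """Compare the invoice's account against the record verified out of band."""
    expected = verified_accounts.get(payee)
    if expected is None:
        return [f"no verified bank account on file for payee {payee!r}"]
    if account != expected:
        return [f"bank account on invoice for {payee!r} differs from the verified record"]
    return []


def assess_invoice(msg: dict, trusted_domains: set[str], verified_accounts: dict[str, str]) -> list[str]:
    """Combine both controls; release payment only when no findings are returned."""
    return check_sender(msg["from"], trusted_domains) + check_bank_details(
        msg["payee"], msg["account"], verified_accounts
    )


# Constructed sample data (placeholders, not real firms or accounts).
TRUSTED_DOMAINS = {"examplelaw.test"}
VERIFIED_ACCOUNTS = {"Example Law": "ACCT-PLACEHOLDER-0001"}

GENUINE_INVOICE = {
    "from": "conveyancing@examplelaw.test",
    "payee": "Example Law",
    "account": "ACCT-PLACEHOLDER-0001",
}
ALTERED_INVOICE = {
    "from": "conveyancing@exarnplelaw.test",  # 'rn' standing in for 'm'
    "payee": "Example Law",
    "account": "ACCT-PLACEHOLDER-9999",  # fraudster's account substituted
}

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE_INVOICE), ("altered", ALTERED_INVOICE)):
        print(label, assess_invoice(msg, TRUSTED_DOMAINS, VERIFIED_ACCOUNTS) or "no findings")
```

The second control is the one that would have caught the altered invoice even if the look-alike domain had gone unnoticed: an account number verified through a channel other than email is the "technical safety measure" the Court found wanting.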

The Court was of the view that a duty of care existed and ought to have been exercised by ENS to ensure the purchaser was made aware of the risks of BEC, despite the fact that it has become an industry norm for invoicing to be handled via electronic means. When dealing with accountability, the Court therefore placed the risk onto ENS and not the purchaser, because the preferred method of handling invoicing (i.e. through electronic means) was at the behest of ENS:

“[ENS] failed to safely communicate its bank details using technical safety measures … [the purchaser] depended on [ENS] to act professionally… I have no difficulty in finding that the firm’s banking details were financially sensitive information and needed to be treated as such, that the risk of BEC was foreseen by [ENS]….and that sending bank details by email is inherently dangerous.”

Foresight and cognisance of risk, in a relationship that places trust in the organisation, was deemed necessarily inherent. Whilst this judgment related to a specific conveyancing transaction handled by a large law firm, it is highly probable that a similar light will be cast on other business transactions more generally.

It is strongly recommended that businesses (especially large ones) procure specific cyber-risk insurance for this type of liability, given its growing prominence. In a technological age like today's, it is impossible to completely eradicate risks to information security on all levels. However, being cognisant of this does not imply that due care and due diligence in respect of globally understood cyber-crime risks should be neglected or overshadowed. Businesses should also not be so quick to assume that the risk lies with the recipient, customer or third party in the event that an incident occurs. Risk mitigation must become standard practice and is therefore an absolute necessity when it comes to BEC. To avoid liability on the scale applied by the Court above, every business conducting its transactions via electronic means must have a risk mitigation plan in place and appropriate risk policies, along with clear and coordinated risk procedures to reduce the exposure, threat and vulnerability that cyber-crime brings to the business and its customers.
