The world has changed drastically in the past three years, with the COVID-19 pandemic speeding up the process. The number of people working from home has increased significantly; in fact, the ability to work remotely is now used by some companies as an incentive to attract talent.1
With remote work being at an all-time high, people communicate a lot via emails and other applications designed to facilitate remote work. Individuals and companies send invoices for services rendered by email. This practice has opened a window of opportunity for cybercriminals to intercept these communications and dupe people into paying funds into the criminal’s bank account rather than into the service provider’s bank account. This is known as business e-mail compromise (BEC) fraud.2 Other types of cyberattacks include hacking, phishing and spear-phishing, ransomware, and fake law firm websites.2
With the aim of protecting both natural and juristic persons from such data breaches, South Africa promulgated a few laws. In 2020, South Africa already had policies and frameworks in place to regulate activities occurring in cyberspace. Statutes such as the Consumer Protection Act, 2008 (CPA), Promotion of Access to Information Act 2 of 2000 (PAIA) and Protection of Personal Information Act 4 of 2013 (POPIA) are some of the Acts that were promulgated to reinforce people’s right to privacy and ultimately, reduce the occurrence of data breaches.

Unfortunately, even with these measures in place, cybercrime is ever-evolving and cyberattacks are on the rise. A recent case involving cybercrime is that of Fourie v Van der Spuy and De Jongh Inc and Others 2020 (1) SA 560 (GP). In this case, the Applicant (Fourie) claimed the payment of R1 744 599.45 from the Respondents.3 This amount was paid over to the trust account of the 1st Respondent (a law firm representing the Applicant) for the benefit of the Applicant. The 2nd Respondent (a partner at the law firm listed as 1st Respondent) rendered services to the Applicant and was instructed to retain the funds until such time that the Applicant gave further instructions on what should be done with the money.3
Eventually, the Applicant sent instructions for the 2nd Respondent to pay the abovementioned amount back into the account of the Applicant. The 2nd Respondent made the payment but unbeknownst to her, a hacker intercepted the Applicant’s emails and sent the 2nd Respondent their own banking details. Consequently, when the 2nd Respondent paid the amount, it was actually paid into the bank account of the hacker and not the Applicant. The 2nd Respondent argued that they had already made the payment and were not liable to pay the Applicant again. However, the judge stated that “The 2nd Respondent was negligent and failed to exercise the requisite skill, knowledge and diligence expected of an average practising attorney and thus failed to discharge her fiduciary duty to the Applicant by transacting via e-mail whilst full-well knowing that fraud is prevalent in her profession and not employing any measures to ensure that neither she, nor the Applicant will fall victim to fraud.”3
The judge further stated that the “2nd Respondent has failed to discharge her obligation to the Applicant to pay him. The 2nd Respondent’s defence that a fraud occurred that released her from paying the Applicant is no defence as she is as principal obliged to account to the applicant for the funds, a duty 2nd Respondent thus far has failed to discharge. It is irrelevant that emails similar to that of the Applicant was sent to her, the common law position pertaining to trust funds as set out above is clear. The duty of care, owed to a client and the mandate to pay as principal, point to the attorney as the one who, in this case, is liable.”3 The court ordered the 1st and 2nd Respondents to pay R1 744 599.45 to the Applicant. In this case, the court placed the responsibility of vigilance against cybercrime squarely on the shoulders of the partner of the law firm (2nd Respondent). It is thus crucial for companies to employ risk mitigation measures to prevent such incidents from occurring.

In a similar case, Hawarden (the plaintiff) put in an offer for R6 million to purchase a house and paid a deposit of R500 000 to the estate agency.4,5 The conveyancer hired by the seller was ENS Inc. Hawarden received an email purporting to be from a conveyancing secretary at ENS, which also included bank account details into which Hawarden was supposed to deposit the rest of the funds. Unfortunately, the email was from a hacker and not the ENS conveyancing secretary. The hacker had intercepted the secretary’s email and replaced the firm’s banking details with their own.4,5 This is very similar to the earlier case of Fourie v Van der Spuy and De Jongh Inc. Even after this cybercrime was discovered, ENS asked Hawarden to make a payment to secure the sale of the property.4,5
The judge stated that “ENS was at fault on the basis of negligent conduct. I am not inclined to agree with submissions made by counsel on behalf of ENS that Ms Hawarden must take responsibility for her failure to protect herself against the known risk of relying on banking details received by email. The defendant was an expert conveyancer and was facilitating and managing the transaction. Under these overall circumstances it is not overly burdensome or unreasonable to impose liability on ENS. The risk of loss to Ms Hawarden was highly foreseeable by ENS. There is no risk of boundless liability as feared by ENS as the loss in this case is claimed by a single plaintiff and is finite in its extent. It is, accordingly, not unlimited or indeterminate.”4
The judge further stated that “The interests of the defendant as well as the society demand that a legal duty is recognised in this case. ENS is best placed to understand and prevent BEC. Individuals in society are generally not as well-placed to respond to the ever-evolving threat of cyber-crime, which is sophisticated and technical in nature.”4 In these two cases that we have discussed, the court placed the responsibility of cybersecurity on the law firms. This is a cautionary note for all businesses to be hypervigilant and to ensure that they do everything possible to prevent their clients from falling victim to cybercriminals. A heavier burden of proof will be placed on businesses to show that they have attempted everything reasonably possible to prevent the cybercrime from happening before this responsibility will be discharged by the courts.

Attorneys in particular have been targeted by cybercriminals. In 2017, a Risk Alert was released which warned practitioners about cybercrimes. It read “Cyber related risks are on the increase and attorneys must: ensure they have adequate risk mitigation/avoidance measures in place to deal with cyber related risks”.3 Attorneys pay professional indemnity insurance to insure against liability that may arise from their professional conduct as practitioners.6 The risk alerts that the insurer issued have seemingly gone unheard as they have received 137 cybercrime claims since 2016.3 The insurer implemented a cybercrime exclusion clause in 2016. The clause reads “This policy does not cover any liability for compensation…arising out of cybercrime…”6
Here are suggested steps that one can take to mitigate the risks of BEC and other cybercrimes:
- Have systems to verify banking details.
- Employ the services of a cyber risk specialist and conduct regular vulnerability assessments.
- Educate everyone in the organisation on cyber scams.
- Educate your clients about cybercrimes.
- Try to avoid sending sensitive information such as banking details via email. Out of interest, this is what the judge had to say in the Fourie case: “Perhaps a time will come when monies will be transferred in the presence of a client, client will have to waive the nicety of EFT’s being done without client being present, alternatively client being phoned…”2 The judge also remarked that perhaps it is about time that attorneys inform clients that they will not accept changes in banking details via email.
- Obtain cyber insurance cover.2,5
It goes without saying that one must scrutinise emails with sensitive information because in some cases, you may be able to tell when an email is fraudulent. For example, in the Hawarden matter, the cybercriminal had misspelled the ENS email address, so instead of @ensafrica.com, they used @ensafirca.com.5 The change is very subtle, but by looking very carefully at the details of one’s email, the occurrence of cybercrime could be reduced. Though the courts place responsibility on firms to protect clients from cybercriminals, ultimately, cybersecurity is the responsibility of everyone. All of us must exercise vigilance against cyberattacks, and use recommended measures to protect ourselves.
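The misspelled-domain check described above can be automated rather than left to the eye. The following is an added example, not part of the original article: it flags sender domains that are within a small edit distance of a known counterparty domain, counting a swap of two adjacent letters (as in the Hawarden matter) as a single edit. The function names, the sample addresses and the threshold of 2 are assumptions made for illustration.

```python
# Added example: flag sender domains that are near-misses of a trusted domain.
# TRUSTED_DOMAINS holds the domain quoted in the article; the sample
# addresses used with these functions are constructed for illustration.
TRUSTED_DOMAINS = {"ensafrica.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swap, e.g. "ri" -> "ir" in ensafrica / ensafirca.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip().strip(">").lower().rstrip(".")


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('unknown', None).

    'trusted' only means the domain is spelled correctly. A correctly spelled
    address can still come from an intercepted mailbox, so changed banking
    details must still be confirmed through another channel such as a phone call.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        if osa_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)
```

A mail gateway or mailbox rule could hold any message classified as `lookalike` for manual review before it reaches the person making a payment.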
References:
1. https://www.uschamber.com/co/grow/thrive/what-is-a-digital-nomad
2. https://www.derebus.org.za/ongoing-cybercrime-threats/
3. https://www.saflii.org/za/cases/ZAGPPHC/2019/449.html
4. https://www.saflii.org/za/cases/ZAGPJHC/2023/14.html#:~:text=Held%20that%2C%20a%20duty%20of,that%20pdf%20attachments%20to%20emails
5. https://www.masthead.co.za/recent-cybercrime-judgment-impacts-businesses-that-email-bank-details-learn-how-to-protect-yourself-and-your-clients/
6. https://lpiif.co.za/wp-content/uploads/2023/07/Professional-Indemnity-Policy-2023-2024.pdf