On 10 June 2024 in the matter of Edward Nathan Sonnenberg Inc v Hawarden (Neutral citation:
[2024] ZASCA 90 (10 June 2024)), the Supreme Court of Appeal (the SCA) overturned a judgment
and order of the Gauteng Division of the High Court, Johannesburg, which had serious and far-
reaching implications for the attorneys’ profession, estate agents and all creditors who send their
bank account details by email to their debtors/clients.
The effect of the preceding High Court judgment was that all creditors who send their bank account
details by email to their debtors owed a legal duty to those debtors to protect them against the risk
of the debtors’ payments to the creditors from being intercepted by cyber criminals. The SCA
disagreed with this approach in the context of the facts of this particular case.
In May 2019, a Mrs Hawarden (the purchaser) concluded an agreement for the purchase of an
immovable property from the seller thereof. Shortly thereafter, the estate agent sent the purchaser
an email to pay the deposit into the estate agent’s trust account. Significantly, the estate agent’s
email also contained a notice to the purchaser warning her of the risk of cybercrime and advised
her to call the estate agent to verify the banking details before paying the deposit. The purchaser took note of the warning and first verified the estate agent’s bank account details before paying the deposit;
Unbeknown to the purchaser and the attorneys instructed by the seller to attend to the transfer of
the property (the conveyancing attorneys), the purchaser’s email had been hacked by a
cybercriminal. Consequently, after the initial email from the conveyancing attorneys to the estate
agent (to which the purchaser was copied), all relevant emails between the conveyancing
attorneys and the purchaser were intercepted by the cybercriminal. As a consequence, the
purchaser paid the balance of the purchase price into a bank account controlled by the
cybercriminal instead of the conveyancing attorneys’ trust account;
The fraud was only discovered one week after the purchaser had made payment of the balance of
the purchase price into the bank account controlled by the cybercriminal.
The aggrieved purchaser instituted an action against the conveyancing attorneys for the recovery
of the balance of the purchase price. She claimed that the conveyancing attorneys owed her a
legal duty to, amongst other things:
exercise that degree of skill and care by a reasonable conveyancer, who specialise in the preparation of deeds documents, to advise her that it was safer to secure the balance of the purchase price by way of a bank guarantee issued in favour of the seller in accordance with the offer to purchase.
warn the purchaser of the danger of “business email compromise” (BEC) and the increase in BEC type fraud;
alert the purchaser to the fact that criminals may try to induce her to make payments into a bank account controlled by the criminals instead of the conveyancing attorney’s bank account;
advise the purchaser that frauds of that nature are typically carried out by using emails or letters that appear to be materially identical to letters or emails sent to her by the conveyancing attorneys;
warn the purchaser, before making any payments to the conveying attorneys, to ensure that she verified that the account into which payment will be made is a legitimate bank account of the conveyancing attorneys;
advise the purchaser that if she was not certain of the correctness of bank account, that she may contact the conveyancing attorneys who will assist in confirming the correct bank account details;
implement adequate security measures such as protection of emails and attachments thereto;
load the conveyancing attorneys trust account as a public beneficiary in the online banking systems of the banks with which they had bank accounts; and
use secure portals so that users log in by means of a two or multifactor authentication foraccess.
The purchaser was also of the view that considerations of public and legal policy in accordance
with constitutional norms imposed a legal duty on the conveyancing attorneys and held the
conveyancing attorneys liable in delict for the damages suffered by her in breach of that legal duty.
In its judgment, the SCA confined itself to whether or not the purchaser had in particular
established the wrongfulness element for a delictual claim arising out of omission causing pure
economic loss and did not deem it necessary to deal with all of the requirements placed in issued
by the conveyancing attorneys.
Referring to the decisions in Home Thought Development (Pty) Ltd v Ekurhuleni Metropolitan
Municipality [2017] ZA SCA 77 and Halomisa Investments Holdings (RAF) Ltd and Another v
Kirkinis and Others [2020] SA SCA 83, the SCA held that South African law does not generally
hold persons liable in delict for loss caused to others by omission.
The SCA, quoting the judgment Hawekwa Youth Camp and Another v Byrne [2009] ZA SCA 156
held that “… negligent conduct in the form of an omission is not required as prima facie wrongful.
Its wrongfulness depends on the existence of a legal duty. The imposition of this legal duty is a
matter for judicial determination, involving criteria of public and legal policy consistent with
constitutional norms. In the result, negligent omission causing loss will only be regarded as
wrongful and therefore actionable if public or legal policy consideration require that such
omissions, if negligent, should attract legal liability for the resulting damages”.
When considering the issue of wrongfulness, the SCA had regard to the following facts:
- the purchaser was not a client of the conveyancing attorneys at the relevant time and
therefore when the purchaser’s loss occurred there was no attorney–client relationship
between her and the conveyancing attorneys;
- the loss suffered by the purchaser was not the result of any failing of the conveyancing
attorneys’ system but rather because a cybercriminal had hacked and compromised the
purchaser’s email account (not the conveyancing attorney’s email account) and fraudulently
diverted the purchaser’s payment of the balance of the purchase price into a bank account
controlled by the cybercriminal;
- the estate agent’s letter to the purchaser had warned her about that very risk and that the
purchaser had heeded the estate agent’s warning and verified the estate agent’s bank
account details when she made payment of the deposit. The purchaser, however, failed to
do the same thing a few months later when it was time for her to make payment to the
conveyancing attorneys and she was unable to explain her failure to do so;
- in terms of the offer to purchase, the payment of the balance of the purchase price could
have been secured by the purchaser furnishing a bank guarantee for the amount. However,
the purchaser chose rather to make payment of the balance of the purchase price by way
of EFT. She did so in the bank and with the assistance of her banker after having
discussed telephonically the payment with two representatives of the conveyancing
attorneys. She could, therefore, have obtained the assistance of her bankers to verify the
conveyancing attorney’s bank account but she could not explain her failure to do so; and
a warning by the conveyancing attorneys to the purchaser of the risk of BEC would have
been meaningless because by that time the cybercriminal had already hacked and
compromised the purchaser’s email account.
Accordingly, the SCA held that the High Court’s judgment that all creditors in the position of the
conveyancing attorneys owed a legal duty to their debtors to protect them from a possibility of their
email’s accounts being hacked, was untenable. The SCA held further that the High Court should
have declined to extend liability in this case because of the danger of indeterminate liability.
Relying on the judgments in Country Cloud Trading CC v MEC, Department of Infrastructure
Development, Gauteng [2014] ZA CC 2008, Cape Empowerment Trust Limited v Fisher Hoffman
Sithole [2013] ZA SCA 2016 and Trustees for the Time Being of Two Oceans Aquarium Trust v
Kantey and Templer (Pty) Ltd [2005] ZA SCA 109, the SCA held that the purchaser could
reasonably have avoided the risk by verifying the account details of the conveyancing attorneys
with the conveyancing attorneys just as she had done with the estate agent when paying the
deposit or she could have had her own bank verify the bank account details. The purchaser
therefore had to take responsibility for her failure to protect herself against a known risk.
This judgment will come as a great relief not only to attorneys and estate agents but also to all
creditors who send their bank account details to their debtors by way of email.
However, a word of caution. Given the legal principles to be applied in matters such as this,
especially that the determination by a court will involve considerations “of public and legal policy
consistent with constitutional norms”, it is important to note that the facts of each matter will be
extremely important in the determination. The outcome may vary, depending on the facts of each
case.
In the circumstances, it is crucial that all creditors who send their bank account details to their
debtors take any and all means necessary to notify their debtors of the risk of the BEC and ways of
ameliorating that risk.
