
The Appeal Court has overturned a recent cyber crime ruling – what are the implications for companies under the POPI Act?
On 10 June 2024, the Supreme Court of Appeal (SCA) overturned a High Court decision that had significant ramifications for Edward Nathan Sonnenbergs (ENSAfrica), a leading South African law firm. The High Court had initially ruled that ENS was liable for R5.5 million stolen by fraudsters who manipulated e-mails sent from the firm. This case, brought by Judith Hawarden, who fell victim to a Business E-mail Compromise (BEC) scam, was a profound test of the legal implications for companies and their obligations under the Protection of Personal Information Act (POPI Act).
Judith Hawarden purchased a property and transferred R5.5 million to what she believed was ENS’s bank account. However, the e-mail containing the payment instructions was intercepted and altered by fraudsters, redirecting the funds to their account. Initially, the Gauteng High Court found ENS liable, citing the firm’s failure to warn Hawarden about the risks of BEC and inadequate security measures. The court imposed punitive costs on ENS, emphasising the firm’s duty of care even though Hawarden was not its direct client.
However, the SCA, in a unanimous decision, overturned the High Court’s ruling. The appeal, led by Acting Judge Fathima Dawood, emphasised that extending liability to ENS would have broader, unpredictable consequences for all creditors who send their bank details via e-mail. The court highlighted several key points:
- No Legal Duty to Warn: The SCA ruled that ENS did not have a legal duty to warn Hawarden about the risks of BEC or to protect her from e-mail fraud. This was particularly pertinent as Hawarden had been previously warned by her estate agent, Pam Golding Properties, about the risks of cyber fraud.
- Responsibility to Verify: The court noted that Hawarden had the means and knowledge to verify ENS’s bank account details, as she had done with the estate agent earlier. Her failure to verify the details was a critical factor in the ruling.
- Indeterminate Liability: Extending liability to ENS could create a scenario of indeterminate liability, where creditors might be held responsible for fraudulent activities beyond their control. This could lead to unreasonable and extensive legal obligations for all businesses and professionals.
Implications for Companies under the POPI Act
The SCA’s decision has significant implications for companies, particularly regarding their compliance with the POPI Act. The POPI Act requires organisations to implement appropriate measures to protect personal information against loss, damage, and unlawful access. There are the key takeaways from this ruling for companies:
- Heightened Security Measures: While the ruling absolves ENS of liability, it underscores the importance of robust cybersecurity measures. Companies must ensure that their communication channels, especially e-mails containing sensitive information, are secure. This includes using encrypted e-mails, secure portals, and multi-factor authentication to prevent interception.
- Clear Communication Protocols: Companies should establish and communicate clear protocols for verifying sensitive information. Clients and customers must be educated on the risks of cyber fraud and the steps they should take to verify communications, especially involving financial transactions. This proactive approach can mitigate risks and ensure compliance with the POPI Act.
- Documentation and Warnings: The decision highlights the necessity of documented warnings about cyber risks. Similar to the warnings provided by Pam Golding Properties, companies should include disclaimers and advisories in their communications to alert clients about potential fraud risks and encourage verification of account details.
- Client Responsibility: The ruling reinforces that clients also have a role in protecting themselves. Companies should encourage clients to verify any instructions received via email through direct, independent communication channels.
The SCA’s ruling in favour of ENS sets a precedent that limits the extent of liability for companies in cases of cyber fraud involving third-party interactions. However, it also serves as a reminder of the critical need for stringent cybersecurity measures and clear communication protocols.
For companies required to comply with the POPI Act, this ruling should be a catalyst to review and strengthen their data protection strategies, ensuring both compliance and the safety of their clients’ information. By doing so, companies can protect themselves from potential liabilities while fostering a secure environment for their business transactions.
By Gaby Meintjes | Director