The High Court in South Africa has ordered one of Africa’s largest law firms, ENSAfrica, to pay a property buyer the sum of South African Rand 5.5M (about $310,000/1.17Bn UGX), being monies she lost to online fraudsters in a conveyancing (transfer of property) transaction handled by the firm.
On top of this money, the law firm was further nailed with “punitive” costs for harassing the property buyer by using irrelevant personal information about her grueling divorce, plus the costs of her lawyers.
Hackers, in a form of online fraud commonly known as “Business Email Compromise” (BEC), intercepted the law firm’s email communications with Judith Hawarden, a retired social activist who sought to buy property from a family that had instructed the law firm to handle the transfer of the property between the two parties.
The law firm had emailed its bank details, contained in a PDF document, to Ms. Hawarden so that she could deposit the money into its account for the benefit of the firm’s client.
Unknown to both Hawarden and the law firm’s conveyancing secretary, their email communication had been compromised, with hackers replacing the law firm’s bank account details with their own.
And so Hawarden sent money meant to pay up for the property to the fraudsters.
High Court Judge Phanuel Mudau faulted the law firm, as an “experienced conveyancer”, for not warning Judith Hawarden about Business Email Compromise, a common occurrence in online business transactions, especially in the conveyancing business, summarily finding the law firm negligent and responsible for causing the enormous economic loss.
One would imagine the law firm only owed a legal duty of care to its client, in this case the property seller, but Judge Mudau found that in a conveyancing transaction the conveyancer (usually a lawyer/law firm) does in fact owe such a duty of care to the party at the other end of the transaction, to warn him/her of business email compromise.
“Viewed objectively, the plaintiff (Judith Hawarden) cannot be faulted for placing her trust in the defendant (ENSAfrica) who she knew was a very large and reputable law firm.
“On her version, which I accept and cannot fault, she did not think she needed to seek advice as she was dealing with a law firm whose reputation went before it.
“She, as indicated, gave credible and consistent evidence that the possibility of BEC did not occur to her and that she trusted the defendant. Under such circumstances, a duty clearly exists between a purchaser in a conveyancing transaction and the conveyancing attorney handling the transaction,” Judge Mudau ruled, adding:
“I have no difficulty in finding that the defendant’s banking details were financially sensitive information regarding this matter and needed to be treated as such. I have no difficulty in concluding that the risk of BEC was foreseen by ENS. ENS is undoubtedly an experienced conveyancer which understood risks inherent in conveyancing transactions.”
More than anything else, this Court Judgement highlights the fecklessness with which we, users of electronic transmissions, including persons supposed to know better than the rest of us such as business leaders and lawyers, conduct our affairs including high stakes business transactions.
For example, during the Court’s consideration of this case, it became apparent that the person in charge of the transaction was herself ignorant about BEC and that the law firm had not integrated information security and integrity training into its induction of employees.
The firm’s Information Technology (IT) personnel appeared ignorant of “industry grade” tools that could have gone a long way in securing the transaction.
One such tool that the “joint team of experts” in the case vouched for was DomainKeys Identified Mail (DKIM) used in conjunction with Sender Policy Framework (SPF).
With these, a notification would have been sent to the law firm that its email had been compromised, because the attackers altered its email address: “ensafrica.com” became “ensafirca.com”. As you can see, only those with a hawk eye can detect the difference, more so in a fast-paced business transaction.
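The near-miss domain described above can also be caught mechanically by comparing the sender's domain against the one the recipient expects. The following is an added example, not taken from the judgment or the experts' evidence; the trusted-domain list, the two-edit threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"ensafrica.com"}  # assumption: domains the recipient expects
MAX_EDITS = 2                        # assumption: near-miss threshold

# Constructed sample messages (addresses and wording are illustrative only).
SAMPLE_GENUINE = ("From: Conveyancing <secretary@ensafrica.com>\n"
                  "Subject: Bank details\n\nSee attached PDF.\n")
SAMPLE_LOOKALIKE = ("From: Conveyancing <secretary@ensafirca.com>\n"
                    "Reply-To: secretary@ensafirca.com\n"
                    "Subject: Bank details\n\nSee attached PDF.\n")

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent characters costs 1."""
    # First row and column hold the cost of building a prefix from nothing.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]

def domain_verdict(domain):
    """Classify a sender domain as trusted, lookalike or unknown."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(osa_distance(domain, t) <= MAX_EDITS for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

def check_message(raw):
    """Map each sender header present to (domain, verdict)."""
    msg = message_from_string(raw)
    result = {}
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            domain = addr.rpartition("@")[2].lower()
            result[header] = (domain, domain_verdict(domain))
    return result
```

A "lookalike" verdict on a message that carries payment details is the cue to hold it and confirm the details by another channel.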
Nonetheless, email is an unsafe way of transmitting sensitive financial information, the experts unanimously agreed, and all counselled that a “telephonic” confirmation of the bank details would have been the easiest, cheapest and best option.
Something like: “Hey, Judith, please write down our bank details.”
Or; “Hey, Judith, please read me the bank account details you have.”
In a bid to play down the extent of its carelessness, ENSAfrica lined up fellow conveyancers who told Court that it was “practice” to send bank details via email as a PDF attachment.
In fact, ENSAfrica went ahead to tell Court that by finding it liable, the Court would expose many other conveyancers to similar suits.
Apparently, these conveyancers did not know a PDF document could be edited until the “joint team of experts” showed them how “simple it was to alter a PDF document.”
“I will after seeing this demonstration by you, look to more secure means to communicate this information in the future,” one of ENSAfrica’s witnesses told the Court.
What a reckoning moment!
Benjamin Ahikiiriza is a Legal Writer and Digital Communications & Marketing Specialist majoring in lawyers, law firms and the larger legal sector.
Benjamin currently works as the Director of Content and Business Development at LegalReports.