TAKE HEED TO THE CALL: "ITS YOUR STACKS, PROTECT THEM"- THE COURT ORDER IN ENS & HAWARDEN SCA

I had previously written a case commentary when this matter was adjudicated upon by the High Court. But now we are here, part two, Supreme court of appeal given the responsibility to decide the fate of debtor and creditor not just in this matter but for social order in South Africa.

Factual Matrix

1. The Transaction and Initial Warning

Ms. Hawarden purchased a property for R6 million from the Davidge Pitts Family Trust in May 2019 . ENS acted as the conveyancers for the seller (the Trust), meaning Ms. Hawarden was not a direct client of ENS . Notably, at the start of the transaction, the estate agent (Pam Golding Properties) sent Ms. Hawarden a warning regarding cybercrime and advised her to telephonically verify banking details . Ms. Hawarden heeded this warning and successfully verified the deposit details telephonically .

2. The Cyber Fraud (Business Email Compromise)

Months later, on 20 August 2019, an ENS secretary, Ms. Maninakis, emailed Ms. Hawarden the guarantee requirements and ENS's correct banking details . However, cyber criminals had already infiltrated Ms. Hawarden’s email account . They intercepted the legitimate email and, on 21 August 2019, sent a fraudulent email purporting to be from Ms. Maninakis . This email contained altered banking details (belonging to the fraudsters) and a subtle change in the email address from africa to afirca .

3. The Failure to Verify

Ms. Hawarden elected to pay the R5.5 million balance via electronic transfer rather than a bank guarantee . While physically present at her bank (Standard Bank) to effect the transfer, she spoke telephonically with two ENS employees (Ms. Maninakis and Mr. Carrim) regarding interest rates and guarantees . Despite having these direct lines of communication open, she did not verify the bank account details with them . She proceeded to transfer R5.5 million into the fraudster's account . The funds were withdrawn and lost before the fraud was discovered .

Legal Analysis

The central legal issue was wrongfulness: whether ENS owed Ms. Hawarden a legal duty to prevent the loss caused by the hackers .

1. Principles of Pure Economic Loss

The court reiterated that causing "pure economic loss" (financial loss without physical damage) via an omission (failure to act) is not prima facie wrongful . For liability to attach, public and legal policy must require that the defendant compensates the plaintiff .

2. Policy Consideration: Risk of Indeterminate Liability

The SCA held that imposing a legal duty on ENS would create a "risk of liability in an indeterminate amount for an indeterminate time to an indeterminate class" . The court reasoned that if ENS were held liable, all creditors who send bank details by email would effectively be required to protect their debtors against the risk of interception, which is legally untenable .

3. Policy Consideration: Vulnerability to Risk

The most critical factor in the court's decision was the concept of vulnerability. A plaintiff is not "vulnerable to risk" if they could reasonably have taken steps to protect themselves .

• Availability of Protection: The court found that Ms. Hawarden had "ample means to protect herself" . She had been previously warned of the risk by the estate agent .

• Opportunity to Act: She could have verified the banking details while speaking to ENS employees or asked her own banker, Ms. Shabalala, to assist in verification .

• Conclusion: Because she could reasonably have avoided the risk by other means (a phone call), she was not vulnerable, and thus no legal duty should be imposed on ENS .

4. Causation Note

The court also noted that a warning from ENS might have been meaningless because the hackers were already "embedded" in Ms. Hawarden's email account by the time the relevant correspondence occurred .

The Court's Order

The SCA set aside the High Court's order and replaced it with the following :

Implications for Lived Realities

This judgment establishes a strict precedent regarding personal responsibility in the digital age. Here are the practical implications for individuals and businesses:

1. The "Verify or Perish" Standard

The judgment imposes a heavy burden on the payer. If you are making a payment—especially a large one—based on details received via email, you are expected to verify those details independently (e.g., via a phone call to a verified number) . Failure to do so likely means you must bear the loss yourself, as the law will view you as having had the means to protect yourself .

2. Limited Professional Liability for Third-Party

Professionals (attorneys, conveyancers) and creditors are generally not liable for losses suffered by non-clients due to cybercrime, provided the professional did not negligently cause the breach in their own systems. They are not the "insurers" of the public against cyber risks .

3. Cyber-Literacy is a Legal Expectation

The court effectively ruled that ignorance or negligence regarding cyber threats is not an excuse. Since warnings about Business Email Compromise (BEC) are now common (as seen with the estate agent's warning in this case), individuals are expected to be aware of these risks and act with caution .

4. Banking Protocol

The judgment highlights the role of banks. Ms. Hawarden was at her bank, with a bank employee, yet the fraud occurred. While the bank was not the defendant here, the court noted that Ms. Hawarden could have utilized the bank's resources to verify the destination account . This suggests that individuals should actively request bank staff to verify account holders when performing high-value transfers.