A blog by Thabani Njozela – Senior Legal Officer at World Wide Industrial and Systems Engineers
In 2023, Judge Mudau handed down a high court judgment in the matter of Judith Mary Hawarden v Edward Nathan Sonnenberg Inc (ENS), which found ENS liable for the financial loss suffered by Hawarden and ordered the firm to remunerate her in the amount of ZAR 5.5 million. However, in June 2024, on appeal, the Supreme Court of Appeal overturned this decision, which created a significant discourse around legal responsibility in an era of escalating cybercrime.
Background
Ms Hawarden, a senior citizen (pensioner), bought a property from the Davidge Pitts Family Trust for ZAR 6 million. The appointed estate agent, Pam Golding Properties (PGP), initially provided her with banking details via email, accompanied by a cautionary notice about cyber fraud, phishing, and email interception. Acting under the advice of the estate agent, Ms Hawarden confirmed the details telephonically before making her deposit payment of ZAR 500,000.
However, on 21 August 2019, she received a fraudulent email which on the face of it seemed to be from ENS and provided banking details for the balance of the purchase price. Unlike her earlier due diligence, she failed to verify these details with ENS directly and proceeded to transfer ZAR 5.5 million to the fraudulent account. By the time the fraud was discovered, the funds had been withdrawn, and recovery was impossible. Ms Hawarden subsequently sued ENS for failing to protect her from cyber fraud.
Legal Considerations
The most imperative question before the courts was: Who bears responsibility for safeguarding against cybercrime?
In determining liability, the law of delict requires that the following elements be established:
- Conduct – A wrongful act or omission by the defendant.
- Fault – Negligence or intent on the part of the defendant.
- Harm – A quantifiable loss suffered by the plaintiff.
- Causation – A direct link between the defendant’s conduct and the harm suffered.
The Supreme Court of Appeal ultimately held that ENS’ omission was not wrongful in the legal sense. Wrongfulness in the context of omissions arises only where legal or public policy considerations demand liability. The court found that Ms Hawarden had the means and knowledge to verify the banking details but failed to do so. Thus, shifting responsibility to ENS would create indeterminate liability, imposing an unreasonable burden on all legal practitioners.
Arguments from Both Sides
ENS (Plaintiff)
ENS argued that while attorneys owe clients a duty of care, this does not extend to protecting them from cyber fraud where reasonable precautions are within the client’s control. ENS maintained that:
- Cyber fraud is an evolving global threat that requires vigilance from all parties.
- Ms Hawarden had been expressly warned about email-based fraud in her initial dealings with PGP but failed to apply the same caution to ENS.
- The fraudulent email resulted from her email account being compromised, not ENS’ systems.
- Holding ENS liable would expose all conveyancers and legal professionals to similar claims, making them insurers against cyber fraud.
Ms Hawarden (Defendant)
Conversely, Ms Hawarden argued that:
- As an experienced legal firm, ENS should have implemented greater cybersecurity measures such as encrypted emails, multi-factor authentication, or alternative verification processes for banking details.
- ENS failed to warn her directly of the risks before the second, larger payment.
- The firm should have followed up with her to confirm receipt of funds promptly, which may have expedited fraud detection.
A Nietzschean Warning: The Abyss of Cybercrime
Friedrich Nietzsche once famously stated, “He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you.”
Cybercrime represents a modern abyss, one which individuals and institutions must not recklessly stare without due caution. Digital fraudsters evolve with every new technological safeguard; thus, complacency is not merely negligence but an open invitation for exploitation. Nietzsche’s warning serves as a reminder that power without wisdom breeds downfall be it the power of knowledge, financial resources, or legal expertise.
This case exemplifies the moral and legal imperative for both individuals and institutions to assume responsibility. Lawyers and businesses must implement proactive cybersecurity measures, but individuals, too, must remain vigilant, acknowledging that no institution can ever fully safeguard against human error and deception.
Conclusion
The Hawarden v ENS case underscores the balance between professional duty and personal responsibility. The Supreme Court’s decision establishes a precedent that individuals must exercise reasonable caution in financial transactions. While legal and financial professionals should take active steps to secure their communications, clients must also recognise their role in verifying sensitive information.
Cybercrime is not merely a legal problem, it is a societal one. As digital threats grow more sophisticated, our defence must evolve in equal measure. To ignore this reality is to gaze blindly into Nietzsche’s abyss, hoping it does not consume us.
Ultimately, the burden of cybersecurity is not an isolated one, it is a shared duty requiring cooperation, education, and unwavering diligence from all parties involved.