In the Fourie case, the client of a law firm (the Applicant) applied to the High Court seeking an order for damages against two practicing attorneys and their law firm (the Respondents) after one of the attorneys (the Attorney) had erroneously transferred the Applicant’s funds out of the law firm’s trust account and into several bank accounts held by one or more unknown hackers.
The Attorney had previously acted for the Applicant and was holding the funds in the law firm’s trust account for the benefit of the Applicant, who had instructed the Attorney to retain the funds on his behalf. The Attorney subsequently received a number of emails purportedly sent from the email address of the Applicant, informing her of the “Applicant’s” new banking details and instructing payment of the funds into a number of bank accounts. The Attorney paid the funds as instructed, without verifying the new banking details with the Applicant. It was only after the Attorney had transferred the funds into the new bank accounts that it was discovered that one or more unknown hackers had hacked the Applicant’s email and provided the details of their own bank accounts – wherein the funds had erroneously been deposited by the Attorney.
The High Court said that “[t]he [Attorney] was negligent and failed to exercise the requisite skill, knowledge and diligence expected of an average practicing attorney and thus failed to discharge her fiduciary duty to the Applicant by transacting via e-mail whilst full-well knowing that fraud is prevalent in her profession and not employing any measures to ensure that neither she, nor the Applicant will fall victim to fraud.” The court rejected the Attorney’s defence that a fraud had been perpetrated which had released her from her duty to account to her client, and concluded that the Attorney was, in fact, liable for her negligence. The Respondents were held jointly and severally liable for the loss suffered by the Applicant, with the High Court ordering the Respondents to pay the loss suffered by the Applicant over to the Applicant with interest.
While the Fourie case primarily dealt with the principles concerning the nature of trust accounts and an attorney’s duty of care owed to his/her client, it highlights the potential damage that can be caused by cyber criminals. Given the nature of cybercrimes, it is unfortunate that the victims of these crimes are forced to litigate against each other while the actual cyber criminals get away with the money! These injustices will, however, be addressed with the South African National Assembly having passed the Cybercrimes Bill of 2018 (B 6B—2017) (the Cybercrimes Bill) in November 2018. The Cybercrimes Bill (although not yet enacted into law) aims to criminalise both hacking and cyber fraud – two separate offences which the hackers in the Fourie case would potentially have been charged with had they been identified and subjected to investigation by the South African Police Services (SAPS). The offence of hacking (referred to in the Cybercrimes Bill as “unlawful access”) carries a penalty on conviction of a fine (unspecified) and/or imprisonment for a period not exceeding five years whilst a conviction on a charge of cyber fraud grants the court a discretion to impose a penalty that it deems appropriate under section 276 of the Criminal Procedure Act 51 of 1977.
Given the inadequacy of the current regulatory regime applicable to cybercrimes in South Africa, the Cybercrimes Bill is a beacon of hope for victims of cybercrime such as the Applicant and the Respondents in the Fourie case. The enforcement of such law by the SAPS and prosecuting authorities (once the Cybercrimes Bill is enacted) will, however, be pivotal in bringing cyber criminals to justice.