This is the first of a series of articles addressing the legal obligation to establish and maintain proper information security aimed at avoiding unauthorised access to and protecting the confidentiality of client information. The LSSA has consulted with experts relating to BEC and will also be engaging with the Fidelity Fund, SABRIC, major vendors of attorneys’ software and information and communication technology service providers to provide more comprehensive information addressing information security and avoiding or mitigating losses occasioned by BEC.
Among the scams that have increased exponentially in recent years is what is termed “Business eMail compromise” (“BEC”). It is estimated that in 2018 global losses attributable to BEC will exceed $9 billion (approximately R121 billion).
South Africa, partly due to its failure to properly introduce and enforce legislation governing the protection of personal information and the failure of entities and or persons processing personal information to implement appropriate security measures, are easy targets for cyber criminals. South Africans are contributing significantly to BEC losses and one of the attack vectors is against attorneys and their clients. This article examines the nature of this cybercrime and the liability and potential liability of attorneys.
In an article ‘Business Email compromise: The Secret Billion Dollar Threat’ published in the information security journal “Tripwire” on the 27th February 2018 it is stated that:
“Often in the shadow of more extravagant, media-friendly super hacks or ransom ware compromises, BEC is leading the line on both the number of attack victims and the direct losses encountered by businesses.”
The attack is not a sophisticated technology attack. It is a simple fraud that leverages social engineering tactics to deceive a recipient into typically making a payment to a bank account controlled by criminals.
The scope of this article does not allow us to deal with all of the modus operandi that may be applied, nor the different nuances of this type of attack. Suffice to say that a number of attorneys have been duped into paying money (very often money held in trust for clients) to criminals; whilst clients have been duped into paying money (in some cases large sums of money typically due by the client in conveyancing transactions) into accounts controlled by the criminals.
As with any social engineering attack, the success of the attack depends largely on being able to masquerade credibly as the party to whom the payment is due. The attacks are exceptionally well thought through and structured. They are not a scattergun approach hoping that a victim will be recklessly negligent or stupid, but rather adopt an analytical consideration of communications passing between the parties enabling the criminals to insert an appropriate communication that is in context with the expected communications and would probably deceive the most reasonable recipient into believing the communication is legitimate. The communications replicate the letterheads, logos and information identical in almost every aspect to what a client may expect from the attorney, save for the bank account details, which are bank accounts controlled by the criminals. The eMail addresses are carefully constructed and it can be extremely difficult to detect a variation from the eMail address normally used by the addressor . For instance, the character I may be replaced by the numeral 1. A very similar name may be used to that of an attorney’s staff member communicating with the client with minor variations in spelling. A punctuation mark may be added or omitted in the eMail address. Even to careful recipients of the communication the eMail’s credibility is typically re-enforced by the context and timing of the communication.
The reaction of attorneys where a client has made a payment into an incorrect banking account is often that the client was negligent. A closer examination, however, may reveal that the attorney may be negligent if the attorney has not properly safeguarded information processed by the attorney or the information and communications technologies used in processing the information. Failure to implement appropriate information security may render the attorney guilty of contributory negligence. Indeed, the failure in security may be the primary or proximate cause of the loss suffered by the client.
Although the requirement for cyber competence and security has been in place in many jurisdictions and is mandated and enforced by Bar Associations and Law Societies around the world, there is no similar requirement placed on South African attorneys. With a few shining exceptions, South African attorneys do not pay much attention to information security. The result is often that information processed and communicated by attorneys is insecure and is easily accessed by criminals. There are several contributory factors:
As a result of these failures the attorney may not discharge the corporate responsibility to establish and maintain information security as required in terms of the Companies Act read with King IV or to establish the technical and organisational measures to prevent unauthorised access, loss or destruction of information. This obligation is an express stipulation of the Protection of Personal Information Act, requiring that processors of personal information establish and maintain appropriate technical and organisational measures to protect the confidentiality and integrity of personal information. These failures are, it is submitted, also a failure to comply with the professional duty of attorneys to ensure that their clients’ information remains secure and confidential.
Against this background it is critical that attorneys fulfil their duty of care to clients by advising them of the potential for BEC. The communications must ensure that the client understands their responsibility to diligently ensure that payments are made to the correct bank account. In addition, attorneys must also understand that in order to avoid potential civil and criminal liability they too must fulfil their responsibility to establish and maintain a proper information security management system to protect their own information and that of their clients.