Gerber v PSG – A case discussion.
In a recent judgment, the local division of the Gauteng High Court in Johannesburg ordered PSG Wealth Financial Planning (Pty) Ltd to reimburse an investor, Mr. Gerber, more than R800,000 in cash after Gerber’s email account was hacked.
Gerber held investments with PSG in the total amount of R 855 413, which could be paid out in cash on his request. Gerber’s portfolio was managed by Mr Jonathan Fisher in his capacity as Gerber’s representative.
On 03 October 2019, an unusual request arrived that appeared to come from Gerber’s email account: a cash payment in the amount of R250,000. It was something that he had never requested before, seeing that the purpose of the investment was to fund retirement. The email also requested that his banking details be changed from Nedbank to FNB. Fisher responded via email, stating that all was in order with the withdrawal and that it would take three days for the funds to be made available. He also asked for a current FNB statement showing the new banking details, but instead, he received a letter appearing to be from FNB with an official bank stamp in response. The letter stated that the FNB account was more than 17 years old and provided a mobile telephone number where the writer of the letter could be contacted.
Fisher instructed his assistant to send an email to PSG’s central client services, asking that Gerber’s ‘new account’ be verified and loaded so that the payment could be released. PSG’s Bank Verification Panel then released a document showing that the verification failed, because the identity attached to the account did not match the client details, the account was not more than three months old, and neither the phone number nor email address attached to the account was ‘valid’. Client services further indicated that FNB was not willing to confirm telephonically that the account belonged to Gerber.
Despite the above, Fisher instructed his assistant to send an email to Gerber to confirm that the account belonged to him and that the payment could be made. She received a response that all was in order and that the payment could be made into the nominated account. She then called Gerber and informed him that “the money” would be paid into his account on that day, to which he responded, “goed so”. He later testified that he believed the reference to be to internal transactions in his investment account.
On 15 October 2019, another request for an additional payment was received via email. The payment was again successfully made three days later, in the process wiping out most of Gerber’s investment.
The hackers then requested a statement showing all of Gerber’s investments, which was provided by the assistant, together with a statement of his wife’s portfolio. A request then followed for a withdrawal of R400,000 from his wife’s investment account. Fisher’s assistant then became suspicious, because the language and syntax of the email were not grammatically correct in Afrikaans. Fisher then called Mrs. Gerber and asked her about the request to liquidate R400,000. She of course knew nothing about it and referred Fisher to her husband. All parties then finally realised that they had been the victims of fraud.
Gerber subsequently launched an action against PSG to recover the lost monies, pleading that PSG was obliged to exercise the necessary skill, care and diligence to ensure that the monies held by it in trust did not fall prey to fraud, that it breached this obligation and that such breach led to his loss.
PSG’s defence was that there was a tacit term in the contract between it and Gerber which excluded its liability under circumstances where Gerber’s computer system was hacked due to his own negligence, seeing that he did not take all reasonable steps to protect his computer system against hacking. Secondly, PSG raised a defence in contract that it had complied with the express terms of the agreement.
The Court held that a tacit term cannot be imported into a contract on any question to which the parties have applied their minds and for which they have made express provision in the contract. Given that PSG’s obligation to protect its client against fraud was express, PSG had to prove that this express duty was conditional on the client taking certain steps. The Court found that the alleged tacit term was not proved by PSG. The Court in any event remarked that Gerber did testify that his system was password protected and that he had effective virus protection software installed, which evidence was not challenged by PSG. The Court found illogical the argument that the Plaintiff was expected to assume responsibility for cyber-crime such as this, given the express duty of the Defendant to protect him against fraud in his dealings with the Defendant.
The Court then held that PSG also did not comply with the express terms of the agreement, seeing that they did not follow their own protocols in verifying the bank account.
The Court concluded that the contractual obligation of PSG to its clients was to have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that the clients will suffer financial loss through theft or fraud. These obligations must be construed in the context that cybercrime is universally recognised as a scourge. PSG did not establish that it complied with its contractual obligations to protect Gerber against cybercrime and was therefore ordered to refund Gerber, together with interest on the amount.
The judgment in this matter is welcomed and gives some comfort to consumers who invest their life’s savings with financial service providers. The sad reality is, as the Court remarked, that “hacking must be regarded as an inevitable and intractable scourge”. It will not abate. The public gives their money to prominent businesses and pays them fees and commissions to keep them safe.
By George Herbst | Director