Are legal practitioners proficient in the conduct of their business?

In the recent case of Fourie v Van der Spuy and De Jongh Inc and Others (GP) (unreported case no 65609/2019, 30-8-2019) (Klein AJ) it was found that the legal practitioners were negligent, when they relied on an e-mail providing bank account details into which money held by the legal practitioners in trust was to be paid. The e-mail had been intercepted and the bank details changed to those of an account controlled by cybercriminals.

The judgment has a wider implication. Indeed, Leach JA (Nugent and Pillay JJA, Southwood and Erasmus AJJA concurring) in Margalit v Standard Bank of South Africa Ltd and Another 2013 (2) SA 466 (SCA) at para 23 quoted De Villiers CJ in Van der Spuy v Pillans 1875 Buch 133 at 135 as saying:

‘Every attorney is supposed to be reasonably proficient in his calling, and if he does not bestow sufficient care and attention, in the conduct of business entrusted to him, he is liable; and where this is proved the court will give damages against him.’

The question that this begs is whether legal practitioners who use modern information and communication technologies in the conduct of their business are ‘reasonably proficient in their calling’? As a practitioner who has dealt with information and communication technologies and the law that is evolving to address both the enormous benefits the information revolution holds, but also the abuse that may be catastrophic to unsuspecting victims, my view is that with a few shining exceptions the answer to this question must be a resounding no.

In 1996 I approached the Executive Council of the Association of Law Societies (as it was then known) to address this issue. At the time, I was dismissed and since then sporadic efforts have been made by the profession to ensure that attorneys are educated in the use and risks of modern technologies. These efforts have been all too few and have lacked the ‘political will’ and support of the leaders of the profession. Despite it being a requirement around the world that legal practitioners be cyber-capable, in South Africa we have chosen to be blind to the reality of the 21st century.

The business e-mail compromises referred to above, cost the legal practitioners in the case R 1,75 million. The Legal Practitioners’ Indemnity Insurance Fund NPC advises that it has repudiated claims in excess of R 90 million since the exclusion of cyber-liability. In my dealings with the profession relating to education, both at academic institutions and in practical legal training, the excuse that has been made in dismissing suggestions to ensure proper training has often been one of cost. As the saying goes ‘if you think education is expensive, try ignorance’. Indeed, R 90 million would have bought a whole lot of training.

Will the profession learn and take positive steps to rectify its own lack of proficiency, or will we doggedly cling on to 19th and 20th century practices? Those who are unwilling or unable to embrace the future will ultimately not only harm themselves, but also their clients, and of course the profession.

Mark Heyink BA LLB (Wits) H Dip Company Law (Wits) is a legal practitioner
at Mark Heyink Information Attorney in Johannesburg.

Response from the Legal Practitioners’ Indemnity Insurance Fund NPC

The Legal Practitioners’ Indemnity Insurance Fund NPC (LPIIF) has read the letter from Mark Heyink ‘Are legal practitioners proficient in the conduct of their business?’

The LPIIF supports the point made that legal practitioners must be aware of new and emerging risk areas, such as cyber risk. In recent years, legal practitioners around the world have increasingly been the target of cybercrime. Legal practitioners in South Africa have also suffered losses as a result of cyber risks. In considering the risks in the operating environment of a legal practice and developing appropriate internal controls and other risk mitigation measures, cyber risk must be one of the risks considered. The education program for legal practitioners and their support staff must include cyber risk (and all other emerging risks). Rule 54.13 of the Legal Practice Council Rules places an obligation that, before making any payment of any amount due to a client, legal practitioners must verify the banking details of the client and any subsequent changes to the banking details. Adherence to this rule will mitigate the risk of payments into fraudulent or phishing accounts. Adequately addressing all risks will protect legal practitioners, their clients and all other stakeholders.

This article was first published in De Rebus in 2019 (Dec) DR 4.