Legal ruling on email hacking and payments


Summary

Recent legal rulings on email hacking and payments clarify how courts assign responsibility when fraudsters manipulate invoicing or payment instructions via compromised email accounts. These decisions emphasize the importance of verifying authority and security in email-based payment processes, offering guidance to businesses and individuals on how to avoid costly mistakes.

  • Confirm payment instructions: Always double-check bank details by contacting the intended recipient through established channels before making a payment, especially if you receive new or revised instructions.
  • Strengthen email security: Use end-to-end encryption or strong password protection for sensitive documents sent via email to minimize the risk of unauthorized changes or interception.
  • Assess sender authority: Do not rely solely on the sender’s email address as proof of authenticity; make sure the person giving payment instructions has legitimate authorization to represent the company or individual.
Summarized by AI based on LinkedIn member posts
  • Martin Zwick

    Lawyer | AIGP | CIPP/E | CIPT | FIP | GDDcert.EU | DHL Express Germany | IAPP Advisory Board Member

    Are You at Risk of Paying Twice?

    Today, I want to go back to 2 recent court rulings in Germany regarding encryption and data protection.

    Key Takeaways from the Court Decisions

    1. OLG Schleswig-Holstein Decision (2024) (B2C; GDPR applied):
       - The court ruled that a payment made by a customer to a third party's account, due to unauthorized changes made to an invoice sent by email, does not fulfill the payment obligation under § 362(2) BGB. However, the customer can try to invoke a counterclaim for damages under Article 82(2) of the GDPR against the contractor in case of insufficient data protection measures as required by Art. 5, 24 and 32 GDPR.
       - The court emphasized that mere transport encryption (like TLS) is inadequate for protecting sensitive data. For sensitive information, end-to-end encryption is considered necessary, reflecting the heightened standards imposed by the GDPR.

    2. OLG Karlsruhe Decision (2023) (B2B; GDPR not applied):
       - The court stated that there are no specific legal requirements for security measures when sending emails in pure commercial transactions without PII. The nature and extent of necessary security measures should be determined by the reasonable security expectations within the relevant industry.
       - If a creditor fails to implement sufficient security measures resulting in a payment being made to a fraudulent account, the creditor may still retain the right to claim the owed amount. However, the debtor may counterclaim for damages if there was a breach of security obligations. However, proving this could be difficult.

    Practical Advice for Businesses

    For Sellers: Implement Strong Security Measures: For invoices (at least of significant value), it is crucial to protect them with end-to-end encryption or at least use a strong password for the zipped PDF file.

    For Buyers: Verify Payment Details: Always double-check the bank details before making any payments, especially if you receive revised invoices. Contact the seller directly through known channels if you notice discrepancies.

    OLG Schleswig-Holstein, Judgment of December 18, 2024 – Az.: 12 U 9/24
    OLG Karlsruhe, Judgment of July 27, 2023 – Az.: 19 U 83/22

  • Matthew McGhee

    Specialist commercial litigator | Twenty Essex

    On the (lack of) agency in an email address, and its relevance in cases of fraud:

    A recent appeal on costs – unusually, a successful one – included some interesting insights into the underlying, unreported claim. In M&S Restorations v Santander [2024] EWHC 2724 (KB), Dexter Dias J granted an appeal against a costs order made by a Circuit Judge following trial.

    The claim was made by a company against its bank, following the bank’s compliance with emailed instructions from fraudsters to make payments out of the company’s account. The judgment explains that the bank received an email from the account of the company’s director, directing it to make certain payments. The bank complied with this instruction. However, the instruction was given by fraudsters who (it was said) had hacked the director’s email account. The bank was liable to reimburse its customer for the sums paid out of its account.

    A few points of general interest arise:

    (1) Play the person, not the email address. The bank sought to argue that this was a case of impersonation, where (presumably) the bank considered itself entitled to rely on emails sent from the genuine email address of the company’s director. However, on well-understood principles of agency law, an email address does not have any authority. The question is whether the person sending the email had relevant authority on behalf of the customer. Plainly, a third party fraudster does not.

    (2) Keep claims simple. Both judges, at first instance and on appeal, explained that this was a straightforward case of breach of mandate. However, the claimant had needlessly complicated the case by raising alternative claims for breach of the Payment Services Regulations 2009, breach of contract, breach of contractual or tortious duties of care, breach of the Quincecare duty, and breach of the duty not to facilitate fraud. These claims were not relevant and the Claimant’s decision to advance them had negative costs consequences for it.

    (3) Don't assume system breach. It was stated that the director’s emails were hacked, suggesting that the fraudster used the genuine email account. From my experience of other cases, parties often believe that an email account has been compromised, but sometimes what has instead happened is that the email has been ‘spoofed’ – this is a relatively easy way of making an email from account A appear as though it has been sent by account B. I cannot say whether or not this happened in this instance, but raise it as a point to investigate in any situation of an apparent email ‘hack’.
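Point (3) above, as an added example that is not part of either post: a small Python triage that reads the receiving server's Authentication-Results header (SPF, DKIM, DMARC) and checks whether the visible From domain matches the Return-Path domain, run over two constructed messages with hypothetical domains. A message that fails these checks points towards spoofing; one that passes them genuinely left the sender's mail system, which is where an account-compromise investigation should start.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: spoofed payment-instruction mail. SPF/DKIM/DMARC fail and the
# Return-Path domain differs from the visible From domain (hypothetical domains).
SPOOFED_SAMPLE = b"""\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=fail header.d=example-corp.com; dmarc=fail header.from=example-corp.com
From: "Jane Director" <jane@example-corp.com>
To: payments@example-bank.com
Subject: Updated bank details for invoice 4711

Please send the payment to the new account below.
"""

# Constructed sample: same request, but every check passes and the domains align,
# so the mail really was sent through the genuine domain (possible compromised account).
GENUINE_SAMPLE = b"""\
Return-Path: <jane@example-corp.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
From: "Jane Director" <jane@example-corp.com>
To: payments@example-bank.com
Subject: Updated bank details for invoice 4711

Please send the payment to the new account below.
"""

def parse_auth_results(header: str) -> dict:
    """Extract method=verdict pairs (spf, dkim, dmarc) from an RFC 8601 header."""
    results = {}
    for clause in header.split(";")[1:]:  # first clause is the authserv-id
        parts = clause.strip().split()
        if parts and "=" in parts[0]:
            method, verdict = parts[0].split("=", 1)
            results[method.lower()] = verdict.lower()
    return results

def triage_message(raw: bytes) -> dict:
    """Classify a raw message as likely spoofed or as genuinely authenticated."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    aligned = from_domain == rp_domain
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    verdict = ("authenticated: investigate account compromise"
               if authenticated and aligned else "not authenticated: likely spoofed")
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "auth": auth, "aligned": aligned, "verdict": verdict}
```

A missing Authentication-Results header (no checks were run at the edge) produces the "not authenticated" verdict too, which is the conservative outcome for a payment-instruction change.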
