South Africa: South Gauteng High Court, Johannesburg

Nashua Mobile (Pty) Ltd v GC Pale CC t/a Invasive Plant Solutions (A3044/2010) [2010] ZAGPJHC 112; 2012 (1) SA 615 (GSJ) (18 November 2010)


IN THE SOUTH GAUTENG HIGH COURT

(JOHANNESBURG)

REPORTABLE



CASE NUMBER: A3044/2010

DATE: 18/11/2010

In the matter between:

NASHUA MOBILE (PTY) LTD

Appellant / Defendant a quo


and


GC PALE CC t/a Invasive Plant Solutions

Respondent / Plaintiff a quo




_____________________________________________________________________

JUDGEMENT

_____________________________________________________________________


NGALWANA AJ


Introduction


[1] This is an appeal against the order of the additional magistrate who presided in the civil court for the district of Randburg. The order was handed down on 3 December 2009.


[2] In this judgment I shall, for the sake of convenience, refer to the appellant as “the defendant” and to the respondent as “the plaintiff”.


[3] The plaintiff had instituted a delictual action against the defendant¹ for losses suffered when unauthorised money transfers were effected out of the plaintiff’s internet bank account by a person (unknown to the plaintiff and unauthorised by it to do so) who managed to obtain from the defendant a SIM card (through a process known as “SIM swap”) containing the cell-phone number of an employee of the plaintiff.


[4] The bank account out of which these unauthorised transactions were effected was held with Nedbank. The plaintiff was at all material times the defendant’s customer and had numerous cell-phone contracts with the defendant.


[5] The defendant, by notice of motion and founding affidavit, also seeks condonation for the late filing of the record and late prosecution of this appeal. The plaintiff filed opposing papers resisting the condonation application, and in turn sought condonation for the late filing of its opposing papers. At the hearing of the appeal, counsel sensibly agreed that indulgence be granted in both instances and that no costs be ordered in either.


[6] Other issues have been raised concerning the admissibility of certain documents and whether or not the defendant’s staff who negligently acquiesced in the unauthorised request for a SIM swap did so in the course and scope of their employment. This line was not pursued in argument and so I say nothing further thereon. In any event, because of the view I take of this matter it is not necessary to decide those issues.


[7] This court knows of no similar case that has previously been decided by our courts, and counsel has pointed us to none, particularly in relation to the cell-phone industry.


The Facts


[8] The salient facts are largely common cause. The defendant called no witnesses and adduced no evidence in resisting the plaintiff’s claim. The version put up by the plaintiff’s three witnesses was not challenged. Thus, on the uncontested evidence the following facts emerge.


[9] Early in January 2008² a man walked into a Nashua Mobile outlet in Musgrave, Durban, and requested a SIM-card for a cell-phone number 082 804 9505. It was given to him. That cell-phone number belonged to a Hilda Barnard (“Barnard”) who worked for the plaintiff in George. She had registered it with Nedbank, George, as the number through which her internet banking transactions on the plaintiff’s bank account would be verified and notified. The man in question was unknown to her and the plaintiff.


[10] On Thursday 10 January 2008 amounts in excess of R160 000 were fraudulently transferred from the plaintiff’s Nedbank account (through a series of internet banking transactions) to beneficiaries unknown to Barnard and the plaintiff. (I pause here to point out that according to a Nedbank employee who testified for the plaintiff (“Albertyn”), a Nedbank accountholder would require a reference number, sent by the bank by SMS exclusively to the registered cell-phone number, in order to complete an internet banking transaction involving (a) the addition of a new payment beneficiary, (b) amendment of details of an existing payment beneficiary, and (c) making a once-off payment to a new beneficiary.)


[11] Since the fraudulent internet banking transactions involved, on the face of it, once-off payments to new beneficiaries, the first of these SMS reference numbers was sent by Nedbank to Barnard’s cell-phone number at 18h43 on 10 January 2008 according to a statement of facts that was admitted into evidence by agreement between the parties. By that time, Barnard was at home where she did not have access to a land line telephone. She noticed that she could not make calls on her cell-phone but thought nothing of it.


[12] At about 08h00 the following morning (Friday 11 January 2008) she called the defendant from her work telephone land line to ascertain why she could not make calls from her cell-phone. She was told by one Tyrone that a SIM swap had been authorised on her cell-phone number the previous day.


[13] When her boss (“Kuyler”) asked her around 09h00 that morning to make an internet payment out of the plaintiff’s Nedbank account to a new beneficiary, she was not able to access the account. Kuyler then called the George Nedbank branch, was invited to a meeting, and was informed that the details he required to access the internet account had been fraudulently altered and that some R160 940 had been transferred out of the plaintiff’s account. The bank managed to recover or reverse R24 786.19 of the fraudulent transfers. Kuyler reported the matter to the police.


[14] On Thursday 17 January 2008 Kuyler wrote a letter to Nedbank expressing a suspicion that Nedbank employees may be involved in the fraudulent transactions and demanding full reimbursement as a matter of urgency. He also advised that he would take action against the defendant for negligence.


[15] It is not clear what became of the demand against Nedbank because a summons was issued out of the Randburg Magistrates Court only against the defendant for R100 000, the balance of R36 153.81 having been abandoned in order to bring the claim within the jurisdiction of that Court.


The Cause of Action


[16] In its particulars of claim the plaintiff alleged that


[16.1] at all material times it had various cell-phone contracts with the defendant that were of full force and effect;


[16.2] one of those contracts was used by an employee of the plaintiff called Hilda Barnard;³


[16.3] the defendant owed it a duty of care not to effect unauthorised changes to the operation of the cell-phone under that contract;


[16.4] it was within the defendant’s power under that contract to prevent the fraudulent replacement of a SIM card in relation thereto;


[16.5] the defendant knew or ought reasonably to have known that the plaintiff relied on it to exercise reasonable care and skill in the replacement of a SIM card in relation to the contract;


[16.6] the defendant failed to adhere to the duty of care that it owed to the plaintiff by virtue of the contractual relationship in that it failed to ensure that the person obtaining the replacement SIM card was the rightful possessor of all rights to the cell-phone number to which that SIM card relates. This was unlawful and negligent.


The Evidence


[17] As has already been pointed out, the plaintiff adduced the evidence of three witnesses (Albertyn, Kuyler and Barnard) and the written statement of one witness (Fairhurst) which was admitted by agreement.


[18] Albertyn, a Nedbank employee who was head of internet and cell-phone banking, testified that a “hypothetical fraudster” would require more than just the accountholder’s SIM card to access the targeted Nedbank account through the internet. He would also require the accountholder’s profile number, PIN number and password.


[19] He also testified that the SIM card, to which is allocated one cell-phone number, is a vehicle through which the bank either confirms or authenticates internet banking transactions with the accountholder by SMS. This occurs only in three instances: (a) when a new payment beneficiary is added to the account through the bank’s internet banking website, (b) when the details of an existing payment beneficiary are amended, and (c) when a once-off internet payment is made to a new beneficiary. But, as I understand his evidence, before performing any one of these transactions the “hypothetical fraudster” would first need to gain access to the accountholder’s bank account through the Nedbank website. That access is gained by a combination of the accountholder’s profile number, PIN number and password.


[20] This combination can be obtained by the “hypothetical fraudster” through a stratagem known as “phishing”. Albertyn explains how it works in these terms:


“[F]raudsters will … send out an e-mail to a base of clients and they pretend to be the bank. So the e-mail would appear as if it is from … Nedbank, and it will say something to the effect that we need to update our security systems or the system indicates that your records are out of date, and it usually has some sort of threat to say if you do not do it by the end of the day you are not going to have access to your internet banking. … It appears to be an e-mail sent from the bank and there will usually be a link inside that e-mail and the e-mail will say please click on this link to update your details. The customer who is not vigilant will click on that and will be taken to a website that is not the bank’s. It will appear as if it is the bank’s, but it will actually be the fraudster’s website. They [the victims] will then proceed to enter their personal information and that will fall into the hands of the fraudster, and then in that way they have stolen your on-line identity.

MR KUJAWA: So in that way they could get hold of a customer’s profile number, PIN number and password. - - That is correct.”


[21] Kuyler, the owner and sole member of the business,⁴ confirmed under cross examination that one would require all four items in order to gain access to the plaintiff’s internet Nedbank account and that a SIM card on its own would not afford that access.


“MR KUJAWA: [W]ould you agree with me that for somebody to access your bank account and remove money from your bank account they would need … your profile number, your PIN, your password and a SIM card. - - Correct.

MR KUJAWA: Okay. So in other words to withdraw money, all four of those elements would be required, not just the one. If they just had your SIM card but they did not have the other details, they could not do nothing with it [sic]. -- That is correct, they could not yes.”


[22] Barnard, Kuyler’s secretary who is the only other person who has access to the plaintiff’s Nedbank account and, according to Kuyler, “hanteer al die banksake”, denied receiving an e-mail of the kind described by Albertyn but could not explain how the fraudster gained access to the plaintiff’s Nedbank account and siphoned off over R160 000 from it through the Nedbank website.


Is Delictual Liability Competent?


[23] The case that was advanced at the trial centred on delictual liability despite the averment in the particulars of claim of the existence of a contract.⁵


[24] At the commencement of counsel’s address in argument on appeal, they were both asked to consider the effect, if any, of the majority judgment in Lillicrap, Wassenaar and Partners v Pilkington Brothers (SA) (Pty) Ltd 1985 (1) SA 475 (A) on the facts of this case.


[25] Counsel for the defendant, unsurprisingly, leapt up and submitted that this case can be disposed of on the strength of Lillicrap. Plaintiff’s counsel on the other hand contended for a different approach, arguing strongly that Lillicrap sits uncomfortably with the facts of this case. He preferred a later judgment of the Supreme Court of Appeal in Holtzhausen v ABSA Bank Ltd 2008 (5) SA 630 (SCA) for the proposition that our law does acknowledge a concurrence of actions where the same set of facts can give rise to a claim for both delictual and contractual damages, and permits the plaintiff in such a case to choose which he wishes to pursue.


[26] In my view, while the proposition is correct that the same set of facts can conceivably give rise simultaneously to a claim for damages in delict and in contract, I do not believe that this is such a case. Lillicrap decided that a claim in delict is not competent where the negligence relied upon arises from a breach of a contractual term.⁶ In that case the respondent did not contend that the appellant would have been under a duty to exercise diligence if no contract had been concluded requiring it to perform professional services.⁷ In other words, no right that existed independently of the contract was infringed. In Holtzhausen, on the other hand, the plaintiff's case was that the defendant had infringed a right which he (the plaintiff) had independently of the contract.⁸


[27] In this case, the defendant would not have owed the plaintiff any duty of care if it did not have a cell-phone contractual relationship with the plaintiff. In fact, that is precisely what the plaintiff pleaded in its particulars of claim.⁹ The manner in which the cause of action is couched demonstrates clearly that the delictual claim derives from a failure to adhere to a duty of care that is owed by reason of a contractual relationship between the parties that is of full force and effect.¹⁰ In argument, counsel for the plaintiff was at pains to impress upon us that the defendant should reasonably have foreseen the loss occurring because the details of the person to whom it negligently gave a SIM card did not match those contained in plaintiff’s subscriber application form that formed part of the contract.


[28] It is thus clear that the facts of this case fall more readily in the Lillicrap than in the Holtzhausen divide. Because the right that the plaintiff seeks to assert does not arise independently of its contract with the defendant, the option of suing for damages in delict is not open to it.


[29] On that ground the appeal should succeed and the magistrate’s order set aside and substituted with an order dismissing the claim.


[30] But even if I am wrong in this regard, the plaintiff has in my view not succeeded in establishing that the defendant was the cause of its loss in any event. This is the issue I now consider.


Has the Causal Link Been Established?


[31] The appeal was argued on the basis that even if the defendant were negligent, the plaintiff’s claim must fail. I thus approach this aspect of the case on the assumption (and nothing more) that negligence has been established.


[32] If, as Albertyn and Kuyler testified, no access can be gained to the plaintiff’s account via the internet through SIM card alone, then it seems to me that the defendant’s negligent omission cannot reasonably be said to be the proximate cause of the plaintiff’s loss. In the absence of any explanation as regards how the fraudster could have obtained the plaintiff’s or Barbara’s profile number, PIN number and password, then the only logical answer would seem to me to be that either Barnard or Kuyler (the only people at plaintiff who have access to the account) did receive the e-mail and clicked on the link described by Albertyn (but genuinely do not recall), or the fraudster received a helping hand either inside the bank or inside the plaintiff from someone or people who had that information. The only other explanation, postulated by Albertyn but promptly dismissed by him as being unlikely, is that the fraudster was “extremely lucky” to be able to guess the profile number, PIN number and password together.


[33] The fact that the negligence of the defendant led to the issue of a false SIM card does not explain how the fraudster obtained knowledge of the other three elements. No proof was supplied by the plaintiff that the defendant was in any way involved in or responsible for the fraudster obtaining knowledge of the other three elements. Thus, even if the defendant negligently issued the SIM card without properly checking its data with that of the fraudster, the question remains unanswered as regards how he obtained the correct knowledge of the other three elements.  The absence of this link is in my view the soft underbelly in the plaintiff’s case. To impute delictual liability on the defendant when there are persons at large who helped the fraudster complete the puzzle with the other three elements that are necessary to perpetrate the fraud would in my view be palpably unfair or unreasonable. Contenders may include the bank, as Kuyler himself suspected at one stage, and we are not told what changed his mind.


[34] As regards foreseeability of the loss by the defendant, counsel for the plaintiff conceded (as he must) that the negligent issue of a SIM swap to a stranger would not always lead to a loss of the kind here in issue. He maintained, however, that the defendant must have foreseen that the fraudster could obtain the other three elements in one or other fashion (including phishing) and be able to complete the fraudulent transactions on the plaintiff’s internet bank account using the SIM card. This in my view demonstrates the remoteness of the loss from the negligent omission by the defendant. If the defendant’s negligence requires another negligent or fraudulent conduct by an unknown third party to trigger the loss, then one cannot say that the initial negligence caused the plaintiff’s loss.


[35] But even if the negligent supply of the SIM card to the fraudster can be said to have contributed to the plaintiff’s loss, negligent omission does not give rise to delictual liability unless it is also wrongful.¹¹ Wrongfulness in these circumstances is established only where the imposition of liability for the negligent omission in the circumstances of the case is reasonable.¹² Reasonableness in this context describes the imposition of liability and not the negligent omission. In other words, the question is not whether or not the defendant, in light of the duty of care it owed to the plaintiff, acted reasonably in authorising the SIM swap to a stranger; it is rather whether the imposition of liability on the defendant in the circumstances of this case is reasonable.¹³ This is a public policy consideration.


[36] On the facts of this case, the loss to the plaintiff is simply too remote from the negligent omission to impute a delictual liability on the defendant.




Conclusion


[37] In the result, the appeal must succeed in my view and I make the following order:


  1. The appeal is upheld with costs.

  2. The order of the magistrate is set aside and therefor is substituted the following


“The plaintiff’s claim is dismissed with costs as on exception.”


Dated on this the day of November 2010 at Johannesburg.



__________________________

V Ngalwana

Acting Judge of the High Court





I agree





____________________________

CJ CLAASSEN

JUDGE OF THE HIGH COURT



It is so ordered.




Appearances


For the appellant: Adv RMW KUJAWA

Instructed by: Simpson-Masenamela’s (Fourways)


For the respondent: Adv H VAN TONDER

Instructed by: Marinus van Jaarsveld Attorneys (Randburg)

Date of hearing: 15 November 2010

Date of Judgment: 18 November 2010

1 A cellular phone service provider

2 The application letter is dated 4 January 2008 but the “SIM SWOP CONTROL SHEET” bearing the name and signature of the unknown person is dated 10 January 2008.

3 This was the contract that was compromised by the defendant’s issue of the SIM swap

4 A close corporation

5 See par [16] above

6 See Lillicrap at 499A-501H

7 At 499A-B

8 Holtzhausen at par [8]

9 See pars 4, 8 and 9 of the particulars of claim

10 See par [15] above

11 Shabalala v Metrorail 2008 (3) SA 142 (SCA) at par [7]

12 Trustees, Two Oceans Aquarium Trust v Kantey and Templer (Pty) Ltd 2006 (3) SA 138 (SCA) par [11]

13 Ibid