Introduction

Taking adequate security measures to prevent unauthorized persons from entering a system or mailbox is a legal obligation that we know from, among others, the GDPR, the Trade Secrets Protection Act and the Network and Information Systems Security Act.

We know that regulators can impose fines for non-compliance. What is less known is that judges are increasingly taking this into account in their judgment on liability issues: adequate security is part of the duty of care. Failure to take adequate precautions to prevent unauthorized access to a mailbox can be costly to a company.

Case Hascor / Devante

An example of this is a judgment of the Supreme Court in the Hascor / Devante case. Hascor ordered a quantity of chrome from Devante for the price of $363,394.13. Hascor received three different emails in succession for this delivery with shipping documents and an invoice, the latter of which included an invoice with a changed bank account number. Hascor paid in accordance with the last invoice received. When purchasing a second batch of chrome, it became clear to Hascor that the e-mails with the invoices had not been sent by Devante. After this discovery, Hascor was able to have the second payment reversed by the bank. However, the first payment had already been received incorrectly due to fraud. The question arose whether or not Hascor had paid Devante in liberating terms for the first delivery of chrome.

The Arnhem-Leeuwarden Court of Appeal ruled that this was the case. Devante therefore missed out on $363,394.13. Devante has appealed against this to the Supreme Court. However, Hascor felt that it had paid in a liberating manner because it could legitimately assume that the bank account number mentioned on the false invoice concerned Devante’s bank account. She also felt that the circumstance that a fraudster had apparently gained access to the email traffic between parties by hacking into Devante’s system should be borne by Devante. The Supreme Court agreed. In short, the decisive factor in her judgment was the fact that Devante had not taken sufficient adequate precautions to prevent a third party from impersonating Devante. This is consistent with an earlier ruling of the Supreme Court in the Kamerman / Aro Lease case: the person who (unconsciously or consciously) has given someone else the opportunity to use his e-mail address is generally responsible for the use that that third party makes. of that address.

What do we learn from this? Ensure adequate security and don’t give fraudsters a chance!

Need to know more?

Call or email mr. dr. A.W. (Anne-Wil) Duthler via 070 306 00 33 or a.w.duthler@firstlawyers.nl.