In recent years, cyber crime has risen sharply. It was therefore only a matter of time before the courts had to deal with central issues relating to cyber crime on the internet.
Recently, the Swiss Federal Court had to judge two cases (see also part 1). The facts of these cases dealt with two different types of cyber crime.
The second case: e-mail hacking
This ruling (ruling 4A_9/2020 of the 9th of July 2020) had the following facts as its subject:
The Plaintiff in this dispute had an execution-only mandate with a Securities Dealer. In connection with this mandate he had signed an e-mail agreement. According to this agreement, the Plaintiff authorized the Securities Dealer to execute orders placed by e-mail. In particular, orders by e-mail shall be placed immediately and under all circumstances. The e-mail agreement also contained a disclaimer of liability in favor of the Securities Dealer.
In the following, the cyber criminals achieved to hack the e-mail of the Plaintiff and gained complete access to his e-mail account. So, they were able to read and delete his mails, but furthermore, to send e-mails under his address.
As a result, the cyber criminals placed nine fraudulent orders which were executed by the Securities Dealer. This ended up with another court case of cyber crime on the internet.
The key question
For a start, the Federal Supreme Court reminded that a disclaimer of liability can never include a disclaimer for intentional or grossly negligent carelessness. The key question therefore was, if the Securities Dealer acted in gross negligence when executing the fraudulently e-mails. If yes, the disclaimer clause wouldn’t apply and the Securities Dealer would be liable for the damages.
The ruling of the Swiss Federal Supreme Court
The Federal Court ruled against the Plaintiff (and in favor of the Securities Dealer). The following circumstances were decisive for the Federal Court:
i. The cyber criminals sent all fraudulent e-mails from the Plaintiff’s e-mail account. Therefore, the Securities Dealer didn’t have to be suspicious with regard to the sender of the e-mail.
ii. The content of the fraudulent e-mails did not deviate in terms of writing style, spelling etc. from the e-mails actually written by the Plaintiff in the past. On the contrary, the Federal Supreme Court pointed out that the cyber criminals obviously knew how to imitate the Plaintiff’s writing style.
iii. The cyber criminals addressed all these placement orders to a well-known British bank. They did not send the money to a faraway or exotic bank.
iv. According to the agreement between the Securities Dealer and the Plaintiff, the Securities Dealer wasn’t obliged to verify the identity of the beneficiary.
v. The cyber criminals marked one transfer in the height of GBP 100,000.00 as an “urgent business deal”. They even justified this order – again by a fraudulent misuse of the Plaintiff’s e-mail account. Hence, the Securities Dealer had no reason to doubt the severity of the placement order.
vi. Last but not least, the Federal Supreme Court stated that also the frequency and amount of the transfers didn’t give reason enough to blame the Securities Dealer for gross negligence. There were six transfers within approximately one month, in the total of GBP 357’000.-.
Conclusion with regard to cyber crime on the internet
The Federal Supreme Court didn’t find the six payment orders in the amount of totally GBP 357’000.- within roughly one month to be suspicious. This point of view is understandable considering the circumstances. Nevertheless, another person might see this (rightly) differently.
In the end, it was the harsh disclaimer of liability that broke the Plaintiff’s neck and saved the Securities Dealer from damages. Namely the wording, which allowed the Securities Dealer to execute all payment orders placed by e-mail immediately and under all circumstances. Considering that a disclaimer for some part equals a free pass for the Securities Dealer, to execute all e-mails, this case is alarming. Yet, with the regard to the legal situation, the result is right – at least justifiable.
The lesson to be drawn from this is that particular caution must be exercised, when thinking about agreeing to a contract that contains a harsh disclaimer of liability.