IN THE SMALL CLAIMS COURT OF NOVA SCOTIA
Citation: Jane Group Limited v. Heritage Gas Limited, 2022 NSSM 36
Claim No: SCCH 21-511522
BETWEEN:
Jane Group Limited
Claimant
-and-
Heritage Gas Limited
Defendant
Andrew Christophi appeared for the Claimant
Michael Richards appeared for the Defendant
Decision
This matter came before me for hearing by way of a Teams video call on July 12, 2022. 2022.
The claim arises out of an agreement between the parties, the payment terms of which are not in dispute, to share equally in the cost of the repair of a sidewalk after installation of a natural gas line. There is also no dispute that the amount involved (without taking into account interest or costs of this proceeding) was $5,700 plus HST (6,555.00), or that the arrangement was that the Defendant Heritage Gas would make this payment of their half, to the Claimant, Jane Group Limited.
So much is clear. The issue before me, however, is what does the law of contract say about the responsibilities of the parties, when the money in question was paid, by the Defendant, to an online hacker?
The Claimant says that the money is still owed. The Defendant says that the Claimant was in a better position to prevent the loss, and should therefore be held accountable for it.
Decision:
I find in favour of the Claimant Jane Group in this matter. While both parties were innocent victims of the hacker, there has been no evidence of negligence or other behaviour that would merit depriving the Claimant of the money owed by the Defendant.
My reasons follow.
The Chronology of Events:
The Claimant Jane Group owns the property located at 2600 Beech Street, Halifax, and recently constructed a five story building at the address. This led to the need to excavate the sidewalk along Beech Street and Chebucto Road, with associated impacts for Heritage Gas’s infrastructure. The parties agreed to share the cost of the restoration, and that work was completed by Jane Group on July 27, 2021.
Ms. Alison Coffin, who gave evidence for the Defendant, is the Manager of Engineering and Construction for Heritage Gas, and negotiated the agreement on price with Mr. Ramzi Tawil, President of Jane Group, who also testified before me.
On July 27, 2021, at 2:44 pm. Ms. Coffin sent an email to Mr. Tawil at rctawil@eastlnk.ca stating:
Good morning,
As discussed, please have your office send an invoice to Heritage Gas to my attention for $5700 plus HST. Billing contract is below. If you attach your EFT information we can pay it that way, or if not you will received a cheque in the mail (please include mailing address on the invoice).
Her evidence was that there was no verbal discussion with Mr. Tawil of having the payment made by cheque.
On July 27, 2021, an email was sent to Ms. Coffin, that the parties now agree was from an online hacker. I replicate it here in its entirety and as written, as this fraudulent document is key to the dispute between the parties:
From: Ramzi Tawil rctawil@eastlink.ca
Sent: Tuesday, July 27, 2021 1:59 PM
To: Allison Coffin: Pernell Walton
Subject: Sidewalk Restoration Cost Share – North/Chebucto Side of 2600 Beech Street
You can deposit a check directly into the account below at any TD Bank. as our preferred bank account, we would like payment to be made to the following account.
Account name : Owen Osaymore
Account number: 6726261
Transit number: 123092
Institution number: 004
Bank name : TD Bank
Bank address:
4555 Hurontario St U-C10, Mississauga, ON L4Z 3M1
Please email with a copy of the wire transfer confirmation for our records.
A second email, also from the hacker, with the same contact information was sent July 29, 2021 at 3:28 pm, stating:
Hello Allison,
Can you acknowledge that you got my last email with the payment details to deposit the $5700? If so, please confirm when the money will be sent.
Thank you.
Ramzi
Mr. Tawil was not aware of either of these emails at the time they were sent.
After these emails, Ms. Coffin mistakenly thought that she had received directions from Mr. Tawil on payment, but she still did not have the invoice requested in her July 27, 2021 email.
Accordingly, on July 29, 2021 at 3:34 pm, Ms. Coffin wrote:
Hi, Ramzi,
I have received your payment details, but I still require your office to send an invoice, including the HST number, so I can reimburse $5700 plus tax. It takes us about 4 weeks to process the payment to your account once we have the invoice.
Thank you, Allison
On July 29, 2021, at 3:53 pm, Ms. Coffin followed up with another email, in which she stated:
Hi, Ramzi,
Again, I still require your office to send an invoice, including the HST number, so I can reimburse $5700 plus tax. It takes us about 4 weeks to process the payment to your account once we have the invoice.
So I will advice [sic] you to send the invoice on time[no period]
Thank you,
Allison
July 29, 2021 was a Thursday leading into the August long weekend.
On August 2, 2021, at 7:47 pm, an email from bills@rcjane.ca was sent, stating:
Hi, Allison,
This is what you requested, if any questions arise don’t hesitate to call me.
Thank you,
Ramzi Tawill
President
Jane Group Limited
That email attached an invoice dated July 30, 2021, stating a balance owing of $6555.00.
At the bottom the invoice stated:
Please mail cheque to: Jane Group Ltd.
47 Walcot Run
Halifax, NS
B3N 0A5
Ms. Coffin responded August 2, 2021 at 8:01 pm:
Thank you! This is exactly what I need and is in for payment.
Allison
On August 30, 2021 at 5:13 pm Ms. Catherine Tawil, Secretary Treasurer for Jane Group, who also testified at the hearing before me, wrote to finance at Heritage Gas copying Ms. Coffin:
Hi
The company received a payment receipt from Heritage Gas (see attached) but not the funds. An invoice was created from Jane Group Ltd. requesting the funds be sent by cheque. I called Allison Coffin an hour ago, and decided to e-mail you this ASAP. We did not give the EFT information to you but requested a cheque. I have checked our bank account for Jane Group and there wasn't any EFT sent on August 25th or up to today from Heritage Gas. I would recommend you check this out, and see where you got the information to send these funds. I chatted with Ramzi and he confirmed he did not speak to anyone regarding the EFT information (as he does not work in the accountant department).
Please call me at 902-880-7725, my name is Catherine and I am the treasurer of the company.
And so, it appears that the hacker intercepted the July 27, 2021 email from Ms. Coffin to Mr. Tawil in which she requested banking information for the transaction. The hacker then sent information regarding a fraudulent bank account for the money to be deposited to that same day, and sent a follow up email on July 29, 2021 creating a sense of urgency to get the money sent.
Ms. Coffin than replied. It is likely that both Mr. Tawil and the hacker could see the exchange of emails, and Ms. Coffin told Mr. Tawil and that she needed the invoice to process the transaction. It appears that Mr. Tawil was unaware of the hacker having sent the banking information, and so his office sent the invoice, with a note on the bottom saying that Jane Group wanted the money paid by cheque. Ms. Coffin confirmed receipt of the invoice, but was under the impression she had received banking information for the deposit, despite the stipulation of payment by cheque in Mr. Tawil’s August 2, 2021 email.
Reasons for Decision:
I find that the evidence supports that the money owed to the Claimant Jane Group was paid to an online hacker. No evidence was provided of any further evidence of the identity of this individual. It seems that that money is now gone forever. Is the Defendant required to pay it again?
Mr. Christohi, on behalf of the Claimant Jane Group, says that they are. He points to a number of spacing issues and errors in the fraudulent email, which he says should have alerted Ms. Coffin to the deception. He also says that the August 2, 2022 email asking for a cheque, should have triggered a follow-up by Heritage Gas which would have exposed the fraud.
For his part, Mr. Richards says that the evidence supports that it was Jane Group that was hacked. Their security being at fault, Heritage Gas should not be held liable for having followed the instructions they were given. Invoices often say “by cheque” even though payment methods have evolved.
The parties were able to locate a limited amount of case law which dealt with the results of hacking:
Mr. Christophi for the Claimant relies upon the case of Community Savings Credit Union v. U.A., 2001 BCSC 413, for the proposition that a proposed contract which requires a party to depart from ordinary business practices requires the party to inquire as to the authority of the in this case third party agent.
He therefore submitted that there was a positive duty on the part of Heritage Gas to inquire into the discrepancy between the banking information received and the directions, payment by cheque, provided by the invoice. He claims that Heritage Gas as the originator of the transfer was in the best position to recognize what he described as the “red flags” in the hacker’s emails, specifically the spacing and typographical spacing errors. He further says that as Heritage Gas specifically disregarded the directions of Jane Group in not sending a check as requested, and there being no evidence of willful misconduct or dishonesty on the part of the claimant, the responsibility for the loss, and therefore the responsibility to make Jane Group whole, lies with the Defendant.
The Defendant relies upon Marvco Color Research Ltd v. Harris et al.[1982] 2 SCR 744.
The relevant facts of that case are that in an action for foreclosure, the respondents had executed certain mortgage documents without reading them, and now claimed non est factum (a latin phrase that loosely translates as “the signing was not my conscious action and so I am not responsible”) as a defence. Mr. Richards quoted in particular paragraph 24 of the decision, which states:
In my view, with all due respect to those who have expressed views to the contrary, the dissenting view of Cartwright J. (as he then was) in Prudential, supra, correctly enunciated the principles of the law of non est factum. In the result the defendants-respondents are barred by reason of their carelessness from pleading that their minds did not follow their hands when executing the mortgage so as to be able to plead that the mortgage is not binding upon them. The rationale of the rule is simple and clear. As between an innocent party (the appellant) and the respondents, the law must take into account the fact that the appellant was completely innocent of any negligence, carelessness or wrongdoing, whereas the respondents by their careless conduct have made it possible for the wrongdoers to inflict a loss. As between the appellant and the respondents, simple justice requires that the party, who by the application of reasonable care was in a position to avoid a loss to any of the parties, should bear any loss that results when the only alternative available to the courts would be to place the loss upon the innocent appellant. In the final analysis, therefore, the question raised cannot be put more aptly than in the words of Cartwright J. in Prudential, supra, at p. 929: “…which of two innocent parties is to suffer for the fraud of a third”. The two parties are innocent in the sense that they were not guilty of wrongdoing as against any other person, but as between the two innocent parties there remains a distinction significant in the law, namely that the respondents, by their carelessness, have exposed the innocent appellant to risk of loss, and even though no duty in law was owed by the respondents to the appellant to safeguard the appellant from such loss, nonetheless the law must take this discarded opportunity into account. [my emphasis added]
Mr. Mitchell ascribed the loss of the money to the Claimant Jane Group’s “carelessness”. He says that it was Jane Group’s email that was compromised, and that Jane Group’s cybersecurity (or lack thereof) was the cause of the breach.
That being the case, Mr. Mitchell says that Jane Group should bear the loss incurred.
In the course of reviewing these cases, I located an Ontario Small Claims Court decision, St. Lawrence Testing and Inspection Co. Ltd. V. Lanark Leeds Distribution Ltd. And Mark Schokking (“St. Lawrence”) 2019 CANLII 69697 (ON SCSM). The case dealing with what the Deputy Judge described as “innocent victims of a cybercrime”, I referred it to the parties and gave an opportunity for submissions. Those having been received August 15, 2021, I now add this authority to my review.
Tthe facts St. Lawrence in question are substantially similar to what occured in this case. The Plaintiff, through their legal representative, McDonald Duncan LLP, sued for an unpaid balance for environmental assessment services. An agreement was reached, and by the terms of that agreement the defendant was to pay $7000 into the trust account of the of McDonald Duncan LLP.
What actually happened was that a hacker sent alternative payment information to the Defendant, and the money in question was therefore paid to the hacker. McDonald Duncan LLP contacted the Alberta Credit Union and the police, as well as encouraging, the Defendant contacted the bank themselves.
McDonald Duncan LLP also had their computer IT service conduct a review which confirmed that it was MacDonald Duncan LLP that has been hacked, by diverting emails to an exterior third party e-mail account. The computer security advisor was not able to locate any other breaches at McDonald Duncan LLP, and was also not able to find any reason for the breach as the password being used was considered “strong”.
The speculation was but it had been achieved either by “phishing” (having a user click on an infected link to the hacker in an email) or by what's described as the “brute force” approach, which means trying passwords until you succeed in the correct one, although that seemed unlikely given the strength of the password being used. The decision maker in this case described what I consider to be a helpful test in circumstances where, as in the case before him, the identity of the party that had been hacked was known:
56. As noted at the outset of these reasons, the issue in this case can be restated as follows: Where a computer fraudster assumes control of Victim A’s email account and, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster’s account, is Victim A liable for the loss?
57. In my view, the answer is “no”, unless:
a. Victim A and Victim B are parties to a contract which (i) authorizes Victim B to rely on email instructions from Victim A and, (ii) assuming compliance with the terms of the contract, shifts liability for a loss resulting from fraudulent payment instructions to Victim A;
b. There is evidence of willful misconduct or dishonesty by Victim A; or
c. There is negligence on the part of Victim A.
Condition a, in which a contract authorizes one victim to depend upon the email instructions given, comes from a case considered by the Deputy Judge, Du v. Jameson Bank ONSC 2422 (Canlii), an Ontario Superior Court application in which summary judgement was granted upon the grounds that the Plaintiff had “contracted out” of any ability to sue the Defendant upon being hacked, in the agreement entered into.
In the Saint Lawrence case, the decision maker concluded that there had not been a contract authorizing the Defendant to rely entirely upon e-mail instructions from the Plaintiff as in Du. That being the case, and finding neither willful misconduct, dishonesty or negligence on the part of the Plaintiff, he issued judgment for the Plaintiff in the amount sent originally required under the settlement agreement.
The Claimant says that this case supports their decision, while the Defendant says it does not, and refers again to the Marvco analysis.
Both Marvco and St. Lawrence require the same thing, that is, some evidence which supports negligence or misconduct on the part of an innocent party.
None of the witnesses testifying before me gave evidence of what if any corporate security investigations followed this attack, other than to say that they had security.
This was surprising in that both parties would have reason to fear that their payment platforms had been compromised.
Taking all the evidence together, I do not consider that there is any evidence before me to indicate culpability on the part of either party with respect to why this happened. There was no “smoking gun” regarding a security lapse by the Plaintiff. I do not think that there were sufficient “red flags” in the banking information provided to have caused concern, and I agree with Ms. Coffin that an invoice saying “by cheque” could be seen as a standard form, not a direction, cheques being all but archaic at this point.
However, without blameworthy conduct that can be ascribed to the Claimant, the cursory case law available confirms that the case must be decisioned in their favour.
The facts confirm that the Claimant did not receive the money that they were entitled to. Therefore, I conclude that the Claimant is entitled to payment of the $5700 plus HST ($6555.00).
I take note of the fact that this appears to be a novel area in Nova Scotia, and I therefore consider this to be an appropriate case to decline to award interest or costs.
I thank counsel for both parties for their patience and assistance in canvassing the law in this matter, and an order shall issue accordingly.
Dated at Halifax, on the 5th day of September, 2022
Dale Darling, QC
Small Claims Court Adjudicator