A deputy judge is calling for passage of clear laws on which innocent party should bear responsibility for financial losses related to cyberfraud.

In calling for legislation, Ontario Deputy Judge Shane Kelford said it's clear the law has yet to catch up with a growing problem.

"In reviewing legal commentary on computer fraud, this is clearly an area that would benefit from legislation," Kelford said in a recent decision. "(Legislation should) establish clear principles and guidelines for the allocation of liability in the event of computer frauds, which are increasing in number."

The case in small claims court in Perth, Ont., arose out of a settlement between two parties that required one side, Mark Schokking, to pay the other $7,000.

Settlement terms stated that Schokking had to transfer the money into a specific trust account with the Bank of Montreal belonging to the law firm representing the payee, St. Lawrence Testing and Inspection.

Before Schokking paid up, someone somehow hacked the email account of the law firm's paralegal, Debra Baker, who was acting for St. Lawrence. The hacker then emailed instructions that appeared to come from Baker telling Schokking to transfer the money to a completely different account, which he did and the money disappeared.

Schokking asked the court to declare that he had fulfilled his end of the settlement contract and no longer owed St. Lawrence anything. St. Lawrence countered that it had not received any money and asked the court to order Schokking to pay up.

"Both parties are innocent," Kelford said in his decision. "Unfortunately, one of them must bear the loss."

In his decision, the deputy judge noted the fraudster had instructed Schokking via Baker's email to send the money to a credit union in Medicine Hat, Alta., instead of to the Bank of Montreal trust account in Ontario. The name on the new account was for someone with no connection to the law firm.

The email also carried the line purportedly from Baker: "My daughter-in-law is having a baby as we speak, and I will be leaving for Toronto tomorrow. Please provide the funds to our account provided."

At trial, Schokking's lawyer suggested his client had no reason to question the payment instructions that came from Baker's law-firm email account and referenced the birth of her granddaughter.

Kelford disagreed. The bogus instructions contradicted those in the formal settlement, and changed the payee from the law firm trust account in Ontario to one of an unknown third party in Alberta, the deputy judge said.

"With the benefit of hindsight, reviewing the continuing email exchanges between Schokking and the fraudster ... is much like watching a train wreck," Kelford said.

Despite the dearth of legal decisions in Canada, the U.S. and U.K. to help decide the case, Kelford found that Schokking had no right to rely on the scammer's email instructions and should have realized something was amiss when the payment instructions suddenly changed. He also found no negligence on the part of the hacked law firm or paralegal.

Ultimately, Kelford concluded that Schokking had failed to pay St. Lawrence as agreed and ordered him to do so. Kelford awarded no costs given the "novelty of the issue" and the absence of bad faith.

Keep reading