Scenario Analysis – Delict in the Case of DMARC

How omission of basic email authentication controls may create delictual risk

In our previous blog, “Where Delict and Cyber Security Meet”, we explained the importance for businesses, policymakers and individuals alike to examine how delict principles apply in the digital realm. Here we provide a scenario analysis of how a delict may take shape:

Scenario Overview

Email remains one of the most exploited channels for cybercrime. In fact, it’s estimated that 91% of all cyber-attacks begin with an email. DMARC is an email authentication protocol designed to reduce the risk of domain spoofing, which is commonly associated with phishing, ransomware, and Business Email Compromise. DMARC is always used together with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). The absence of a fully compliant DMARC policy can lead to serious consequences, as illustrated in this scenario.

The Incident

  1. The Email
    Jane receives an email that appears to be from ABC Insurance Brokers (a Category 1 Financial Service Provider (FSP)), a reputable business she knows and trusts. The sender’s domain looks authentic, with no spelling errors or inconsistencies. Confident that the email is legitimate, Jane opens it.
  2. The Attachment
    The email contains an attachment that purports to be a form for updating the client’s details. When Jane opens the document, malware is installed on her computer; it exfiltrates her personal and client data and also installs ransomware that locks all her files.
  3. The Impersonation
    Unknown to Jane, the email was not sent by ABC Insurance Brokers but by a cybercriminal spoofing their domain. ABC Insurance Brokers did not have a fully compliant DMARC policy in place, which allowed the attacker to forge emails that appeared to come from the company’s legitimate domain.

The Legal Perspective: Delictual Liability

Jane considers legal action against ABC Insurance Brokers, arguing that their failure to implement a compliant DMARC policy was negligent and directly contributed to her harm. Here’s how the elements of delictual liability may apply:

  1. Conduct
    ABC Insurance Brokers’ failure to implement a fully compliant DMARC policy may constitute an omission – a failure to act responsibly in safeguarding its domain from being spoofed. This omission could satisfy the “conduct” element of delict.
  2. Wrongfulness
    To establish wrongfulness, Jane must show that ABC Insurance Brokers’ omission violated a legal duty to protect its customers and stakeholders from foreseeable harm. In this case, Jane’s personal information and computer system were compromised. The question would be whether a legal duty existed to implement reasonable email authentication controls, given the known and documented risk of domain spoofing.

    Potential regulations which might apply to this cyber incident include: Protection of Personal Information Act (POPIA), Financial Advisory and Intermediary Services (FAIS) Act, Joint Standard 2: Cybersecurity and Cyber Resilience Requirements For Financial Institutions, Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), and the National Cybersecurity Policy Framework (NCPF).
  3. Fault
    Fault would be assessed based on negligence. Jane’s legal team could argue that ABC Insurance Brokers failed to exercise reasonable care by neglecting to implement a fully compliant DMARC policy, despite its well-known and widespread use in preventing domain spoofing. Given the widespread recognition of DMARC, SPF, and DKIM as standard email authentication mechanisms, a court could consider whether the failure to implement them fell below a reasonable standard of care.
  4. Harm
    Potential harm could include measurable financial and operational losses, such as:
    – Her business being disrupted, effectively rendering it unable to continue
    – Paying the ransom and/or recovering data and systems
    – Theft of funds
    – Personal data being used maliciously
    – Loss of existing clients and new business
  5. Causation
    The link between ABC Insurance Brokers’ omission (conduct) and Jane’s harm must be established. If a properly configured DMARC policy at enforcement level had been in place, the likelihood of successful domain spoofing would have been materially reduced. A court would then assess whether the omission contributed sufficiently to establish legal causation. In digital ecosystems, failure to implement widely accepted baseline controls may increasingly be scrutinised through the lens of legal duty and reasonable foreseeability.

Key Considerations for Businesses

This scenario highlights the legal (and reputational) risks businesses may face when they fail to secure their email domains adequately. Organisations can materially reduce spoofing risk by implementing DMARC with progressive policy enforcement, ideally reaching p=reject once legitimate senders are aligned. This prevents unauthorised parties from sending email that appears to come from the company’s domain. For domain-owning organisations, DMARC has become one of the foundational email authentication controls.
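As an added illustration (not code from the original post or from ARMD.digital), the following Python checker parses DMARC TXT records and places each on the progression described above, from monitoring (p=none) through partial enforcement to p=reject, flagging gaps such as missing aggregate reporting (rua) or a subdomain policy weaker than the main one. The domains and records are constructed for the example and are not real.

```python
# Constructed sample DMARC TXT records (illustrative domains, not real ones),
# one per rollout stage; pct= and sp= follow RFC 7489 tag syntax.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example; adkim=s; aspf=s",
    "sampled-out.example": "v=DMARC1; p=reject; pct=0",
}
RANK = {"none": 0, "quarantine": 1, "reject": 2}  # policy strength; receivers act only on quarantine/reject

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(record: str) -> tuple[str, list[str]]:
    """Return (stage, findings); stage is invalid, monitoring, partial or enforcement."""
    t = parse_dmarc(record)
    findings = []
    p = t.get("p", "").lower()
    if t.get("v", "").upper() != "DMARC1" or p not in RANK:
        return "invalid", ["record must begin with v=DMARC1 and carry p=none|quarantine|reject"]
    pct = int(t.get("pct", "100"))  # pct defaults to 100 when absent
    if p == "none":
        # Receivers are asked to take no action: spoofed mail is still delivered.
        stage = "monitoring"
        findings.append("p=none only reports; spoofed messages are still delivered")
    elif p == "quarantine" or pct < 100:
        stage = "partial"
        findings.append(f"p={p} applied to {pct}% of failing mail (rest gets the next weaker policy); aim for p=reject; pct=100")
    else:
        stage = "enforcement"
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    sp = t.get("sp", p).lower()  # subdomains inherit p unless sp overrides it
    if RANK.get(sp, 0) < RANK[p]:
        findings.append(f"subdomain policy sp={sp} is weaker than p={p}")
    return stage, findings

def assess_all(records: dict) -> dict:
    """Assess a portfolio of domains at once."""
    return {domain: assess(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, (stage, notes) in assess_all(SAMPLE_RECORDS).items():
        print(f"{domain}: {stage}" + "".join(f"\n  - {n}" for n in notes))
```

To check a live domain, feed the TXT record of `_dmarc.<domain>` (obtained with any DNS lookup tool) into `assess`.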

Conclusion

This scenario analysis underscores the growing intersection of delict and cyber security. A failure to adopt reasonable preventive measures may expose an organisation to legal scrutiny where harm results. By understanding their legal obligations and proactively securing their digital infrastructure, businesses can avoid such liability, protect their stakeholders and foster trust in their operations.

The cost of negligence in the digital age extends far beyond financial damages. It erodes credibility and exposes businesses to legal scrutiny. Implementing baseline authentication controls such as DMARC may increasingly be viewed as part of an organisation’s reasonable standard of care in digital communications.

Organisations should assess their email authentication posture and ensure alignment with evolving legal and regulatory expectations.

ARMD.digital provides structured DMARC implementation and visibility reporting to support this process.