Date Issued: May 3, 2022

File: SC-2021-007654

Type: Small Claims

Civil Resolution Tribunal

Indexed as: Pegg v. Donnelly dba Donnelly Skylights, 2022 BCCRT 512

Between:

NICHOLAS PEGG and KIM PEGG

Applicants

And:

LARRY DONNELLY (Doing Business As DONNELLY SKYLIGHTS)

Respondent

REASONS FOR DECISION

Tribunal Member:

Chad McCarthy

INTRODUCTION

1.      This dispute is about responsibility for a fraudulent email money transfer request. The applicants, Nicholas Pegg and Kim Pegg, hired the respondent, Larry Donnelly (doing business as Donnelly Skylights), to install skylights in their home. The applicants sent a deposit via email money transfer, as requested in what appeared to be a Donnelly Skylights email message. Mr. Donnelly says he never requested or received a deposit, and the parties agree that an unknown third party sent the request and received the deposit. The applicants say Mr. Donnelly failed to properly secure his computers and email accounts, and they claim $2,175 for the missing deposit money they sent in response to the email. Mr. Donnelly says the fraudulent email did not originate from his computers or email accounts, and he owes nothing.

2.      Mr. Pegg represents the applicants in this dispute. Mr. Donnelly is self-represented.

JURISDICTION AND PROCEDURE

3.      These are the formal written reasons of the Civil Resolution Tribunal (CRT), which has jurisdiction over small claims brought under section 118 of the Civil Resolution Tribunal Act (CRTA). Section 2 of the CRTA states that the CRT’s mandate is to provide dispute resolution services accessibly, quickly, economically, informally, and flexibly. In resolving disputes, the CRT must apply principles of law and fairness, and recognize any relationships between the dispute’s parties that will likely continue after the CRT process has ended.

4.      Section 39 of the CRTA says the CRT has discretion to decide the format of the hearing, including by writing, telephone, videoconferencing, email, or a combination of these. Here, I find that I am able to properly assess and weigh the documentary evidence and submissions before me. Further, bearing in mind the CRT’s mandate that includes proportionality and a speedy resolution of disputes, I find that an oral hearing is not necessary in the interests of justice.

5.      Section 42 of the CRTA says the CRT may accept as evidence information that it considers relevant, necessary, and appropriate, whether or not the information would be admissible in a court of law. The CRT may also ask questions of the parties and witnesses and inform itself in any other way it considers appropriate.

6.      Where permitted by section 118 of the CRTA, in resolving this dispute the CRT may order a party to do or stop doing something, pay money or make an order that includes any terms or conditions the CRT considers appropriate.

ISSUE

7.      The issue in this dispute is whether Mr. Donnelly is responsible for the fraudulent email request and the misdirected payment, and if so, does he owe the applicants $2,175 in damages?

EVIDENCE AND ANALYSIS

8.      In a civil proceeding like this one, the applicants must prove their claims on a balance of probabilities, meaning “more likely than not.” I have read all the parties’ submissions and evidence but refer only to the evidence and arguments that I find relevant to provide context for my decision.

9.      On August 5, 2021, Mr. Donnelly emailed the applicants 2 estimates for a skylight installation, from his email address ending “@shaw.ca”. The applicants accepted estimate #4639 on August 6, 2021, by an email response to Mr. Donnelly’s email address. Both Mr. Donnelly’s email and estimate #4639 said, “Please be advised that we do NOT normally require a deposit however this may become necessary on custom orders.” The estimate undisputedly was not for a custom order.

10.   Later on August 6, 2021, the applicants received an email that appeared to be a reply from Mr. Donnelly’s email address. It had the same subject line as the applicants’ acceptance email earlier that day, and included the content of that email in its body. The email began “Hi Kim,” and offered to book the installation upon receiving a 50% deposit payment to confirm the date. The email asked that the “down payment” be sent by e-transfer to an email address whose first part matched Mr. Donnelly’s email address, but ended with “@outlook.com”. The email was signed Larry Donnelly, Donnelly Skylights. However, Mr. Donnelly says he did not send that email and he did not require a deposit for the applicants’ project. Neither party disputes that Mr. Donnelly does not control the email address ending in “@outlook.com”.

11.   On August 8, 2021, the applicants sent $2,175 by e-transfer as the email instructed, which is consistent with an e-transfer confirmation in evidence. I note that this is approximately, but not exactly, half of the estimate #4639 total amount of $4,342.80. The applicants did not confirm an exact dollar amount with Mr. Donnelly. The applicants also emailed Mr. Donnelly at his usual “@shaw.ca” address that they had sent the deposit, although it was a Sunday and Mr. Donnelly’s business was closed. Mr. Donnelly says he never received that email.

12.   The applicants say that on August 10, 2021 their bank asked for a confirmation of the e-transfer because it was possibly fraudulent. According to the applicants, the bank determined that the e-transfer funds had been routed to a third party email address that was not Mr. Donnelly’s or the address given in the payment request email. The parties agree that the unknown third party had somehow sent the payment request email, which was fraudulent. Mr. Donnelly did not receive the deposit money, and as noted refuses to pay the applicants $2,175 in compensation.

13.   The parties undisputedly abandoned the skylight project over the deposit payment issue. The applicants say Mr. Donnelly owes them $2,175 for the missing deposit money. I find the applicants claim, essentially, that the third party obtained the deposit money because Mr. Donnelly allegedly negligently failed to secure his computer and email systems from being used for the fraudulent email.

14.   To prove negligence, I find the applicants must prove that Mr. Donnelly owed them a duty of care, that he failed to meet the applicable standard of care, and that this failure resulted in reasonably foreseeable damage to the applicants (see Mustapha v. Culligan of Canada Ltd., 2008 SCC 27).

15.   I find that Mr. Donnelly owed a duty of care to his customers, including the applicants. The parties provided few submissions about the applicable standard of care. In the circumstances, I find the standard of care was for Mr. Donnelly to reasonably secure his computer and email systems when using them for customer communications and payments. Whether Mr. Donnelly failed to do so depends on what occurred and how the third party sent the email.

16.   The applicants say Mr. Donnelly admitted his computers and email had been “hacked”. Mr. Donnelly emailed on August 31, 2021 that a computer expert had checked his computers, informed him that he had been “hacked”, and that the fraudulent email had not come from his office but from a foreign source. However, that computer expert’s report, which I return to below, said that there was no evidence of any system intrusion, hijacking, malware, or viruses. In the circumstances, I find that Mr. Donnelly did not admit that his computers or email account had been accessed by a third party, much less because of a security failure. I find he likely meant that the computer expert had found the email was fraudulent and had been sent from a foreign source.

17.   The applicants also say that both Mr. Donnelly and his accountant admitted on telephone calls that the fraudulent email was present in a “sent” folder in Mr. Donnelly’s email system. Mr. Donnelly does not comment on whether the fraudulent email was present in an email system folder, but as noted he denies sending it and the applicants do not allege that he sent or authorized it. Given that Mr. Donnelly does not directly deny it, I find a copy of the fraudulent email was likely present somewhere in his email system. However, as further explained below, I find that does not necessarily prove how or when the email appeared in Mr. Donnelly’s email folders, that it was sent to the applicants from Mr. Donnelly’s email account, or that he failed to reasonably secure his computer or email systems.

18.   Mr. Donnelly hired Jacques Major of My Computer Guy to investigate the email and security issue. According to Mr. Major’s submitted report, he is a computer systems technician with “rudimentary expertise” in information technology security. The applicants do not argue that Mr. Major was unqualified to provide an expert opinion on these topics. Under the CRT’s rules, I find Mr. Major is qualified by experience to provide expert evidence on computer and email system administration, which I find includes explaining basic email security features and issues. I find the evidence does not show that Mr. Major is qualified to provide an expert opinion on more advanced information technology security topics, but I find nothing turns on that. Below, I refer only to Mr. Major’s evidence that I find he is qualified to provide as an expert.

19.   Mr. Major said that he scanned all of Mr. Donnelly’s office computers for viruses and malware using a variety of tools, and found no evidence of system intrusion, malware, or viruses. He also investigated Mr. Donnelly’s email applications, and checked both sent and deleted emails on the computers and online, and found no evidence of intrusion or hijacking. Mr. Major did not comment on how the third party could have obtained the content from the applicants’ August 6, 2021 acceptance email that was included in the fraudulent email sent to the applicants later that day.

20.   Mr. Major said that Mr. Donnelly’s email address had likely been “compromised or spoofed,” and that the fraudulent email was a “spoofed” email. His report indicated that spoofing an email address involved pretending to be that address, typically using a separate non-traceable email service and an independent email server to communicate messages as if the attacker was the actual owner of that email address. Mr. Major said that Mr. Donnelly’s email provider used a protocol that lacked authentication and was vulnerable to such abuse, because free software existed that could allow another user to “access” any sender’s email address.

21.   Given Mr. Major’s evidence, I find that Mr. Donnelly’s email address was likely spoofed without his knowledge by the third party. On the evidence before me, I find it likely such spoofing allowed the third party to communicate email messages with the applicants while pretending to be Mr. Donnelly at his usual email address. The evidence before me does not show that this would have required a computer or email security lapse by Mr. Donnelly.

22.   Further, I find that the question of what would constitute reasonable computer and email security, and whether Mr. Donnelly provided it, are subjects beyond ordinary knowledge and experience, and require expert evidence to prove (see Bergen v. Guliker, 2015 BCCA 283 at paragraph 124). The applicants submitted no expert evidence. I find Mr. Major’s expert evidence does not identify any lapses in Mr. Donnelly’s computer or email security and supports a finding that his email address was spoofed without his knowledge and in the absence of any security shortcomings.

23.   Even if I had found that the third party gained access to Mr. Donnelly’s computer systems or email accounts and used them to send the fraudulent email (which I do not), I find the evidence fails to show that a security lapse by Mr. Donnelly likely enabled that access, as opposed to another flaw or shortcoming in his computer or email systems. Neither party argued that a computer or email system is immune to security threats in the absence of user error.

24.   Having weighed the evidence, I find that the applicants have not proved that Mr. Donnelly failed to reasonably secure his computer and email systems. So, I find the applicants have not met their burden of proving that Mr. Donnelly failed to meet the applicable standard of care. The evidence does not establish that Mr. Donnelly was negligent. I dismiss the applicants’ claim for $2,175.

CRT Fees and Expenses

25.   Under section 49 of the CRTA, and the CRT rules, the CRT will generally order an unsuccessful party to reimburse a successful party for CRT fees and reasonable dispute-related expenses. I see no reason in this case not to follow that general rule. The applicants were unsuccessful, Mr. Donnelly paid no CRT fees, and neither party claimed CRT dispute-related expenses. So, I order no reimbursements.

ORDER

26.   I dismiss the applicants’ claims, and this dispute.

 

Chad McCarthy, Tribunal Member

 
