When cyber criminals hit—Is the bank liable for your loss?
Earlier this summer Comerica Bank was found liable for more than a half-million dollars in a case involving one of its commercial customers, Experi-Metal Inc., which lost money when the bank approved a series of fraudulent wire transfers. The decision in the case—one of the first to go to trial involving such cyber fraud—has been closely watched as the courts grapple with several cases involving bank security breaches in cyberspace.
“The heart of these cases is the determination of the adequacy of the banks’ security controls,” said Hoyt L. Kesterson II, security architect for Terra Verde Services, moderating an ABA-CLE program, “Whose Fault Is It That I Didn't Know It Wasn't You? How to Represent Your Client in a Cyber Authentication Case.”
Kesterson explained that unlike consumer accounts, business accounts have no insurance or government-backed protection against cyber criminals, whose methods of siphoning funds have become increasingly sophisticated, involving malware such as key loggers and phishing emails.
Without the protections afforded to consumer accounts, businesses are suing their banks to recover their lost funds.
According to panelist Joseph M. Burton of Duane Morris LLP, in Experi-Metal v. Comerica Bank, the plaintiff’s claim against the bank was based on the Uniform Commercial Code and whether or not the security in place was “commercially reasonable” under the UCC.
Several other cyber crime cases—Patco Construction v. Peoples United Bank and Plains Capital Bank v. Hillary Machinery, among them—involve similar determinations of what constitutes commercially reasonable security measures, as outlined in 4A-202, part C, of the UCC.
Most of these cases involve the banks’ use of one-factor authentication, a security measure that requires users to secure their accounts with only their user name and password. “That will become an issue in these cases—whether one factor is sufficient or reasonable as a security measure,” said Burton, “or whether or not two factors or more are necessary.”
While plaintiffs argue the inadequacy of bank security, the banks insist that they aren’t liable for the losses because they’re the customers’ fault. “In all of these cases, it’s not that someone penetrated the bank’s security and diverted the funds. In every case it’s because the customer lost control of his credentials in some way, and as such, allowed the bad guys to masquerade as the customer,” said Kesterson. “It’s a hard [argument] to fight sometimes.”
In the Peoples United Bank case and a few others, banks are trying to shift the responsibility for security to plaintiffs through the language they use in their customer contracts. Some contracts outline that the bank is not liable for unauthorized payments or transfers that occur before its customers notify it of possible unauthorized use of their accounts.
Burton believes that in cases involving the UCC, it’s difficult, if not impossible, to contract around security issues. Courts are unlikely to be swayed by the use of contract language, given the rationale for the existence of the UCC, he said.
“If you ask, ‘Who’s in the better position to secure an account?’ It’s the bank. They are in the position of having the expertise, the resources,” Burton continued. “It’s difficult to make the argument that the individual business or customer can do better than the bank.”
In addition to arguments related to security, plaintiff lawyers in some cases have raised other provisions of the UCC, such as those involving “good faith.” In his bench opinion on the Comerica case, U.S. District Judge Patrick Duggan wrote that, “A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this court could find otherwise.”
“We all know there’s considerable technical experience in behavior monitoring of account users,” said Kesterson, pointing out that credit card companies routinely signal account holders on suspicious transactions. “The financial industry has to answer, why is it that one side of the industry has these controls in place, but the other doesn’t?”
“Over the last several years, there has been a lot of effort to try to generate a standard of conduct in the area of data breach and loss,” said Burton. As more cases are decided, litigants and defendants hope to get the guidance that has been sorely missing.
“Whose Fault Is It That I Didn't Know It Wasn't You? How to Represent Your Client in a Cyber Authentication Case” was sponsored by the Section of Science & Technology Law and the Center for CLE.