Judge John Rich late last month sided with Ocean Bank, ruling that the U.S. District Court in Maine should dismiss a complaint filed by Sanford, Maine-based Patco Construction Company.
Patco, a family-owned general contracting firm, sued its depository Ocean Bank, which is owned by People's United Bank, after discovering in May 2009 that cyber vandals had made $588,000 in unauthorized Automated Clearing House (ACH) transfers from its online bank account.
Ocean Bank blocked $243,000 of the transfers, and Patco -- which had used the ACH system for payroll deposits for employees but now writes paper checks since the breach -- sued the bank for the rest.
In the lawsuit, Patco contended that Ocean Bank acted with negligence and breached its contract when it failed to employ the proper security procedures to identify and stop all of the fraudulent transfers. As part of its argument, the construction firm alleged the bank failed to conduct a manual review of the suspicious transactions, which could have stopped the fraud, or to implement stronger authentication controls.
Ocean Bank, however, argued that it fulfilled its responsibility to its customers to provide "commercially reasonable security" through the use of multifactor authentication, SSL encryption, anti-phishing services, transaction-based email alerting and cyber intelligence services. Moreover, the bank argued that the theft was only able to occur because the construction firm failed to protect its online banking credentials.
In the 70-page ruling, first reported Monday by Bankinfosecurity.com, Rich said Ocean Bank fulfilled its contractual obligation to provide commercially reasonable security, but acknowledged that the bank's defenses could have been better.
“The bank would have more effectively harnessed the power of its risk-profiling system if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions,” Judge Rich wrote in the ruling.
The case represents one of the first times a court has tried to define commercially reasonable security, Dave Navetta, partner at Denver-based security, privacy and technology firm InfoLawGroup, told SCMagazineUS.com on Wednesday. If accepted by the presiding judge, the ruling could set a precedent for the level of security banks are expected to provide to businesses.
Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com that banks are paying close attention to the ruling. She said she worries it could have a negative effect on security by giving banks a reason to relax their security controls.
“The large banks have the resources and are working to prevent fraud, and this is giving them reason to slow down,” she said.
Patco is just one of likely thousands of small or midsize businesses that have been victimized by corporate account takeovers in recent years, resulting in hundreds of millions of dollars in losses. In most cases, an employee tasked with overseeing the business' online bank account receives a socially engineered email that contains a password-logging trojan, such as Zeus.
Banks and SMBs also are eagerly awaiting the result of another potentially precedent-setting case.
Experi-Metal Inc. (EMI), a Sterling Heights, Mich.-based metal supply company, sued Dallas-based Comerica Bank in December 2009, accusing the institution of failing to detect 85 wire transfers that occurred over the course of several hours on Jan. 22, 2009. Through a slick phishing scam, attackers gained access to the banking credentials of EMI to wire nearly $600,000 to money mule accounts.
The lawsuit accuses the bank of lacking the controls to detect the fraud – EMI rarely transferred money from its account – in addition to grooming its customers to expect emails from the bank that ask it to click on links and enter credentials. Both sides are awaiting a verdict.