A federal appeals court has reversed a lower court's decision, ruling that the security measures implemented by a Maine bank were "commercially unreasonable" to protect its business customers.
In 2011, a U.S. District Court found that Ocean Bank, at the time of the theft an independent southern Maine-based community bank, was not at fault for the fact that its customer, Patco Construction, a family-owned developer in Sanford, Maine, lost nearly $589,000 from its accounts after cyber criminals had infected at least one company computer with the Zeus trojan.
The fraudulent transfers occurred over one week in May 2009, despite the fact the bank's security systems had flagged six related transactions as "high risk" and possibly fraudulent. Patco managed to recover $243,000 of the lost funds, but was unable to reclaim the rest under this ruling.
But last week, the First Court of Appeals in Boston disagreed with the original decision and ruled in favor of Patco. The security systems the bank had in place were "commercially unreasonable" because they failed to stop transactions that were for larger amounts than usual, to unknown recipients and initiated from unknown IP addresses, the three-judge panel said.
Now the question is what the ruling will mean going forward for mom-and-pop companies like Patco, whose bank accounts have been raided with reckless abandon by cyber criminals over the past several years, but which have found little recourse within the justice system. Current law only lends liability protection to consumers if their bank accounts are hijacked to make unauthorized transfers.
The Patco ruling is specific to this case and is likely binding only in the jurisdiction of the particular district court, Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazine.com on Monday.
"There are no black-and-white guidelines anyone can take away from this judgement other than to not provide and rely on just the measures Ocean Bank was providing at the time," she said.
Ocean Bank, which has since been acquired by People's United Bank, should have been able to detect and stop the fraudulent transactions that drained the money from Patco's commercial accounts, the appeals judges said in the court's 43-page decision. The security systems detected the transactions as "unusually high-risk" because they were inconsistent with the timing, value and geographic locations of Patco's normal account activity. However, the bank did not notify Patco, and instead allowed the payments to go through.
"Because it had the capacity to do all of those things yet failed to do so, we cannot conclude that its security system was commercially reasonable," the judges wrote.
Ocean Bank's own risk-scoring engine flagged the fraudulent transactions, but the bank ignored the alerts, the judges said.
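To make concrete the three deviations the judges named (amount above the usual, unknown recipient, unknown source IP), here is an added illustration of a minimal risk scorer whose policy is to hold the transfer and notify the customer instead of releasing it; this is not code from the court record or from the bank's platform, and the customer profile, thresholds and sample transfers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Transfer:
    amount: float
    recipient: str
    source_ip: str


@dataclass
class CustomerProfile:
    """Baseline of the customer's normal activity, built from history (constructed here)."""
    known_recipients: set
    known_networks: list          # CIDR strings the customer usually logs in from
    usual_max_amount: float       # largest amount seen in routine activity


def risk_reasons(t: Transfer, p: CustomerProfile) -> list:
    """Return every way a transfer deviates from the customer's baseline."""
    reasons = []
    if t.amount > p.usual_max_amount:
        reasons.append("amount above usual maximum")
    if t.recipient not in p.known_recipients:
        reasons.append("unknown recipient")
    if not any(ip_address(t.source_ip) in ip_network(n) for n in p.known_networks):
        reasons.append("unknown source IP")
    return reasons


def decide(t: Transfer, p: CustomerProfile, hold_at: int = 2):
    """Hold and notify the customer once enough deviations stack up (hold_at is an assumed policy)."""
    reasons = risk_reasons(t, p)
    action = "HOLD_AND_NOTIFY" if len(reasons) >= hold_at else "RELEASE"
    return action, reasons


# Constructed sample data, not from the case record.
PROFILE = CustomerProfile(
    known_recipients={"Acme Lumber", "Sanford Hardware"},
    known_networks=["198.51.100.0/24"],
    usual_max_amount=10_000.0,
)
SAMPLE_BATCH = [
    Transfer(4_500.0, "Acme Lumber", "198.51.100.17"),     # routine payment
    Transfer(95_000.0, "J. Doe", "203.0.113.8"),           # all three deviations at once
    Transfer(8_000.0, "New Vendor LLC", "198.51.100.20"),  # one deviation: release, but logged
]


def process_batch(batch=SAMPLE_BATCH, profile=PROFILE):
    """Score a batch and return (action, reasons) per transfer, so alerts are never silently dropped."""
    return [decide(t, profile) for t in batch]


if __name__ == "__main__":
    for t, (action, reasons) in zip(SAMPLE_BATCH, process_batch()):
        print(f"{action:16} ${t.amount:>10,.2f} -> {t.recipient}: {', '.join(reasons) or 'in profile'}")
```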
However, the appeals decision doesn't mean Patco will get all its money back, as the court just reversed a portion of the earlier ruling and remanded the case back to the district court for further hearings to determine which responsibilities Patco may have had to protect itself. The judges also recommended the parties settle the case out of court.
The court didn't make this a cut-and-dried decision by blaming all the missteps on Ocean Bank, David Jevans, CTO of IronKey, a Sunnyvale, Calif.-based security company, told SCMagazine.com on Monday.
"They didn't say outright that it is not the customer's fault," Jevans said.
In fact, the court decision did not clarify the responsibilities of the customer and the bank when it comes to security, Peter Tapling, president and CEO of Authentify, a Chicago-based company that provides authentication solutions, told SCMagazine.com on Monday.
This decision will result in customers being "less reserved" about pursuing the legal course of action in case of cyber theft, Tapling said. And new contracts between bank and corporate customer likely will spell out in greater detail than years past who would be responsible in cases of account takeovers.
The hope is that small banks that rely on third-party processors will become much more security aware and they will put more pressure on their providers to provide stronger security, Litan added.
Ocean Bank, for example, contracted with a company called Jack Henry & Associates to provide its online banking platform, court documents show.
The district court had originally found the bank had complied with Federal Financial Institutions Examination Council (FFIEC) security guidelines. The FFIEC rules, set in 2005, discuss two-factor authentication mechanisms to secure online transactions and mostly speak to phishing. The council last updated its guidelines in 2011 to reflect current threats, such as those enabled by banking trojans.