A Maine bank will take the unusual measure of reimbursing a small construction company whose accounts were emptied of nearly $600,000 by hackers.
Last year, a U.S. District Court found that Ocean Bank, a community-based financial institution now owned by People's United Bank, was not at fault when its customer, Patco Construction, a family-owned developer in Sanford, Maine, lost $589,000 from its accounts after crooks had infected at least one company computer with the Zeus trojan, allowing them to steal bank login credentials.
However, a federal appeals court reversed the decision in July, ruling that the security measures implemented by the bank were "commercially unreasonable" to protect its business customers.
The two parties agreed to settle out of court. Under the terms filed on Nov. 6, People's United Bank will pay Patco $345,000 and an additional $45,000 in interest.
Daniel Mitchell, Patco's attorney, told SCMagazine.com on Friday that the settlement is a classic David versus Goliath story and, more importantly, may set a precedent for future cases.
“What it does signal is that there are circumstances where commercial customers can prevail in these instances,” Mitchell said. “We tend to think that banks have pretty minimal responsibilities in these cases. But with this, it shows it really depends on the facts of the case.”
In the appeals decision in July, the judge found that the bank should have been able to detect and stop the fraudulent transactions that drained the money from Patco's commercial accounts. The security solutions that were in place did detect the transactions as "unusually high-risk" because they were inconsistent with the timing, value and geographic locations of Patco's normal account activity. However, the bank did not notify Patco, and instead allowed the transfers to process.
Mitchell said that while many high-profile cases of this nature haven't “made their way up” in the court system, this case creates a point of reference.
“They've got a guidepost now that they didn't have before, and I think the courts will probably reuse it and rely on it,” Mitchell said. "It's only natural to assume there will be more cases like this in the future. This is certainly not a well-developed area of the law as far as court decisions."
Bill Wansley, senior vice president at consulting firm Booz Allen Hamilton, told SCMagazine.com on Friday that the settlement could change the way financial institutions define their roles regarding their responsibility to protect consumers targeted by hackers.
“I talk to a lot of financial services clients, and they think that it's the government's responsibility,” Wansley said of guidelines for cyber incidents and safety. “The fact is, those institutions are holding personally identifiable information (PII) of their customers – and the customers hold the bank responsible.”
The recently published Federal Financial Institutions Examination Council (FFIEC) guidelines around authentication does offer new guidance to banks. As expected, the supplement specifically speaks to the widespread scourge of corporate bank account takeovers. Over the last several years, U.S. organizations, mostly of the small and midsize variety, have lost hundreds of millions of dollars because their accounts were hijacked by adversaries to steal funds by initiating fraudulent ACH transactions or wire transfers.
Still, however, banks are not legally required to reimburse business customers that lose money to fraud, unlike consumer accounts, according to Regulation E of the Electronic Funds Transfer Act.