Customer Vs. Bank: Who is Liable for Fraud Losses?Comerica/EMI Case Raises Key Questions About Responsibility, Security
But now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility.
"It will establish who is liable in the U.S. - the bank or the customer - for fraud losses that result from phishing," says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research.
The lawsuit, filed by EMI in a Michigan circuit court, alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank's security software. In January 2009, an EMI employee opened and clicked on links within a phishing email that purported to be from Comerica. The email duped the employee into believing the bank needed to update its banking software. Subsequently, more than $550,000 was stolen from the company's bank accounts and sent overseas.
EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures. The bank says its online security methods were reasonable "because they were in general used by other similarly situated customers of other banks." Now that this case is in the courts, observers say, several important questions will be debated re: trust, responsibility and security. Among them:
#1: How Much Trust is Lost?
Clearly, Comerica has lost EMI's trust, but how much further can this costly loss of confidence spread among banking customers - even at other institutions? "Cases like this, when they hit the courts and the press, work at a macro level to erode the trust of all banks by all customers, even affecting those institutions with good anti-phishing programs in place," says Javelin's Wills. "It will make it that much harder for all banks to migrate their customer base to the highly cost-effective (from an operational standpoint) online channel."
Anytime a company incurs a data breach that compromises personal information, the organization risks having its customers walk away for good. "That's why it's so important that, before an incident occurs, a company take proactive steps to implement a reasonable security program," says Alysa Hutnik, a lawyer at Kelley Drye & Warren, a Washington DC-based law firm that specializes in post-incident response. "Even after a breach, if a company handles the issue responsibly, those efforts can earn back trust bit by bit. But here, where a customer is out of pocket hundreds of thousands of dollars as a result of a breach and was compelled to file a lawsuit to redress the issue, yes, the trust is likely lost."
Because trust is so fundamental to banking institutions, they have to draw a distinct line, says Avivah Litan, an analyst at Gartner. "Either banks explicitly and visibly warn their customers that banking with them is not safe and that [customers] are held liable for hacking into their accounts through online banking," she says. "Or they assume liability."
#2: Is a Bank Liable For Phishing?
Should a bank be held liable for a customer's employee falling for a phishing email that supposedly represents the bank? The EMI/Comerica case highlights several hotly-debated issues.
On the plaintiff's side, the employee's vulnerability to the phishing attack raises the core question of 'What is sufficient training?,' says attorney Hutnik. Most employees have been warned about phishing attempts, but even the most robust training does not protect against occasional human error. Does this training need to occur more frequently, or is it a matter of customizing the training to the evolving and specific types of phishing attempts? If a company is going to be responsible under the law for employees' vulnerability to phishing attempts, Hutnik says, that's a pretty good incentive to increase training.
Can a bank be held liable? Some security experts say emphatically 'No.' "The bank clearly could have made better decisions on how to update security information," says Branden Williams, Director of the Security Consulting Practice at RSA, the security division of EMC. "But judging by the timelines, they may have been ahead of their time with offering multi-factor authentication for online business banking."
Williams quotes an old saying: "I'll open the door for you, but only you can walk through it." Comerica did open the door with its security updates, he says, but a simple training issue would have prevented the employee from walking through that door. "Companies that become complacent with security become easy targets."
#3: What is 'Reasonable Security'
In this case, was the bank's two-factor security token technology an unreasonable safeguard based on the information available at the time it was implemented by the company? Discovery and expert testimony on this point will be critical, says Hutnik. So too, will the surrounding facts on what information the bank provided to its customers about giving personal information online, or in response to an email alert, leading up to and after it transitioned away from the digital certificate security process.
Hutnik sees a third key issue, which is often a gap in many companies: What measures were in place to detect unauthorized, unusual activity involving this customer account, and did the bank act quickly enough in response to such detection? "All companies could benefit from evaluating and assessing how they compare the issues raised in this case against their own information security programs," she says.
David Navetta, a lawyer at the Information Law Group, a Colorado-based law firm, says one of the issues that will be key in this case is whether the bank has a legal duty to prevent these types of phishing attacks. And if so, whether the security measures it took were "reasonable" under the law. To the extent a bank has a general duty to protect client accounts, does that duty extend to preventing (or reducing the risk of) its customers from being duped by social engineering attacks such as phishing? "That will be the threshold legal question, and I don't know what the answer will ultimately be," he says.
Another point that Navetta says will be considered is "Reasonableness." Under the law for purposes of negligence, a defendant can avoid liability even if a plaintiff suffered harm, as long as the defendant did not breach its duty of care. "In this context, if the bank's security measures where 'reasonable' under the law, it would not be liable," Navetta says. "I think the fact that the bank used two-factor authentication will help its cause in this respect," he says. On the other hand, he adds, "Many security professionals I have spoken to/read have indicated that a phishing attack was a known weakness, or at least a theoretical weakness, of two-factor authentication."
Regulators Were 'Asleep at the Wheel'
While EMI and Comerica argue over liability, Gartner's Litan says the nation's legislators and banking regulators bear the bulk of the blame for such breaches. "It's their job to set the rules for soundness and safety of the U.S. banking system, and to enforce that the banks execute those rules," she says. "They are negligent here - in not passing legislation that protects business accounts (as Reg E protects consumer accounts) and in not enforcing security measures at the banks, as set forth by the FFIEC strong authentication guidance," Litan says.
Litan also has strong words for bank examiners. "Frankly, they are also asleep at the wheel," she says. "And the banks are taking advantage of the current legislative and regulatory environment by not proactively securing business accounts."
No matter the outcome, this case will set a precedent, predicts Rohyt Belani, CEO of the Intrepidus Group, a New York City-based security firm. Banks and other e-commerce providers need to take some of the responsibility to help their customers mitigate the risk associated with phishing attacks - especially those that exploit the institution's brands. "Just posting information about phishing on the login page doesn't cut it," Belani says. "I believe banks need to work on enhancing their authentication mechanisms, changing the way they communicate with their clients (not embedding active links, etc.), and educating the customers using techniques that are proven to reduce susceptibility.
"Banks should view it as a wake-up call and work on mitigating phishing attacks."