Bank Vs. Customer: War of Words Heats Up Comerica, EMI Bicker Through Court Filings in Fraud Case
In May, one of the year's biggest conflicts came to a close with the announcement of a settlement between PlainsCapital Bank and Hillary Machinery - the customer sued by the bank in the wake of ACH fraud.

But what about the other high-profile case between a bank and its customer? What's become of the dispute between Dallas-based Comerica Bank and Michigan's Experi-Metal Inc., which sued the bank last December, claiming that the bank exposed its customers to phishing attacks?

Comerica in April filed a motion for summary judgment, saying "This is a case that should never have been filed."

Since then the two parties have exchanged testy legal responses. EMI fired back at Comerica, sniping "This is a motion that should never have been filed." And then the bank responded to EMI's response, saying "Experi-Metal has tried to muddy the facts to avoid summary judgment."

The motion, comments and original lawsuit are pending before a Michigan circuit court, and observers say this could be the case that truly attempts to settle the question of "What is reasonable security?" between banks and business customers.

"The summary judgment briefs reflect considerable investment in discovery and strategy by both parties," says Alysa Hutnik, a lawyer specializing in information security and privacy law at Washington, D.C.-based Kelley Drye. This war of words, Hutnik says, reflects "at least the possibility that the parties are willing to fight it out."

Customer vs. Bank

The EMI lawsuit, which garnered widespread attention in the industry, alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank's security software. EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures.

EMI contends that Comerica's actions opened its online bank account to a successful phishing attack where more than $550,000 was stolen from the company's bank accounts and sent overseas.

Comerica, in its motion for summary judgment, places the blame squarely upon EMI. "It is undisputed that Experi-Metal gave its online banking login ID, PIN, password and account information to criminals in response to an internet 'phishing' scam," the motion states. "The applicable law and the parties' agreements establish, as a matter of law, that Experi-Metal is responsible for that loss and not Comerica Bank."

Letter of the Law

The key words are "parties' agreements," says fraud expert Avivah Litan, a Gartner analyst, who says the case may come down to the terms of the contract that was binding between Comerica and Experi-Metal at the time of the theft. According to the court filings, there is a disagreement between the two parties as to whether Experi-Metal legally agreed to move its money through Comerica's TMC Web wire transfer service.

"It will boil down to whether or not Comerica has a legally binding contract with Experi-Metal to move the company's money through the TMC Web wire transfer service," Litan says.

David Navetta, an attorney specializing in information security law, says that so far the dialogue in the case has little to do with actual security, and more to do with procedural issues around security acceptance, contracting and the Uniform Commercial Code (UCC). Navetta says on some level the issue of commercially reasonable security will have to be addressed by the court either on this motion for summary judgment or later in proceedings.

The two opposing sides may need to wait at least until after the oral arguments to try and glean the court's leanings, Navetta says. Then the parties can assess the advantages of settling before a ruling, or proceeding to trial.

Larger Issues Ignored?

Attorneys Hutnik and Navetta agree that, at this point in the case, the issues focus less on what is reasonable security, and more on legal procedural issues and whether there was sufficiently clear notice of updates to the contractual agreement. How the court decides those issues will ultimately determine whether there is closer examination on the issue of whether the bank's security safeguards were in fact reasonable, Hutnik says.

If the case gets to that stage, there will be much more scrutiny and battle of the experts on the factual issues of whether two-factor authentication was reasonable at the time of the fraud.

The risk, observers say, is that this case really could come down to narrow discussions of contractual issues, ignoring larger arguments about regulatory oversight and who ultimately is responsible when a banking customer is defrauded.

"If these larger issues were addressed, I believe it would become clear that banks need to assume the responsibility and need to raise the bar considerably to provide 'reasonable security procedures' as stipulated by UCC," says Gartner's Litan. Banking regulators have been negligent, she says, "by not stepping in and enforcing the FFIEC guidance, which stipulates that banks must assess their electronic banking risks and implement controls commensurate with that risk."

Rohyt Belani, CEO, Intrepidus Group, a security training company, says "Regulators have been asleep at the switch." Just recommending multi-factor authentication is not enough security, as it wasn't able to prevent the corporate account takeover via phishing attack. "The FFIEC needs to look at phishing as a human issue more so than one that can be solely addressed by technology such as two-factor authentication," he says.

Current regulations fall short on the awareness and education requirements, Belani says. Most of these requirements are vague and easily circumvented by subjecting employees to a single PowerPoint slide once a year. The required countermeasures to combat phishing via education and measure susceptibility of employees/customers need to be spelled out clearly by regulatory bodies.

However the case is decided, it is likely to set a precedent for similar disputes. Comerica, in its motion for summary judgment, makes clear its position.

"Experi-Metal was responsible for this security breach," the motion says. "Consistent with Michigan law and common sense, Experi-Metal cannot shift responsibility for its resulting loss to Comerica."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network