Fraud Litigation: Role of Regulation

Attorney: Courts Show Dependence on Guidance

January 25, 2013.

Recent high-profile court cases involving banks and their defrauded commercial customers highlight a growing reliance by judges on regulatory oversight during litigation, says attorney David Navetta.

These cases involving ACH fraud include: PATCO v. Peoples United; Experi-Metal v. Comerica; and Village View Escrow v. Professional Business Bank.

"What we did see was a heavy reliance on regulatory guidance," Navetta, co-founder of the Information Law Group, says in an interview with Information Security Media Group [transcript below].

"The FFIEC had put out regulatory guidance on online banking and what kind of security controls needed to be in place, including multifactor authentication, back-end fraud detection types of controls," he says.

"The courts really relied heavily on what that guidance said to establish what they thought the standard of care should have been and used that guidance to essentially set up that standard of care," Navetta explains.

In a panel interview, Navetta, Ronald Raether and Lisa Sotto discuss:

  • Fraud litigation trends;
  • Lawsuit winners and losers;
  • What to look for in 2013's fraud cases.

About the participants:

David Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He has been a keen observer of information security-related litigation, including financial fraud and state privacy laws.

Ronald Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.

Lisa Sotto is managing partner for New York-based law firm Hunton & Williams, where she focuses on privacy, data security and information management issues. She has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners.

The remaining installments of this series focus on:

ACH Fraud Settlements

TOM FIELD: David, I would like to start with some of the ACH fraud settlements and decisions we've seen over the course of 2012, because there were some significant ones. What has been the impact of these decisions?

DAVID NAVETTA: At the end of the day, Ron mentioned something about lawsuits going past the damage-pleading phase of the equation and it was starting to get into issues of causation and what's reasonable security. The ACH fraud cases and settlements really have jumped to that point because in those cases there's no issue of damages. Most of the time there's a loss of actual money from a small business's bank account because of some sort of security incident. We skip past damages and we get to the concept under the UCC-4A-202 of what's commercially reasonable security in the online banking context.

The impact of these cases in my view is they give us the first kind of demonstration of how courts are going to actually look at the concept of reasonable security. I think that's important because, as both Lisa and Ron have indicated, the data breach cases involving personal information are getting past that damage-pleading phase and we will be addressing this very issue of what the duty of care was with respect to protecting that personal information. We got a good preview of that in a slightly different context with these cases.

Follow Jeffrey Roman on Twitter: @gen_sec
