What is 'Reasonable Security?'
Attorneys Offer Insight on Fraud Litigation Trends
Recent high-profile court cases involving banks and their defrauded commercial customers highlight a growing reliance by judges on regulatory oversight during litigation, says attorney David Navetta.
"What we did see was a heavy reliance on regulatory guidance," Navetta, co-founder of the Information Law Group, says in an interview with Information Security Media Group [transcript below].
"The FFIEC had put out regulatory guidance on online banking and what kind of security controls needed to be in place, including multifactor authentication, back-end fraud detection types of controls," he says.
"The courts really relied heavily on what that guidance said to establish what they thought the standard of care should have been and used that guidance to essentially set up that standard of care," Navetta explains.
In a panel interview along with Ronald Raether and Lisa Sotto, these attorneys discuss:
- Fraud litigation trends;
- Lawsuit winners and losers;
- What to look for in 2013's fraud cases.
About the participants:
David Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He has been a keen observer of information security-related litigation, including financial fraud and state privacy laws.
Ronald Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.
Lisa Sotto is managing partner for New York-based law firm Hunton & Williams, where she focuses on privacy, data security and information management issues. She has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners.
The remaining installments of this series focus on:
- The legal merits of 'hack back';
- Regulators dictating privacy;
- Breach response best-practices;
- Top security/privacy issues of 2013.
ACH Fraud Settlements
TOM FIELD: David, I would like to start with some of the ACH fraud settlements and decisions we've seen over the course of 2012, because there were some significant ones. What has been the impact of these decisions?
DAVID NAVETTA: At the end of the day, Ron mentioned something about lawsuits going past the damage-pleading phase of the equation and it was starting to get into issues of causation and what's reasonable security. The ACH fraud cases and settlements really have jumped to that point because in those cases there's no issue of damages. Most of the time there's a loss of actual money from a small business's bank account because of some sort of security incident. We skip past damages and we get to the concept under the UCC-4A-202 of what's commercially reasonable security in the online banking context.
The impact of these cases in my view is they give us the first kind of demonstration of how courts are going to actually look at the concept of reasonable security. I think that's important because, as both Lisa and Ron have indicated, the data breach cases involving personal information are getting past that damage-pleading phase and we will be addressing this very issue of what the duty of care was with respect to protecting that personal information. We got a good preview of that in a slightly different context with these cases.
Now what was interesting in the cases were a couple of things. First of all, from reading them, in my view, there was a lack of comfort level with IT-related issues. A couple of the cases, in kind of tracking the rationale for certain decisions or proclamations about something like two-factor authentication, for instance, one of the courts, I think in PATCO, the magistrate's decision looked at two-factor authentication, which really was kind of an ineffective version of two-factor authentication, could be argued not to even be two-factor authentication, and said that was good and that it related and corresponded to what the regulators had said.
Then, the Experi-Metal case, where they had true two-factor authentication, the courts kind of went the other way and said that was not adequate on some level. We had kind of a split there in terms of the rationale.
The other thing in terms of beyond judges and their ability to understand these issues, what we did see was a heavy reliance on regulatory guidance. In this case, the FFIEC had put out regulatory guidance on online banking and what kind of security controls need to be in place, including multifactor authentication, back-end fraud detection types of controls. The courts really relied heavily on what that guidance said to establish what they thought the standard of care should have been and used that guidance to essentially set up that standard of care and then make their rulings. It highlighted both of those issues: the judges, their understanding and their methodology for looking at the concept of reasonable security, as well as how heavily they relied on regulatory guidance and the importance of that regulatory guidance in a litigation context.
Institutions vs. Customers
FIELD: David, in your perspective, we've pitted financial institutions against business customers and the settlements have favored each at different times. Who's winning? Is it the banking institution or the business customer that's coming out ahead?
NAVETTA: So far in the lawsuits, I think the business customer appears to be winning. That said, there are a lot of these situations with online banking fraud that never get reported that are settled behind closed doors that we don't hear about, and so it's hard to say who's ultimately winning.
But when it comes to court, so far we have three big decisions ultimately - PATCO, EMI, and another one, Choice Escrow against BancorpSouth. In all three cases, the banks have lost and the customer has won. In Experi-Metal and PATCO, they actually lifted the concept of commercially reasonable security and in both cases the failure to have fraud detection in place to catch the money going out the door was positive and it led to a ruling.
In the other case, the banks actually tried to use their contract language, I believe an indemnification clause, that required the customer to identify the bank losses and the court ruled that UCC-4A-202 preempted or nullified that indemnification clause. The protections afforded by potential contracts between the bank and the business customer were not effective in that case. One area where I think a lot of banks were feeling comfortable is that if they had good contracts in place with respect to limits of liability and identification, that even if there was a security incident they could rely on those and at least that one case in district court seemed to nullify that concept.
It was interesting because in the Experi-Metal case, the court in the lower court ruling indicated that there was commercially reasonable security in place because the business customer agreed in their contract that the bank's security was commercially reasonable at the outset, and they ruled on that and they felt that was efficient to establish reasonable security. They didn't even look at the actual security. They wouldn't let experts testify on that because it was in the contract. The question is based on a decision I just mentioned a second ago. Would an agreement between a bank and a customer where that security was commercially reasonable be nullified by UCC-4A-202? I don't know, but it certainly seems possible based on that decision.
Class Certification Issues
RON RAETHER: The litigation question is of interest especially now that we're getting past the pleading stage and we're getting into discovery. In looking at the other issues that are going to come up in litigation, especially in the context of those suits being brought by consumers for the loss of their data, as opposed to the cases between the two businesses being victimized, in the case of the consumer, now that we're past the pleading stage it will be interesting to see how the judges will deal with class certification issues.
As of today, in the litigation context, you have to be class certified on that issue. When you look at the decisions that are coming out of the courts and the basis on which they're finding standing and adequate pleading of damages and causation, most frequently they are looking at individualized circumstances. For example, a plaintiff is able to identify the fact that they've been a victim of identity theft or ... able to provide the courts with an addition that the identity theft had to be as a consequence of the breach because they personally have not been engaged on any other online activity, any other electronic transfers. The only cause of their identity theft had to be the breach. The breach is the subject of the complaint. Why is that important in the class context? Well, in order to sustain a class there has to be common answers to common questions for the court to be able to certify class. If the basis for surviving a motion to dismiss is these individualized circumstances, I think that will make it challenging for plaintiffs to be able to certify class.
On the other side of it, there's this issue with regard to settlement. And I think David mentioned that often times there's no real pecuniary harm to the majority of the class, but often times these cases involve large classes - sometimes hundreds of thousands, sometimes millions, and sometimes a hundred million people. The task of having to settle those types of cases given the enormity of the class can be overwhelming and sometimes prohibitive. If you're going to try to pay each class member even a dollar, if you're talking about a hundred-million-person class, that $100 million settlement becomes prohibitive in terms of the company thinking about a means to try to settle that case.
What we've seen are attempts to try to settle by creating a cy-près fund, somehow establishing a way of providing a benefit to the class without actually paying money to the class. Recently, we had a judge out of the Northern District of California with respect to a settlement involving Facebook [with] that type of structure, creating a cy-près, which is a third-party that does something for the benefit of the public and most often in the case of a class action it's their engagements on conduct that's beneficial to the class members.
For example, in a breach case, it might be an entity that assists consumers that have been victimized by breaches. So you give them the money. They're able to use that money presumably to the benefit of the class. In this Facebook case, what the courts said is that type of structure, creating a cy-près, doesn't provide sufficient consideration to the class to justify any settlement in the release. That really creates a problem for companies trying to settle when on the one hand, if you pay any amount of money to the class, 1) it looks small - a dollar a person - 2) if you pay to a hundred million people, the cost of settling becomes prohibitive generally. Then, on the other hand, if you try to come up with a creative way of being able to resolve the case, provide some consideration to the class, you have these courts and you have these interest groups that are pushing the courts to reject those types of settlements. So I think all of those factors combined will make litigation interesting to follow in the years to come.
FFIEC Authentication Guidance
FIELD: David, one of the things that we saw emerge in 2011, certainly take effect in 2012, is the FFIEC Authentication Guidance supplement. Given that financial institutions have taken some steps, made some investments and they have had their efforts evaluated by the regulators, in terms of online authentication and fraud prevention are we better off now than we were a year ago?
NAVETTA: The 2011 guidance was interesting because they accidentally leaked a version of that in the midst of the PATCO and the Experi-Metal cases which hadn't really been decided yet, or maybe one of them had decided. I wasn't clear whether the lawsuits were driving the regulators to make changes to their guidance or vice versa. What I ended up seeing at the end of the day was a guidance document that kind of reflected a lot of the rationale and the decision-making of the judges in the cases that were being adjudicated right while the regulators were making the new guidance document up.
Now whether we're better off or not better off, I'm not sure. I think at the end of the day, the combination of the new guidance from the FFIEC, as well as the decisions in PATCO and Experi-Metal, really raised the profile of these cases and really raised the profile and the necessity of complying with regulatory guidance. Whether guidance may have had an optional type of feel to it or something that they could look at but they didn't have to do it on a mandatory basis, I think many banks now look at it in a much different way after the release of the new guidance, especially in conjunction with those lawsuits that are out there.