Defining Reasonable Security
Are Courts Reviewing Fraud Cases Within Historical Context?
Last month, an appellate court in Boston reversed a lower court's ruling that favored a bank in a legal dispute over a 2009 account takeover incident (see PATCO ACH Fraud Ruling Reversed.)
Was that appellate ruling fair? Based on the security practices that most banking institutions used in 2009, probably not. The case exemplifies the challenges courts - and the attorneys arguing both sides - face in resolving cases involving ACH and wire fraud. The key issue? How to define "reasonable" security - and how that definition changes over time.
The appellate court decision dealt with an ongoing legal dispute between Maine-based PATCO Construction Inc. and the former Ocean Bank, now People's United Bank, over a series of bogus ACH/wire transactions that in May 2009 drained more than $580,000 from PATCO's online account.
In May 2011, a U.S. District Court denied PATCO's motion for a jury trial on the issue of whether the bank should be held financially liable for the breach. Although the court noted Ocean Bank's security could have been better, it determined that PATCO agreed the bank's security was reasonable when it signed its online banking contract.
The federal appeals court disagreed, and on July 3 ruled Ocean Bank's security procedures were "commercially unreasonable," reversing the district court's decision. The court further recommended that the two parties pursue an out-of-court settlement of the case.
What the Ruling Means
I've spoken with several financial security and legal experts who offer widely varying perspectives about the appellate court ruling.
Joseph Burton, an information security and cybercrime attorney at the law firm Duane Morris, says the ruling could be a win for banks in the long run, suggesting it hints at the fact that commercial customers bear some responsibility for ensuring their own online security.
"It opens the possibility that you could have a circumstance where you had a commercially unreasonable procedure that was used by the bank, but liability might not be on the bank, because there may be responsibilities that the customer of the bank has," Burton says.
But Scott Vernick, a data security and privacy attorney at the law firm Fox Rothschild, says he doesn't expect the ruling to have much impact.
Vernick says the ruling highlights points about Ocean Bank's security practices that other banks should heed - such as why the bank developed a risk profile for PATCO that it never reviewed, as well as how the bank failed to adequately use risk scoring to more closely monitor high-risk accounts. But he doesn't deem the appellate court's review of security reasonableness, based on Article 4-A of the Uniform Commercial Code, to be quite so impactful.
Under Article 4-A, a bank typically bears the risk of loss when unauthorized funds transfers are approved. The bank may shift that risk by proving the commercial reasonableness of its security, or by proving the payment was approved on good faith.
"It's hard for me to say necessarily that you are going to see a wave of lawsuits against banks," Vernick says. "If you see it, you'll see it because it would be hard for a bank today to argue that they are not aware of any number of cyberthreats that are out there."
Why the Ruling Matters
Regardless, the ruling marks the first time we've seen a federal court's review of a legal dispute involving fraud linked to account takeover. And that, on its own, makes this case special.
But deciding these cases based on how we define reasonable security is dangerous. What's considered reasonable today might not be considered reasonable tomorrow.
Bill Nelson, who heads up the Financial Services Information Sharing and Analysis Center, was involved with some of the early Article 4-A discussions about reasonable security. He makes a good point, and one I think the court failed to consider in the PATCO case: Reasonable security changes over time.
A few years ago, authentication based on username and password, with challenge questions and/or identifying cookies during the session, was "commercially reasonable," he contends. Today, however, that approach is widely considered inadequate.
In the PATCO reversal, the appellate court judged the reasonableness of Ocean Bank's security based on today's standards, not standards deemed reasonable in May 2009. The industry did not really even take notice of account takeover fraud until late 2009, after the Federal Bureau of Investigation identified it as a serious threat.
I'm not saying Ocean Bank should have been let off the hook for not taking advantage of the fraud-detection systems it had in place. Why invest in solutions if you aren't going to use them? And when a bank has solutions such as transactional risk monitoring in place, commercial customers have every right to assume the bank is, in fact, monitoring those accounts.
But the form of authentication - log-in and password, plus challenge questions - that Ocean Bank relied on was standard at the time PATCO's account took a hit. As we move forward, I hope the courts carefully consider the timing of an incident when determining whether a bank followed reasonable security practices.
Nevertheless, the ruling offers important lessons for banks: If you have a system that flags high-risk transactions, use it. And if you have systems in place that sound alarms when transactional limits are suspicious, take advantage. It's worse to have systems in place and not use them than to not have the systems at all.
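To make the lesson above concrete, here is an added example (written for this page; it is not the article's own code and does not describe Ocean Bank's or any vendor's actual system) of what "a risk profile that actually gets used" looks like in practice: a per-customer profile, a rule-based score for each outgoing ACH/wire transaction, and, crucially, a decision step that holds or routes a high-scoring transfer for review instead of just logging it. The customer IDs, payees, device names, rule weights, thresholds and dollar amounts are all hypothetical, constructed for the example.

```python
"""Added example (not from the article or any bank's system): a per-customer
risk profile plus rule-based scoring of outgoing ACH/wire transactions, with the
score wired to an enforcement decision (release / review / hold).
All thresholds, weights and sample data below are hypothetical."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class CustomerProfile:
    customer_id: str
    daily_limit: float          # hypothetical contractual daily ACH/wire ceiling
    baseline_max: float         # largest single transfer seen during the baseline period
    known_payees: set
    usual_devices: set
    usual_hours: tuple = (7, 19)  # local hours in which the customer normally originates


@dataclass
class Transaction:
    customer_id: str
    amount: float
    payee: str
    device_id: str
    when: datetime


# Rule weights are illustrative; a real engine would tune them from fraud history.
W_NEW_PAYEE, W_OVER_BASELINE, W_OVER_LIMIT, W_NEW_DEVICE, W_ODD_HOUR = 30, 25, 30, 20, 15
REVIEW_THRESHOLD, HOLD_THRESHOLD = 25, 50


def score_transaction(tx: Transaction, profile: CustomerProfile, released_today: float):
    """Score one transaction against the customer's profile.
    Returns (score, reasons); higher means more anomalous."""
    score, reasons = 0, []
    if tx.payee not in profile.known_payees:
        score += W_NEW_PAYEE; reasons.append("payee not in profile")
    if tx.amount > profile.baseline_max:
        score += W_OVER_BASELINE; reasons.append("amount above baseline maximum")
    if released_today + tx.amount > profile.daily_limit:
        score += W_OVER_LIMIT; reasons.append("would exceed daily limit")
    if tx.device_id not in profile.usual_devices:
        score += W_NEW_DEVICE; reasons.append("unrecognized device")
    start, end = profile.usual_hours
    if not (start <= tx.when.hour < end):
        score += W_ODD_HOUR; reasons.append("outside usual hours")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action. The point of the exercise: a high score must
    block release, not merely write a log line nobody reads."""
    if score >= HOLD_THRESHOLD:
        return "hold"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "release"


def process_batch(txs, profile):
    """Process a day's transactions in chronological order. Only released
    amounts count toward the daily limit; held or reviewed ones are not yet out the door."""
    released_today = 0.0
    results = []
    for tx in txs:
        score, reasons = score_transaction(tx, profile, released_today)
        action = decide(score)
        if action == "release":
            released_today += tx.amount
        results.append({"payee": tx.payee, "amount": tx.amount,
                        "score": score, "reasons": reasons, "action": action})
    return results


def sample_run():
    """Constructed sample: one business day with one takeover-style transfer
    (new payee, new device, large amount, middle of the night) among normal ones."""
    profile = CustomerProfile(
        customer_id="cust-001", daily_limit=50_000.0, baseline_max=15_000.0,
        known_payees={"ACME Lumber", "Payroll Svc"}, usual_devices={"dev-office-1"})
    txs = [
        Transaction("cust-001", 45_000.0, "Unknown LLC", "dev-unknown", datetime(2009, 5, 7, 2, 30)),
        Transaction("cust-001", 9_000.0, "ACME Lumber", "dev-office-1", datetime(2009, 5, 7, 10, 0)),
        Transaction("cust-001", 14_000.0, "Payroll Svc", "dev-office-1", datetime(2009, 5, 7, 11, 0)),
        Transaction("cust-001", 20_000.0, "Payroll Svc", "dev-office-1", datetime(2009, 5, 7, 12, 0)),
    ]
    return process_batch(txs, profile)


if __name__ == "__main__":
    for r in sample_run():
        print(f"{r['action']:7} score={r['score']:3} {r['payee']:12} {r['amount']:>10,.2f} {r['reasons']}")
```

Run as a script, the 2:30 a.m. transfer to an unknown payee from an unknown device scores 90 and is held, the two routine payments are released, and the over-baseline payroll transfer scores 25 and goes to review. The design choice worth noting is that `decide` is in the release path: the score gates whether money moves, which is the difference between a monitoring system that is used and one that merely exists.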