The settlement reached between Village View Escrow and Professional Business Bank offers key insights into how incidents of fraud resulting from account takeover might be handled in the future.
Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, recently reached a settlement with the bank for an undisclosed amount, says Michelle Marsico, Village View's owner and president.
As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from the account, plus interest, the company says in a statement.
Julie Rogers and Kim Dincel, who represented Village View Escrow Inc. in a 2011 suit against Professional Business Bank, say legal creativity is making a difference in how courts and financial institutions view liability.
"Try and think outside the box and be creative in the pleadings," says Dincel in an interview with Information Security Media Group's Tracy Kitten [transcript below]. "Every case has some different aspects to it, and those aspects, if they're played up correctly or developed correctly, can lead to the potential for a recovery for the client."
In the Village View case, attorneys turned to Article 4A of the Uniform Commercial Code, which governs how financial institutions handle incidents of wire-transfer fraud.
In their complaint against Professional Business Bank, Rogers and Dincel argued the escrow company's case based on UCC standards for California, where Village View is based. But they also referenced case law from other jurisdictions, as well as unpublished cases. "The court in California wasn't bound to follow the law of any unpublished decision or out-of-state decision, but it could consider it in its analysis, and we believe it played a role in how we proceeded in our case," Rogers said.
While the case was settled, Rogers and Dincel say existing case-law decisions handed down in the PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. vs. Comerica Bank cases likely convinced the bank to settle.
"We have different jurisdictions handling almost the same, if not very similar, fact patterns in different ways," Rogers says. "It's really important as cases are analyzed in the future."
Moving forward, she says courts need to be presented with new and creative causes of action, "so that proper recovery for the proper plaintiff can be accomplished."
During this interview, Rogers and Dincel discuss the recent settlement, as well as:
- Why the FFIEC Authentication Guidance won't benefit a plaintiff in an account takeover argument;
- How the UCC is setting the bar for future legal disputes;
- Why thinking outside the box made a difference in the Village View case.
During her time with San Jose, Calif.-based Silicon Valley Law Group, Bonnel-Rogers has represented victims of cybercrime and has advised and consulted business professionals regarding cybercrime prevention and liability. Bonnel-Rogers also is part of a network of cyberactivists who exchange information and develop relevant material regarding cybercrime law and legislation. She holds a Juris Doctor from University of San Francisco School of Law and a bachelor's degree from Santa Clara University.
Dincel is a shareholder at Silicon Valley Law Group, where his practice focuses on long-term healthcare litigation, construction-defect litigation, business litigation, estate litigation, personal-injury defense, maritime law, trade-secret misappropriation, employee embezzlement, and contract and real estate matters. Dincel holds a J.D. from Loyola Law School in Los Angeles and a bachelor's degree from the California Maritime Academy.
Village View Settlement
TRACY KITTEN: Last week, Village View announced that it had reached a settlement with Professional Business Bank in a case that revolved around a March 2010 incident of corporate account takeover that resulted in a nearly $400,000 fraud loss. Can you give our audience some background about what actually happened?
KIM DINCEL: To start off, Village View is a small escrow company in Southern California and they would handle different transactions as any escrow company would on primarily residential sales. At different times their account, which was at Professional Business Bank, could have anywhere from half a million to several million dollars in the account. What happened over the course of two days is that somehow cyber thieves were able to breach their security, either at the bank or at Village View, and access the Village View account and they drained at that point in time a half a million dollars out in 26 wire transfers. It occurred over two days.
When Village View was finally able to realize what was happening, they contacted the bank and the bank immediately put a freeze on the account. The bank then went about trying to recover the funds by contacting the financial institution where the wire transfers had gone directly, and Michelle Marsico of Village View actually tried to contact the individuals to get a return of the funds directly from the individuals.
The way this kind of works is that the cyber thieves, who we found out later were located in Eastern Europe and the Middle East, would basically have what we call mules available in the states. Mules were individuals for the most part who really didn't know what they were getting into. They were somewhat conned into assisting with a business venture - or so they thought - and transferring funds. The wire transfer orders would go out to the mules. The mules would then get the money into their account and then would take the money out of that account and send them out by Western Union to locations in the Middle East and Eastern Europe. Where the bank was successful in getting all the financial institutions before those funds were taken out, they were able to get some funds back and then Michelle Marsico was able to contact the individual mules and convince them also to return the funds. A lot of times the mules would not know what they were doing or that these were actually stolen funds, and they would be cooperative. Sometimes they would not be.
Suit Against Professional Business Bank
KITTEN: I would like to go to you for a second. Could you give us some background and talk a little bit about the premise of the suit against Professional Business Bank? Why did Village View believe that it wasn't responsible for the fraud losses?
JULIE ROGERS: The premise of all wire transfer fraud cases against financial institutions is governed by Article 4A of the Uniform Commercial Code. The Uniform Commercial Code is a federal code that has been adopted by various states, in fact all the states, some verbatim, some slightly in different versions. California adopted the UCC by way of Division 11 of the California Commercial Code so we filed an action under Division 11 of the California Commercial Code here in California on behalf of Village View Escrow. Village View Escrow contends that it did everything it was capable of doing as a small business owner to guard against the cyber fraud and that the bank was in a much better position and had access to much more information and technology and security methods to guard its funds.
Multifactor Authentication and Reasonable Security
KITTEN: Now the complaint filed by Village View against Professional Business Bank claims the bank was not in conformance with the FFIEC's existing standards for multi-factor authentication, nor was its security reasonable, and some of this of course ties into the UCC. Can you explain a little bit about the multi-factor authentication questions as well as reasonable security?
ROGERS: Simply stated, the FFIEC indicates that the best security that can be employed by the bank is a multi-factor security method. What we argued is that what the bank had employed was a layered single-factor authentication as opposed to a multi-factor authentication. The bank disagreed and contended that it did in fact have multi-factor. This was a point of contention throughout the lawsuit up and until the case was settled.
KITTEN: Let's talk about the Uniform Commercial Code. What role did the Uniform Commercial Code play in your argument on reasonable security?
ROGERS: The UCC Article 4A has been adopted by the state, in Division 11 of the California Commercial Code is what we filed under. They marry each other. Division 11 has a two-pronged test that determines liability for financial institutions in cases of wire transfer fraud. The two-prong test is whether or not the bank security was deemed commercially reasonable and a second prong is whether or not the bank accepted the payment orders in good faith. So we alleged two separate causes of action under those two separate prongs.
KITTEN: As you've noted Julie, the UCC does vary from state to state even if it's just a slight variation. Given that Village View is located in California, is there anything about the California version of the UCC that may have benefited your argument in a way that may have been difficult to argue in another state?
ROGERS: This is kind of a new and emerging area of law and for that reason there's not a lot of case law out there in any state. In California, there wasn't a lot to go on. So what we did in this case is while we filed under Division 11 of the California Commercial Code, what we did is try to persuade the court through submission of cases from other jurisdictions, as well as unpublished cases, which isn't typically done in litigation but in this case we deemed it necessary so that the court could see how other courts around the country were handling it. The court in California wasn't bound to follow the law of any unpublished decision or any out-of-state decision, but it could consider it in its analysis, and we believe it played a role in how we proceeded in our case.
KITTEN: That's a great point and it's a nice segue to my next question, which basically revolves around the fact that we don't have a lot of legal precedents to turn to when it comes to cases of ACH and wire fraud. In fact, the two leading precedents the industry often discusses involve Experi-Metal vs. Comerica Bank and PATCO Construction vs. Ocean Bank, but in both of those cases the outcomes offered conflicting perspectives. How were those cases considered in the settlement proceeding reached between Village View and Professional Business Bank, if at all?
ROGERS: Both cases came up and both cases were used and raised by both sides in this case. EMI had a successful recovery on behalf of the plaintiff, the business owner in that case, and what they were successful in is pursuing a claim under the good faith prong of Article 4A of the Uniform Commercial Code. PATCO did not have a favorable recovery for its plaintiff and it tried to pursue recovery under the commercial reasonableness aspect of the Uniform Commercial Code to Article 4A. So you can see that because this is a new and emerging area of law, we have inconsistent decisions. We have different jurisdictions handling almost the same, if not very similar, fact patterns in different ways, and for that reason it's really important as cases are analyzed in the future and moving forward that all the bases are covered, that all viable causes of action and even new and creative causes of action are put before the courts so that proper recovery for the proper plaintiff can be accomplished.
KITTEN: Now as part of the settlement, Village View was reimbursed all the funds that were lost. Do you think that's unique and do you think the settlement will serve as an example for future cases?
ROGERS: I'm proud to say it's unique because one of the idiosyncrasies of the UCC and its adopted provisions by the state is that it limits recovery to the plaintiff in cases of wire transfer frauds to the actual amount lost, plus interest only. So any consequential damages, any attorney fees and any costs are precluded under the UCC. As a result of that, once a small business has been hit by a wire transfer fraud and they've lost, say, a half a million dollars to cyber thieves, they're not in a financial position to bankroll a lawsuit. By the UCC limiting the avenues of recovery, it makes it very untenable for a plaintiff to file a lawsuit against a bank, which is much better equipped to handle lawsuits.
In our case, we had an amazing client who was willing to put in the time and the effort and work right alongside with us as we pursued the bank. We had some creative strategies that worked to our advantage in this case and we were able to recover not only what was actually lost plus interest, but then some extra on top of that. So it's a unique case and we're hoping it's going to provide some incentive for other plaintiffs to come forward and have their cases heard.
Future ACH/Wire Fraud Cases
KITTEN: Before we close, what would you like to share from a legal perspective about the future role FFIEC and UCC interpretations are likely to play as courts rule on these types of fraud cases?
DINCEL: I would say - in kind of a more global approach to it - it's really important for attorneys that are handling these types of cases to not get bogged down in simply the UCC, but to try and think outside the box and be creative in the pleadings with their case. Every case has some different aspects to it, and those aspects, if they're played up correctly or developed correctly, can lead to the potential for a recovery for the client that goes outside of the UCC.
ROGERS: I'll add, just to distinguish the FFIEC from the UCC, that the FFIEC is just a guideline, or recommendations, and the PATCO case is a good example where the court says these are good suggestions, but these aren't standards that we're going to hold banks accountable to. Meanwhile, the UCC is non-negotiable and it's binding on everyone, and the two prongs of commercial reasonableness and the good faith prong, those are things that are the basis for the litigation moving forward in cyber theft. The two shouldn't be confused and should be distinguished accordingly. One is a recommendation and the other one is the law.