A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines.
Sanford, Maine-based Patco Construction sued Ocean Bank in 2009, alleging poor security after a $588,000 cyber heist. Patco sued to recover its losses, arguing in part that the bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco’s motion for summary judgment and granting the bank’s motion.
On Thursday, the judge presiding over the lawsuit affirmed that recommended decision (PDF), ruling that no further proceedings were necessary. Patco’s attorney Dan Mitchell said the company has 30 days to file an appeal, but that it hasn’t yet decided whether to challenge the decision.
The decision comes as commercial account takeover victims in other states are challenging banks over the security of their online banking platforms. In June, a Michigan court ruled that Comerica Bank is liable for more than half a million dollars stolen in a 2009 cyber heist against a small business. In July, a California real estate escrow company that lost more than $465,000 in an online banking heist last year sued its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract.
These cases are being tried and decided at the trial level in different federal districts. They are not “case law.” Case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made. Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them. Establishing a uniform national standard for judging all cases involving cyber theft would require a decision by the U.S. Supreme Court. Banks and organizations may not be willing to carry their appeals to this level, fearing that a national standard may not be in their best economic interests.
KrebsOnSecurity will continue to follow these cases and to bring you updates on new developments as they happen. Stay tuned.