A California escrow firm that sued its bank last year after losing nearly $400,000 in a 2010 cyberheist has secured a settlement that covers the loss and the company’s attorneys’ fees. The settlement is notable because such cases typically favor the banks, and litigating them is often prohibitively expensive for small- to mid-sized businesses victimized by these crimes.
In March 2010, organized computer crooks stole $465,000 from Redondo Beach, Calif. based Village View Escrow Inc., sending 26 consecutive wire transfers from Village View’s accounts to 20 individuals around the world who had no legitimate or previous business with the firm. The escrow firm clawed back some of the stolen funds — $72,000 — but that still left Village View with a $393,000 loss, forcing the company’s owner to take out a personal loan at 12 percent interest to cover the loss of customer funds.
In June 2011, Village View sued its financial institution — Professional Business Bank — arguing that the bank was negligent because it protected customer accounts solely with usernames and passwords. Last week, Village View announced that it had reached a settlement with its bank to recover more than just the full amount of the funds taken from the account plus interest for Village View Escrow.
Kim Dincel, a shareholder at Silicon Valley Law Group, which represented the plaintiffs, said the Uniform Commercial Code and its corresponding California Commercial Code limit the damages resulting from wire transfer fraud to only the actual amount of money lost plus interest – nothing more. Common law claims such as negligence, breach of contract and fraud, and the damages that attach to them, are generally precluded from being asserted by a victim of wire transfer fraud in a lawsuit involving wire transfer fraud, he added.
“Banks typically deny liability for the cyber-theft which forces small businesses to spend money they do not have on legal fees and regulatory expenses in order to recover a limited and defined set of damages under the Uniform Commercial Code (UCC),” Dincel said in a prepared statement released Monday.
The Bank of Manhattan, which acquired Professional Business Bank last month, did not return calls seeking comment.
I’ve written dozens of stories about cyberheist victims, yet few of those cases have bubbled up into full-fledged lawsuits. Those that did have produced mixed or inconclusive results. In the case of Experi-Metal vs. Comerica, the judge ruled that the bank failed to act “in good faith” when it processed almost 100 consecutive wire transfers initiated by the perpetrators of the break-in. The case of Patco vs. Ocean Bank, however, did not end so well for the plaintiffs, and produced a ruling that passwords and secret questions (which many experts consider indistinguishable from passwords) are reasonable security procedures for a bank to offer its commercial customers. In that case, the bank reportedly spent nearly twice the amount that Patco lost, just to avoid setting a precedent. Patco is appealing that ruling.
Escrow and title firms remain an attractive target for cyber thieves, probably because fraudulent transfers can be hidden in the daily banking activities of these firms, which frequently move large amounts of money around on any given day. At least two other cases brought by title and escrow firms remain outstanding.
Springfield, Mo. based Choice Escrow and Land Title LLC sued its bank — Tupelo, Miss. based BancorpSouth Inc — after a $440,000 ebanking robbery that occurred just one day before the attack on Village View. Jim Payne, Choice Escrow’s director of business development, said the company hopes to begin depositions in their case next month.
“It’s fairly typical for these banks to try to wear you out and confuse you,” Payne said. “They don’t take you seriously unless you let them know you’re willing to go all the way to trial with it.”
Sophisticated cyber attacks on small- to mid-sized businesses — and title and escrow firms in particular — have not subsided. In the past three months, I’ve spoken with two other title companies that suffered significant losses from cyber heists, including one in Maryland that saw nearly $1.7 million worth of attempted fraudulent transfers (that firm ended up losing a little more than $500,000, and is currently in negotiations with its bank).
Experts say smaller financial institutions traditionally have outsourced security for their commercial banking platforms to third party firms, many of which are only now starting to offer more robust security solutions.
“We are seeing more out of band security solutions being made available to banks, such as device identification, browser application encapsulation (Trusteer, Quarri), and realtime HTML parsing [products] such as Silvertail,” said Charisse Castagnoli, a bank fraud expert and independent security consultant.
Castagnoli said that while she’s encouraged by the Village View settlement, it may have little, if any, effect on other outstanding cases nationwide.
“From a legal perspective, other cases don’t gain much from a settlement,” she said. “But it is encouraging that law firms are finally building expertise in this type of litigation.”
The FS-ISAC, a banking industry consortium, released a report earlier this month stating that although cyber attacks against banks and their customers are increasing, the losses from individual attacks have decreased. Even so, recent surveys indicate that many banks and credit unions still don’t understand how to comply with new banking industry security regulations, and question whether the new guidelines really address the right fraud-prevention needs.
It’s difficult to say whether the FS-ISAC’s findings are indeed indicative of decreased losses on the part of ebanking heist victims. But Castagnoli said that unless and until U.S. banks are required to report fraud losses to regulators in a form that is aggregated and published on a regular basis, the true scope of the losses from cyber fraud will remain a giant question mark.
“Until we get true disclosure, we’re not going to have good statistics to judge what the real risk is,” she said.