A decision handed down by a federal appeals court this week may make it easier for small businesses owners victimized by cyberheists to successfully recover stolen funds by suing their bank.
The U.S. Federal Court of Appeals for the First Circuit has reversed a decision from Aug. 2011, which held that Ocean Bank (now People’s United) was not at fault for a $588,000 cyberheist in 2009 against one of its customers — Sanford, Me. based Patco Construction Co. The appeals court sent specific aspects of the earlier decision back to the lower court for review, but it encouraged both parties to settle the matter out of court.
The appeals court in Boston called the bank’s security systems “commercially unreasonable,” reversing a lower court ruling that Ocean Bank’s reliance on passwords and secret questions was in line with guidance set out by federal banking regulators. A copy of the decision is here (PDF).
Charisse Castagnoli, a bank fraud expert and independent security consultant, said the decision could open the door lawsuits from small businesses that have been similarly victimized with the help of outdated security procedures at their banks.
“What this opinion offers is a strong basis for victims to challenge the security implementations of their banks regardless of whether they agreed that the implementation was ‘commercially reasonable’ at a single point in time in a ‘shrink wrap’ type contract,” Castagnoli said.
In September 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People’s United Bank. Pacto used online banking primarily to make weekly payroll payments. Patco said that in May 2009, cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.
In the weeks following the heist, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco’s account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco’s line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.
Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to multifactor authentication requirements set forth by the Federal Financial Institutions Examination Council (FFIEC).
Ocean Bank relied on service provider Jack Henry to process bank-to-bank transfers, and it selected an authentication process that required customers to log in with a company ID, user ID and password. Customers also were asked to provide answers to three “challenge questions” that would be asked if the system scored a transaction as “high risk.”
The Jack Henry product came with a risk scoring system developed by RSA‘s Cyota, which rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site. Challenge questions were prompted when the risk score for a transaction exceeded 750 on a scale of zero to 1,000 (RSA considers transactions generating risk scores in excess of 750 to be high-risk). Ocean bank also kept track of customer “device IDs,” an amalgamation of attributes from the customer’s PC that could be used to create a unique fingerprint for that machine.
Until 2008, Ocean Bank set its dollar amount threshold — transfer amounts that would automatically require the answer to a challenge questions regardless of the Cyota fraud score — at $100,000. But in July 2008, the bank lowered that threshold to $1. The bank told the court that it did so to enhance security following ACH fraud at the bank that targeted low-dollar amount transactions. After the change, customers were forced to answer a challenge question whenever they used the bank’s system.
In its 43-page decision, the appeals court took a dim view of Ocean Bank’s decision to lower its fraud threshold to $1.
“In our view, Ocean Bank did substantially increase the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like Patco which had frequent, regular and high dollar transfers,” the court observed. “Then, when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable.”
The court emphasized that it was these collective failures taken as a whole — rather than any one single failure — which rendered the bank’s security system commercially unreasonable.
A spokesperson for People’s United Bank declined to comment for this story. Mark Patterson, Patco’s president, said he was pleased with the decision.
“I hope we can give some assistance to those [companies] that are suing their banks, and I hope this makes it so that it works in their favor,” he said.
What does this mean in practical terms for banks, customers and lawmakers? Castagnoli said the decision seemed to emphasize that banks cannot take blanket security approaches, but instead need to consider the customer’s individual risk.
“That I think is helpful…and should put banks on notice that they need to be more vigilant,” Castagnoli said. “At the same time, you can’t be a sloppy or naive customer, as the court is clearly looking for the customer to behave with some understanding of what the bank is doing with their money.”
Castagnoli said the appeals court also left open what the victim’s obligations and responsibilities are in the event that the bank’s security measures fail. For example, a court might declare reasonable the requirement commercial customers check their bank balance every day, and thus find Patco partially liable.
“I’d say this is a pretty big wakeup call to all parties to be more careful, and hopefully we will see more education from banks to their users on the part of computer security and online banking risk,” she said.