A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution’s legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases.
Choice Escrow and Land Title LLC sued Tupelo, Miss.-based BancorpSouth Inc. after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.
BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.
Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.
A trial court was unconvinced, and last week the 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.
“It’s a good opinion for banks [and] it’s definitely more pro-bank than pro-consumer,” said Dan Mitchell, a lawyer who chairs the data security practice at Bernstein Shur in Portland, Maine. “The appellate court found the same thing as the basic court. The customer was offered dual controls — that two people should be required to sign off on all transactions — and they were informed that it was important for them to take advantage of this. So, when [Choice Escrow] made an informed decision in writing not to use dual controls, the bank was careful to document that.”
Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. BancorpSouth had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could recover the costs from the escrow firm.
“The bank had asserted a counterclaim that the customer should pay the bank’s legal fees,” said Mitchell, who battled similar claims in which Patco — a Maine construction firm — successfully sued its bank over a $588,000 cyberheist. “There’s no other federal circuit court case other than Patco that has gotten up to that level. The appeals court said the bank can now pursue its legal fees against the customer. And that may end up being the important part of this opinion in the long run if [plaintiffs are] looking at not only having to pay their lawyers to pursue a loss but also those of the bank.”
Charisse Castagnoli, an adjunct professor of law at the John Marshall Law School, said the appeals court decision means that indemnification is now the ‘law of the land’ in the 8th Circuit.
Castagnoli said she expects two results from this decision: that banks which don’t already have these clauses in their online banking agreements will add them; and that cyberheist victims will think more cautiously about bringing a lawsuit.
“This is the first time a court has ruled on fee shifting, and that will certainly have a chilling effect on litigation,” Castagnoli said.
A copy of the appeals court’s ruling is available here (PDF).