The United States Court of Appeals on Tuesday reversed a lower court’s decision, ruling that the IT security system used by a domestic bank was not “commercially reasonable” to protect its customers.
The ruling (PDF), in the case of People’s United Bank (formerly Ocean Bank of Maine) versus Patco Construction Company, could have broad implications in the U.S., where businesses that are the victims of account takeovers and fraudulent transactions are suing banks to recover lost funds.
The case against People’s United Bank stems from six allegedly fraudulent transactions that occurred over the period of a week in May, 2009 and drained close to $589,000 from Patco’s accounts. Patco alleged that People’s United Bank did an inadequate job of protecting them against fraud.
The exact cause of the breach isn’t known. However, an antivirus scan found a computer used by a Patco employee that was infected with the Zeus Trojan. It is believed that the piece of malware had key logging capabilities and managed to steal the employee’s user name and password, as well as the answer to a security question.
According to the ruling, a subsequent investigation of IT security practices at People’s United found a number of flawed policies and processes. Secret questions were required for even minor transactions, making it easier for remote attackers to conduct brute-force attacks against them. Also, alerts from fraud monitoring systems within the bank about “high risk” transactions were overridden and the fraudulent transfers were allowed. Patco eventually recovered $243,406 in fraudulent transfers.
In overturning the lower court’s ruling, Justice Sandra Lea Lynch of the U.S. Court of Appeals for the First Circuit found People’s United Bank liable under article 4A of the Uniform Commercial Code. The appeals court also vacated the district court’s grant of summary judgment on the claims of unjust enrichment and conversion, and dismissed the remaining charges altogether.
The question of who is liable for financial damages resulting from hacks or account takeovers is hotly debated. While consumers enjoy legal immunity from responsibility for losses due to fraud, businesses don’t enjoy the same protections. In June, the New York Times published a cautionary article that warned owners of small businesses that they may not be covered if hackers compromise and wipe out an account. This ruling could buck that trend, but this depends largely on future proceedings.