Slashdot Mirror


US Appeals Court Says Bank Liable For Losses From Poor Online Security

An anonymous reader writes with this extract: "Threatpost reports that a judge on the United States Court of Appeals this week ruled that People's United Bank's processes and systems for protecting customer accounts from fraud were not "commercially reasonable." The ruling in People's United Bank (formerly Ocean Bank of Maine) versus Patco Construction Company reverses a lower court's ruling in a case that stems from six allegedly fraudulent transactions that occurred over the period of a week in May, 2009 and drained close to $589,000 dollars from Patco's accounts. Patco alleged that People's United Bank did an inadequate job of protecting them against fraud, ignoring repeated 'high risk' warnings from the bank's fraud detection system. Now the Appeals Court appears to agree. The ruling could have broad implications in the U.S., where businesses that are the victim of account takeovers and fraudulent transactions are suing banks to recover lost funds."
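The dispute turns on a fraud system that flagged the transfers as "high risk" while the money still went out. As an added illustration (not code from the story, Threatpost, or the bank; every weight, threshold, field name and sample transfer below is constructed), here is a minimal transaction-risk gate that contrasts a score which only gets logged with one that actually holds the transfer until an out-of-band step-up check passes:

```python
# Added example (not from the article or the bank): a minimal transaction-risk
# gate that contrasts a fraud score which only logs a warning with one that
# enforces a hold. Thresholds, weights, fields and all sample data below are
# constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

HIGH_RISK = 70  # assumed threshold at or above which a transfer is "high risk"


@dataclass(frozen=True)
class Transaction:
    amount: float
    dest_account: str
    src_ip: str
    ts: datetime


@dataclass(frozen=True)
class AccountProfile:
    """Baseline behaviour for one business account (constructed values)."""
    typical_max: float
    known_dests: frozenset
    known_ips: frozenset


def score(tx, profile, history):
    """Return (score, reasons) for one transfer against the account baseline.

    history: earlier transfers on the same account, oldest first.
    """
    s, reasons = 0, []
    if tx.amount > profile.typical_max:
        s += 40
        reasons.append("amount above historical maximum")
    if tx.dest_account not in profile.known_dests:
        s += 30
        reasons.append("first transfer to this payee")
    if tx.src_ip not in profile.known_ips:
        s += 20
        reasons.append("login from an unrecognised IP address")
    recent = [h for h in history if tx.ts - h.ts <= timedelta(days=7)]
    if len(recent) >= 2:
        s += 20
        reasons.append("several transfers within seven days")
    return s, reasons


def decide_log_only(s, step_up_passed=False):
    """The weak pattern: the alert is written to a log and the transfer goes out."""
    return "RELEASE"


def decide_enforced(s, step_up_passed=False):
    """The control that matters: a high-risk transfer is held until the account
    holder passes an out-of-band step-up check (phone call, hardware token, ...)."""
    if s >= HIGH_RISK and not step_up_passed:
        return "HOLD"
    return "RELEASE"


def run(transactions, profile, decide):
    """Score each transfer in order and return a list of (score, decision)."""
    history, out = [], []
    for tx in transactions:
        s, _reasons = score(tx, profile, history)
        out.append((s, decide(s)))
        history.append(tx)
    return out


# Constructed sample: one routine payroll run, then two large transfers to
# new payees from an unfamiliar address within a few days.
PROFILE = AccountProfile(
    typical_max=10_000.0,
    known_dests=frozenset({"payroll-processor"}),
    known_ips=frozenset({"203.0.113.5"}),
)
SAMPLE = [
    Transaction(2_500.0, "payroll-processor", "203.0.113.5", datetime(2009, 5, 4)),
    Transaction(90_000.0, "mule-account-1", "198.51.100.7", datetime(2009, 5, 7)),
    Transaction(90_000.0, "mule-account-2", "198.51.100.7", datetime(2009, 5, 8)),
]

if __name__ == "__main__":
    for name, decide in (("log only", decide_log_only), ("enforced", decide_enforced)):
        print(name, run(SAMPLE, PROFILE, decide))
```

The point of the two deciders is that the scoring function is identical in both runs; what differs is whether a score above the threshold changes the outcome. An alert that cannot stop a transfer is evidence for the plaintiff, not a control.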


  1. It's about fucking time by DogDude · · Score: 5, Insightful

    It's about fucking time. Banks (and yes, even credit unions) have been warning their customers that whatever happens through their online interfaces isn't their fault. That's really just absurd, when a person or company's entire financial life is available via a single password on the Net. Security, of course, isn't the sole responsibility of the banks, but it is their responsibility. Banks provide giant safes for our physical valuables, they provide insurance for theft or collapse, but online, it's "good luck, customers!"? Bullshit. It's time to hold them at least somewhat responsible for their online interfaces, as well.

    --
    I don't respond to AC's.
    1. Re:It's about fucking time by drinkypoo · · Score: 4, Insightful

      It's well past time. My bank is retarded. Mandatory security questions that people can find out answers to by research, you can lie to them but then you have to remember your lies. Also, your initial online access PIN is the last four of your SSN, and it persists from the time you go to the bank to get it activated to the first login, which could be a very short time (it was for me) or a very long time but either way is terrible.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:It's about fucking time by Anonymous Coward · · Score: 5, Informative

      Basic tort theory states that responsibility for a loss should be placed on the individuals or entities that are most capable of preventing the loss. In this case, banks are responsible for security controls on their own accounts. Banks are most capable of preventing most losses due to fraudulent transactions. It's absurd that they have not already been held responsible for all the fraud out there.

    3. Re:It's about fucking time by Anonymous Coward · · Score: 5, Informative

      Yep. Though actually this isn't governed by tort law, it's governed by Art. 4A Sec. 202 of the Uniform Commercial Code. (http://www.law.cornell.edu/ucc/4A/4A-202.html) (But you're right; the UCC seems just to be codifying the principle you identified.) So, the good news may be that the law has always been pretty sensible about this sort of issue (at least in theory). Though perhaps individual judges and juries have lagged in their understandings of "commercially reasonable."

    4. Re:It's about fucking time by Mashiki · · Score: 2

      Considering most banks don't even have FOB service, I find this not surprising. Heck, look at Blizzard, EA, Sony, *insert MMO*, even Google. They all provide two factor authentication for their services. Banks? Ahahaha...yeah good luck.

      --
      Om, nomnomnom...
    5. Re:It's about fucking time by drinkypoo · · Score: 2

      Basic tort theory states that responsibility for a loss should be placed on the individuals or entities that are most capable of preventing the loss.

      Really? Where did you go to law school?

      Courts (in the USA) have repeatedly ruled that cops do NOT have a legal obligation to protect you, or prevent you from being robbed.

      Logical fallacy, attacking a straw man. The cops aren't there to protect you. The cops are there as a system of punishment for people who have already committed crimes. In the long run, that is meant to protect society but it is not feasible for the cops to protect you. Sometimes they will give it the ol' college try, though. If you're lucky. And white.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Right ruling by DoofusOfDeath · · Score: 5, Interesting

    I don't see why it's any more complicated than, "I gave the bank X dollars. I have not withdrawn any money. They owe me X dollars."

    The fact that this hasn't been the case so far strikes me as a case of the banks owning their regulators and the legislature. But I don't want to make too hasty of an assumption. Does anyone know the history of this issue?

    1. Re:Right ruling by slew · · Score: 5, Informative

      RTFA.

      Apparently the issue is that although individuals are protected against fraud by legal statutes, businesses are not. Specifically at issue is the authorization of commercial ACH (automated clearing house) transactions to the account (when you use your debit card it's authorized under the EFTA, or Electronic Fund Transfer Act).

      In this case the bank so egregiously ignored its own security measures (it authorized transactions even though its internal fraud alert system was warning against the transaction) that it was clear the bank was in the wrong...

    2. Re:Right ruling by slew · · Score: 3, Informative

      I don't see why it's any more complicated than:

      I gave the bank X dollars. I have not withdrawn any money. They owe me X dollars.

      My business gave the bank X dollars. My business has not withdrawn any money. They owe my business X dollars.

      Fixed.

      IANAL, but as I understand it the question is the definition of "my business" in the withdrawn case. When it is a person, it is much clearer if you have authorized the money to be withdrawn because of the way the law is written. If it is a business, it isn't a statute thing, it is often a matter of the uniform commercial code or a business to business contract or the charter to your business (e.g., is the "treasurer" allowed, is a "sales-person" allowed, or third party "accountant" is allowed, or my "niece" is allowed to use a checking account), thus these facts sometimes need to be discovered in a court to determine if there is actual fraud, or if the company is instead required to sue the person who took the money (instead of the bank that authorized the transaction).

      For example, if a bookkeeper employed by a company wanted to embezzle money from the company and gave his password to his aunt in Russia to do the deed, the company would probably have to sue the ex-employee and the uncle, and the bank would be off the hook since, to the bank, the bookkeeper was authorized to take the money.

      In this case, it was clearly the bank's fault, but that's not always the case in business (which is one of the reasons business accounts are different than individual accounts).

    3. Re:Right ruling by tqk · · Score: 2

      Does anyone know the history of this issue?

      RTFA.

      No need to be rude.

      What's wrong with this picture? You asked a question, and s/he replied that the answer is in TFA, which I have to assume you didn't bother to read if so. How is that rude?

      Your epidermis is way too thin.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    4. Re:Right ruling by pdabbadabba · · Score: 2

      Well, it's clear that someone owes them X dollars, the question is whom. In cases where the bank's security measures aren't to blame (the typical case will be when the user picked a weak password, or allowed his password to be stolen somehow, or lost it to keylogging software they installed along with a desktop weather widget) why place the loss on the bank? All they did was implement the security measures that they and their customer agreed upon. It was the customer's fault (by hypothesis) that their account was compromised. The alternative would give customers no incentive to keep their passwords secure and would expose banks to essentially infinite uncontrollable liability.

      Of course, if it really was the bank's fault then, yes, the customer should be able to recover directly from the bank and the bank should be the one left to track down the thief if they want their money back. It's this distinction that the law tries to capture (see UCC Art 4A Sec. 202, http://www.law.cornell.edu/ucc/4A/4A-202.html), and I think it generally does a good job (except, of course, for the inevitable problem of keeping courts up to speed on what counts as "commercially reasonable" -- but that's the beauty of our adversarial system: we can usually count on the parties' lawyers to keep the judges more-or-less educated).

    5. Re:Right ruling by evilviper · · Score: 3, Interesting

      In cases where the bank's security measures aren't to blame (the typical case will be when the user picked a weak password, or allowed his password to be stolen somehow, or lost it to keylogging software they installed along with a desktop weather widget) why place the loss on the bank? All they did was implement the security measures that they and their customer agreed upon.

      The reason the bank should ALWAYS be liable is because "the customer" never gets a chance to "agree upon" the bank's security measures. I want two-factor authentication, I want one-time-use credit card numbers, I want cryptographically secure transactions... My bank doesn't care what I want.

      Oh, and an important aside... Banks are REQUIRED BY LAW to provide two-factor authentication for their online banking services. Has your bank ever sent you an RSA key? No? That's because they got their lawyers to work out a loophole where those "forgotten password"-type questions count as one factor, and your password the second. So EVERY BANK OUT THERE is actively circumventing the law, to provide insecure access to your account. Did they ever ask you? They sure didn't ask me.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    6. Re:Right ruling by evilviper · · Score: 3, Informative

      1) 3-letter acronyms are much less clear and more easily mixed-up than 4-letter acronyms.

      2) It's only YOU assuming that the F stands for something profane. I refer you to Jimmy Kimmel's "best of unnecessary censorship" series...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  3. People's by Anonymous Coward · · Score: 5, Funny

    I still get that cuddly, fuzzy Russian Soviet communist feeling every time I see or hear the word People's.

  4. Video explanation by Paradise+Pete · · Score: 5, Funny

    This video properly explains it.

  5. Now lawyers to design security protocols? by 140Mandak262Jamuna · · Score: 3, Informative

    This decision is going to create a new problem. Bank lawyers are going to design and approve the security measures of the bank. They do it purely from a lawyer's viewpoint: "Will this procedure allow the bank to argue in a court, 'We have done all we could, your honor, to protect the customer'?" They would not worry about whether or not the security has actually been enhanced, or whether the procedures would be convenient enough for the customers to adopt.

    Each bank and brokerage account I have wants to send me an RSA dongle. "It is free! It is convenient! Add it to your key bunch! And lug it everywhere!" If I follow their advice my key fob will have more RSA dongles than actual keys. Then once you accept an RSA dongle, Quicken is not able to download transactions. "You want both security and also to download transactions to Quicken? Choose either this or that, buddy. I will tell the court we offered an RSA dongle and he refused. He is totally at fault."

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Now lawyers to design security protocols? by Mindcontrolled · · Score: 2, Informative

      So you want security, indemnity and you do not want to do anything for it, yes?

      --
      Ubi solitudinem faciunt, pacem appellant.
    2. Re:Now lawyers to design security protocols? by The+Mighty+Buzzard · · Score: 4, Insightful

      I honestly don't see how this is a problem. A bank's fundamental commitment is to be a safe place to stuff your money. They pay a pretty fair chunk of money to physical security experts to make sure nobody can walk in and take the money in their charge. They should take their online security just as seriously and if they don't they should be held liable.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    3. Re:Now lawyers to design security protocols? by Anonymous Coward · · Score: 2, Insightful

      False dichotomy - the choice isn't usually between 'lawyer security' and 'real security'. The bank is often choosing between 'lawyer security' and 'no security'.

  6. when I opened my first bank account by way2trivial · · Score: 5, Insightful

    Back in the 80's I was asked for my mother's maiden name.

    I asked why they needed it, and they said for a password in case I ever called.
    I immediately thought: my brother knows the answer to that, and he's the only person I can see attempting it.

    My mother's maiden name has been snotrag ever since (not snotrag, but something equally off-color) and it's always been the same answer:

    the one my brother does not know.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:when I opened my first bank account by Xtifr · · Score: 2

      And now you just have to hope that your brother doesn't read slashdot! ;)

  7. Transaction records by volmtech · · Score: 2

    I find it amazing that every email, tweet, and Facebook post is saved and retrievable forever, but a million dollar bank transaction disappears in milliseconds.