Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Appeals Court Says Bank Liable For Losses From Poor Online Security

Posted by timothy on from the perhaps-should-apply-to-more-than-banks dept.

An anonymous reader writes with this extract: "Threatpost reports that a judge on the United States Court of Appeals this week ruled that People's United Bank's processes and systems for protecting customer accounts from fraud were not "commercially reasonable." The ruling in People's United Bank (formerly Ocean Bank of Maine) versus Patco Construction Company reverses a lower court's ruling in a case that stems from six allegedly fraudulent transactions that occurred over the period of a week in May, 2009 and drained close to $589,000 dollars from Patco's accounts. Patco alleged that People's United Bank did an inadequate job of protecting them against fraud, ignoring repeated 'high risk' warnings from the bank's fraud detection system. Now the Appeals Court appears to agree. The ruling could have broad implications in the U.S., where businesses that are the victim of account takeovers and fraudulent transactions are suing banks to recover lost funds."

10 of 94 comments (clear)

  1. It's about fucking time by DogDude · · Score: 5, Insightful

    It's about fucking time. Banks (and yes, even credit unions) have been warning its customers that whatever happens through their online interfaces isn't their fault. That's really just absurd, when a person or company's entire financial life is available via a single password on the Net. Security, of course, isn't the sole responsibility of the banks, but it is their responsibility. Banks provide giant safes for our physical valuables, they provide insurance for theft or collapse, but online, it's "good luck, customers!"? Bullshit. It's time to hold them at least somewhat responsible for their online interfaces, as well.

    --
    I don't respond to AC's.
    1. Re:It's about fucking time by drinkypoo · · Score: 4, Insightful

      It's well past time. My bank is retarded. Mandatory security questions that people can find out answers to by research, you can lie to them but then you have to remember your lies. Also, your initial online access PIN is the last four of your SSN, and it persists from the time you go to the bank to get it activated to the first login, which could be a very short time (it was for me) or a very long time but either way is terrible.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:It's about fucking time by Anonymous Coward · · Score: 5, Informative

      Basic tort theory states that responsibility for a loss should be placed on the individuals or entities that are most capable of preventing the loss. In this case, banks are responsible for security controls on their own accounts. Banks are most capable of preventing most losses due to fraudulent transactions. It's absurd that they have not already been held responsible for all the fraud out there.

    3. Re:It's about fucking time by Anonymous Coward · · Score: 5, Informative

      Yep. Though actually this isn't governed by tort law, it's governed by Art. 4A Sec. 202 of the Uniform Commercial Code. (http://www.law.cornell.edu/ucc/4A/4A-202.html) (But you're right; the UCC seems just to be codifying the principle you identified.) So, the good news may be that the law has always been pretty sensible about this sort of issue (at least in theory). Though perhaps individual judges and juries have lagged in their understandings of "commercially reasonable."

  2. Right ruling by DoofusOfDeath · · Score: 5, Interesting

    I don't see why it's any more complicated than, "I gave the bank X dollars. I have not withdrawn any money. They owe me X dollars."

    The fact that this hasn't been the case so far strikes me as a case of the banks owning their regulators and the legislature. But I don't want to make too hasty of an assumption. Does anyone know the history of this issue?

    1. Re:Right ruling by slew · · Score: 5, Informative

      RTFA.

      Apparently the issue is that although individuals are protected against fraud by legal statutes, businesses are not. Specifically at issue is the authorization of commerical ACH (automated clearing house) transactions to the account (when you use your debit card it's authorized under the EFTA or electronic funds transfers act).

      In this case the bank so egregiously ignored it's own security measures (authorized transactions even though it's internal fraud alert systems was warning against the transaction) that it was clear the bank was in the wrong...

  3. People's by Anonymous Coward · · Score: 5, Funny

    I still get that cuddly, fuzzy Russian Soviet communist feeling every time I see or hear the word People's.

  4. Video explanation by Paradise+Pete · · Score: 5, Funny

    This video properly explains it.

  5. Re:Now lawyers to design security protocols? by The+Mighty+Buzzard · · Score: 4, Insightful

    I honestly don't see how this is a problem. A bank's fundamental commitment is to be a safe place to stuff your money. They pay a pretty fair chunk of money to physical security experts to make sure nobody can walk in and take the money in their charge. They should take their online security just as seriously and if they don't they should be held liable.

    --
    Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
  6. when I opened my first bank account by way2trivial · · Score: 5, Insightful

    back in the 80's I was asked for my mothers maiden name-

    I asked why they needed it- and they said for a password in case I ever called
    - i immediately thought -- my brother knows the answer to that- and he's the only person I can see attempting it

    My mothers maiden name has been snotrag ever since (not snotrag, but something equally offcolor) and it's always been the same answer

    the one my brother does not know.

    --
    every day http://en.wikipedia.org/wiki/Special:Random