updated 07:30 pm EDT, Fri July 6, 2012
Security used 'commercially unreasonable,' didn't meet federal standards
The US Court of Appeals for the First Circuit has reversed a lower court's decision and found Ocean Bank (now People's United) at fault for a $588,000 "virtual robbery" in 2008 against Sanford, ME-based Patco Construction Company. Calling the bank's security systems "commercially unreasonable," the Boston-based appeals court sent some specific questions back to the original court and judge for review, but is encouraging both parties to settle the matter out of court.
In September 2008, the construction company filed suit against the bank. Patco used online banking to make weekly payroll payments. Patco's banking login credentials were stolen in May 2009 by the ZeuS trojan. Using the lifted credentials, thieves drained $588,000 from the account in several batches of automated clearing house (ACH) transfers over the course of a week.
Ocean Bank was able to block or recover $243,406 of the stolen funds, leaving the construction company with a loss of $345,445. To cover the transfers, Ocean Bank also drew $223,237 on Patco's line of credit. Patco sued shortly thereafter, arguing that the bank didn't provide multi-factor authentication as laid out by the Federal Financial Institutions Examination Council (FFIEC).
In the court's 43-page decision, the appeals court found Ocean Bank's fraud monitoring lacking overall. The statement clarified that "when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable."
Charisse Castagnoli, a bank fraud expert and security consultant, said the decision could open the door to lawsuits from small businesses similarly robbed because of inadequate or outdated bank security procedures. She added that the appeals court didn't address what a victim's own obligations for maintaining security are when the bank's security fails, such as a requirement for timely balance checks and responses to bank notifications. "At the same time, you can't be a sloppy or naive customer," added Castagnoli, "as the court is clearly looking for the customer to behave with some understanding of what the bank is doing with their money."