Printed from http://www.electronista.com

Appeals court finds bank liable for $588,000 ACH theft

updated 07:30 pm EDT, Fri July 6, 2012

Security used 'commercially unreasonable,' didn't meet federal standards

The US Federal Court of Appeals for the First Circuit has reversed a lower court's decision and found Ocean Bank (now People's United) at fault for a $588,000 "virtual robbery" in 2008 against Sanford, ME-based Patco Construction Company. Calling the bank's security systems "commercially unreasonable," the Boston-based appeals court returned some specific aspects to the original court and judge for review, but is encouraging both parties to settle the matter out of court.

In September 2008, the construction company filed suit against the bank. Patco used online banking to make weekly payroll payments. The banking login credentials were stolen from Patco in May 2009 by the ZeuS trojan. Using the lifted data, thieves removed $588,000 in several batches from the account in automated clearing house (ACH) transfers over a week.

Ocean Bank was able to block or retrieve $243,406 of the stolen funds, leaving the construction company with a loss of $345,445. To make up the difference between the retrieved funds and the lost funds, Ocean Bank drew $223,237 on Patco's credit to cover the transfers. Patco sued shortly thereafter, arguing that the bank didn't provide multi-factor authentication, as laid out by the Federal Financial Institutions Examination Council (FFIEC).

In the court's 43-page decision, the appeals court found Ocean Bank's fraud monitoring lacking overall. The statement clarified that "when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable."

Charisse Castagnoli, a bank fraud expert and security consultant, said the decision could open the door to lawsuits from small businesses similarly robbed because of inadequate or outdated security procedures. Furthermore, she said that the appeals court didn't address what the victim's obligations are for maintaining security in the case that bank security fails, such as a requirement for timely balance checks and responses to bank notifications. "At the same time, you can't be a sloppy or naive customer," added Castagnoli, "as the court is clearly looking for the customer to behave with some understanding of what the bank is doing with their money."



By Electronista Staff