updated 12:48 pm EST, Sat December 1, 2012
Credentials stolen from company, bank failed to prevent theft
A Maine bank has agreed to reimburse a construction company the $345,000 that hackers stole from its account, after an appeals court ruled that the bank's security procedures were "commercially unreasonable." People's United Bank will pay Patco Construction Company every cent it lost in 2009, plus $45,000 in interest, after miscreants stole Patco's online banking credentials and used them to withdraw money from the account.
Patco argued that the bank had failed in its obligation to contact the company after the bank's own automated system flagged the transfers as suspicious. Throughout the initial proceedings, the bank maintained that it had done everything it was required to do, because it had verified that the user ID and password submitted with the transactions were authentic. That defense misses the attack at issue: once credentials have been stolen, a correct password proves only that whoever is logged in holds the credentials, not that the account holder authorized the transfer. The bank was originally found blameless for the theft, but an appeals court reversed that decision over the summer and urged the parties to settle rather than return the matter to trial.
Using the stolen credentials, the thieves moved $588,000 out of the account in several batches of automated clearing house (ACH) transfers over the course of a week. Ocean Bank, the People's United division that held Patco's account, was able to block or recover $243,406 of the stolen funds, leaving the construction company with a loss of $345,445. To cover the transfers, Ocean Bank had also drawn $223,237 on Patco's line of credit. Patco sued shortly thereafter, arguing that the bank had not provided the multi-factor authentication called for in the guidance of the Federal Financial Institutions Examination Council (FFIEC).
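The control the ruling turns on, as an added example in Python (this is not code from the article or from either bank's systems): the bank's risk engine flagged the transfers, but nothing held them pending out-of-band confirmation. The engine below scores each ACH transfer against a customer baseline (new payee, amount above the customer's history, unfamiliar login IP, a second batch within 24 hours) and gives no credit for a correct password. In gated mode a flagged transfer is held until the customer confirms it; in log-only mode the same alert is recorded and the money goes out anyway. The account baseline, the transfers, the threshold and the IP addresses are all constructed for illustration and are not the real Patco transactions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Transfer:
    txn_id: str
    amount: float
    payee: str
    submitted: datetime
    login_ip: str


@dataclass(frozen=True)
class AccountProfile:
    """Behavioural baseline for one customer (hypothetical values below)."""
    largest_prior_ach: float
    known_payees: frozenset
    usual_ips: frozenset


def risk_score(t: Transfer, profile: AccountProfile,
               recent: List[Transfer]) -> Tuple[int, List[str]]:
    """Score one transfer against the customer's baseline.

    A matching user ID and password earn no credit here: the premise is that
    credentials may be stolen, so only the behaviour of the transfer counts.
    """
    score, reasons = 0, []
    if t.payee not in profile.known_payees:
        score += 40
        reasons.append("payee never paid before")
    if t.amount > profile.largest_prior_ach:
        score += 30
        reasons.append("amount exceeds customer's prior maximum")
    if t.login_ip not in profile.usual_ips:
        score += 20
        reasons.append("login from unfamiliar IP")
    # Velocity: another batch was submitted within the previous 24 hours.
    if any(timedelta(0) <= t.submitted - r.submitted <= timedelta(days=1) for r in recent):
        score += 20
        reasons.append("second batch within 24h")
    return score, reasons


def process_batches(transfers: List[Transfer], profile: AccountProfile,
                    confirm: Callable[[Transfer, List[str]], bool],
                    hold_threshold: int = 50, gate: bool = True):
    """Run the engine over a list of transfers in submission order.

    Returns (released_amount, held_amount, alerts). With gate=True a transfer
    scoring at or above the threshold is held unless the customer confirms it
    out of band; with gate=False the alert is only recorded and the money is
    released anyway, which is the failure mode the article describes.
    """
    released = held = 0.0
    alerts, seen = [], []
    for t in sorted(transfers, key=lambda x: x.submitted):
        score, reasons = risk_score(t, profile, seen)
        seen.append(t)
        if score >= hold_threshold:
            alerts.append((t.txn_id, score, reasons))
            if gate and not confirm(t, reasons):
                held += t.amount
                continue
        released += t.amount
    return released, held, alerts


# Constructed sample data (hypothetical; not the real Patco transactions).
BASE = datetime(2009, 1, 5, 9, 0)
PROFILE = AccountProfile(
    largest_prior_ach=10_000.0,
    known_payees=frozenset({"Acme Lumber", "Weekly Payroll"}),
    usual_ips=frozenset({"198.51.100.7"}),
)
SAMPLE = [
    Transfer("t0", 8_000.0, "Weekly Payroll", BASE, "198.51.100.7"),
    Transfer("t1", 95_000.0, "New payee A", BASE + timedelta(days=1, hours=5), "203.0.113.45"),
    Transfer("t2", 105_000.0, "New payee B", BASE + timedelta(days=2), "203.0.113.45"),
    Transfer("t3", 99_000.0, "New payee C", BASE + timedelta(days=3), "203.0.113.45"),
    Transfer("t4", 101_000.0, "New payee D", BASE + timedelta(days=4), "203.0.113.45"),
    Transfer("t5", 100_000.0, "New payee E", BASE + timedelta(days=6), "203.0.113.45"),
]


def customer_confirms(t: Transfer, reasons: List[str]) -> bool:
    """Stand-in for an out-of-band call or SMS: the customer recognises only
    payees it has actually set up, so every unknown payee is declined."""
    return t.payee in PROFILE.known_payees


def run_gated():
    return process_batches(SAMPLE, PROFILE, customer_confirms, gate=True)


def run_log_only():
    return process_batches(SAMPLE, PROFILE, customer_confirms, gate=False)


if __name__ == "__main__":
    for label, fn in (("gated", run_gated), ("log-only", run_log_only)):
        released, held, alerts = fn()
        print(f"{label}: released ${released:,.0f}, held ${held:,.0f}, {len(alerts)} alerts")
        for txn_id, score, reasons in alerts:
            print(f"  {txn_id} score={score} {reasons}")
```

Both modes raise the same five alerts; the difference is only whether an alert stops the money. The scoring weights and the 50-point threshold are illustrative, and a production engine would also consider payee bank, time of day and session behaviour, but the structural point stands: a flag that does not gate release protects no one.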
Charisse Castagnoli, a bank fraud expert and security consultant, said the decision could open the door to lawsuits from small businesses that were similarly robbed because of inadequate or outdated security procedures. She also noted that the appeals court did not address what obligations the victim has when the bank's security fails, such as a duty to check balances promptly and to respond to bank notifications. "At the same time, you can't be a sloppy or naive customer," added Castagnoli, "as the court is clearly looking for the customer to behave with some understanding of what the bank is doing with their money."