Thursday, December 27, 2012
Courts - "Maine Bank Agrees to Reimburse Hacking Victim $300K in Precedent-Setting Case"
This story is from Nov. 30th. Kim Zetter's report in WIRED begins:
In a case watched closely by banks and their commercial customers, a financial institution in Maine has agreed to reimburse a construction company $345,000 that was lost to hackers after a court ruled that the bank’s security practices were “commercially unreasonable.”
People’s United Bank has agreed to pay Patco Construction Company all the money it lost to hackers in 2009, plus about $45,000 in interest, after intruders installed malware on Patco’s computers and stole its banking credentials to siphon money from its account.
Patco had argued that the bank’s authentication system was inadequate and that it failed to contact the customer after its automated system flagged the transactions as suspicious. But the bank maintained that it had done due diligence because it verified that the ID and password used for the transactions were authentic.
The case raised important questions about how much security banks and other financial institutions should be reasonably required to provide commercial customers.
Small and medium-sized businesses around the country have lost hundreds of millions of dollars in recent years to similar thefts, known as fraudulent ACH (Automated Clearing House) transfers, after their computers were infected with malware that swiped their bank account credentials. Some have been lucky to recover the money from banks that valued their business, but others, like Patco, were told by their banks that they were responsible for the loss.
Although the assets of customers with personal bank accounts are protected under federal law, commercial bank accounts are not. The only recourse such customers have when their bank refuses to assume responsibility for stolen funds is to try to pursue their money in state courts under the Uniform Commercial Code.
People’s United Bank agreed to the settlement only after an appellate court indicated that the bank’s security system and practices had been inadequate under the UCC.
Posted by Marcia Oddi on December 27, 2012 10:21 AM