ACH Fraud: Judge Denies PATCO MotionNo Jury Expected to Hear About Dispute with Ocean Bank
In the May disposition, the court notes that Ocean Bank's security could have been better. But because PATCO agreed to the bank's security when it signed the contract, the court assumed PATCO considered the methods to be reasonable.
In his Aug. 4 order affirming the May decision, U.S. District Judge D. Brock Hornby, writes, "On the issue whether Patco agreed to the Bank's security procedures, I do not rely on the Magistrate Judge's conclusion that Patco conceded the point by not addressing the issue in its Reply. The parties filed simultaneous cross-motions for summary judgment and Patco did address the issue in its filing. That was enough to preserve it. I do agree with the Magistrate Judge, however, that the record supports the conclusion that Patco did agree."
Mark Patterson, president of PATCO, had no comment regarding the judge's support of the order.
In June, Patterson said he was weighing legal options. "Things are not always fair, and we have to decide how long we want to fight the fight," he said. "We do feel very strongly about this issue, but how far do we want to go?" [See ACH Legal Ruling Favors Bank.]
Brenda Sharton, partner and co-chair of the Business Litigation practice group at Goodwin Procter and lead counsel for People's United Bank, which acquired Ocean Bank, says the court's ruling was balanced. "We are pleased that the judge acknowledged the commercial reasonableness of the bank's security procedures," she says. "Of course, as the law recognizes, while banks must employ commercially reasonable procedures, they cannot be guarantors against this type of criminal activity."
At issue for PATCO was whether banks should be held responsible when commercial accounts are drained because of fraudulent ACH and wire transfers approved by the banks that oversee the accounts. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?
"Obviously, the major issue is the banks are saying this is the depositors' problem; but the folks that are losing money through ACH fraud don't have enough sophistication to stop this," Patterson says. In May 2009, PATCO, a construction company based in Maine, had its account taken over by cyberthieves, after malware hijacked online banking log-in and password credentials for its commercial account with Ocean Bank. More than $500,000 in fraudulent ACH transactions from PATCO's account was approved by the bank.
Patterson argues that Ocean Bank was not complying with the Federal Financial Institutions Examination Council's requirement for multifactor authentication when it relied solely on log-in and password credentials to verify transactions. [See FFIEC Authentication Guidance.]
David Navetta, an attorney who specializes in IT security and privacy, says most IT security experts agree with Patterson's view; but the court, in this case, did not.
"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability," Navetta says. "The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept."
Recent rulings from the courts in corporate account takeovers have been across the board, making case law on the matter a bit disjointed. Last month's closure of the account takeover case between Michigan-based Experi-Metal Inc. and Comerica Bank revealed a much different view from the courts. [See ACH Fraud: Comerica Pays Settlement.]
In that case, a U.S. District Court in Michigan ordered Comerica to reimburse EMI more than $560,000 for funds EMI lost after Comerica approved fraudulent wire transfers that totaled more than $1.9 million.
At this point, it's too early to discern agreement on exactly what is deemed by the courts to be reasonable security, with only two decisions to weigh, Navetta says. "Both sides are going to be looking at these cases and trying to make their arguments based on what's already been decided," he says.