ACH Fraud: Judge Denies PATCO Motion
No Jury Expected to Hear About Dispute with Ocean Bank
In the May disposition, the court notes that Ocean Bank's security could have been better. But because PATCO agreed to the bank's security when it signed the contract, the court assumed PATCO considered the methods to be reasonable.
In his Aug. 4 order affirming the May decision, U.S. District Judge D. Brock Hornby writes, "On the issue whether Patco agreed to the Bank's security procedures, I do not rely on the Magistrate Judge's conclusion that Patco conceded the point by not addressing the issue in its Reply. The parties filed simultaneous cross-motions for summary judgment and Patco did address the issue in its filing. That was enough to preserve it. I do agree with the Magistrate Judge, however, that the record supports the conclusion that Patco did agree."
Mark Patterson, president of PATCO, had no comment regarding the judge's support of the order.
In June, Patterson said he was weighing legal options. "Things are not always fair, and we have to decide how long we want to fight the fight," he said. "We do feel very strongly about this issue, but how far do we want to go?" [See ACH Legal Ruling Favors Bank.]
Brenda Sharton, partner and co-chair of the Business Litigation practice group at Goodwin Procter and lead counsel for People's United Bank, which acquired Ocean Bank, says the court's ruling was balanced. "We are pleased that the judge acknowledged the commercial reasonableness of the bank's security procedures," she says. "Of course, as the law recognizes, while banks must employ commercially reasonable procedures, they cannot be guarantors against this type of criminal activity."
PATCO's Primer
At issue for PATCO was whether banks should be held responsible when commercial accounts are drained because of fraudulent ACH and wire transfers approved by the banks that oversee the accounts. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?
"Obviously, the major issue is the banks are saying this is the depositors' problem; but the folks that are losing money through ACH fraud don't have enough sophistication to stop this," Patterson says.
In May 2009, PATCO, a construction company based in Maine, had its account taken over by cyberthieves after malware hijacked online banking log-in and password credentials for its commercial account with Ocean Bank. More than $500,000 in fraudulent ACH transactions from PATCO's account was approved by the bank.
Patterson argues that Ocean Bank was not complying with the Federal Financial Institutions Examination Council's requirement for multifactor authentication when it relied solely on log-in and password credentials to verify transactions. [See FFIEC Authentication Guidance.]
David Navetta, an attorney who specializes in IT security and privacy, says most IT security experts agree with Patterson's view; but the court, in this case, did not.
"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability," Navetta says. "The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept."
Recent court rulings in corporate account takeover cases have been inconsistent, making case law on the matter a bit disjointed. Last month's closure of the account takeover case between Michigan-based Experi-Metal Inc. and Comerica Bank revealed a much different view from the courts. [See ACH Fraud: Comerica Pays Settlement.]
In that case, a U.S. District Court in Michigan ordered Comerica to reimburse EMI more than $560,000 for funds EMI lost after Comerica approved fraudulent wire transfers that totaled more than $1.9 million.
At this point, it's too early to discern agreement on exactly what is deemed by the courts to be reasonable security, with only two decisions to weigh, Navetta says. "Both sides are going to be looking at these cases and trying to make their arguments based on what's already been decided," he says.