The Fraud Blog with Tracy Kitten

Defining Reasonable Security

Are Courts Reviewing Fraud Cases Within Historical Context?
Defining Reasonable Security

Last month, an appellate court in Boston reversed a lower court's ruling that favored a bank in a legal dispute over a 2009 account takeover incident (see PATCO ACH Fraud Ruling Reversed.)

See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

Was that appellate ruling fair? Based on the security practices that most banking institutions used in 2009, probably not. The case exemplifies the challenges courts - and the attorneys arguing both sides - face in resolving cases involving ACH and wire fraud. The key issue? How to define "reasonable" security - and how that definition changes over time.

Some Background

Deciding these cases based on how we define reasonable security is dangerous. What's considered reasonable today might not be considered reasonable tomorrow. 

The appellate court decision dealt with an ongoing legal dispute between Maine-based PATCO Construction Inc. and the former Ocean Bank, now People's United Bank, over a series of bogus ACH/wire transactions that in May 2009 drained more than $580,000 from PATCO's online account.

In May 2011, a U.S. District Court denied PATCO's motion for a jury trial on the issue of whether the bank should be held financially liable for the breach. Although the court noted Ocean Bank's security could have been better, it determined that PATCO agreed the bank's security was reasonable when it signed its online banking contract.

The federal appeals court disagreed, and on July 3 ruled Ocean Bank's security procedures were "commercially unreasonable," reversing the district court's decision. The court further recommended that the two parties pursue an out-of-court settlement of the case.

What the Ruling Means?

I've spoken with several financial security and legal experts who offer widely varying perspectives about the appellate court ruling.

Joseph Burton, an information security and cybercrime attorney at the law firm Duane Morris, says the ruling could be a win for banks in the long run, suggesting it hints at the fact that commercial customers bear some responsibility for ensuring their own online security.

"It opens the possibility that you could have a circumstance where you had a commercially unreasonable procedure that was used by the bank, but liability might not be on the bank, because there may be responsibilities that the customer of the bank has," Burton says.

But Scott Vernick, a data security/privacy and attorney at the law firm Fox Rothschild, says he doesn't expect the ruling to have much impact.

Vernick says the ruling highlights points about Ocean Bank's security practices that other banks should heed - such as why the bank developed a risk profile for PATCO that it never reviewed, as well as how the bank failed to adequately use risk scoring to more closely monitor high-risk accounts. But he doesn't deem the appellate court's review of security reasonableness, based on Article 4-A of the Uniform Commercial Code, to be quite so impactful.

Under Article 4-A, a bank typically bears the risk of loss when unauthorized funds transfers are approved. The bank may shift that risk by proving the commercial reasonableness of its security, or by proving the payment was approved on good faith.

"It's hard for me to say necessarily that you are going to see a wave of lawsuits against banks," Vernick says. "If you see it, you'll see it because it would be hard for a bank today to argue that they are not aware of the any number of cyberthreats that are out there."

Why the Ruling Matters

Regardless, the ruling marks the first time we've seen a federal court's review of a legal dispute involving fraud linked to account takeover. And that, on its own, makes this case special.

But deciding these cases based on how we define reasonable security is dangerous. What's considered reasonable today might not be considered reasonable tomorrow.

Bill Nelson, who heads up the Financial Services Information Sharing and Analysis Center, was involved with some of the early Article 4-A discussions about reasonable security. He makes a good point, and one I think the court failed to consider in the PATCO case: Reasonable security changes over time.

A few years ago, authentication based on username and password, with challenge questions and/or identifying cookies during the session, was "commercially reasonable," he contends. Today, however, that approach is widely considered inadequate.

In the PATCO reversal, the appellate court judged the reasonableness of Ocean Bank's security based on today's standards, not standards deemed reasonable in May 2009. The industry did not really even take notice of account takeover fraud until late 2009, after the Federal Bureau of Investigation identified it as a serious threat.

I'm not saying Ocean Bank should have been let off the hook for not taking advantage of the fraud-detection systems it had in place. Why invest in solutions if you aren't going to use them? And by solutions such as transactional risk monitoring, commercial customers have every right to assume the bank is, in fact, monitoring those accounts.

But the form of authentication - log-in and password, plus challenge questions - that Ocean Bank relied on was standard at the time PATCO's account took a hit. As we move forward, I hope the courts carefully consider the timing of an incident when determining whether a bank followed reasonable security practices.

Nevertheless, the ruling offers important lessons for banks: If you have a system that flags high-risk transactions, use it. And if you have systems in place that sound alarms when transactional limits are suspicious, take advantage. It's worse to have systems in place and not use them than to not have the systems at all.



About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.