In June, we published an article advising small-business owners to guard against hackers who use malicious software, or malware, to raid business bank accounts. Computer security specialists say these crimes, called “corporate account takeovers,” have become increasingly common, and small businesses are especially easy prey because many lack firewalls and monitoring systems.
Worse, business owners often assume incorrectly that the protection they have on personal bank accounts applies to their business accounts as well. But historically that has not been the case. Provided banks can show adequate security procedures, they have no legal obligation to reimburse businesses for attacks, as federal regulations do not cover commercial accounts.
A recent court decision, however, creates a precedent to change that. In July, the United States Court of Appeals for the First Circuit in Boston ruled in favor of a construction company that had been hacked, declaring its bank responsible for the losses. Last month the two parties reached a settlement.
In May 2009, Mark Patterson’s company, Patco Construction in Sanford, Me., was robbed of $588,000 by cybercriminals using the ZeuS Trojan, a form of malware. Over seven consecutive days, thieves executed automated clearinghouse batch transactions with Patco’s user name and password.
Mr. Patterson assumed incorrectly that his financial institution, Ocean Bank, a southern Maine community bank, would cover the unauthorized debits. When he learned otherwise, he tried to cut a deal.
“We thought there were enough red flags that the bank should have detected” fraudulent activity, Mr. Patterson said, “but we also knew the malware was on our systems.” Because the bank was able to recover about $240,000 by halting or clawing back money from transfers processed within 24 hours of discovering the fraud, Patco’s actual losses were about $350,000. So Mr. Patterson asked Ocean Bank to reimburse $250,000. When the bank refused, he called a lawyer.
Patco brought suit against People’s United Bank, a regional bank based in Bridgeport, Conn., which had acquired Ocean Bank. With both sides in agreement that money was stolen and about how it was stolen, the facts of the case were never in dispute. In August 2011, Maine’s Federal District Court ruled in favor of the bank, finding that People’s United’s security systems were “commercially reasonable,” meaning the bank had done everything possible to protect its customers from fraud.
But Patco appealed, arguing that because People’s United had configured its security systems improperly, the bank failed to prevent the crime. “In this case, the bank put settings in place that were counter to good security,” said Dan Mitchell, a partner in the Portland, Me., office of Bernstein Shur and a member of the law firm’s data security practice. Mr. Mitchell represented Patco in the case. “The way they operated it left holes in the system.”
Mr. Mitchell explained that thieves spirited away money from Patco’s account to places like California and Florida, where the company does not normally conduct business. The timing and values of payments were also inconsistent with regular orders.
While People’s United assigned a risk score from zero to 1,000 for every transaction, the bank did not monitor scores to halt the fraud. “Patco’s typical scores were zero to 214 max, but in this case the risk scores were in the high 700s,” Mr. Mitchell said. “So the bank had the ability to generate these scores but didn’t do anything with them.”
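The detection gap described above is that a risk score was computed but never compared against the customer's own history or acted on. The following is an added illustration, not code from the bank, Patco, or the article: a small monitoring rule set that builds a per-customer baseline from past batches, scores new batches against it on the signals the article names (risk score, unfamiliar destination, unusual amount), and recommends a hold when enough rules fire. The batches, customer name, states and thresholds are constructed for illustration; only the 0 to 1,000 scale, the 0 to 214 normal range and the high-700s fraud scores come from the article.

```python
"""Added example (not from the article): per-customer baseline monitoring
for ACH batches. All transactions, names and thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AchBatch:
    customer: str
    day: int          # constructed: day index within the observation window
    amount: float     # constructed: batch total in dollars
    dest_state: str   # constructed: state of the receiving account
    risk_score: int   # bank-assigned score on a 0-1000 scale, as in the article


# Constructed history: ordinary batches whose scores stay in the 0-214 range
# the article gives for the customer's normal activity.
HISTORY = [
    AchBatch("patco", d, 12000.0 + 500 * (d % 3), "ME", s)
    for d, s in enumerate([40, 120, 214, 90, 160, 30, 200, 75])
]

# Constructed suspicious batches: high scores, unfamiliar states,
# consecutive days, far larger amounts.
SUSPECT = [
    AchBatch("patco", 100 + d, 95000.0, st, s)
    for d, (st, s) in enumerate([("CA", 790), ("FL", 760), ("CA", 785)])
]


def baseline(history):
    """Summarise normal behaviour: score ceiling, known states, amount stats."""
    scores = [b.risk_score for b in history]
    amounts = [b.amount for b in history]
    return {
        "max_score": max(scores),
        "states": {b.dest_state for b in history},
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts),
    }


def evaluate(batch, base, score_margin=1.5, amount_z=3.0):
    """Return the names of the rules the batch trips (empty list = no alert)."""
    reasons = []
    # Rule 1: score well above anything this customer has produced before.
    if batch.risk_score > base["max_score"] * score_margin:
        reasons.append("risk_score_above_baseline")
    # Rule 2: money leaving for a state the customer has never paid before.
    if batch.dest_state not in base["states"]:
        reasons.append("unfamiliar_destination")
    # Rule 3: amount far outside the customer's usual range (z-score).
    sd = base["amount_sd"] or 1.0  # guard against a zero-variance history
    if (batch.amount - base["amount_mean"]) / sd > amount_z:
        reasons.append("amount_outlier")
    return reasons


def alerts(history, new_batches, hold_at=2):
    """Evaluate each new batch and recommend a hold when enough rules fire.
    Acting on the score (holding the batch) is the step the article says the
    bank's system lacked; here the decision is explicit and auditable."""
    base = baseline(history)
    results = []
    for b in new_batches:
        reasons = evaluate(b, base)
        results.append({"day": b.day, "score": b.risk_score,
                        "reasons": reasons, "hold": len(reasons) >= hold_at})
    return results


if __name__ == "__main__":
    for a in alerts(HISTORY, SUSPECT):
        print(a)
```

The thresholds are deliberately simple so the logic is readable; in practice the baseline window, the score margin and the hold threshold would be tuned per customer and reviewed, and a hold would route the batch to a human for out-of-band confirmation rather than silently rejecting it.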
On this basis, Patco won the appeal, and in November People’s United agreed to pay back the full amount stolen from Patco, plus interest. Representatives of People’s United did not respond to requests for comment.
“The Patco case was the first to come from a court that high up,” Mr. Mitchell said. “This case is a guidepost now. My guess is that most of these cases get resolved, and this case will encourage that even more.” He believes the ruling will motivate banks not only to purchase adequate security systems but also to configure and maintain them properly.
Still, the impact of the Patco case may be muted, as financial institutions and their customers have become increasingly knowledgeable about computer security in the past three years. “If the status quo had been maintained, this decision would have put the fear of God into institutions,” said Sari Stern Greene, president of Sage Data Security in South Portland, Me., who testified as an expert witness in the case on behalf of Patco. “But in the interim, financial institutions have significantly enhanced their security controls and helped educate their customers.”
Ms. Greene also underscores that small businesses must erect their own firewalls and take precautions to prevent hacking. “Online banking security is really a partnership between the customer and the financial institution. When customers use online banking, they’re in essence creating their own personal branch,” she said. “Businesses invest in locks, alarms and motion sensors; they understand they need those controls in the physical world. And now they need them in the digital world too.”
As for Patco, the company no longer makes automated clearinghouse batch transactions. Mr. Patterson and his lawyer estimate People’s United spent more than $1 million in legal fees, while Patco spent hundreds of thousands of dollars to resolve the case.
“Yeah, I feel good about winning,” Mr. Patterson said. “But in the end, why does this stuff have to occur? Why didn’t the bank just settle?”
Article source: http://boss.blogs.nytimes.com/2012/12/12/a-win-for-small-businesses-in-bank-fraud-case/?partner=rss&emc=rss