Maine Magistrate Judge John Rich has ruled that despite the fact that a bank allowed online hackers to steal more than $300,000 from a customer’s account, the bank is not responsible for the lost money. According to BankInfoSecurity, the judge said the plaintiff, a construction company, should have done a better job of protecting its bank account details.
Judge recommends charges against Ocean Bank be dismissed
Judge Rich recommended that the U.S. District Court in Maine dismiss a complaint filed by Patco Construction Company against Ocean Bank after Patco’s account was hacked and more than $300,000 was stolen. The case called into question how much security banks should reasonably be required to provide commercial customers. If the U.S. District Court follows Rich’s recommendation, legal experts see a precedent being set for liability claims in which online bank theft occurs via password interception. Each year, small- and mid-sized U.S. companies lose hundreds of millions of dollars via fraudulent ACH (Automated Clearing House) transfers, and the District Court ruling on the Ocean Bank case will no doubt be of interest.
Patco v. People’s United Bank: The inside story
Patco Construction Company’s case against People’s United Bank (the owner of Ocean Bank) states that in May 2009, it was discovered that hackers were stealing $100,000 per day from the company’s online Ocean Bank account. Apparently, the company’s password had been stolen via a malicious email that placed Trojan malware onto a Patco employee’s computer.
Nearly $600,000 was gone before Patco noticed and informed Ocean Bank. The bank was able to block $240,000 in transfers, but told Patco the rest was irretrievable. Patco’s lawsuit accused the bank of “failing to implement best security practices,” i.e. requiring customers to use multi-level authentication. Ocean’s initial defense was that because the online user identification and password matched, it had done its share of maintaining security.
While Judge Rich agreed that Ocean Bank could have done more to maintain security, he concluded that the law does not require banks to use the best security methods available. As Ocean’s security was similar to other online banks, Rich deemed that Patco was responsible for not securing its log-ins.
Not the best, just multi-factor
Patco Construction Company President Mark Patterson argued that Ocean Bank was not in compliance with the Federal Financial Institutions Examination Council’s authentication processes by only asking for username and password. IT security attorney David Navetta seconded Patterson’s concern, yet the court was satisfied by Ocean Bank’s two-step, “multi-factor” process of requiring username and password.