Posted On: October 28, 2009 by David Johnson

Patco Construction v. Ocean Bank: Who Pays when a Hacker Steals Money from a Business Bank Account?

It was recently reported by Brian Krebs of the Washington Post, and others, that a Maine construction company sued its bank for failing to prevent hackers from transferring some $588,000 in company funds to co-conspirators throughout the U.S. This case bears watching because it may well test the conclusion of the court in Shames-Yeakel v. Citizens Financial Bank that a bank's failure to use multi-factor authentication procedures for wire transfers may not constitute a reasonable business practice. It should also test the effect of a clause in the bank's contract with the construction company, requiring the company to monitor and immediately report questionable transfers to the bank.

The case is Patco Construction Co. v. Ocean Bank, York County Superior Court, 2009. According to the complaint, on May 7, 2009, hackers stole Patco's login credentials and initiated a series of transfers throughout the week that totaled over $588,000. Patco discovered the fraud on May 13, when one of its co-owners found a notice from Ocean Bank in his mailbox, stating that several recent transfers had been rejected. Patco notified the bank on the morning of May 14. While the bank attempted to rescind the transfers, Patco was ultimately out at least $345,000 in stolen funds.

The bank claimed that Patco was responsible for the loss, citing a clause in its ebanking and bill payment agreement, which states that customers who use automated clearinghouse (ACH) transactions on their commercial accounts "assume all liability and responsibility to monitor those accounts on a daily basis" and "[i]n the event you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs." Patco allegedly didn't discover or report the losses until days after most had occurred.

Patco claims that Ocean Bank is responsible for the loss, arguing that the bank breached its duty to provide a commercially reasonable security system because it only provided a single-factor authentication system for wire transfers.

So, which side is right?

Fraud losses for business deposit accounts, such as those suffered by Patco here, are governed by Article 4A of the Uniform Commercial Code. Article 4A is written from the standpoint of the bank and gives a bank a "safe harbor" from losses associated with wire fraud if it meets three conditions: (i) the bank and its customer agree to use a particular procedure for verifying the authenticity of wire transfer orders, (ii) the bank has provided a "commercially reasonable method of providing security against unauthorized payment orders" to the customer, and (iii) the bank followed the procedures.

Article 4A generally permits parties to modify its provisions as they see fit -- except where modification is not permitted by Article 4A. See §4A-501. One area where waiver of Article 4A's provisions is restricted is in contracts dealing with commercially reasonable security procedures. Under Section 4A-202, a security procedure can be "deemed commercially reasonable if (i) the security procedure was chosen by a customer after the bank offered, and the customer refused, a security procedure that was reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer." According to the official comment to this section, the bank has to first offer a commercially reasonable security procedure to the customer, the customer has to "be made aware of the risk" of rejecting the procedure, and the customer has to assent in writing to assume that risk.

Article 4A does not spell out the specific security procedures that are considered commercially reasonable. However, the official comment does state that "a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank" is not commercially reasonable.

Any attempt to define the prevailing standards for commercially reasonable security procedures would have to start with the Federal Financial Institutions Examination Council's (FFIEC) 2006 Report on Authentication in an Internet Banking Environment. The FFIEC is an interagency group that promulgates examination standards for banks, credit unions and other financial institutions. As such, its pronouncements on what constitutes sound banking practice create at least a minimum baseline for commercially reasonable practices.

The FFIEC Report requires that financial institutions perform an assessment of the risks to the security of their funds transfer systems and then design controls that meet these risks. Moreover, the FFIEC has stated that single-factor (e.g., ID/password) authentication systems are inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties -- the type of transactions involved in the Patco case. Instead, multi-factor authentication should be used for such accounts.

As defined by the FFIEC, authentication methodologies involve three basic "factors":

• Something the user knows (e.g., password, PIN, or other "shared secrets", such as customer-selected images that must be identified from a pool of images);

• Something the user has (e.g., ATM card, smart card, USB tokens, one-time password tokens); and

• Something the user is (e.g., a biometric characteristic, such as a fingerprint, voice print, hand geometry, or the pattern of veins in the user's eye).

Single-factor authentication involves using information from just one of these categories -- as in ID/password identification. Multi-factor authentication involves using information from at least two of these categories. For example, the typical ATM transaction requires multi-factor authentication: something the user possesses, the ATM card, along with something the user knows, the PIN.

In the Patco case, the threshold question, before Ocean Bank can claim any safe harbor from liability for the fraud damages, is whether Ocean Bank offered a commercially reasonable security procedure to Patco. From reports of the case, Patco argues that Ocean Bank offered only single-factor authentication: a user ID and password, plus responses to two challenge questions -- all things that the user would know. Patco also claims that the same two challenge questions were asked and responded to so frequently that they became just an extension of the password -- and were easily hacked. If the court (or jury) agrees with Patco's arguments and finds that Ocean Bank did not offer commercially reasonable security procedures to Patco, then it would likely conclude that Ocean Bank has at least some liability for Patco's wire transfer fraud losses.

This does not mean that Ocean Bank would necessarily be liable for all of these losses. Ocean Bank would doubtless make the counterargument that Patco's failure to report the fraud losses immediately was also a cause of the losses. If the court (or jury) agrees with Ocean Bank, this could well result in a reduction of the total damages that Patco could recover.

David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.