
UCC suit over bank security can proceed

A bank that required customers to answer security questions before it cleared any electronic withdrawal of more than $1, but allegedly failed to implement further security measures to detect and address suspicious transactions, could be sued under Article 4A of the Uniform Commercial Code, the 1st U.S. Circuit Court of Appeals has ruled in a case of first impression.

The bank allowed more than $500,000 in unauthorized payments from the account of the plaintiff, a small construction company. Hackers had apparently secured the plaintiff’s user ID, password and answers to its security questions, possibly by placing “keylogging” technology on the plaintiff’s computers.

A U.S. District Court judge granted summary judgment to the bank, finding that its security procedures were “commercially reasonable” and thus it did not bear the risk of loss under Article 4A.

But the 1st Circuit reversed.

“In our view, [the bank] did substantially increase the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like [the plaintiff,] which had frequent, regular, and high dollar transfers” and thus had to answer its security question more frequently, making its answer more vulnerable to detection, Chief Judge Sandra L. Lynch wrote for the court.

“Then when it had warning that such fraud was likely occurring in a given transaction, [the bank] neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed,” she added. “Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable.”

The 43-page decision is Patco Construction Company, Inc. v. People’s United Bank.

Well-placed burden

Plaintiff’s counsel Daniel J. Mitchell of Bernstein, Shur, Sawyer & Nelson in Portland, Maine, said the court “did a good job of putting the burden where it should be.”

While many small businesses are well-versed on security issues, it would be unrealistic to expect every commercial customer to have the sophistication to deal with challenges posed by cyber-theft, he said.

“It’s really evolving, and as between commercial customers and banks, banks are in a better position to police this,” said Mitchell, who practices in Massachusetts as well as Maine.

Mitchell also said it is good to finally have a reported decision on the issue.

“A small business taking on a bank is a real challenge,” he said. “It’s no coincidence that there aren’t a lot of reported cases in this area, because small commercial customers generally don’t expend the resources to take on banks in these situations.”

Boston lawyer Stephen P. Kolberg, who handles UCC litigation but was not involved in Patco, called the 1st Circuit ruling “an important first step toward creating a comprehensive body of caselaw governing the rights and liabilities of banks and account holders in the age of instantaneous electronic transfers and increasingly sophisticated Internet fraud.”

In the wake of Patco, bank counsel can no longer maintain a “set it and forget it” approach to web security in which they draft detailed electronic transfer agreements for their account holders but leave the rest to the technology people, Kolberg said.

“Bank counsel must either arrange for personnel to monitor the transaction alerts that arise from their security systems [or], more economically, … insure that the bank’s security system requires automatic email, text or telephone alerts to account holders of suspect transactions so as to shift the liability for fraud back to the bank customer,” he said.

Brenda R. Sharton of Goodwin Procter in Boston represented the bank. She declined to comment.

Unauthorized payments

In September 2003, plaintiff Patco Construction Co. in Sanford, Maine, began making its weekly payroll payments electronically through an “eBanking” platform offered by its bank, a local subsidiary of defendant People’s United Bank.

Patco always made its payment on Fridays from one of the computers at its offices. The payments came from a single IP address and were never for more than $36,000.

In 2004, the bank contracted with a company called Jack Henry & Associates to provide its core online banking platform, and in 2007, the bank selected the firm’s “premium” package for authentication of electronic transactions.

The system required a company ID, password and user-specific ID to access eBanking. The system also placed a “device cookie” on customers’ computers to identify computers used to access online banking and built a “risk profile” for each customer based on multiple factors, including the location from which the user logged in, the frequency of log-ins, and the size, type and frequency of payment orders.

Additionally, the system provided a risk score for every log-in attempt and transaction based on such information. If the transaction differed from its normal profile, the system reported an elevated risk score to the bank.

The system further required users to select three “challenge questions” and responses to be asked for authentication purposes when logging in. Initially, the bank set the system to automatically trigger challenge questions for any transaction over $100,000. But in August 2007, it lowered the threshold to $1.

After that point, customers, including Patco, were prompted to answer the challenge questions each time they made a transaction.

The bank claims it offered customers the option of receiving email alerts regarding incoming and outgoing transactions, balance changes and clearing of checks.

Patco alleges it was never notified of those alerts and that instructions for setting them up were hidden several clicks into the eBanking webpage where they would not likely be found by a customer who did not already know about them.

The bank also apparently chose not to implement several additional security measures, including monitoring risk scores of online transactions and reporting suspicious ones to customers.

Over several days in May 2009, unknown third parties — providing the security credentials of a Patco employee, including answers to her challenge questions — made a series of withdrawals from Patco’s account totaling more than $500,000.

The payments were directed to the accounts of various individuals who had never previously been sent money by Patco.

Additionally, the perpetrators logged in from a device unrecognized by the bank’s system and from an IP address that Patco had never used before. Though the risk-scoring engine generated unusually high scores for each transaction, apparently nobody at the bank was monitoring the transactions, which the bank processed as usual without notifying Patco of anything suspicious.
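The controls described above (a per-customer risk profile, a risk score for each transaction, challenge questions gated only on amount, and no review or customer notification of high-risk transactions) can be modelled in a few dozen lines. What follows is an added example written for this page; it is not code from the article, the bank or its vendor. The scoring weights, the high-risk cutoff, the constructed year of Friday payroll runs from one office IP, and the sample fraud batch (unknown device, new IP, never-seen payees) are all assumptions built for illustration, as are the two policies compared: the bank's configuration as the article describes it, and the same engine with a hold-for-review step on high scores.

```python
from collections import Counter
from dataclasses import dataclass

# Everything below is constructed for illustration: the weights, the cutoff,
# the sample history and the fraud batch are assumptions, not the real engine.


@dataclass(frozen=True)
class Txn:
    amount: float
    device_known: bool      # login presented a device cookie the bank had seen before
    ip: str
    payee: str
    weekday: str


@dataclass(frozen=True)
class Profile:
    known_ips: frozenset
    known_payees: frozenset
    usual_weekday: str
    max_amount: float


def build_profile(history):
    """Derive a customer's normal pattern (location, timing, size, payees) from past transactions."""
    weekdays = Counter(t.weekday for t in history)
    return Profile(
        known_ips=frozenset(t.ip for t in history),
        known_payees=frozenset(t.payee for t in history),
        usual_weekday=weekdays.most_common(1)[0][0],
        max_amount=max(t.amount for t in history),
    )


def risk_score(txn, profile):
    """Additive score over the signals the article lists; weights are assumed."""
    score = 0
    score += 40 if not txn.device_known else 0          # unrecognized device
    score += 30 if txn.ip not in profile.known_ips else 0   # IP never used before
    score += 20 if txn.payee not in profile.known_payees else 0  # new recipient
    score += 20 if txn.amount > profile.max_amount else 0   # larger than any prior payment
    score += 10 if txn.weekday != profile.usual_weekday else 0  # off the usual day
    return score


def challenge_exposures(history, challenge_threshold):
    """Number of times the customer must type its challenge answers over `history`.
    Each prompt is one more chance for a keylogger to capture the static answers."""
    return sum(1 for t in history if t.amount > challenge_threshold)


def decide(txn, profile, challenge_threshold, hold_high_risk,
           high_risk_cutoff=50, answers_correct=True):
    """Return 'PROCESS', 'HOLD' or 'REJECT'.

    The challenge question gates on amount only, so a captured answer passes it.
    `hold_high_risk` models the manual review / customer verification step that
    acts on the risk score regardless of whether the challenge was answered.
    """
    if txn.amount > challenge_threshold and not answers_correct:
        return "REJECT"
    if hold_high_risk and risk_score(txn, profile) >= high_risk_cutoff:
        return "HOLD"
    return "PROCESS"


def run(batch, profile, policy, answers_correct=True):
    return [decide(t, profile, answers_correct=answers_correct, **policy) for t in batch]


# Constructed history: 52 Friday payroll runs from one office IP, never above $36,000.
PAYROLL_HISTORY = [
    Txn(amount=30_000 + 100 * (i % 60), device_known=True,
        ip="203.0.113.10", payee="payroll", weekday="Fri")
    for i in range(52)
]

# Constructed fraud batch: unknown device, new IP, payees never paid before, several days running.
FRAUD_BATCH = [
    Txn(amount=90_000, device_known=False, ip="198.51.100.7", payee="mule-1", weekday="Thu"),
    Txn(amount=95_000, device_known=False, ip="198.51.100.7", payee="mule-2", weekday="Fri"),
    Txn(amount=97_000, device_known=False, ip="198.51.100.7", payee="mule-3", weekday="Mon"),
    Txn(amount=99_000, device_known=False, ip="198.51.100.7", payee="mule-4", weekday="Tue"),
    Txn(amount=98_000, device_known=False, ip="198.51.100.7", payee="mule-5", weekday="Wed"),
    Txn(amount=96_000, device_known=False, ip="198.51.100.7", payee="mule-6", weekday="Thu"),
]

BANK_POLICY = {"challenge_threshold": 1, "hold_high_risk": False}       # as the article describes
REVIEWED_POLICY = {"challenge_threshold": 1, "hold_high_risk": True}    # same engine plus a review step

if __name__ == "__main__":
    profile = build_profile(PAYROLL_HISTORY)
    print("challenge prompts/year at $100,000:", challenge_exposures(PAYROLL_HISTORY, 100_000))
    print("challenge prompts/year at $1:      ", challenge_exposures(PAYROLL_HISTORY, 1))
    for t in FRAUD_BATCH:
        print(f"score={risk_score(t, profile):3d}",
              "bank:", decide(t, profile, **BANK_POLICY),
              "reviewed:", decide(t, profile, **REVIEWED_POLICY))
```

Two things fall out of running it. Lowering the threshold from $100,000 to $1 takes a customer like Patco from zero challenge prompts a year to one every week, so the static answers are typed, and exposed to any keylogger, 52 times instead of never. And because the challenge is the only gate, an attacker who has the answers gets `PROCESS` on every fraud transaction under the bank's policy even though each one scores far above the cutoff; the same score, acted on by a hold-and-verify step, yields `HOLD` for the fraud batch while the genuine payroll runs still go through.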

After Patco learned of the thefts, the bank allegedly instructed the plaintiff to disconnect all computers used for eBanking from its network, stop using them for work purposes, and leave them on to allow an investigator to determine whether a security breach had occurred.

The bank claims, and Patco disputes, that the plaintiff did not follow those instructions.

Meanwhile, Patco hired an IT consultant who found remnants of malware that may have used “keylogging” technology to capture a Patco user’s security information. But the encryption key that might have told the consultant what information the malware had captured was apparently deleted by the consultant’s anti-malware scan.

On Sept. 18, 2009, Patco sued the defendant in state court in Maine alleging violations of Article 4A of the UCC.

The Connecticut-based defendant removed the case to federal court where a U.S. magistrate judge determined that the bank’s security measures were “commercially reasonable” and thus Patco bore the loss of the fraudulent transfers under Article 4A.

U.S. District Court Judge D. Brock Hornby adopted the findings and granted summary judgment to the bank. Patco appealed.

Commercially unreasonable practices

On appeal, Patco argued that the bank’s security practices were not commercially reasonable, and, therefore, the bank should bear the loss of the unauthorized withdrawals under Article 4A.

First, Patco contended that the bank increased the risk of compromised security by triggering security questions for any transaction over $1. According to Patco, prompting customers who made regular transactions for their challenge answers that often increased the chance that the answers would be captured by keyloggers or other malware and reused for unauthorized transfers.

Additionally, Patco argued that it was unreasonable for the bank not to take such additional security measures as monitoring for transactions with high-risk scores and immediately notifying customers that such transactions had occurred.

The court agreed.

“[The bank] introduced no additional security measures in tandem with its decision to lower the dollar amount rule, despite the fact that several such security measures were not uncommon in the industry and were relatively easy to implement,” Lynch said.

The judge also noted that Patco’s expert testified that all of her other banking clients using the same security product employed manual review or customer verification to authenticate unusual or suspicious transactions.

“Such security procedures would self-evidently not have been difficult to implement,” said Lynch, in reversing the lower court judge’s grant of summary judgment for the bank. “These collective failures, taken as a whole, rendered [the bank’s] security procedures commercially unreasonable.”

The court found, however, that Patco was not entitled to summary judgment on its own claims, citing issues of fact as to whether Patco fulfilled its own security responsibilities under Article 4A.