Court Finds Bank Has No Liability for Allowing Hackers to Drain Customer’s Bank Account


A magistrate has recommended to the Federal court in Maine that a bank (in this case Ocean Bank of Maine) has no liability, even though it allowed hackers to remove more than $500,000 from one of the bank’s customers’ accounts. The customer, Patco Construction, had been the victim of the Zeus trojan, which steals passwords once surreptitiously installed on a victim’s computer.

According to the recommending magistrate, the bank had met its duty by requiring a username and password, and so should have no liability. Moreover, where Patco argued that the bank was not using the “best” security practices, the bank successfully countered that not only had Patco agreed to the bank’s security methods when it opened the account, but the law does not require the bank to use the best practices (!).

Said Mark Patterson, president of PATCO Construction, “Things are not always fair, and we have to decide how long we want to fight the fight. We do feel very strongly about this issue, but how far do we want to go?”

Patco was able to recover about $230,000 of the more than $500,000 that was stolen, and sued Ocean Bank for the rest, alleging that Ocean had failed to detect or prevent the original fraud (which took the form of fraudulent ACH (Automated Clearing House) transfers).

Said IT security and privacy expert attorney David Navetta, “Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability. The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept.”


Yet, even the court itself noted that Ocean Bank’s security was less than good. “It is apparent, in the light of hindsight, that the Bank’s security procedures in May 2009 were not optimal. The Bank would have more effectively harnessed the power of its risk-profiling system if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions,” said the court.

But, the court further observes, “Patco in effect demands that Ocean Bank have adopted the best security procedures then available. As the Bank observes, that is not the law.”

That’s legalese for “Sucks to be them.”


3 thoughts on “Court Finds Bank Has No Liability for Allowing Hackers to Drain Customer’s Bank Account”

  1. I lost my cell phone Nokia E63, I would like to trace my cell phone

    IMEI No.359319025319238

  2. The bank failed in its duty to secure the client’s funds. What else is their duty?? No matter what the excuses are they failed to do their duty. If they don’t want to harbor that responsibility then get out of the business and allow others to do a better job.

  3. What about the question of Patco’s responsibility to protect their computers from virus infections? If their computers had been protected from infection, then their username and password would not have been compromised. Patco seems to suffer from the “it’s not my fault, someone else is to blame” syndrome.
