What’s the extent of a bank’s liability when a customer’s account has been hacked?
A district court in Maine held that Ocean Bank wasn’t liable for a hacked account, but the First Circuit Court of Appeals remanded the case, finding that the bank could potentially be liable.
The quick facts are as follows (courtesy of Network World): A hacker correctly answered the security questions and accessed Patco Construction Company’s Ocean Bank account. The bank failed to notify the company that the transactions had been flagged as suspicious. In the end, the bank was able to recover $243,406 from the transactions, leaving a loss of $345,444.
The First Circuit’s decision was based largely on Article 4A of the Uniform Commercial Code, under which a bank receiving a payment order would generally bear the risk of loss of any unauthorized funds transfer.
The bank could shift the risk of loss to the customer if the bank’s security measures were commercially reasonable.
The UCC explains that whether a security procedure is commercially reasonable is a question of law, to be decided by a court.
The First Circuit went on to say that the bank must show not only that the security procedures were commercially reasonable, but also that the bank accepted the payment order in “good faith and in compliance with the security procedures.”
While the First Circuit found the bank’s security system to be commercially unreasonable, the court didn’t issue a ruling on the extent of Ocean Bank’s liability. Instead, the First Circuit Court of Appeals left the UCC Article 4A question to the district court, on remand.
The district court will now be charged with deciding what obligations or responsibilities should be imposed on a commercial customer, in light of a commercially unreasonable security system.
The outcome of the case is TBD, but it’s certainly one worth watching.