Technologist - The FindLaw Legal Technology Blog

Banks Liable For Cyber Criminals?

FindLaw columnist Eric Sinrod writes regularly in this section on legal developments surrounding technology and the internet.

The Internet has made life easier in so many ways, including the ability to shop and conduct financial transactions online. Of course, just like in the world of bricks and mortar, criminals also lurk in Cyberspace, seeking to steal identities, data and money. While Cyber criminals, of course, are responsible as a matter of criminal and civil law for their own wrongdoing, the question arises as to whether others also can be deemed responsible for the harm suffered as a result of this illegal conduct.

The recent case of Patco Construction Company, Inc. v. People's United Bank d/b/a Ocean Bank, filed in state court in Maine, tees up this very question for resolution.

Patco alleges that it has been a customer of Ocean Bank. Patco asserts that Ocean Bank failed to fulfill "one of its most basic obligations, namely, to protect its customers' funds against theft."

According to Patco's complaint, over the course of one week in May of this year, cyber criminals accessed Patco's accounts at Ocean Bank and transferred hundreds of thousands of dollars to numerous bank accounts by way of the Automated Clearing House network, a system used by banks to transfer funds electronically between accounts.

Patco states that Ocean Bank purportedly informs its customers that its online banking system utilizes sophisticated "behind-the-scenes" security measures that are supposed to monitor the type, frequency and origination point of electronic transactions. However, Patco complains that the security measures on Patco's account were structured in a manner that left the account vulnerable to the very attacks that occurred.

Moreover, Patco alleges that Ocean Bank did not detect the improper transfers, which should have been seen as suspicious because they were larger than usual Patco transactions, they were directed to numerous accounts to which Patco had never transferred funds, and the transfers originated from Internet protocol addresses that Patco had not used before to conduct its online banking.

In addition to the foregoing, Patco complains that Ocean Bank allowed the perpetrators to draw more than $200,000 in additional stolen funds on a line of credit Patco had with the bank. Patco states that it is particularly insulted that Ocean Bank expects the repayment of this money plus interest by Patco.

Patco has asserted causes of action for negligence, breach of contract and breach of fiduciary duty, among others.

Patco's complaint is just one side of the story, of course. Ocean Bank will have its day in court and will be able to present its defenses. How this case unfolds and resolves largely will turn on the facts.

Factual questions to be answered will include: the extent to which Ocean Bank represented and agreed that it would implement security measures to protect the funds of customers; whether Ocean Bank fulfilled its representations and promises in that regard; whether Ocean Bank acted responsibly in light of its position of trust and in light of reasonable industry standards; and whether Ocean Bank should have been on notice of improper criminal conduct based on the facts.

Other facts to be considered include the banking history of Patco with Ocean Bank, whether Patco possibly did anything to contribute to the compromised scenario as it unfolded, and whether the Cyber attacks were beyond what a reasonable financial institution could detect and prevent under these circumstances.

The object lesson of this lawsuit is not necessarily what the ultimate outcome will be based on its unique facts. The real point is that causes of action do exist in the law that can make a third party, like a bank, potentially responsible for harm suffered by others at the hands of Cyber criminals.

Thus, not only should online companies protect themselves from online criminal conduct, they should consider and develop measures to protect their customers from such conduct, when it is foreseeable and when industry knowledge and standards demand such protection.

 

Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes.  His Web site is http://www.sinrodlaw.com and he can be reached at ejsinrod@duanemorris.com.  To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line.

This column is prepared and published for informational purposes only and should not be construed as legal advice.  The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.