The PATCO v. Ocean Bank appellate judgment is attracting a lot of attention. The decision, handed down by the First Circuit Court of Appeals in Boston, reverses the original lower court ruling that the bank is not responsible for PATCO’s unauthorized wire transfers of nearly $600,000. This is a wake-up call for any business out there that is relying on contracts, and not computer data security solutions, to mitigate risk.
Lower Courts Uphold Contract, Appellate Court Doesn’t
When PATCO Construction originally sued Ocean Bank (part of People’s United Bank), the judge ruled in favor of the bank, denying PATCO’s motion for a jury trial. In its ruling, the court noted that Ocean Bank’s security could have been better. But because PATCO agreed to the bank’s security when it signed its contract with Ocean Bank, the court assumed PATCO considered the methods to be reasonable. [bankinfosecurity.com]
Furthermore, the bank argued that PATCO had not fulfilled its end of the security bargain. PATCO, the bank argued, had been infected with the Zeus malware, a nefarious piece of software that can log keystrokes and steal data. Under such circumstances, all the security in the world would have been useless.
Or would it?
The judge noted that “Ocean Bank’s security could have been better.” Those “better” practices could have made a difference. And the federal appellate court focused on these. Among the practices that weren’t up to par:
Dollar Amount Rule: Ocean Bank’s online banking challenged users with a security question for any transfer over $1. That’s not a typo; it really is ONE DOLLAR. This cannot be considered additional security because it doesn’t add any security value: when every transfer is challenged, the challenge no longer distinguishes unusual activity from routine activity. Plus, it interfered with the bank’s risk profiling. (The threshold was $100,000 previously; it got lowered to $1 because there were too many online fraud attempts. This is a fundamental misunderstanding of what the dollar amount rule was designed for.)
No Transaction Monitoring: The amounts being wired were significantly higher than PATCO’s regular amounts. Plus, they were being sent to individuals who didn’t have a history of being wired by PATCO, from computers that were not recognized by the bank’s systems, from IP addresses that were not recognized as being PATCO’s.
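To make the two points above concrete, here is an added example (not code from the original post, the court record, or either bank) that scores a wire transfer against a customer's own history using exactly the signals the article lists: amount out of line with past transfers, a payee never paid before, an unrecognized device, and an unrecognized source IP. It then compares a pure dollar-threshold challenge policy (at $1 and at $100,000) with a risk-based one. All names, device identifiers, IP addresses, amounts and scoring weights are constructed for illustration.

```python
"""Risk-based step-up authentication for outbound wires (constructed example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    amount: float
    payee: str
    device_id: str    # identifier the bank assigned to an enrolled browser/device (assumed)
    source_ip: str


@dataclass
class CustomerProfile:
    """What the bank already knows about one customer's normal behaviour."""
    known_payees: set
    known_devices: set
    known_ips: set
    past_amounts: list

    @classmethod
    def from_history(cls, history):
        return cls(
            known_payees={t.payee for t in history},
            known_devices={t.device_id for t in history},
            known_ips={t.source_ip for t in history},
            past_amounts=[t.amount for t in history],
        )


def amount_is_anomalous(past_amounts, amount):
    """Flag an amount far outside the customer's own history.

    Uses a z-score against the population stdev, with a multiple-of-max fallback
    so a customer whose history is nearly constant (stdev ~ 0) is still covered."""
    if not past_amounts:
        return True                      # no baseline yet: treat as unusual
    if amount > 3 * max(past_amounts):
        return True
    sd = pstdev(past_amounts)
    if sd == 0:
        return False
    return (amount - mean(past_amounts)) / sd > 3


def risk_score(profile, t):
    """Return (score, reasons). Weights are illustrative, not any bank's real tuning."""
    reasons = []
    if amount_is_anomalous(profile.past_amounts, t.amount):
        reasons.append("amount_anomaly")
    if t.payee not in profile.known_payees:
        reasons.append("new_payee")
    if t.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if t.source_ip not in profile.known_ips:
        reasons.append("unknown_ip")
    weights = {"amount_anomaly": 3, "new_payee": 2, "unknown_device": 2, "unknown_ip": 1}
    return sum(weights[r] for r in reasons), reasons


def dollar_threshold_challenge(t, threshold):
    """The article's 'dollar amount rule': challenge purely on amount."""
    return t.amount > threshold


def risk_based_challenge(profile, t, min_score=3):
    """Challenge only when enough independent signals disagree with the customer's baseline."""
    score, _ = risk_score(profile, t)
    return score >= min_score


def challenge_rate(decisions):
    """Fraction of transfers challenged; 1.0 means the challenge carries no information."""
    return sum(1 for d in decisions if d) / len(decisions)


# Constructed history: routine transfers to two known payees from enrolled devices.
HISTORY = [
    Transfer(4200, "payee-vendor-a", "dev-office-1", "198.51.100.10"),
    Transfer(5100, "payee-vendor-a", "dev-office-1", "198.51.100.10"),
    Transfer(4800, "payee-vendor-b", "dev-office-1", "198.51.100.10"),
    Transfer(5600, "payee-vendor-a", "dev-office-2", "198.51.100.10"),
    Transfer(4900, "payee-vendor-b", "dev-office-1", "198.51.100.10"),
    Transfer(5300, "payee-vendor-a", "dev-office-1", "198.51.100.10"),
]
# Constructed suspicious transfer: far larger, new payee, unknown device and IP.
SUSPICIOUS = Transfer(95000, "payee-never-seen", "dev-unknown", "203.0.113.9")
PROFILE = CustomerProfile.from_history(HISTORY)


def compare_policies(history=HISTORY, suspicious=SUSPICIOUS, profile=PROFILE):
    """Challenge rate of each policy over history + the suspicious transfer."""
    transfers = history + [suspicious]
    return {
        "one_dollar_rule": challenge_rate([dollar_threshold_challenge(t, 1) for t in transfers]),
        "100k_rule": challenge_rate([dollar_threshold_challenge(t, 100_000) for t in transfers]),
        "risk_based": challenge_rate([risk_based_challenge(profile, t) for t in transfers]),
        "risk_based_catches_suspicious": risk_based_challenge(profile, suspicious),
    }


if __name__ == "__main__":
    print(risk_score(PROFILE, SUSPICIOUS))
    print(compare_policies())
```

Run as a script, the $1 rule challenges every one of the seven transfers (rate 1.0, so the question is just friction), the $100,000 rule challenges none of them and lets the $95,000 transfer through, while the risk-based policy challenges only the one transfer that is anomalous on all four signals. The profile is built from the same transfers it is later scored against, which is how a production system would behave for an established customer; a new customer with no history is treated as anomalous until a baseline exists.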
It was also revealed that the bank changed its security practices after PATCO was affected, possibly indicating that the bank understood that there were problems with how it was approaching its online banking security.
Contracts Aren’t Worth the Paper They’re Written On?
There is a saying that oral contracts are not worth the paper they are written on. In other words, they’re worthless. Now, this is not entirely true. Oral contracts are enforceable; the problem lies in proving that the oral contract existed. If you can provide witnesses or a voice recording, that contract can be enforced (at least, that’s my understanding). So, there’s a caveat to this particular nugget of common wisdom.
Likewise with written contracts: there are times when a contract can’t protect you, regardless of what common wisdom might dictate. I’m not a lawyer so I can’t give specifics, but as the above story shows, you can’t just sign away your risk. That’s not how it works.
In this day and age, if you are dealing with digital data — especially sensitive data that can be used to steal money from clients, either directly (as in the above) or indirectly (such as a breach of customers’ SSNs which are later used to perpetrate mortgage fraud) — you need to ensure that you’ve got proper protection in place.
While banks (or any businesses) cannot be taken to task for not having perfect security, they cannot be, and cannot expect to be, given a free pass for having lousy security.