ACH Legal Ruling Favors Bank

Maine Magistrate Recommends no Trial for Defrauded Business

June 6, 2011.

A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in an ACH fraud case filed by a commercial customer against its former bank. According to the order, which must still be reviewed by the presiding judge, the bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials.

Now Mark Patterson, president of PATCO Construction Inc., the commercial customer in the case, says he's weighing his legal options. "Things are not always fair, and we have to decide how long we want to fight the fight," Patterson says. "We do feel very strongly about this issue, but how far do we want to go?"

At issue for PATCO is whether banks should be held responsible when commercial accounts, like PATCO's, are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?

"Obviously, the major issue is the banks are saying this is the depositors' problem," Patterson says, "but the folks that are losing money through ACH fraud don't have enough sophistication to stop this."

PATCO Primer

In May 2009, PATCO, a construction company based in Maine, had its account taken over by cyberthieves after malware hijacked the online banking log-in and password credentials for the commercial account PATCO held with Ocean Bank. The bank approved more than $500,000 in fraudulent ACH transactions from PATCO's account.

The business was able to recover only $230,000 of the stolen funds, and it sued Ocean Bank for failing to detect and prevent the bogus transfers.

PATCO sued Ocean Bank in 2010, and the bank quickly responded with motions to seal court documents and to request summary judgment. [Ocean Bank is owned by People's United Bank.] The magistrate who recently reviewed the case now recommends that the cross motions filed by PATCO and Ocean Bank be considered moot.

David Navetta, an attorney who specializes in IT security and privacy, says the magistrate's recommendation, if accepted by the judge, could set an interesting legal precedent about the security banks are expected to provide. And unless PATCO disputes the order, Navetta says it's unlikely the judge will overrule the magistrate's findings. PATCO has between 14 and 21 days to respond.

"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability," Navetta says. "The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept."

Bank's Security 'Not Optimal'

In the disposition, the court notes that Ocean Bank's security could have been better. "It is apparent, in the light of hindsight, that the Bank's security procedures in May 2009 were not optimal," the order states. "The Bank would have more effectively harnessed the power of its risk-profiling system if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions."

But because PATCO agreed to the bank's security methods when it signed the contract, the court suggests that PATCO itself considered those methods reasonable, Navetta says. The law also does not require banks to implement the "best" available security measures when it comes to protecting commercial accounts, he adds.

"Patco in effect demands that Ocean Bank have adopted the best security procedures then available," the order states. "As the Bank observes, that is not the law."

Patterson argues that Ocean Bank was not complying with the Federal Financial Institutions Examination Council's requirement for multifactor authentication when it relied solely on log-in and password credentials to verify transactions. Navetta agrees, but the court in this order does not.
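The order's point about the risk-profiling system, and the multifactor issue raised above, can be made concrete with a small triage policy. The following is an added example written for this article; it is not code from Ocean Bank, PATCO or the court, and its thresholds, scoring weights and sample transfers are all constructed. It scores an ACH transfer against an account's normal profile and escalates red-flag transfers to a manual review queue rather than only to a challenge question, which is the distinction the order draws: a challenge question is answered inside the same session that the malware already controls, while a manual review is an out-of-band human step.

```python
from dataclasses import dataclass

# Decisions the policy can return, ordered by severity.
APPROVE = "APPROVE"
CHALLENGE = "CHALLENGE_QUESTIONS"      # in-session step-up only
MANUAL_REVIEW = "HOLD_FOR_MANUAL_REVIEW"  # out-of-band human review before release

# Constructed thresholds (hypothetical, not from any regulation or bank).
CHALLENGE_THRESHOLD = 25
REVIEW_THRESHOLD = 50


@dataclass(frozen=True)
class AccountProfile:
    """Constructed model of a commercial account's normal behaviour."""
    typical_max_amount: float   # largest ACH batch seen in normal history
    known_payees: frozenset     # payees paid before
    usual_ip_prefixes: tuple    # network prefixes the customer normally uses
    usual_hours: range          # local hours during which transfers are normally sent


@dataclass(frozen=True)
class AchTransfer:
    """One outbound ACH transfer request, as seen at authorisation time."""
    amount: float
    payee: str
    origin_ip: str
    hour: int          # local hour the request was submitted (0-23)
    new_device: bool   # session came from a device not seen before


def risk_score(t: AchTransfer, profile: AccountProfile):
    """Return (score, reasons): each red flag adds a constructed weight."""
    score, reasons = 0, []
    if t.payee not in profile.known_payees:
        score += 30; reasons.append("new payee")
    if t.amount > profile.typical_max_amount:
        score += 30; reasons.append("amount above historical maximum")
    if not any(t.origin_ip.startswith(p) for p in profile.usual_ip_prefixes):
        score += 20; reasons.append("unfamiliar network")
    if t.new_device:
        score += 20; reasons.append("unrecognised device")
    if t.hour not in profile.usual_hours:
        score += 10; reasons.append("outside usual hours")
    return score, reasons


def decide(t: AchTransfer, profile: AccountProfile):
    """Map a score to an action. High-risk transfers are held for a human,
    never released on the strength of an in-session challenge answer alone."""
    score, reasons = risk_score(t, profile)
    if score >= REVIEW_THRESHOLD:
        return MANUAL_REVIEW, score, reasons
    if score >= CHALLENGE_THRESHOLD:
        return CHALLENGE, score, reasons
    return APPROVE, score, reasons


def triage(transfers, profile):
    """Triage a batch and return the list of (decision, score, reasons)."""
    return [decide(t, profile) for t in transfers]


# Constructed sample profile; 203.0.113.0/24 is a documentation range.
SAMPLE_PROFILE = AccountProfile(
    typical_max_amount=10_000.0,
    known_payees=frozenset({"Acme Supply", "Payroll Service"}),
    usual_ip_prefixes=("203.0.113.",),
    usual_hours=range(7, 19),
)

# Constructed sample transfers: routine, step-up-worthy, and red-flag.
SAMPLE_TRANSFERS = [
    AchTransfer(4_500.0, "Acme Supply", "203.0.113.7", hour=10, new_device=False),
    AchTransfer(8_000.0, "New Vendor LLC", "203.0.113.7", hour=11, new_device=False),
    AchTransfer(95_000.0, "Unknown Recipient", "198.51.100.9", hour=3, new_device=True),
]

if __name__ == "__main__":
    for t, (decision, score, reasons) in zip(SAMPLE_TRANSFERS, triage(SAMPLE_TRANSFERS, SAMPLE_PROFILE)):
        print(f"{t.payee:18} ${t.amount:>10,.2f} -> {decision} (score {score}; {', '.join(reasons) or 'no flags'})")
```

The third transfer trips every flag and is held for review regardless of whether the session could answer a challenge question; that is the manual-review step the order says would have made better use of the bank's existing risk profiling. The password-only login that started the session is a single factor, so the profile checks here supplement rather than replace a second authentication factor.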

Follow Tracy Kitten on Twitter: @FraudBlogger
