July 23, 2012

Cybersecurity and the UCC

Posted in Commercial Litigation

Article 4A of the UCC governs the rights, duties and liabilities of banks and their commercial customers with respect to electronic funds transfers.  Under Article 4A, a bank receiving a payment order ordinarily bears the risk of loss for any unauthorized funds transfer.  One way the bank can shift that risk to the customer, however, is by showing that an agreed-upon “commercially reasonable” security procedure was in place, and that the order (which later turned out to be fraudulent) was accepted in good faith and in compliance with that procedure.

In the Patco case, Ocean Bank (a southern Maine community bank) authorized six fraudulent withdrawals, totaling almost $600,000, from an account held by Patco Construction Company (a small property development company and contractor).  The thieves had correctly supplied Patco’s customized answers to the bank’s on-line security questions.  Although the bank’s security system flagged each of the transactions as “high risk” (they were inconsistent with the timing, value, and geographic location of Patco’s regular payment orders), it did not notify Patco of this, and it allowed the transactions to go through.

Patco discovered the fraudulent transactions only six days after they began, and only because portions of the unauthorized transfers were returned to the bank when the account numbers to which the funds were supposed to be sent turned out to be invalid.  The bank forwarded “return notices” to one of Patco’s principals via snail mail.  Patco immediately called the bank to report the fraud.

Following Patco’s notification, the bank was able to block or recover $243,406.83, leaving a residual loss of $345,444.43.

The bank had in place a number of online security measures.  These included user IDs and passwords; invisible device authorization (through “cookies”); risk profiling (which generated a risk score for each transaction based upon IP address, device cookie ID, geographic location, and history of transactions); and challenge questions.  But the hackers got around all of the obstacles.

The Court ultimately ruled that the bank’s security measures appeared to be unreasonable under the circumstances, mostly because of the way the customized “challenge questions” were handled. The bank’s system let the bank set a dollar threshold above which a transaction would automatically trigger challenge questions, even if the user ID, password and device cookie were all valid.  Initially, the bank set the threshold at $100,000; later (the fatal mistake), the bank lowered it to $1.  Because the $1 threshold triggered challenge questions on every transaction, the customer typed the answers in every session, and the answers became exposed to “keyloggers.”  A “keylogger” is a form of computer malware that infects a user’s system, secretly monitors the user’s Internet activity, recognizes when the user has browsed to the website of a financial institution, and records the user’s keystrokes on that website.  The keylogger captures the user’s authentication credentials, including challenge-question answers, and transmits them to a cyber-thief.  Once captured, those answers are no secret at all.
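To make the mechanics of the two failures concrete (challenge questions triggered on every transaction, and “high risk” scores that never reached the customer), here is a small simulation added to this post. It is constructed for illustration and is not the bank’s system, the Court’s analysis, or any real product: the risk signals mirror the ones listed above (IP address, device cookie, geography, transaction history), but the point weights, the `HIGH_RISK` cut-off, the transaction values and the thresholds are all assumed. It also assumes the worst case the post describes, namely that the customer’s PC carries a keylogger, so once the challenge answers have been typed even once they are treated as known to the fraudster. The model generalizes slightly beyond the post by also trying a threshold sitting between routine and anomalous amounts.

```python
"""Toy model of risk-based step-up authentication (constructed example).

Replays a stream of customer and fraudulent payment orders under different
policies and reports how many fraudulent orders were approved, how many
orders were held for customer confirmation, and how many times the
legitimate customer had to type the static challenge answers ("exposures").
"""
from dataclasses import dataclass


@dataclass
class Transaction:
    amount: float
    ip: str
    device_cookie: str
    country: str
    hour: int            # local hour of day, 0-23
    from_customer: bool  # ground truth; used only to score the model, never by the policy


@dataclass
class Profile:
    known_ips: frozenset
    known_cookies: frozenset
    home_country: str
    usual_hours: range
    typical_max_amount: float


HIGH_RISK = 50  # assumed score cut-off for "high risk"


def risk_score(tx: Transaction, p: Profile) -> int:
    """Additive risk score over the signals the post lists. Weights are assumed."""
    score = 0
    if tx.ip not in p.known_ips:
        score += 25
    if tx.device_cookie not in p.known_cookies:
        score += 25
    if tx.country != p.home_country:
        score += 30
    if tx.hour not in p.usual_hours:
        score += 10
    if tx.amount > p.typical_max_amount:
        score += 20
    return score


def run_policy(txs, profile, challenge_threshold, hold_high_risk):
    """Return (approved_fraud, holds, exposures) for one policy setting.

    exposures counts how often the real customer typed the challenge answers.
    Assumption: the customer's endpoint may be keylogged, so once exposures > 0
    the answers are treated as known to whoever controls the malware.
    """
    exposures = 0
    approved_fraud = 0
    holds = 0
    for tx in txs:
        if hold_high_risk and risk_score(tx, profile) >= HIGH_RISK:
            holds += 1          # held pending out-of-band confirmation with the customer
            continue
        if tx.amount > challenge_threshold:
            if tx.from_customer:
                exposures += 1  # customer answers the questions (and a keylogger would see them)
            elif exposures == 0:
                continue        # answers still secret: fraudulent order fails the challenge
        if not tx.from_customer:
            approved_fraud += 1
    return approved_fraud, holds, exposures


# Constructed sample profile and transaction stream (not Patco's real data).
PROFILE = Profile(
    known_ips=frozenset({"203.0.113.10"}),
    known_cookies=frozenset({"cookie-office-pc"}),
    home_country="US",
    usual_hours=range(8, 18),
    typical_max_amount=10_000.0,
)


def sample_transactions():
    routine = [Transaction(2_000.0, "203.0.113.10", "cookie-office-pc", "US", 10, True)
               for _ in range(20)]
    anomalous = [Transaction(95_000.0, "198.51.100.7", "cookie-unknown", "XX", 3, False)
                 for _ in range(6)]
    return routine + anomalous


SCENARIOS = {
    "threshold $100,000, no hold": (100_000.0, False),
    "threshold $1, no hold": (1.0, False),
    "threshold $50,000, no hold": (50_000.0, False),
    "threshold $1, hold high risk": (1.0, True),
}


def compare_policies():
    """Map each scenario name to its (approved_fraud, holds, exposures) triple."""
    txs = sample_transactions()
    return {name: run_policy(txs, PROFILE, thr, hold) for name, (thr, hold) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (fraud, holds, exp) in compare_policies().items():
        print(f"{name:32s} approved fraud={fraud}  held={holds}  answer exposures={exp}")
```

Read across the scenarios: a threshold above both routine and anomalous amounts never asks the question at all; the $1 threshold asks it constantly, so the answers are typed twenty times and no longer protect anything; a threshold that separates routine from anomalous traffic challenges only the outliers while the answers stay unexposed; and holding anything the engine already scores as high risk stops the loss regardless of what the challenge questions are worth. The last line is the one the post turns on: the bank’s engine produced the score, and nobody acted on it.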

The bank, however, argued that, whatever the failures in the bank’s system, Patco messed up.  Upon learning of the fraud, the bank told Patco to disconnect whatever computers were used for e-banking; stop using them for work; leave them turned on; and bring in a forensic professional to determine whether a security breach had occurred.  The bank argued that Patco failed to follow its instructions (which Patco denied).  

The Court wrote: “It is unclear what, if any, obligations a commercial customer has when a bank’s security system is found to be commercially unreasonable.”  The Court ordered further proceedings on the question of the duties of the customer, and, like all judges worth their salt, also wrote:  “On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement.”

Here are a couple of takeaways from this.  First, isn’t it funny that, for all the sophisticated electronic measures taken to combat fraud, the fraud was only caught here because of attention to good, old-fashioned snail mail? (This is why I always have hard copy backup and a Plan B when I use technology in the courtroom.)  Pay attention to all sources of information…even those that come via the U.S. Postal Service.   Second, the sad truth is that, if you’re doing business on the Internet, you have to assume that some malcontent out there will be able to get past even the most sophisticated security measures and grab your confidential information.  Think now about what you’ll do if that happens.  One place to look is your insurance coverage program.  Here’s a pretty good article from the Washington Post on the basics of that (written for small business, but really applicable to all business).