Privacy Rumblings Grow Louder: Prompted by Recent Publicity over Data Breaches, Congress, State Houses, and, Increasingly, the Courts Are Considering Cases and Proposals That Could Impact Banks

If you already have trouble sleeping at night, don't read any further. Not to minimize anything going on in Congress or the statehouse, but a pending state lawsuit concerning customer data has drawn little banking industry press and yet poses the risk of setting some awful precedents in the areas of identity theft, data breaches, and privacy law violations.

The case is considered a test of the relative responsibilities of banks and their customers for ensuring the security of online financial transactions, and it is believed to be the first case of a customer suing their bank over cyber crime losses. While the case involves only one firm thus far, the plaintiff's attorney has been quoted as hoping to turn the matter into a class action suit.

Officially known as Ahlo, Inc. vs. Bank of America, N.A., the case, filed Feb. 3 with the 11th Judicial Circuit of Florida, Miami-Dade County, draws its colloquial name--the "Lopez case"--from that of the owner of Ahlo, Joe Lopez. Ahlo is a small supplier of business goods. The case had not gone to trial as of mid-May, but the two sides had already been trading motions and BofA had already moved to dismiss the civil suit.

This is Lopez' case, in a nutshell. He alleges that an unknown third party infiltrated the company's computer and initiated an unauthorized wire transfer for $90,348.65, and that the beneficiary bank, Parex Bank, in Latvia, refuses to return the money to Ahlo. Some has already been withdrawn and the rest is frozen.

Here's where the bank comes in. Ahlo blames the bank for allowing the wire to be sent, for failing to recall the wire, and for not reimbursing Ahlo. The firm charges the bank with breach of contract, breach of good faith, and more, including fraud.

Getting to particulars

The cause of the breach of Ahlo's accounts, according to the firm's case, was a computer virus called Coreflood, which it claims the bank should have warned it about. In an extended legal argument for dismissal, the bank stated that: "Ahlo alleges that the Bank owed a fiduciary duty to advise Ahlo that on-line accounts are subject to exploitations by computer viruses. However, superior knowledge alone is insufficient to transform a banking relationship into a fiduciary relationship.... Moreover, the Plaintiff does not allege that Bank of America promised to protect the Plaintiff's computer from viruses. Indeed, there is no allegation that Bank of America allowed its own system to be compromised."

The bank declines to comment specifically on the case because of customer confidentiality. However, a spokeswoman did state that, "Safeguarding information is a priority for Bank of America. Completion of wire transfer transactions requires multiple levels of security to initiate and complete. Our internal review of the transaction in question determined that all of the required account and personal information required to complete the transaction was provided and all appropriate security steps took place within our systems."

Symantec Corp.'s website defines Coreflood as a trojan horse virus. It has been known since late 2002, according to the site, and though it is frequently used to initiate denial of service attacks, it also allows a hacker to gain unauthorized access to an infected computer. Reportedly, the virus was detected when the Secret Service analyzed Ahlo's machine for infiltration. However, reports indicate that the Secret Service has not determined that the virus caused the loss.

The case has been the source of a furious debate on the internet between IT experts and other parties. However, in a commentary posted on the website FindLaw for Corporate Counsel, Anita Ramasastry, Associate Professor at the University of Washington School of Law and a director of the Shidler Center for Law, Commerce & Technology, analyzed the case. If the bank loses it, she wrote, one could envision a massive duty to advise online banking clients of every potential risk posed by hackers and other internet fraud, potentially even including remedial steps. …