Academic journal article ABA Banking Journal

Rethink Cyber Security: Patco Decision Finds Banks Must Do More

Academic journal article ABA Banking Journal

Rethink Cyber Security: Patco Decision Finds Banks Must Do More

Article excerpt

The cost of operating a technologically secure bank may have just gone up. The First Circuit's ruling in Patco Construction Co. v. People's United Bank means banks can be liable for the money cyber thieves steal from a customer's commercial account.

[ILLUSTRATION OMITTED]

Patco joined Ocean Bank's "ebanking" program in 2003, primarily for weekly payroll; the payments exceed $37,000. In 2008, People's United Bank acquired Ocean Bank. In May 2009, hackers infiltrated Patco's account and initiated six fraudulent transfers totaling $588,851.26. The thieves apparently used computer malware to steal Patco's customized answers to security questions and passwords. The bank recovered just $243,406.83.

Patco sued, claiming the bank's "commercially unreasonable" security procedures allowed hackers to steal security data. Article 4A of the Uniform Commercial Code generally holds banks responsible for the loss of any unauthorized funds transfer, but banks may shift the risk of loss to a commercial customer if transfers follow commercially reasonable security procedures.

The bank argued that its ebanking agreement detailed the procedures and limited the bank's liability. The district court held that the bank's security systems were commercially reasonable. The First Circuit reversed the decision: The bank's "collective failures" made security procedures inadequate.

Initially, Patco users answered "challenge questions" for all transfers over $100,000, but in June 2008, the bank lowered the threshold to all transfers over one dollar. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.