From behind a laptop and halfway around the world, they can stroll into a bank vault and drain corporate accounts in a matter of minutes. They can abscond with hundreds of thousands of dollars at a time, all with a just a few swift keystrokes, and all before anybody realizes the money is gone.
Cyber thieves represent one of the most rapidly growing problems for banks and businesses. Since 2008, there have been roughly 50 reported incidents of cyber theft involving at least $13 million in fraudulent electronic fund transfers. On average, cyber thieves have gotten away with just under $300,000 per theft, and have spawned almost a dozen lawsuits across the country, turning banks and businesses against each other as the innocent victims of cyber theft.
Anatomy of Cyber Theft
Cleverly designed emails can trick unsuspecting recipients into installing a computer virus, which can infect a business’ entire network and secretly log every keystroke made on the affected computers. By logging keystrokes, the cyber thieves are able to acquire the business’ confidential banking credentials, including usernames, passwords and answers to security questions.
When the time is right, the cyber thieves strike, electronically transferring thousands of dollars to outside accounts and depleting the victim’s balance. In most cases, the cyber thieves will disguise the transactions as payroll transactions, but the recipients are anything but actual employees of the business. In fact, the recipients are themselves unwitting pawns in the theft. Commonly known as money mules, they have themselves been recruited by the cyber thieves through online scams. In some cases, the money mules are told that they will receive a certain amount of money — usually for completing a nominal task — and instructed to keep a small portion of the theft as their commission and to forward the rest to another person, who is oftentimes yet another unwitting money mule.
There is often little recourse for commercial victims of cyber theft. Unless an account is being vigilantly monitored, cyber thieves usually have time on their side. They avoid detection by strategically initiating the fraudulent transfers at times when the account is not likely to be actively monitored, such as holidays when key employees may be out of the office. For this reason, school districts with predictable or defined holiday schedules have become favorite targets. The thieves also exploit electronic fund transfers through automated clearinghouses, where processing rules and standards can sometimes give cyber thieves a window of several days before the theft is even detected, at which point it may be too late to cancel or reverse the transactions. The various mules — who rarely pocket enough money to make individualized pursuit worthwhile — obscure the path of the funds and make recovery from the cyber thieves difficult, if not impossible.
As a result, victimized businesses are left with substantially depleted accounts and thus understandably expect their banks to compensate them fully for the apparent bank robbery. That was exactly the situation facing Ocean Bank in Maine and Dallas-based Comerica Bank, both of which had commercial customers that were victimized by cyber theft. While some banks will repay their customers, these banks refused, claiming that they were not responsible for the theft because the theft originated on the customer’s end. As some of these disputes have matured into heated lawsuits, the question for the courts now is, “Who should bear the loss?”
The Legal Standard
The answer is found in Article 4A of the Uniform Commercial Code. While individual consumers are generally protected against losses from this type of cyber theft through Regulation E of the Electronic Fund Transfer Act, businesses with commercial bank accounts are subject to a slightly different standard. Under Article 4A, the question of who bears the loss revolves primarily on whether the bank’s security measures were “commercially reasonable.” That is, did the bank use appropriate safeguards to ensure that online access to the business’ account was properly granted? In the past, a security system requiring only a user name and password may have been deemed commercially reasonable.
But now, a number of factors must be considered, including the wishes of the customer, the types of transactions the customer frequently performs, alternative security procedures offered to the customer, and the security measures used by customers and banks “similarly situated.” For example, a court in Maine recently exonerated Ocean Bank after analyzing these factors and concluding that its security, which involved user names and challenge questions, was commercially reasonable given its specific circumstances. Thus, while banks may not need to adopt every top-of-the-line security measure available, they must still stay current of advances in security to ensure that their security is commercially reasonable based on their clientele.
Managing Cyber Theft Litigation
Defending cyber theft litigation can be costly for banks. Victimized businesses usually seek not only the return of the lost funds, but also other damages. In some cases of cyber theft, the fraudulent transfers dipped into the customer’s line of credit, triggering additional fees and losses. Outdated insurance policies may not cover the loss, leaving the bank to choose whether to repay the disgruntled and likely now-former customer, or defend the lawsuit.
For most banks, defending the lawsuit may seem appealing at first. After all, from the bank’s perspective, its security functioned precisely as it was supposed to, and the customer should bear the loss for allowing its network and banking credential to be compromised. But this is not the only consideration. Cyber theft can be a public relations nightmare for a bank, especially because most customers may mistakenly believe that the bank’s security failed, when in fact it was the victim’s network that was compromised. Also, news of the cyber theft may adversely affect retail customers, who may not easily understand that Regulation E offers broader protection against cyber theft than the laws applicable to commercial accounts. Thus, if the bank chooses to vigorously defend the lawsuit, it should be prepared to address a variety of inquiries from concerned customers.
To avoid liability and establish the commercial reasonableness of their security, banks must also demonstrate that they processed the fraudulent transfers in “good faith,” which means that the more suspicious the banking activity appears, the harder it will be for the bank to innocently process the transaction. For example, Comerica Bank was held liable because it failed to halt more than a dozen fraudulent transfers that were initiated after the bank received notice of suspicious activity. As a result, banks should be prepared for their security measures and internal policies to come under intense scrutiny. In response, banks will likely need to retain experts familiar with online banking security to testify about the effectiveness of their security, which can increase the cost of defense. Banks will also need to publicly defend their internal policies for dealing with suspicious transfers and, hopefully, their compliance with those policies.
Various responses have been proposed to curb cyber crime and its damaging effects, such as such as new legislation, cyber theft insurance and stepped-up prosecution of money mules. For their part, banks must join the fight by assessing their vulnerability to cyber theft and upgrading their security as appropriate. For example, the Federal Financial Institutions Examination Council recently issued a guidance that banks must comply with starting in January 2012. The guidance directs banks to re-assess their security measures and adopt layered security to detect and respond to suspicious banking activity. Such measures could include account fraud detection and monitoring, dual customer authorization, out-of-band verification, enhanced control over account activities and IP-vetting tools. Of course, the FFIEC guidance also stresses customer awareness, which means banks should proactively discuss the threat of cyber theft and work together to develop strategies to protect the customer’s money. After all, the best kind of cyber theft is the one that never occurs.
Still, despite best efforts, cyber theft is bound to increase, as these 21st century criminals have proven adept at staying ahead of the curve and crafting new ways to exploit technology and security vulnerabilities. While the law recognizes that banks can avoid liability for cyber theft in certain instances, customers assume that their accounts are safe and can become justifiably litigious if their funds are lost. As a result, banks must stay vigilant and recognize the devastation that can be wreaked by a few simple keystrokes.
Joseph A. DiMenno is a shareholder in the commercial law and litigation group at Dickie, McCamey & Chilcote, P.C. in Pittsburgh. Nathan Kostelnik is an associate in the firm.
Copyright (c) December 2011 by BankNews Media.