
InfoBytes Blog

Financial Services Law Insights and Observations

Lawsuits Allege Banks Did Not Maintain “Commercially Reasonable” Data Security Systems

State Issues

Recently, data security breaches at banks in Texas and Maine have resulted in two separate lawsuits alleging that the banks did not maintain “commercially reasonable” data security systems: PlainsCapital Bank v. Hillary Mach. Inc., No. 4:09-cv-00653 (E.D. Tex. Dec. 31, 2009), and Patco Constr. Co. Inc. v. People’s United Bank, No. 2:09-CV-00503 (D. Me. Feb. 2, 2010).

In PlainsCapital, a Texas bank approved an $800,000 transfer request from the account of a machining company. The transfer was later discovered to be fraudulent. Although the bank recovered nearly three-quarters of the transferred funds, the machining company sent the bank a letter arguing that the bank was liable for the remaining funds because it had failed to maintain “commercially reasonable security measures” in its internet banking system. Shortly after receiving the letter, the bank filed a complaint in the Eastern District of Texas seeking a declaratory judgment that its security measures are “commercially reasonable” within the meaning of §§ 4A-201 and 4A-202 of the Uniform Commercial Code (UCC).

In Patco, a construction company sued a Maine bank after the bank allowed a fraudulent transfer of $588,581 from the company’s account. In its complaint, the construction company alleged, among other things, (i) that the bank failed to maintain “commercially reasonable” data security, as required by § 4-1204 of Maine’s version of the UCC, because it relied on single-factor user authentication rather than the multi-factor authentication recommended in the Federal Financial Institutions Examination Council’s (FFIEC) guidance on online banking authentication, and (ii) that the bank set an unreasonably low threshold for prompting the challenge questions it used as a second check on top of customer passwords.

In its answer, the bank argued that the construction company was contributorily negligent because it had failed to monitor its account daily, as required by its eBanking agreement and its Automated Clearing House (ACH) funds-transfer contract with the bank.