
InfoBytes Blog

Financial Services Law Insights and Observations

First Circuit Holds Bank May Be Liable For Customer Losses from Cyber Attacks

Privacy/Cyber Risk & Data Security

Consumer Finance

On July 3, the U.S. Court of Appeals for the First Circuit became the first federal appellate court to address the issue of bank liability for the loss of customer funds resulting from a breach of a bank’s cyber security, reversing a district court’s holding that the bank was not liable for such losses because its security protections were commercially reasonable. Patco Const. Co., Inc. v. People’s United Bank, No. 11-2031, 2012 WL 2543057 (1st Cir. Jul. 3, 2012).

Patco Construction Company, a commercial banking customer, suffered losses when cyber attackers gained electronic access to its account and made a series of unauthorized withdrawals. The customer sued the bank to recover the lost funds. The district court granted summary judgment in favor of the bank, holding that the customer should bear the loss from the fraudulent transfers because the bank’s cyber security protections were commercially reasonable, and the customer agreed that the procedures were reasonable when it signed the contract to add its electronic account.

On appeal, the customer argued that the procedures were not commercially reasonable, that it did not agree to the procedures, and that the bank did not comply with its own procedures. Specifically, the customer argued that the bank increased the risk of compromised security when it decided to lower the threshold that triggered account verification questions from $100,000 to $1, essentially requiring that the verification questions be answered for every transaction without considering the circumstances of the customer and the transaction. The First Circuit agreed. It found that the procedure change increased the risk of fraud through unauthorized use of compromised security answers. Moreover, after it had warning that fraud was likely occurring, the bank did not monitor the transaction or provide notice to the customer.

The court held that the bank’s collective security failures, when compared to the security measures employed by other financial institutions and the bank’s capacity to implement more robust protections, rendered its security procedures commercially unreasonable. The court reversed the district court’s ruling in favor of the bank and remanded for further proceedings.