Cyber Liability Update: Bank May Be Held Liable to Business for Failure to Maintain Commercially Reasonable Security Measures Resulting in Cyber Theft


Over the past few years, businesses have experienced a surge in cyber attacks. Their bank accounts have become a prime target of such attacks. Last month, the United States Court of Appeals for the First Circuit in Boston issued a decision in Patco Construction Company, Inc. v. People's United Bank, No. 11-2031, 2012 WL 2543057 (July 3, 2012) that could open the door to potential liability for banks and lead to increased protection for businesses which are victims of cyber theft.

At issue in Patco was whether Ocean Bank (a community bank in southern Maine that was later acquired by People's United Bank) could be held liable to Patco Construction Company for a $345,000 loss Patco suffered due to fraudulent online banking withdrawals from its account. The First Circuit's decision is significant because it is the first to conclude that a bank's security system failed to meet the "commercial reasonableness" standard under Article 4A of the Uniform Commercial Code (UCC), which governs electronic funds transfers between businesses and their financial institutions. The UCC has been adopted, with some local variation, in all 50 states and the District of Columbia.

Patco began using internet banking for its commercial checking account with Ocean Bank in 2003. Ocean Bank subsequently determined that its internet banking service was a high-risk system requiring enhanced security, and later purchased a security program to control those risks. The program included risk profiling, a feature that monitored a multitude of data (including IP address, device cookie ID, geolocation, and transaction amount/activity) and reported any high-risk transactions to the bank. High-risk transactions would prompt "challenge questions" designed to prevent unauthorized access. In 2008, Ocean Bank lowered the dollar amount rule for challenge questions from $100,000 to $1.00, with the effect that Patco was prompted to answer these questions every time it initiated a transaction.

In May 2009, cyber thieves made a series of withdrawals from Patco's account over the course of several days. Each transaction generated a high-risk score, but Ocean Bank was not notified of this. At the end of the string of thefts, a total of $588,851 was fraudulently withdrawn, of which $243,406 was recovered.

Patco subsequently brought suit against Ocean Bank seeking to recoup the $345,000 loss and claiming that Ocean Bank's security system was not commercially reasonable under Article 4A of the UCC, as codified in Maine. Under Article 4A, a bank will bear the loss of an unauthorized commercial fund transfer, unless it can demonstrate that it maintained a "commercially reasonable method of providing security against unauthorized payment orders" and that it "accepted the payment order in good faith and in compliance with the security procedure." UCC § 4A-202(b). The commercial reasonableness of the security procedure is a question of law to be determined by the court.

Patco argued that Ocean Bank's decision to lower the dollar amount rule to $1.00 in 2008 increased the risk that answers to challenge questions would be compromised by "keylogger" computer malware, which infects a user's system and records the user's keystrokes, transmitting them to cyber thieves. The First Circuit agreed with Patco's argument and concluded that, aside from lowering the dollar amount rule, Ocean Bank failed to take any additional security measures (despite its knowledge of substantial increases in internet fraud involving keylogging malware) and that its generic "one-size-fits-all" approach to its customers' security violated Article 4A. The Court, therefore, held that Ocean Bank's security system was commercially unreasonable. However, the Court remanded the case to the lower court, leaving open the question of what, if any, obligations or responsibilities Article 4A imposed on Patco for purposes of liability or mitigation of damages.
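The security argument the Court accepted is easy to see in a small simulation. The toy model below is an added illustration written for this page; it is not Ocean Bank's system or any vendor's product, and the scoring weights, the `HIGH_RISK` cutoff, the customer and attacker records, and the challenge questions are all constructed assumptions. It scores a transaction on the signals the article lists (IP address, device cookie, geolocation), applies a dollar-amount rule for challenge questions, and models a keylogger that records the answers whenever the customer is made to type them. With the rule set to $1.00 the customer is challenged on every routine transfer, so the malware captures every answer and the thief passes the step-up check from a foreign device; with the rule at $100,000 the same thief is challenged by the risk score alone and fails. A second flag shows the separate notification failure the article describes: whether a high-risk score ever reaches the bank.

```python
"""Toy model of threshold-triggered challenge questions versus a keylogger.

Added illustration for this page; the data and weights below are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample data (not from the case record).
CHALLENGE_QUESTIONS = ("first car", "mother's maiden name", "first pet")
HIGH_RISK = 60  # assumed score at or above which a transaction is "high-risk"


@dataclass
class Customer:
    usual_ip: str
    usual_cookie: str
    usual_geo: str
    answers: dict  # the customer's secret challenge answers


@dataclass
class Transaction:
    ip: str
    cookie: str
    geo: str
    amount: float


def risk_score(cust: Customer, tx: Transaction) -> int:
    """Toy risk profiling over the signals the article names (IP, cookie, geo)."""
    score = 0
    if tx.ip != cust.usual_ip:
        score += 30
    if tx.cookie != cust.usual_cookie:
        score += 30
    if tx.geo != cust.usual_geo:
        score += 30
    return score


@dataclass
class Bank:
    challenge_threshold: float  # the "dollar amount rule" for challenge questions
    notify_on_high_risk: bool   # whether a high-risk score is reported to the bank
    alerts: list = field(default_factory=list)

    def process(self, cust: Customer, tx: Transaction, typed_answers: dict):
        """Return (accepted, score, challenged) for one payment order."""
        score = risk_score(cust, tx)
        if score >= HIGH_RISK and self.notify_on_high_risk:
            self.alerts.append((tx.amount, score))
        # Step-up on a high-risk score OR on the amount rule.
        challenged = score >= HIGH_RISK or tx.amount >= self.challenge_threshold
        if not challenged:
            return True, score, False
        ok = all(typed_answers.get(q) == cust.answers[q] for q in CHALLENGE_QUESTIONS)
        return ok, score, True


def simulate(challenge_threshold: float, notify_on_high_risk: bool,
             legit_amounts, attacker_amount: float = 90_000.0):
    """Run routine customer transfers, then one attacker transfer from a new device.

    Returns (attacker_accepted, attacker_risk_score, number_of_alerts_raised).
    """
    cust = Customer("198.51.100.10", "cookie-abc", "US-ME",
                    {"first car": "civic", "mother's maiden name": "smith",
                     "first pet": "rex"})
    bank = Bank(challenge_threshold, notify_on_high_risk)
    keylog: dict = {}  # what malware on the customer's PC has recorded

    # Legitimate transfers from the usual device: score 0, challenged only by amount.
    for amt in legit_amounts:
        tx = Transaction(cust.usual_ip, cust.usual_cookie, cust.usual_geo, amt)
        accepted, _, challenged = bank.process(cust, tx, cust.answers)
        assert accepted
        if challenged:
            keylog.update(cust.answers)  # the answers were typed, so they were logged

    # The thief replays from another device and location with only what was logged.
    atk = Transaction("203.0.113.7", "cookie-unknown", "XX", attacker_amount)
    accepted, score, _ = bank.process(cust, atk, keylog)
    return accepted, score, len(bank.alerts)


if __name__ == "__main__":
    routine = [500.0, 1200.0, 300.0]
    print("$1 rule, no notification:      ", simulate(1.0, False, routine))
    print("$100,000 rule, notification on:", simulate(100_000.0, True, routine))
```

The lesson is not that challenge questions are useless but that a static secret used as a step-up factor is only as strong as the number of times it is typed into a possibly compromised endpoint; triggering it on every transaction converts the risk engine's main control into a liability, and routing high-risk scores to nobody removes the last chance to catch the transfer.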

While the First Circuit's holding in Patco may be limited to its facts, the decision nonetheless provides guidance as to what constitutes commercially unreasonable security procedures that could lead to liability under Article 4A of the UCC. Patco also serves as yet another cautionary tale of the constant threat of cyber attacks that businesses face today, and underscores the importance of establishing safeguards to comply with applicable laws and to mitigate the risk of cyber attacks.

For more information regarding the Patco case or cyber liability issues in general, please contact David Governo ([email protected]) or Corey Dennis ([email protected]).