The Losses Keep Coming
Posted on 05/27/2016 at 12:00 AM by John Lande
This blog has previously covered instances of corporate account takeover that have resulted in litigation between account holders and banks. Chelan County, Wash. v. Bank of America Corp., a 2015 case from Washington, provides yet another example of the risk that banks and account holders have from cyberattacks and corporate account takeover.
The case follows what is becoming a familiar pattern. A county hospital in Washington state held several bank accounts at Bank of America. Bank of America offered the hospital the ability to initiate ACH transfers online through an internet banking module.
Over the course of two days, hackers accessed the hospital's bank accounts through malware installed on a hospital employee's computer. The hackers used that access to transfer over $1,000,000 out of the hospital's accounts. When the hospital identified the fraud it asked Bank of America to reverse the transactions, but only a portion of the funds could be recovered.
According to the court, before an ACH transfer from the hospital’s accounts could occur the following steps had to be completed:
1. The module created a digital fingerprint of each computer that accessed the online module. If the system did not recognize the computer, it would issue a challenge question for the user to answer.
2. A digital certificate was installed on approved computers. Computers without the digital certificate would be denied access.
3. The system would generate a fraud score based on login patterns and would identify high-risk logins for further review.
The parties disputed whether the following security procedures were also required:
1. The system denied transfers if there was a $0 balance in the account.
2. A call-back procedure that required the bank to call the account holder before approving transactions.
3. Transfers could be reversed within 24 hours of authorization if the account holder requested reversal.
Bank of America and the hospital disputed both the efficacy of the security procedures outlined above and which parts of those procedures the parties had actually agreed to implement.
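To make the layering concrete, the following is an added example (not the bank's system and not code from the opinion) that models the controls listed above as an authorization policy and runs constructed sessions through it. The control names, the fraud-score threshold, the callback amount threshold, the enrolled fingerprint and the sample sessions are all assumptions chosen for illustration. The point it shows is the one a practitioner should take from the facts of the case: a device fingerprint and a client certificate authenticate the machine, so a session driven by malware on an enrolled machine passes both, and only the disputed out-of-band controls (callback, reversal window) stand between that session and the money.

```python
"""Layered ACH-authorization policy modelled on the controls listed in the
Chelan County v. Bank of America opinion. Added example, not the bank's code.
All thresholds, names and sample sessions below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

TRUSTED_FINGERPRINTS = {"fp-hospital-ap-01"}   # enrolled workstations (constructed)
REVIEW_SCORE = 70                               # assumed fraud-score threshold (0-100)
CALLBACK_THRESHOLD = 100_000                    # assumed: callback required at or above this


@dataclass
class Session:
    fingerprint: str
    has_certificate: bool
    fraud_score: int                 # higher means riskier login pattern
    answered_challenge: bool = False


@dataclass
class Transfer:
    amount: int
    account_balance: int
    authorized_at: datetime


@dataclass
class Policy:
    require_callback: bool = False               # the disputed call-back procedure
    reversal_window: timedelta = timedelta(hours=24)   # the disputed reversal window


def authorize(session, transfer, policy, callback_confirmed=False):
    """Return (decision, reasons). Decisions: deny, challenge, review, hold, allow."""
    # Control 2: computers without the digital certificate are denied access.
    if not session.has_certificate:
        return "deny", ["no client certificate"]
    # Control 1: unrecognized device fingerprint triggers a challenge question.
    if session.fingerprint not in TRUSTED_FINGERPRINTS and not session.answered_challenge:
        return "challenge", ["unrecognized device"]
    # Disputed control: no transfers from a $0 balance.
    if transfer.account_balance <= 0:
        return "deny", ["zero balance"]
    # Control 3: fraud score on login pattern routes high-risk logins to review.
    if session.fraud_score >= REVIEW_SCORE:
        return "review", [f"fraud score {session.fraud_score}"]
    # Disputed control: out-of-band callback before approving large transfers.
    if policy.require_callback and transfer.amount >= CALLBACK_THRESHOLD and not callback_confirmed:
        return "hold", ["callback required"]
    return "allow", []


def can_reverse(transfer, requested_at, policy):
    """Disputed control: reversal on request within the agreed window."""
    return requested_at - transfer.authorized_at <= policy.reversal_window


def compromised_endpoint_demo():
    """Malware on the enrolled workstation: trusted fingerprint, valid certificate,
    and a login pattern indistinguishable from the employee's own."""
    t0 = datetime(2020, 1, 1, 9, 0)   # constructed timestamp
    session = Session("fp-hospital-ap-01", has_certificate=True, fraud_score=15)
    transfer = Transfer(amount=250_000, account_balance=1_500_000, authorized_at=t0)
    without_callback = authorize(session, transfer, Policy())[0]
    with_callback = authorize(session, transfer, Policy(require_callback=True))[0]
    return {"agreed controls only": without_callback, "with callback": with_callback}


if __name__ == "__main__":
    print(compromised_endpoint_demo())   # {'agreed controls only': 'allow', 'with callback': 'hold'}
```

The three undisputed controls all key on properties of the endpoint or of the login, so a transfer originated from a compromised but enrolled machine is indistinguishable from a legitimate one at that layer. Whether the callback and the reversal window were part of the agreed procedure is exactly what the parties fought over, and in this model they are the only controls that would have changed the outcome.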
The dispute in the case centered on whether the hospital and Bank of America had agreed to use a commercially reasonable security procedure to verify the authenticity of ACH transactions submitted through the online system. If the two had agreed to a commercially reasonable procedure, and the bank followed it in good faith, then the hospital bore the loss. The hospital vigorously disputed that it had agreed to a procedure that was commercially reasonable.
The court did not decide whether the procedures above were commercially reasonable. It instead sent the parties to trial, where the factual disputes would be resolved first and the commercial reasonableness of the procedure ruled on afterward. After the court's ruling requiring the case to go to trial the parties settled, so we won't know whether a court would have found the security procedures outlined above commercially reasonable.
Banks have the potential to shift liability for certain fraudulent wire and ACH transfers to account holders. To do so the bank must (1) develop a commercially reasonable security procedure, (2) agree with its account holders to implement it, (3) comply with the procedure for every ACH and wire transfer, and (4) act in good faith when accepting ACH and wire transfer orders from account holders. This blog has covered the recent increase in email ghosting attacks, malvertising, and email phishing attacks. Those threats mean attacks like the one in Washington will continue. Banks should review their online money transfer systems and account holder agreements to determine whether they have the option to shift liability to account holders. Otherwise, banks may be forced to reimburse account holders for losses of hundreds of thousands of dollars.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Categories: Cybersecurity Law, John Lande, Banking Law
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.