In a case followed by bank analysts nationally, a federal judge ruled that People’s United Financial Inc. should not be on the hook for some $350,000 in a small business’s funds hacked from one of its customer accounts.
Two judges agreed with People’s arguments that the bank’s information technology security safeguards were reasonable, though the magistrate judge who issued an initial opinion said the bank’s security systems were “not optimal” at the time of the breach in May 2009.
Last May, an analyst firm called Javelin Research & Strategy warned that small-business owners represent an attractive target for fraudsters because they conduct myriad transactions that span both business and personal accounts and because they lack dedicated IT staff to monitor online operations. And after New York-based Citi suffered a breach earlier this year, the Federal Deposit Insurance Corp. said it would likely stiffen security requirements for banks.
Maine-based Patco Construction Company Inc. sued Ocean Bank, which People’s United added in 2008 as part of its acquisition of Chittenden Corp. In its lawsuit, Patco said Ocean Bank lacked adequate security to stop hackers who used keylogging malware to capture the passwords and challenge-question answers that Patco employees used to access accounts.
Ocean Bank relied on software from Jack Henry & Associates Inc., a Monett, Mo.-based company with nearly $1 billion in annual revenue.
Magistrate Judge John Rich III wrote last May that he could find no prior case considering whether the configuration of a discretionary rule can render a bank’s security system commercially unreasonable. U.S. District Court Judge Brock Hornby agreed with Rich’s determination that People’s United’s security procedures were “commercially reasonable” under Article 4A of the Uniform Commercial Code, preempting Patco’s claims.
“It is apparent, in the light of hindsight, that the bank’s security procedures in May 2009 were not optimal,” Rich wrote. “The bank would have more effectively harnessed the power of its risk-profiling system if it had conducted manual reviews in response to red flag information, instead of merely causing the system to trigger challenge questions. … The use of other systems, such as tokens and out-of-band authentication, also would have improved the security of the bank’s system and might have minimized the loss that occurred.”
Patco alleged Ocean Bank erred after setting an e-banking threshold at $1 that triggered challenge questions aimed at thwarting crooks who might have obtained account information. Ocean Bank did so after suffering breaches involving extremely small withdrawals, a tactic used by hackers to avoid drawing notice to funds being pilfered. Patco claimed that the low threshold forced its employees to answer challenge questions on practically every transaction – in turn making it relatively easy for hackers using keylogging malware to pick off those answers and so engineer the heist.
People’s United countered that Patco’s transaction totals were far higher, and so would have triggered those challenge questions even if the bank had not adopted a low threshold to do so.
“This was one of the first cases of its kind in the United States to deal with online hacking of bank accounts,” stated Brenda Sharton, a partner in the Boston office of Goodwin Procter L.L.P. who led the litigation team representing People’s United, in a client note. “People’s United Bank’s online banking security system is state of the art and among the best in use. Through this decision, the court recognized the commercial reasonableness of that system under the law.”
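To make the configuration issue concrete, here is an added example (not code from the case, the bank, or Jack Henry) contrasting a dollar-threshold step-up policy with the risk-profile-driven manual review the magistrate described; the transfers, risk scores, and score cut-offs are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass

# Outcome of one authorization decision; `challenged` records whether the
# customer had to type challenge-question answers (what a keylogger harvests).
Result = namedtuple("Result", ["outcome", "challenged"])

@dataclass
class Transfer:
    amount: float
    risk_score: int      # 0-100 from a risk-profiling system (assumed scale)
    knows_answers: bool  # submitter can answer the challenge questions

def amount_threshold_policy(t: Transfer, threshold: float = 1.0) -> Result:
    """Policy as described in the case: any transfer above the dollar
    threshold gets challenge questions, and correct answers approve it."""
    if t.amount <= threshold:
        return Result("approved", False)
    return Result("approved" if t.knows_answers else "denied", True)

def risk_profile_policy(t: Transfer, review_at: int = 70, challenge_at: int = 40) -> Result:
    """Step-up driven by risk score: high-risk transfers are held for manual
    review / out-of-band confirmation, which captured answers cannot satisfy;
    medium-risk transfers get a challenge; routine transfers pass silently."""
    if t.risk_score >= review_at:
        return Result("held_for_review", False)
    if t.risk_score >= challenge_at:
        return Result("approved" if t.knows_answers else "denied", True)
    return Result("approved", False)

def challenge_rate(transfers, policy) -> float:
    """Fraction of transfers on which the customer types challenge answers."""
    return sum(policy(t).challenged for t in transfers) / len(transfers)

# Constructed sample: a small business's routine payroll transfers from its
# usual workstation (low risk), and one fraudulent transfer submitted with a
# keylogged password and answers from an unfamiliar environment (high risk).
ROUTINE = [Transfer(a, 15, True) for a in (850.0, 1200.0, 2300.0, 640.0)]
FRAUD = Transfer(5000.0, 90, True)

if __name__ == "__main__":
    for name, policy in (("$1 threshold", amount_threshold_policy),
                         ("risk profile", risk_profile_policy)):
        print(f"{name}: routine challenge rate {challenge_rate(ROUTINE, policy):.0%}, "
              f"fraud -> {policy(FRAUD).outcome}")
```

Under the $1 threshold every routine transfer is challenged, so the answers are typed constantly and a keylogger that has them gets the fraudulent transfer approved; under the risk-driven policy the routine transfers are never challenged and the high-risk transfer is held regardless of what the submitter knows.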