Conducting business on the internet has become commonplace in recent years. As a part of this evolution in commerce, banks and other financial institutions now offer virtual versions of their traditional financial services. In addition to increased convenience and efficiency, the increased use of the internet has exposed banks and their customers to virtual theft and fraud. Although virtual crime was unforeseen many years ago, the law has developed, and continues to develop, the rules for determining who is liable for financial losses suffered from virtual crime: the banks or their account holders. Like the internet, the answer can be complicated.
Liability for Hacked Consumer Accounts
Unlike the law applicable to commercial accounts, the Electronic Funds Transfer Act has created a relatively straightforward scheme for determining liability for cyber crimes against consumer accounts. The Act imposes almost automatic liability on banks for cyber or electronic crimes against consumer accounts by limiting losses to consumers who comply with the requirements of the Act. If, however, the consumer does not comply with the requirements of the Act, the customer alone will suffer the losses resulting from the crime. The Act also limits the extent of bank liability to very low levels by requiring consumer victims to notify banks of the cyber or electronic crime within short time frames, which reporting enables banks to limit substantial losses by identifying and preventing repeated attacks against a hacked account.
Liability for Hacked Commercial Accounts
Commercial financial accounts are governed by Article 4A of the Uniform Commercial Code (“UCC”), which allows banks to avoid financial liability for cyber crimes if they employ “commercially reasonable” security procedures. In addition to Article 4A, courts and the Federal Financial Institutions Examination Council (“FFIEC”) have established guidelines for determining whether a bank’s security procedures are “commercially reasonable.”
Generally, the determination of whether security procedures are commercially reasonable considers (1) the customer’s requests to the bank; (2) the particular characteristics of the customer known to the bank, including size, type of business, and frequency of banking activities; (3) available alternative security procedures; and (4) security procedures in general use by similarly situated customers and financial institutions.
The FFIEC issued specific guidelines for electronic banking that also have an impact on the determination of whether certain security procedures are commercially reasonable. The guidelines strongly encourage banks to utilize multilevel authentication methodologies that involve each of the following: (1) something the account holder knows (e.g., a password or PIN); (2) something the account holder has (e.g., an ATM card); and (3) something the account holder physically is (e.g., a fingerprint). The FFIEC also instructs financial institutions to regularly monitor accounts and proactively report irregular activities by implementing “layered security programs” that detect and respond to suspicious activity.
In addition to limiting liability by following these guidelines, banks have avoided liability for cyber crimes against commercial accounts where, despite the availability of more comprehensive and secure procedures, the account holder chose less effective security procedures. In such circumstances, the courts have determined that customers that chose to take on higher risk (often in exchange for less expensive and less cumbersome security procedures) may not shift a cyber crime loss to their banks.
However, banks have also been found liable for losses stemming from cyber crime despite having commercially reasonable security procedures in place. Liability in these circumstances is typically imposed when banks fail to actively utilize their security procedures or act in good faith. For instance, a bank that implemented security procedures beyond those encouraged by the FFIEC was held liable for cyber crime losses, because it failed to monitor and notify its customer of numerous transactions that were given “high risk scores” by its own security mechanisms, which high risk transactions turned out to be the fraudulent work of a hacker. In another instance, a bank was found liable for hacking losses because of its authorization of numerous transactions over a short period of time that were out of character for the customer’s typically infrequent banking activities and resulted in the account going overdrawn $5 million.
As commerce continues to be conducted more regularly on the internet, cyber criminals will continue to create new ways to virtually steal real money from banks and their customers. Accordingly, it goes without saying that financial institutions must stay informed and on the cutting edge of cyber security to protect themselves and their account holders from cyber criminals.
In the context of consumer accounts, banks must be ready, receptive, and prepared to react to customer reports of cyber crime or fraud. Only in this way can banks limit customer losses and their share of such losses imposed by the Electronic Funds Transfer Act.
Regarding commercial accounts, banks can control their exposure for cyber crime losses by implementing and continuously updating strong, multilayered security procedures, knowing the banking practices of their customers, proactively monitoring accounts for suspicious activity, and keeping their commercial account holders informed of any suspicious activity.
Steve Casselberry is a partner and Steve Isbell is an associate with Musick, Peeler & Garrett, located in its Orange County office. Both attorneys specialize in the representation of financial institutions in litigation, finance, and transactional matters.