Spears Legal Technology

Disclaimer

This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Businesses, Viruses & Online Banking Pt. I

This weekend Joseph Flanders at Solo in Minneapolis added to his “Starting a Law Firm” series by discussing how to choose a business bank account. His post brought to mind a major topic that I feel still isn’t getting enough attention among small business owners (or the attorneys that advise them): fraudulent electronic funds transfers that result from the theft of the business’ online authentication credentials due to a computer virus.

This is the first of a two-part series discussing how small businesses need to be aware of the threats posed by fraudulent electronic fund transfers, and why the banks may not lend a helping hand.

[Image: vault. Credit: frko at stock.xchng]

The Scenario:

A medium-sized business discovers that over $800,000 in unauthorized wire transfers was removed from their business account without their knowledge. $600,000 is eventually recovered, but $200,000 remains outstanding. The business claims that evidence in the form of IP addresses logged by the bank show that the transfer requests were initiated from Europe and sent to accounts in eastern Europe and the former Soviet Union. This behavior was unprecedented and according to the business should have raised a red flag with the bank.

The bank, on the other hand, alleges that the business is responsible for the lost funds because the business computer used to initiate online transfers was found to have a virus. This particular virus (the Zeus trojan) intercepted the business’ authentication credentials (username/password), then transmitted that information to foreign cyber-criminals who initiated the fraudulent transfer. Because the computer systems of the business are beyond the bank’s control, the bank argues that the business is solely responsible for the loss.

The business writes the bank a letter seeking a refund of $200,000, alleging their security measures were not reasonable. The bank refuses, saying it acted in good faith, and that their security measures were reasonable. The bank then proactively sues the customer in federal court seeking confirmation that their security measures were reasonable.

That's right.
The bank sued the customer after losing the customer's money.

What is the Law?

Generally, consumer accounts would be legally protected in this situation. Commercial accounts, however, are different.

Commercial transfers are generally governed by Uniform Commercial Code Article 4A, specifically UCC §§4A-201-204. §4A-202(b) says that all payment orders, authorized or not, will be allowed once a bank and its customer have agreed on a security procedure for their authenticity so long as: (1) the bank's security procedure is "commercially reasonable", and (2) the payment order was accepted by the bank in good faith and in compliance with their agreement with the customer.

The customer may potentially shift the liability for the loss back to the bank under certain circumstances set forth in §4A-203(a)(2), but in this case the business simply argued that the bank's security procedure was not "commercially reasonable."

So how did it end?

Feeling outmanned by the bank’s resources, the business took its case to the public. They worked with a PR firm and used the Internet to draw public support. They got it in spades as local and national media outlets picked up on the story. The business happily linked to the news articles on their website. The publicity appears to have evened the odds: the business was generally viewed as the bullied victim, while the bank’s PR took a significant hit. The bank, seeking to limit additional negative publicity, asked the court to hold the hearings in private. The court refused.

A few days later the parties settled for an undisclosed sum. But the questions raised by the lawsuit remain. What does a “commercially reasonable” security procedure look like in an online banking context? How diligent must a business be to ensure that viruses do not compromise their authentication credentials? If it is decided that the blame rests with the cyber-thieves and not the banks, does that deter the banks from strengthening their security measures?

As the answers to these questions continue to evolve, greater education is required regarding safe online banking by small businesses. Solo, small and medium-sized law firms should pay special heed as well. Not everyone can withstand the loss of $200,000 from their accounts.

Pt. II on Wednesday:

1. Exactly how did the cyberthieves get the business’ credentials?
2. How much money is being lost due to fraudulent electronic fund transfers?
3. What can businesses do to protect themselves?
