A recent legal decision by the U.S. Court of Appeals in Boston highlights a serious threat facing many small businesses and underscores just how crucial it is for them to be proactive when it comes to defending themselves against hackers.
As reported in The New York Times, the case involves Patco Construction of Sanford, ME, which was robbed of $588,000 in 2009 by cybercriminals who used malware to raid the company’s business bank accounts and execute automated clearinghouse batch transactions. After the fraud was discovered, Patco’s bank was able to recover about $240,000 by halting some of the transactions. Mark Patterson, Patco’s owner, asked the bank to reimburse another $250,000 to the company, but the bank refused, and with reason, according to The Times.
“Business owners often assume incorrectly that the protection they have on personal bank accounts applies to their business accounts as well. But historically that has not been the case,” it reports. “Provided banks can show adequate security procedures, they have no legal obligation to reimburse businesses for attacks, as federal regulations do not cover commercial accounts.”
Patco brought suit against Connecticut-based People’s United Bank, which had acquired the local bank in Maine. Both sides agreed on the facts of the case, and in 2011 the Federal District Court ruled in the bank’s favor, saying its security systems were “commercially reasonable.”
Patco then pursued the case in the Court of Appeals in Boston, arguing that People’s United had failed to prevent the crime because it had configured its security systems improperly and ignored red flags that a fraud was being perpetrated. The system used by the bank assigns a risk score for every transaction that ranges from zero to 1,000. Patco’s typical scores reportedly maxed out at 214, but the fraudulent transaction scores were in the high 700s. Patco’s attorney, Dan Mitchell, made the case that while People’s United had the ability to generate scores, it didn’t do anything with them.
The construction company won its appeal, and in November 2012 People’s United agreed to pay it the full amount stolen plus interest. Mitchell calls the case “a guidepost”, telling The Times that he believes the ruling will motivate banks not only to purchase adequate security systems, but to also configure and maintain them properly.
Sari Stern Greene, the president of a data security company who was an expert witness for Patco in the case, told The Times that financial institutions have significantly enhanced their security controls in the years since Patco’s breach occurred, and that they make more of an effort to educate their customers about this type of fraud.
Greene also emphasized that small businesses must install their own firewalls and adopt precautions to prevent hacking. “Online banking security is really a partnership between the customer and the financial institution. When customers use online banking, they’re in essence creating their own personal branch,” she told The Times. “Businesses invest in locks, alarms and motion sensors; they understand they need those controls in the physical world. And now they need them in the digital world too.”
The newspaper reports that Patco no longer makes automated clearinghouse batch transactions after spending hundreds of thousands of dollars and more than three years to resolve the case in court.
Beth Longware Duff is a professional editor and award-winning writer whose work on a wide variety of topics has been published in print and electronic media. She currently writes on a wide range of topics dealing with electronic payment processing for Merchant Express.