Think Your Cybersecurity is Up to Snuff? Don’t Bank on It
June 3, 2016
Cyber and data security remain a significant priority issue for all banks and financial institutions. Attorneys representing financial clients are well advised to inquire into cybersecurity concerns and further explore what their client is doing to combat security breaches.
Criminals are constantly searching for creative new ways to obtain money from banks and customers through fraud and cybersecurity vulnerabilities. However, in today’s new era of cybercrime, criminals are stealing directly from banks as well as from their customers. And as consumers and businesses rely more on electronic devices such as computers, tablets, and smartphones to bank and shop online, logic suggests vulnerabilities increase exponentially as a result.
Cybercrimes occur utilizing various means and methods:
- Cyberattacks: Often for the purpose of shutting down a computer system.
- Information theft: for example, stealing trade secrets.
- Hacking: Gaining illegal access to closed systems.
- Phishing: Sending unsolicited emails to lure people into giving personal
- Theft of service: for example, gaining internet access without paying for it.
- Altering computer data unlawfully.
In the U.S., regulatory agencies such as the Securities and Exchange Commission, Federal Trade Commission, Federal Financial Institutions Examination Council, the OCC, and others are increasing scrutiny over how companies apply security controls to defend their enterprise from cyber risk.
Attorneys and financial institutions know well that computer fraud is a federal crime, most often punishable with fines of up to $250,000 and up to 20 years in prison for conviction on a single count.
Example of Direct Bank Theft
A year ago, Moscow-based security firm Kaspersky Lab released a report showing that a gang of international hackers stole as much as $1 billion from 100 banks across 30 countries by installing malware that allowed them to take control of the banks’ internal operations. While the nature of this attempt was nothing new, the scale and sophistication of the attacks, which spanned several years, had experts worried that this represents a new trend.
The scheme, dating back to 2013, used phishing and other techniques to infect bank employee computers and then spread the virus to entire networks. Kaspersky reports that once inside, the hackers would then lie in wait, sometimes for months, watching how bank employees operated until they could figure out how to lift money, often in amounts under $10 million, to an outside account.
The hackers were so skilled at taking control of the various banks’ operations that they remotely dispensed cash from ATMs, where people were waiting to collect the loot. One bank lost up to $7.3 million this way, Kaspersky reported.
Civil Liability for Service Providers
Are product liability cases likely for software defects in programs designed to combat cybersecurity breaches? That is, can a service provider to third parties be liable for damages caused by the provider’s alleged negligence, and are these a step short of the product liability doctrines that would be inherent in software design claims? Two recent cases that may be of modest immediate importance are perhaps harbingers of the future. Here’s a summary of each:
Consider the First Circuit decision Patco Constr. Co. Inc. v. People’s United Bank (1st Cir. July 2012). Patco was a customer of People’s United—portrayed as a typical mid-size business customer with a fairly normal and regular pattern of banking activity. The company regularly withdrew money to make payroll, and it made monthly payments to a variety of vendors.
Somehow, intruders installed malware on Patco’s computers and stole its banking credentials (user name and password). They used those credentials to siphon money from Patco’s account, transferring it offshore. But there is a bit more to the story than this all-too-common occurrence. According to Patco’s complaint, the bank’s internal systems automatically flagged the large offshore transfer since it was so far out of the norm. This prompted human review of the transaction. Unfortunately, the bank manager decided that the password/user name combination and the accompanying answers to certain challenge questions were sufficient to verify the transaction, and ignored the alert. As a result, all the money was allowed to go offshore.
Patco sued the bank and lost in the district court. That court relied on standard contractual terms in the bank’s agreement with Patco that disclaimed any liability for losses that might arise from using electronic banking. On appeal, the decision was reversed. The First Circuit decided that People’s reliance on password authentication and its decision to ignore certain transaction-based flags (which had highlighted the unusually large offshore fund transfer) was not necessarily a good commercial practice. Perhaps most notably, the court concluded that People’s reliance on answers to challenge questions (which the Patco hackers had provided) was not a good security practice. The bank’s contract with Patco incorporated the Uniform Commercial Code’s requirement that the bank act in a “commercially reasonable” way, and the court thought the protections it had implemented were commercially unreasonable.
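An added illustration of the control failure the court described (example code written for this page, not the bank’s system or anything from the opinion): a toy customer-profile check that flags an out-of-pattern offshore transfer, and a release rule under which a flagged transfer cannot be cleared by a password and challenge-question answers alone, since both travel through the same compromised endpoint. The factor classes, threshold, scoring weights and the sample history are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Factor classes. A password and challenge-question answers typed on an infected
# PC are both "something you know"; only a different class adds independent assurance.
KNOWLEDGE = "knowledge"     # password, challenge questions
POSSESSION = "possession"   # hardware token or confirmation on a separate device
FLAG_THRESHOLD = 4.0        # assumed score at which a transfer gets human review

@dataclass(frozen=True)
class Transfer:
    amount: float
    destination_country: str
    payee_known: bool

def anomaly_score(history, transfer):
    """Crude profile check: amount distance from the customer's usual pattern in
    standard deviations, plus penalties for a new country and an unknown payee."""
    if not history:
        return float("inf")              # no baseline: always review
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0
    score = max(0.0, (transfer.amount - mu) / sigma)
    if transfer.destination_country not in {t.destination_country for t in history}:
        score += 3.0
    if not transfer.payee_known:
        score += 2.0
    return score

def is_flagged(history, transfer):
    return anomaly_score(history, transfer) >= FLAG_THRESHOLD

def may_release(history, transfer, presented_factors):
    """presented_factors maps factor name -> class. An unflagged transfer needs only
    the login (knowledge) factor. A flagged one is released only if some presented
    factor is NOT a knowledge factor: whatever captured the password could have
    captured the challenge answers too, so they cannot clear the alert."""
    if not is_flagged(history, transfer):
        return KNOWLEDGE in presented_factors.values()
    return any(cls != KNOWLEDGE for cls in presented_factors.values())

# Constructed sample data: weekly domestic payroll plus a few vendor payments,
# then a large transfer to a new offshore payee ("XX" is a placeholder country).
SAMPLE_HISTORY = [Transfer(a, "US", True) for a in (10500, 11200, 10800, 2400, 11000, 3100)]
NORMAL_PAYROLL = Transfer(11000, "US", True)
OFFSHORE_TRANSFER = Transfer(100000, "XX", False)
```

With the sample data, the payroll run is released on the password alone, while the offshore transfer is flagged and stays held until a factor from another class (for example a separate-device confirmation) is presented.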
Presumably because of litigation uncertainty, a settlement soon materialized. As Wired’s Kim Zetter reports, the bank paid out $345,000 to Patco. This appears to be the first time that a financial institution (or any other commercial entity for that matter) had been obliged to settle a claim premised on its own “commercially unreasonable” cybersecurity failures. In addition to the amount lost, People’s United Bank agreed to pay Patco $45,000 in interest.
Lone Star Bank Decision
Was Patco a sign of things to come, or simply a ‘one-off’ decision that did not signal the start of a trend? The Patco decision was apparently not unique. The Fifth Circuit in Texas issued a very similar ruling in Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir. September 2013). This time, however, banks were the plaintiffs, and they won.
Heartland Payment Systems had a contract with a number of banks to provide credit card processing services. These banks, known as ‘acquiring banks,’ had contracts with the merchants making sales. Heartland, in turn, cleared the transactions with the upstream banks (known as issuer banks) who eventually received payment from the consumers to whom they had issued the credit cards.
Heartland was hacked in 2009, and lost the data from more than 160 million credit card accounts. Because of the interlocking web of financial relationships, it was not the only one affected by the hack. The issuing banks incurred significant costs as well. These included losses from the fraudulent use of the stolen data, the cost of replacing credit cards and the cost of providing their consumers with credit monitoring services.
The banks sued Heartland to recover these losses, but their suit was initially dismissed. The district court concluded that under New Jersey tort law, the banks could not get a recovery for purely economic losses. On appeal, the Fifth Circuit reversed. It said that the issuing banks had a valid negligence claim against Heartland for its cybersecurity failures and that, if proven, they could recover their consequential damages from Heartland.
Significance of Patco and Lone Star Bank Decisions
Despite their limited scope, these two cases are significant for applying the doctrine of tort liability.
First, if application of the doctrine becomes common, tort liability should cause a significant change in how banks do business. Currently, banks operate with the assumption that if they suffer a cybersecurity breach, the losses experienced by their customers will be borne by their customers, not them. This is a classic economic consequence that, in the long run, causes banks to sometimes underinvest in cybersecurity. Development of a tort doctrine will reduce that underinvestment tendency, though with obvious cost consequences passed on to consumers. If these cases are a sign of things to come, we may see more cybersecurity, albeit at greater cost to consumers.
Second, the viability of a doctrine of tort liability may be prompting cybersecurity bills currently before Congress and endorsed by the American Banking Association. These bills suggest the need for the development of a federal regulatory system to identify cybersecurity best practices and require their adoption by critical infrastructure service providers. Under current proposed legislation, companies would also be immune from civil and criminal liability for any action, including but not limited to violating a user’s privacy, as long as the company uses the powers granted by the proposed legislation in “good faith.” The immunity might even extend to “decisions made based on” any information “directly pertaining” to a security threat. The consequences of such a clause could be far-reaching.
One reason some oppose such a regulatory system is their belief that in the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly—imposing costs on those who stint their cybersecurity efforts in an unreasonable manner, without the costs that come from a hierarchical regulatory system.
We will never be able to eradicate all risk. However, taking the time to conduct a proper security assessment, apply risk-mitigating action, and prepare for the inevitable cyber-incident, will be far less costly and could help prevent or at least mitigate damage. Consider also transferring residual risk for catastrophic financial loss by way of insurance. The insurance industry is innovating to address cyber risks as they evolve with a particular focus on data security and privacy.
It is still too early to tell how this all may shake out. But for now, it looks like we stand at the dawn of a new era of cybersecurity tort liability in response to a growing national and international cybersecurity threat. Legislation is looming on the horizon. That would be a significant change, if it comes to pass.
BY JEANA GOOSMANN