US Magistrate Judge John Rich recommended that the US District Court in Maine grant a motion for summary dismissal of a lawsuit filed by Patco Construction against the bank.
In May 2009, Patco, a Sanford, Maine-based construction company, filed a lawsuit against Ocean Bank and its parent company, People’s United Bank, for failing to protect its accounts from cyber thieves who used the Zeus trojan to steal $588,000 in fraudulent automated clearing house (ACH) transfers.
Patco was able to recover $230,000 of the stolen funds, but sued Ocean Bank for failing to detect and prevent the bogus transfers. The banks filed a motion to dismiss the lawsuit.
The magistrate said that, while Ocean Bank’s security was “not optimal”, Patco agreed to the bank’s security procedures when it set up the ACH transfer account.
The agreement stated that Ocean Bank did not “assume any responsibilities” with respect to Patco’s use of the account, that “electronic transmission of confidential business and sensitive personal information” was at Patco’s risk, and that Ocean was liable only for its gross negligence, limited to six months of fees, the magistrate’s order said.
In addition, the law does not require a bank to adopt the “best security procedures” available, the order noted.
David Navetta, IT security and privacy attorney, told BankInfoSecurity that the magistrate's recommendation, if accepted by the district court, could set a legal precedent about the security banks are expected to provide. Unless Patco disputes the order, Navetta said it is unlikely the judge will overrule the magistrate's findings. Patco has between 14 and 21 days to respond, he noted.
"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability", Navetta said. "The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept."
On the other hand, Avivah Litan, a fraud and bank security analyst at Gartner, was quoted by KrebsonSecurity as saying, “In my opinion, this is frankly an egregious injustice against small US businesses. It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century.”