Who bears the risk of loss when a corporate bank account is hacked?

Recently, we have witnessed numerous examples of corporate web sites being hacked. Sony, Sega, Honda, Citibank, and Epsilon are all recent examples. When these sites are hacked, the victims are often individual customers whose personal information is accessed. But when a bank account is hacked, the object is often money. When such an account is hacked, such as by an unauthorized wire transfer or withdrawal, who bears the risk of loss: the bank or the customer whose account is raided?

Eric Goldman’s blog has a post that summarizes two recent US cases which deal with this issue under US law. The first case is Experi-Metal v. Comerica Bank, 09-14890 (E.D. Mich. Jun. 13, 2011). The plaintiff was a victim of a phishing attack which resulted in unauthorized wire transfers from its accounts of more than $1.9 million. The bank was found liable for the unrecovered portion because, according to the court, it should have detected and/or stopped the fraudulent wire activity earlier.

The second case is Patco Construction Co. v. People’s United Bank, d/b/a Ocean Bank, 09-cv-005003 (D. Me. May 27, 2011). Here an unknown third party made a series of unauthorized withdrawals of more than $500,000 over several days using Patco’s user credentials and passwords. The magistrate judge ruled that the bank’s security processes were commercially reasonable, even though not perfect. As a result, the loss was allocated to the bank’s customer.

If attacks on network-connected systems keep occurring, which appears very likely given the escalating problem with cyber-crime, we can expect many more cases like Experi-Metal and Patco to address who bears the risk of loss in these cases.
