Who bears the risk of loss when a corporate bank account is hacked?

Recently, we have witnessed numerous examples of corporate web sites being hacked. Sony, Sega, Honda, Citibank, and Epsilon are all recent examples. When these sites are hacked often the victims are individual customers whose personal information is accessed. But, when a bank account is hacked often the object is money. When such an account is hacked such as by an unauthorized wire transfer or withdrawal, who bears the risk of loss, the bank or the customer whose account is raided?

Eric Goldman’s blog has a post that summarizes two recent US cases which deal this issue under US law. The first case is Experi-Metal v. Comerica Bank, 09-14890 (E.D. Mich.Jun. 13, 2011). The plaintiff was a victim of a phishing attack which resulted in unauthorized wire transfers from its accounts of more than $1.9 million. The bank was found liable for the unrecovered portion because, according to the court, it should have detected and/or stopped the fraudulent wire activity earlier.

The second case is Patco Construction Co. v. People’s United Bank, d/b/a Ocean Bank, 09-cv-005003 (D. Me. May 27, 2011). Here an unknown third party made a series of unauthorized withdrawals of more than $500,000 over several days using Patco’s user credentials and passwords. The magistrate judge ruled that the bank’s security processes were commercially reasonable, even though not perfect. As a result, the loss was allocated to the bank’s customer.

If the attacks on networked connected systems keep occurring, which appears very likely given the escalating problem with cyber-crime, we can expect many more cases like Exeri-Metal and Patco to address who bears the risks of losses in these cases.

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *

Developments in computer, Internet and e-commerce law: the year in review (2017-2018)Developments in computer, Internet and e-commerce law: the year in review (2017-2018)



I gave my annual presentation today to the Toronto computer Lawyers’ Group on “The year in review in Computer, Internet and E-Commerce Law”. It covers the period from June 2017 to June 2018. The developments include cases from Canada, the U.S. the U.K., Singapore, Australia, and other countries. The developments are organized into ...

Online vendors owe purchasers a duty of care says an Ontario court: Hazjizadeh v CanadaOnline vendors owe purchasers a duty of care says an Ontario court: Hazjizadeh v Canada



Online vendors will be interested in a recent decision of an Ontario court in Hazjizadeh v Canada (Attorney General), 2014 CanLII 48552 (ON SCSM). In the ruling the court held that online advertisers owe a duty of care to prospective purchasers to ensure that their representations are true and not misleading. ...

%d bloggers like this: