Self-Service Shifts Legal Risks, May Let Customers Off The HookWritten by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.
One of the great things about the Internet and computer technologies is that they can empower consumers and businesses to do things that ordinarily require a middleman. Consumers can purchase their own insurance, engage in banking transactions, deposit checks, make purchases, etc. They can do this both online and in the brick and mortar environment.
But this means that when the technology fails, it is the consumer who must suffer the consequences, when ordinarily the risk of loss would have remained with the merchant.
For example, a few weeks ago I went with the family to a nice bistro, and sat outside. I got a parking space right across the street. My wife told me that she had quarters to pay the meter, but I said, “No problem, I can pay with my iPhone.” I whipped out my device and invoked an app to pay for parking. I input the parking space number, the amount of time I wanted to park (an hour and a half seemed enough for dinner) and enabled the feature to send me an SMS message when the meter was about to expire.
After a pleasant dinner of pizza and chicken parmesan, I returned to find a ticket on the car. I checked the app, and it was blank. I logged into the app’s website which showed that I had paid for parking—but had only paid for about two minutes.
I figured out what happened: After I paid for parking and enabled the SMS notification, I placed the phone in my pocket. By default, the app had a link to a command “Stop Parking.” Putting the phone in my pocket invoked this command. When I pointed this out to the parking hearing officer, he was unpersuaded. You see, the meter wasn’t broken. The app was poorly designed.
Similar results occur when an online banking app is hacked. While consumers may have no liability for the misuse of their credit and debit cards, online banking apps effectively put an ATM machine in the consumer’s pocket. While ATMs are the property and responsibility of the bank, which are patrolled by and secured by the bank, the apps, smartphones and devices on which they sit (as well as the connections themselves) are not always the responsibility of the financial institution.
Thus, if a cyberthief hacks a business’s computer, network or device, and through that gets into the company’s bank account, the bank may have no liability. It is as if the bank installed an ATM at their customers’ location and then said, “here – you take care of it.”