U.S. Appeals Court Gives Retailers Fraud Loss Victory
Written by Mark Rasch. Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
In a decision that has huge implications for retail chains, a Federal Court of Appeals ruled on July 3 that a contractor in Maine could successfully sue its bank for losses from a hacked bank account. The problem is that many of the “thefts” of money from retailers don’t occur at the bank itself. A hacker may attack the retailer’s computer, obtain user IDs and passwords, and then log into the bank’s computer either using the stolen credentials or even logging in from the compromised computer itself. To the bank, it sure looks like the login came from the retailer.
Once the bad guy gets in, it’s only a few keystrokes to wire transfer all of the account funds to a waiting account in Latvia, Bulgaria or wherever. The retailer only learns of the transfer later, when the funds are gone. Sometimes the bank can “claw back” all or part of the transaction; sometimes it cannot. But who eats the cost of that loss?
Many retailers maintain bank accounts that permit, or even encourage, depositors to interact with the bank electronically. This E-banking serves both the bank and the merchant, enabling fast and usually reliable transactions without having to wait in line at a teller. But who has liability if a bank account is hacked? And who has liability if a merchant’s computers are hacked and, through the compromised computers, funds are transferred? In general, the rule has been that the merchant bears the risk of loss. But that general rule is changing.
For consumer bank accounts, the risk of loss in the event of a hack or intrusion is either zero or close to that. The same rules that protect consumers from stolen or fraudulently used credit or debit cards protect them from hacked accounts. The consumer liability, under a law called Regulation E, is limited to $50 in most transactions and $250 in some other transactions, so long as the fraud is reported relatively promptly. As a practical matter, consumers rarely have to pay even the $50, because banks are willing to eat those costs to encourage more people to engage in online banking.
For commercial entities, however, Regulation E doesn’t apply. Instead, Article 4A of the Uniform Commercial Code (UCC) allows the bank to disclaim liability if the bank used “commercially reasonable” means to prevent the fraud.
The law that relates to commercial electronic banking transactions is UCC 4A, which says the bank is entitled to rely on the authenticity of a payment order if it is verified according to a security procedure that is a “commercially reasonable method of providing security against unauthorized payment orders” and the bank accepted the order in good faith.
July 12th, 2012 at 10:38 am
But there is one more key point here: crooked employees at customers.
There is a non-trivial amount of attempted fraud by employees at small businesses. Before the Zeus malware, business bankers worked with their SMB customers to put in place split-knowledge and dual-control. SMB accounting departments typically only have a few people in them, and do not have the kind of on-premise accounting and IT expertise that large companies have. Light-fingered employees (and sometimes even the boss) realize after a while that there are no controls on key aspects of the handling of receipts and payments. If the SMB has to eat the loss, the SMB management starts to get very motivated to listen to the bankers and their CPAs, to implement effective controls.
Now enter Zeus: how can the bank tell the difference between Zeus and real employee fraud? Worse, what if smart employees read about Zeus and realize that they can claim that malware was what caused the loss, when it was really them? Kind of like the dog-ate-my-homework defense that school kids use.
Banks don’t want the horrible press about putting an SMB out of business, but they also don’t want to open the floodgates to human fraud.
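As an added example (not from the article or the comment above), here is a simplified payment-order release check in Python that encodes the dual-control rule the commenter mentions together with the signals of the transfer the article describes: a second, distinct, authorized user must approve every order, and a first-time foreign beneficiary receiving an unusually large amount is held for out-of-band confirmation. The user names, beneficiaries, threshold and sample orders are all constructed, and the "review" tier (calling the customer back on a number already on file) is an assumed bank procedure.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PaymentOrder:
    order_id: str
    beneficiary: str                  # beneficiary account identifier
    country: str                      # country of the beneficiary bank
    amount: float
    initiated_by: str                 # user who entered the order
    approved_by: Optional[str] = None  # second user who released it

@dataclass
class AccountProfile:
    authorized_users: frozenset
    known_beneficiaries: frozenset
    domestic_country: str
    max_historical_amount: float

def assess_order(order, profile):
    """'hold' on a control failure, 'review' (call the customer back on a
    known number) on anomalies only, 'release' otherwise; plus the reasons."""
    failures, anomalies = [], []
    # Dual control: a second, distinct, authorized user must approve the order.
    if order.initiated_by not in profile.authorized_users:
        failures.append("initiator not authorized")
    if order.approved_by is None:
        failures.append("no second approver")
    elif order.approved_by == order.initiated_by:
        failures.append("initiator approved own order")
    elif order.approved_by not in profile.authorized_users:
        failures.append("approver not authorized")
    # Anomalies: the shape of the stolen-credential transfer described above.
    if order.beneficiary not in profile.known_beneficiaries:
        anomalies.append("first payment to this beneficiary")
    if order.country != profile.domestic_country:
        anomalies.append("cross-border destination: " + order.country)
    if order.amount > profile.max_historical_amount:
        anomalies.append("amount exceeds historical maximum")
    if failures:
        return "hold", failures + anomalies
    return ("review", anomalies) if anomalies else ("release", [])

# Constructed sample data (not from the article).
PROFILE = AccountProfile(frozenset({"alice", "bob"}),
                         frozenset({"US-PAYROLL-001", "US-VENDOR-017"}), "US", 25_000.0)
ROUTINE = PaymentOrder("o1", "US-PAYROLL-001", "US", 18_400.0, "alice", "bob")
# One stolen credential used for both steps, full balance, new foreign account.
SUSPECT = PaymentOrder("o2", "LV-NEW-ACCT-9", "LV", 96_000.0, "alice", "alice")
```

Because the approver must differ from the initiator, a single stolen credential cannot release the order even when the login itself looks legitimate to the bank.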