Skip to main content

"Reasonable" security does not necessarily equal "best" security - even if ACH fraud involved

Written by Stu Eaton

Bank Info Security reports that a magistrate for the U.S. District Court  in Maine  issued an Order that further defines what constitutes “reasonable” security practices.  The Order, which must be approved by the judge, recommends dismissal of a complaint filed by PATCO Construction Company against Ocean Bank regarding more than $500,000 in fraudulent Automated Clearing House (ACH) Network transactions.   The magistrate found that Ocean Bank was not required by law to adopt “cutting edge” security practices -- it fulfilled its contractual obligations for security and multifactor authentication through its use of simple log-in and password credentials.

In May 2009, PATCO had its login and password credentials hijacked by cyberthieves, who used those credentials to make over $500,000 in unauthorized transactions from PATCO's account.  PATCO sued Ocean Bank for failing to detect and prevent the theft, arguing the bank did not comply with the Federal Financial Institutions Examination Counsel’s requirement for multifactor authentication when it relied on simple password and log-in credentials.  The Magistrate disagreed, finding that although the bank’s authentication was not “optimal,” it was multifactor, and that the law does not require banks to implement the “best” security practices.   “Patco in effect demands that Ocean Bank have adopted the best security procedures then available . . .[a]s the Bank observes, that is not the law.”

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.