Skip to main content

Court Rules on What is "Commercially Reasonable" Bank Security

Written by Amy Malone

Small business owners have new hope that they may be on the same footing as individuals when it comes to cybertheft from their bank accounts.

The First Circuit Court of Appeals has reversed a district court case over what is “commercially reasonable” under UCC Article 4A.  Under Article 4A, banks bear the risk for unauthorized transfers unless they can show that either the payment order was sent by an authorized person or that that they have commercially reasonable security procedures and they followed those procedures.

The case, Patco Construction Company v. Ocean Bank, involves a Maine construction company and Ocean Bank, a regional bank that has since been acquired by People’s United Bank.  Patco, a customer of Ocean Bank, used the eBanking feature which allowed them to make electronic funds transfers via the Automated Clearing House (ACH).  Patco used this service primarily for its payroll payments. These payments were made on the same day of the week by computers Patco has in its Sanford, Maine office, from the same IP address and they all had federal and state tax withholdings.  No payment was for more than $37,000.  In May 2009, six fraudulent transfers occurred over a seven-day period.  The transfers occurred from an IP address Patco had never used, a device unrecognized by the bank’s system, were sent to individuals that Patco had never sent transfers to and were for amounts between $56,000 and $116,000.

The first transfer generated a “high risk” score of 790.  Patco’s usual risk scores were between 10 and 214.  Unfortunately, Ocean Bank did not review or monitor their risk reports.  Some of the fraudulent accounts were invalid and a portion of the transfers was returned to the bank.  The bank then sent Patco a limited return notice notifying them of the incomplete transfers.  Patco then notified the bank that these were fraudulent transfers.  If the transactions had been fully completed Patco would have never received a notification from the bank.

Over a year before these fraudulent transfers, Ocean Bank had decreased the amount needed in a transfer to trigger the security questions from $100,000 to $1.   This lead to security questions being asked every time Patco made a transfer.  According to the court decision, answering security questions for each transaction “increased the risk that such answers would be compromised by keyloggers or other malware that would capture that information for unauthorized users.”  The court asserts that malware is common place enough to be expected and security measures need to be implemented to protect against such threats.

The court reasoned that the increased risk of frequently answering the security questions, coupled with the fact that Ocean Bank did not monitor or provide notice about suspicious activity, was not commercially reasonable under Article 4A. The court discusses the various security procedures that were available to Ocean Bank and industry standard security measures such as access tokens that Ocean Bank did not employ.

This ruling affords businesses more protection and requires those covered by Article 4A to ensure their security procedures are more robust and take into account the industry standards.

While changing the landscape in regards to the determination of what is “commercially reasonable,” this does not mean a win for Patco.  The case has been remanded to district court where issues of fact need to be decided.

 

 

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.