The Wall Street Journal ran an article by Joe Palazzolo today that discussed the court decisions in the Patco and Experi-Metal cases, in which a federal district court (Experi-Metal) and a federal appeals court (Patco) found that banks' online security measures were not commercially reasonable. Palazzolo's point of view is that these cases give some "hope" to small business owners that when their bank accounts are hijacked because the business owners' security was flawed, the business owners are not necessarily going to eat the entire loss. According to lawyers for the business owners involved, owners of small businesses "often lack an understanding of cyberthreats when they accept bank security procedures," and, therefore, the bank bears a higher responsibility for making sure those security procedures are effective.
I'm not reading that much into the two decisions. First, last year, I questioned the soundness of the court's reasoning in the Experi-Metal case, and I haven't changed my view. The bank settled that case rather than appeal it, so while it provides some precedential value in an area of the law where there's not much precedent, I don't think banks should quake in their boots over Experi-Metal.
As to Patco, while (as noted in a post last week) it's an appeals court that rendered the decision and, therefore, the ruling carries more weight, the facts are fairly bad for the bank involved. The bank had in place a process for flagging high risk transactions, the flags were raised, and the bank ignored those flags for an extended period of time while the thieves made off with the loot. If you have procedures in place and you don't follow them, it's hard to argue that you shouldn't be held at least partially responsible for the loss. Also, the appeals court sent the case back to district court to determine (among other things) the extent to which the customer ought to be held responsible for lax security in permitting its online security identifiers to be compromised. That's an issue on which it might be good to have some case law that states that the customer can't be lax in protecting itself (in other words, ignorance will not be an excuse). The fact that the court suggested that this was a good case for settlement indicates that neither side had clean hands.
I do agree with a couple of other points made in the article. One is that banks ought not to simply rely upon the protective language contained in their online banking agreements as to the commercial reasonableness of their security procedures and then go to sleep. Those contractual protections are very important, but they're not the end of the story. If, in fact, those procedures don't pass a judge's smell test for reasonableness or, even if they do, if the bank doesn't implement and follow them effectively, the bank may be exposed to liability.
Another point that appears at the end of the article also strikes me as being valid.
...William T. Repasky, a Louisville, Ky., lawyer who represents financial institutions, says the First Circuit ruling could prompt some banks to view small businesses as higher risk customers.
As a result, banks might then begin to pass on to small business customers their own increased costs for added security and customer education, he predicts.
If the courts keep coming down on the side of small business borrowers that have their security credentials compromised, I agree with Repasky that it's likely going to cost small business borrowers more money to do online banking business with banks.
I think it's important that banks educate their customers in online security, and not merely because such education is now mandated by FFIEC guidelines. Education can result in decreasing the chances of cybertheft with respect to those clients who take such education to heart, and provide an additional defense for the bank against those customers who don't and whose accounts are compromised.