The last time we discussed the PATCO decision, the appellate court had found that the bank's security procedures to defeat account takeover were not "commercially reasonable," but had sent the case back down to the trial court to determine what legal responsibility the customer might have to prevent account takeover. Following that action, the bank and PATCO settled the case, so that burning legal issue was not resolved.
Recently, PATCO co-owner Mark Patterson and counsel Dan Mitchell were interviewed by Bank Info Security's Tracy Kitten about the lessons they think they learned from the case. Among those (along with my observations) are:
- PATCO approached the bank within the first month of the incident with a settlement proposal that turned out to be a heck of a lot less than what the bank eventually paid in settlement after three years of litigation. Both sides ended up enriching their legal counsel needlessly. Sweet!
- Community banks seem more willing to settle quickly than do larger banks. Mitchell and Patterson think that's because community banks are more concerned about the reputational risk if the dispute hits the press. Might this be a potential competitive marketing advantage for community banks? "Bank with us! We'll pay for your negligence!"
- Most cases of corporate account takeover are settled quickly, and off the radar screen. That certainly appears to be accurate from our personal experience. While many lawyers live to engage in disputes, bankers live to make money the old-fashioned way: by doing business. It's hard to do business when you're the defendant and your customer is the plaintiff.
- Prospective litigation costs and reputational risk can be as much of a deterrent to bank customers pursuing litigation as they can be to banks.
- There's not much case law on these issues. Until there is, there is likely to be much jockeying for position, blustering and posturing by lawyers for both sides, unless responsible business leaders on each side of the table seize control early in the game and keep their eyes on the prize: salvaging the relationship (if possible) without breaking either the bank or the customer.
- Patterson thinks ACH should not be done by businesses, no matter how allegedly "strong" the security devices or procedures used. He claims that his business will use ACH only for tax payments. The reason for his revulsion: the one-sided nature of the agreements prepared by the banks, which place almost all liability on the customer. Hey, that's why banks pay us the big bucks, Mark!
- Patterson and Mitchell do believe that customers have "some responsibility" for protecting their accounts from takeover. However, they claim that banks bear more responsibility than customers because they are "in a better position" to prevent and detect takeovers. While I don't disagree that banks should be more sophisticated in this area than the average small business owner, I'm still not willing to go as far as Patterson and claim that using a dedicated separate PC solely for online banking (and not for cruising Internet porn sites) is cost prohibitive for most small businesses. That simply doesn't pass the smell test for me. On the other hand, I'm an alleged elitist, so perhaps my view is slanted toward my liege lords and masters, "The Banks." Perhaps a refurbished eMachine for $250 is simply beyond the reach of the average small business. If that's the case, how much money would they stand to lose from any of their corporate accounts? Wouldn't cybercrooks just enter, laugh, and leave?
Whether you represent banks or bank customers, Mitchell's final words ring true:
"I would bet my bottom dollar that there will be more lawsuits in the future in this area. What types of questions will come up really will depend on the unique circumstances of each case. But given the prevalence of corporate account takeover, you can bet that there will be more cases."