February 11, 2009

What's Good For The Sharks Is Good For America

A couple of weeks ago, I said that I thought the plaintiffs' attorneys in the recently settled class action litigation against the Veterans Administration over the theft of a laptop computer would "make millions." Yesterday, The Washington Post reported that the "millions" assumption was indeed correct.

Under the $20 million deal, lawyers for the veterans will receive up to $5.5 million for fees and costs, while roughly $1.4 million will be spent to notify millions of veterans and provide information about the settlement via advertisements in newspapers, magazines and a toll-free hot line.

As you'll recall, each veteran who can prove that he or she has "incurred out of pocket expenses for credit monitoring or physical symptoms of emotional distress," will receive between $75 and $1500. I've asked it before and I'll ask it again: Is this a great country, or what?

In yet one more sign that this nation of the lawyers, by the lawyers, and for the lawyers shall not perish from the earth (as long as one lawyer and one solvent defendant remain), The Memphis Business Journal recently ran a piece detailing that though the TARP program may be a bust in terms of goosing the economy, it's been a godsend for the formation of "special practice groups" by law firms.

Securities Docket, an online trade journal for the securities industry, has tracked the proliferation of financial crisis practice groups and task forces since the fall. To date, the self-regulated list has grown to 32 national law firms. No Memphis law firms are represented.

Dude! If you're walkin' in Memphis, walkin' with your feet ten feet off of Beale, if you're walkin' in Memphis, and you don't know if you really feel the way you feel, then it's probably because you haven't created a financial crisis practice group. Get you one of those bad boys and you'll know how you really feel. You'll be feelin' like singing Hallelujah!

We've been a big fan of special practice groups, linked first to subprime and now to the bailout, for some time now. Every law firm should have one. In fact, when private capital finally heeds Treasury's siren call and comes pouring in to buy up "distressed assets," we look forward to the first "Bottom Feeders Feeding Frenzy Practice Group" bursting forth from a giant law firm like Athena from the head of Zeus.

January 28, 2009

PTSD Damages For A Non-Event

Two and one-half years ago, then-VA Administrator Jim Nicholson asked Congress for emergency funding of not less than $160.5 million "for credit counseling and other measures to protect veterans and military troops whose sensitive personal information was stolen." Yesterday, the VA announced that it had agreed to pay $20 million to settle class-action litigation filed by five veterans groups as a result of that data theft.

Unfortunately for the taxpayers, there's a rub. As VA spokesman Phil Buhdan stated yesterday: "We want to assure veterans there is no evidence that the information involved in this incident was used to harm a single veteran."

It's even better than that. A laptop and external hard drive containing the data were stolen, and later recovered. According to FBI experts at that time, the data had not been accessed by the thieves, much less used. In the intervening 30 months, not a single incident of identity theft or other unlawful use of the personal information was reported. So why pay $20 million?

The money, which will come from the U.S. Treasury, will be used to pay veterans who can show they suffered actual harm, such as physical symptoms of emotional distress or expenses incurred for credit monitoring.

[...]

According to the proposed settlement, veterans who show harm from the data theft will be able to receive payments ranging from $75 to $1,500. If any of the $20 million is left over after making payments, the remainder would be donated to veterans' charities agreed to by the parties, such as the Fisher House Foundation Inc. and The Intrepid Fallen Heroes Fund.

[...]

"This is a very positive result," said Douglas J. Rosinski, an attorney representing the veterans groups. "A lot of hard work went into finding a resolution that all the parties could be proud to say they were a part of bringing about."

$75 to $1500 a pop for "emotional distress." How many warriors will step forward and claim that prize? Not many, I bet. As for credit monitoring, the VA offered to provide free credit monitoring for any veteran who asked for it, but it wasn't necessary, was it? We knew it was a waste of money in the summer of 2006, and the absence of any misuse of personal information in the intervening months has only supported that view. The VA fired the parties responsible for the lapse of security, and the OMB changed its rules to require encryption of laptop hard drives, and all that was done without prompting by a class action lawsuit. Therefore, no actual harm exists to be compensated, and no dysfunctional behavior was corrected by the litigation.

The folks that this class-action litigation serves are the plaintiffs' lawyers. They'll make a lot more per-person than $75 to $1500. They'll make millions. For that small cadre, this outcome is, indeed, "a very positive result."

January 21, 2009

Data Breaches: On The Rise and Striking the Heartland

While most honest citizens are recovering from the hangover induced by the Obama Inaugural Extravaganza, the few rotten apples in the barrel have been busy little bees. Last week, the WSJ reported that last year, businesses reported 656 data security breaches, up 47% from the previous year. Much of that increase may be due to the expansion of state laws that require notification of such breaches, according to the Identity Theft Resource Center. More distressing was the news that over 35% of the breaches were due to human error, and worse, that insider abuses that resulted in data breaches were double those of 2007. "The Bozo Factor" that affects employees can be mitigated by training, and by implementing policies and procedures that are rigorously enforced, but as we've noted before, a banker's worst nightmare is the rogue employee. If an employee's bent when he starts working for you, it's doubtful that any training will straighten him or her out.

Yesterday, the news did not get better. Heartland Payment Systems Inc., a major credit-card processor, disclosed a data breach "that analysts said may be among the biggest ever reported."

Heartland Payment Systems Inc. said Tuesday that cyber criminals compromised its computer network, gaining access to customer information associated with the 100 million card transactions it handles each month.

The company said it couldn't estimate how many customer records may have been improperly accessed, but said the data compromised include the information on a card's magnetic strip -- card number, expiration date and some internal bank codes -- that could be used to duplicate a card.

100 million rockets past the previous record of 45 million, set by TJX (which we last discussed here). Heartland's president said that his company was targeted by malicious software that was "light-years more sophisticated" than what is usually downloaded from the Internet by your average stooge. This points up another problem we've often discussed: the crooks are smart cookies. Bet you a dollar to a donut that they came from Eastern Europe. That area of the world appears to be breeding gifted amoral cyber thieves at a rate that would make your average Mafia don green with envy.

An analyst at Forrester Research estimates that the average data breach costs $300 to $600 per record in fraudulent purchases, fees and legal costs, for a total of hundreds of millions, perhaps in excess of a billion, of dollars to be spread around between Heartland, the card issuing banks, and others (including merchants who are duped by the fraudulent use of the stolen data).

It's tough becoming the poster child of data breaches. Coming in the midst of an economic maelstrom makes it all the tougher to deal with. On the other hand, most of the average citizenry will have little sympathy for Heartland. The man on the street may sell his e-mail password for a discount card to Starbucks, but he expects businesses, especially those that handle sensitive personal and financial information, to be impenetrable fortresses when it comes to data security. That may not be fair, but it's just the way it is.

Speaking of the TJX fiasco, the Maine Bureau of Financial Institutions released a report that showed the financial costs to banks in that state from the TJX and other data security breaches. The TJX breach cost banks from $60 to $32,146 in card reissuance expenses. H/t CSBS

November 30, 2008

Employees: The Chink In The Armor Of Information Security

Last May, we profiled the risk of rogue sociopathic employees who help outsiders steal sensitive data from banks, mortgage lenders, and other businesses. In that story, former employees disclosed passwords that were not changed after the employees left the business. According to a recent study by Cisco, a bank's current employees pose even more of a security risk.

Employees could be to blame for one of the most prominent security concerns facing businesses today: loss of corporate information.

So say findings from a new Cisco global security study. The report offers insight into the risks employees take that could cause data leakage.

The reason is clear: With the move toward distributed business models and remote workforces, lines are blurring between work and home lives. That’s leading to more collaborative devices and applications, including mobile phones, laptops, Web 2.0 applications, video and other social media.

[...]

Security is ultimately rooted in users’ behavior, so businesses of all sizes and employees in all professions need to understand how behavior affects the risk and reality of data loss — and what that ultimately means for both the individual and enterprise, according to John Stewart, chief security officer at Cisco.

"Understanding this can help strengthen relationships between IT and employees, tailor localized awareness and education programs, and better manage risk," Stewart said.

The takeaway: There are opportunities for businesses to tailor risk-management plans that prevent data loss incidents locally while remaining global in scope. While some solutions are technology-based and others are policy-based, the common denominator in these programs is employee education.

"Companies need a strong set of policies and consequences for breaking them," said Michelle Drolet, CEO of IT security services firm Towerwall in Framingham. "The employees need to be clear about the rules for handling information and using technology."

An information security officer for a banking client recently told me that employees remain his biggest concern with respect to data leaks and information security system breaches. No matter the policies and procedures, the training sessions, the education, and the penalties imposed for violating information security policies, no business has yet found the magic bullet to deal with the "dumb-ass factor" (his term, not mine). I suppose capital punishment might bring the point home, but that seems a bit harsh.

Cisco's study confirms my client's officer's jaundiced view.

Still, even with awareness programs, employee handbooks and information security training, and appreciation, workers remain a common point of failure in the information security equation.

Employees tend to lose laptops or portable storage, store logins and passwords, share sensitive corporate information or corporate devices, and alter security settings on computers, according to the Cisco study.

[...]

"A lot of our clients are looking into ways to prevent the use of flash drives by locking the ports so they can’t use them and putting some level of protection on laptops to encrypt the data in the hard drive," said Glenn Siriano, a principal of KPMG’s Information Technology Advisory Services. "But you still see people posting sticky notes with their passwords on the desktop."

The sticky notes problem is definitely a prime example of "the dumb-ass factor" at work. Such employees need to be put out to pasture. Unless, of course, he or she is a senior officer, in which case you give him or her a bonus and a promotion.

As compliance officers of banks have long known, unless senior bank management makes the failure to comply with a policy a termination offense, and enforces the penalties consistently, all the well intentioned policies, procedures, education and training in the world aren't going to be enough to stem the tide. In addition, as the article also suggests, banks and other businesses need to invest in the necessary technology-based solutions and/or consulting engagements to minimize the risks. During a time when everyone's uncertain how bad the economy is going to become (just that it's bound to be bad), convincing banks and other businesses to make such investments is going to be a tough sell, absent regulatory sanctions or other painful experiences (hits to reputations, lawsuits, etc.) that make the risks impossible to ignore. As we've previously observed, many businesses have decided that, as things now stand, the risk doesn't justify the expense.

October 28, 2008

Red Flags In Place?

Occasionally, I like to point those readers who are in-house counsel or private practitioners and who represent financial institutions to a useful publication that's available on-line from another law firm. Ordinarily, I'd make a snarky, self-deprecating comment at this point; however, my e-mail lately indicates that there are some readers who not only don't "get" the snark, but take it on face value and begin to froth at the mouth with politically correct apoplexy. So, just for today, I'll play it straight. Tasteless, low-brow sarcasm will resume tomorrow.

Today's resource is the Proskauer Rose LLP Privacy Law Blog, which has good material on, of all things, privacy law. Of particular interest to many businesses is a recent post on the suspension of enforcement by the FTC of the "Identity Theft Red Flag and Address Discrepancies Rules" until May 1, 2009. Unfortunately, the suspension applies only to those businesses subject to FTC enforcement of the rules, not to financial institutions governed by the Red Flag rules that are enforced by the federal bank regulatory agencies. As to the latter, you banks better be in compliance by the end of this week!

The reasons for the FTC action are interesting.

The rules apply to financial institutions and creditors. But, according to the FTC, many companies “indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution.” Moreover, the FTC said that companies not traditionally subject to the jurisdiction of the FTC did not follow the FTC’s rulemaking, and consequently did not become aware of their obligations under the Red Flag Rules until very recently. The FTC also expressed concern that covered entities, to meet the fast approaching November 1 deadline, were not taking the appropriate care necessary to do a proper risk assessment and craft a meaningful red flags program.

As the FTC stated, “[g]iven the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial for the public.” Therefore, the FTC will delay enforcement of the new rules for six months. Considering this generous extension, covered entities should be on notice that they will need to have a written identity theft prevention program in place by the May 1, 2009 deadline.

So, this time around, being a clueless ignoramus turned out to be a good thing, unless you were a financial institution regulated by one of the federal bank regulatory agencies.

Many banks were well on their way to compliance with the Red Flag rules as part of their information security and customer identification programs, long prior to November 1. Red Flag and address discrepancies compliance has been more a matter of documenting the program and having it approved by the board of directors.

Incidentally, the OTS released last Friday revised examination procedures, which were developed jointly with the other agencies, for examinations after November 1, 2008. The revised procedures incorporate procedures to test compliance with the Red Flag rules. The OCC released its revised examination procedures on October 15, 2008, which also addressed affiliate marketing and opt-out notices.

October 09, 2008

Phisermen Take Advantage Of Bank Mergers

According to Ben Worthen at The Wall Street Journal's Business Technology Blog, the recent surge in bank mergers has been accompanied by a commensurate surge in "phishing" attacks by cybercrooks.

If you want to see one way the mess on Wall Street is affecting Main Street, just check your inbox: Cyber criminals are taking advantage of the financial crisis by sending so-called phishing emails that pretend to be from banks that have recently been acquired.

[...]

In the wake of the shotgun marriages now taking place, banks have neglected to tell customers about what changes will be made to their online-banking setups. Cyber criminals are trying to fill that void, Andy Klein, a product manager at tech-security company SonicWALL, tells the Business Technology Blog. One such email tells customers of Chase and Washington Mutual banks that because of the merger, customers new and old need to go to the Chase Web site and update their information. The email contains a link to a site that looks like Chase.com, but is really operated by a hacker.

Yeah, it's all the fault of the banks. When Wamu disappears into Chase's welcoming embrace in the blink of an eye (you'll recall that Wamu's demise was hastily arranged on a Thursday, rather than on the customary late Friday afternoon, because of the fear of a run), Chase's first thought is supposed to be to send an e-mail to Wamu's on-line banking customers alerting them to the new on-line banking set-up. The only problem with that plan is that Chase probably hasn't worked that all out yet because the mechanics of the transition are still being resolved. Speed kills many things, but apparently not "phishing."

Moreover, it's not as though phishing attacks are something new. How many newspaper articles have to be written about this topic before the average bank customer realizes not to respond to one of these e-mails? As Worthen explains, "[m]ost banks rarely contact customers via email. If they do, they won’t send emails asking customers to click on a link and confirm their personal information – the hallmark of a phishing scam." At some point, customers have to take responsibility for their own gullibility. Or is that being unreasonable?
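The two hallmarks Worthen describes (an e-mail that asks the customer to click a link and confirm personal information, and a link whose visible text looks like the bank's site while its real destination is somewhere else) can be checked mechanically. The following is an added example written for this post, not code from the Business Technology Blog, SonicWALL or any bank; it assumes a mail-gateway or customer-side filter that is given the bank's legitimate domains as an allowlist, and the two sample messages and the `phish.example` domain are constructed for the illustration.

```python
"""Heuristic screening of a bank-branded e-mail for the phishing hallmarks
described in the post (added example; assumptions noted in comments)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that mark a request to "confirm" or "update" personal details (assumption:
# a real filter would use a richer list, possibly localized per bank).
CONFIRM_PHRASES = ("update your information", "confirm your information",
                   "verify your account")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and the message's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        self.text.append(data)
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def host_of(url_or_text: str) -> str:
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def registrable_domain(host: str) -> str:
    # Naive: last two labels. Good enough for .com/.net; a production filter would
    # use the public suffix list so that e.g. "bank.co.uk" is handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def screen_email(html_body: str, bank_domains) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one HTML message."""
    p = _LinkCollector()
    p.feed(html_body)
    body_text = " ".join(p.text).lower()
    findings = []
    asks_to_confirm = any(ph in body_text for ph in CONFIRM_PHRASES)
    if asks_to_confirm:
        findings.append("asks recipient to click and confirm personal information")
    off_domain = hidden = False
    for href, text in p.links:
        real = registrable_domain(host_of(href))
        if real not in bank_domains:
            off_domain = True
            findings.append(f"link leads to non-bank domain {real!r}")
        # A visible URL that names the bank but points elsewhere is the classic tell.
        if URL_LIKE.fullmatch(text.strip()) and registrable_domain(host_of(text)) != real:
            hidden = True
            findings.append(f"visible text {text.strip()!r} hides destination {real!r}")
    # Legitimate mail may link to a survey vendor, so an off-domain link alone is not
    # enough; pair it with a confirm request, or flag any hidden-destination link.
    return {"suspicious": (asks_to_confirm and off_domain) or hidden,
            "findings": findings}


# Constructed samples: a merger-themed lure and a routine statement notice.
PHISH_SAMPLE = ('<p>Dear customer, because of the merger you need to update your '
                'information.</p><a href="http://chase.com.phish.example/update">'
                'https://www.chase.com/</a>')
LEGIT_SAMPLE = ('<p>Your statement is ready. '
                '<a href="https://www.chase.com/statements">View statements</a></p>')
BANK_DOMAINS = {"chase.com"}  # allowlist the filter is configured with (assumption)

if __name__ == "__main__":
    for name, body in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, screen_email(body, BANK_DOMAINS))
```

The check never follows a link; it only compares what the message shows the reader against where the anchor actually points, which is exactly the mismatch a customer reading the e-mail cannot see.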

A side note: The only comments to Worthen's post are by two commenters who are promoting their businesses, and slant their comments accordingly (and include links to their web sites). Shameless shilling in comboxes is one more reason to consign them to the black hole of cyberspace.

September 11, 2008

Businesses Blow Off Information Security Breaches?

The Wall Street Journal's Business Technology blog had an eye-opening post the other day about the rapid pace of data breaches, and, more surprising, the alleged reason for the increase in breaches.

U.S. businesses reached an ignominious milestone in August, when the number of data breaches disclosed publicly for the first eight months of 2008 already surpassed the total number of disclosed breaches for all of last year.

There were 449 publicly disclosed security breaches as of Aug. 22, compared with a 446 total in 2007, according to Identity Theft Resource Center, a San Diego nonprofit organization for victims of identity theft. The reasons why businesses struggle keeping customer or employee data secure are many: Cyber criminals are adopting more sophisticated techniques for breaking into businesses; businesses are creating, storing, and sharing more data than ever before; and employees don’t understand the value of the data that they work with or the myriad ways the data could fall into the wrong hands.

[...]

The real reason that data breaches are on the rise is that businesses don’t have a real incentive to invest more than the minimum required in security, says Bruce Schneier, chief security technology officer at BT Group.

“For the most part a company doesn’t lose its data, they lose your data,” Schneier tells the Business Technology Blog. Consequently, the entity responsible for the breach isn’t the party that is harmed by it. Victims are upset, but they are more likely to learn about the fraud that is committed in their name—not the breach where a criminal obtained the data. They are often powerless to punish the business that exposed the record because they can’t link the fraud to a cause, says Schneier.

All those state laws that require businesses to notify customers of data breaches (44 states, according to the Business Technology Blog) aren't causing a corresponding decrease in data breaches, a Carnegie Mellon University study concludes. There are various reasons for that.

There are potential loopholes: Sometimes only businesses in certain industries must disclose a breach; or the breach may only have to be disclosed if a business suspects that the information will be used to commit fraud. Also, aside from potentially negative publicity, businesses are rarely penalized for a breach as long as it is disclosed.

The penalties provided under state law are also, in many cases, less than the cost to fully investigate and report. Thus, according to some studies, many breaches are not being reported, notwithstanding the requirements of the law.

The article does not address whether banks were included within the studies. Given the information security requirements of the federal banking agencies, which include a requirement that banks who suffer a breach notify their primary regulator, and also notify the affected customers where the misuse of customer information has occurred or is reasonably possible, I'd doubt that they were included. On the other hand, a "loophole" that requires notification where the information has been or likely will be misused seems reasonable. This "risk-based" approach is part of the federal scheme for banks, and prevents needlessly causing expense and alarming customers.

I agree that if businesses are blowing off their legal responsibilities, they ought to suffer sufficient penalties to give them an incentive to comply. However, those legal responsibilities ought not to impose an obligation to notify customers of a breach that is not likely to cause the customer any harm. Not only does that require the needless expenditure of time and money, but it runs the risk of creating a "Chicken Little" syndrome where customers start ignoring notices of data breaches. You know, just as most of do when we receive those annual privacy notices that few of us open, much less read.

June 12, 2008

The Bozo Factor

Twenty plus years ago, I had been recruited by a large law firm as a lateral hire. At my first quarterly firm dinner, I was sitting next to an especially acerbic fellow lateral hire (and, therefore, one of my favorite co-toilers at the firm) when a senior partner waltzed in wearing a navy blue blazer, pink dress shirt, red-and-green plaid pants and a paisley tie. I watched him walk across the room, booming loudly and obnoxiously every step of the way. My mate, reading the "WTF?" look on my face, turned to me and deadpanned, "The Bozo Factor: every firm's got it."

According to Ben Worthen of the Business Technology Blog, many businesses have it, and it applies to IT professionals as well as to legal professionals. It's not clown-like dress and behavior that Worthen's discussing, however; it's incompetence, the kind that causes security breaches.

Hackers enjoy a reputation as computer whizzes who can break into the most sophisticated systems. They may be whizzes, but the reason for their success is that businesses rely on defenses filled with holes big enough to drive a truck through.

A new study by Verizon’s Business Risk team, which performs post-breach forensics, looked at the causes of more than 500 data-loss incidents and concluded that sloppy security procedures were partly to blame in almost every one. (The study didn’t take into account incidents where a laptop containing sensitive data was lost or stolen, because the cause of the breach is self-evident and these incidents rarely result in fraud or identity theft.) In fact, stupid mistakes are so common that forensics work is getting boring. "The most difficult thing for me and my team is that we see company after company fall victim because of the same basic flaws," Bryan Sartin, vice president of investigative response at Verizon, tells the Business Technology Blog. These include failing to update or misconfiguring systems.

What about the "professional hacker" that this blog and others have hyped for the last year – you know, the guy who tricks employees into disclosing sensitive information, which he then uses to make off with reams of data? Turns out he isn’t that big a threat. Verizon concludes that only 17% of the attacks it investigated were committed by a highly-skilled hacker, while 54% required little or no technical skill. And only 15% of attacks committed by outsiders were targeted. More often, a hacker cast a wide net looking for any company with weak defenses.

While hackers accounted for 73% of all data breaches – an indication of how poor defenses are – these outsiders didn’t make off with as much data as insiders, who accounted for just 18% of breaches, and business partners – outsourcers, consultants, call-center workers – who accounted for 39% of breaches. (The total is more than 100% because some breaches were committed by multiple parties.) In fact, when the number of attacks and amount of data stolen are combined, business partners are the biggest threat of all.

Sartin says that in these cases, too, lax security is an issue – a contractor saw weak defenses and treated them like an opportunity. In almost every breach he’s investigated the thief "took the path of least resistance."

I was thinking about "The Bozo Factor" recently while assisting a client in formulating vendor management policies and procedures. One of the principles that the client was adamant about building into its procedures, especially with respect to technology vendors who would have access to customer information, was that due diligence on those vendors had to be rigorous. The institution also would require that a legal review of all contracts with vendors was essential to make certain that the institution was adequately protected from the results of the vendor's negligence because, no matter how good the due diligence, "stuff happens." Although we didn't label it "The Bozo Factor," we discussed the fact that even those vendors with great reputations can suffer security breaches. Worthen's observation that "business partners" are the biggest threat when it comes to security breaches only serves to confirm the client's cautious approach.

Unfortunately, no amount of vendor due diligence will protect a bank from a truly "inside job." The fact that insiders make off with more from security breaches than outside "hackers" is no surprise. We've blogged about that "nightmare" previously, where "The Bozo Factor" involved an apparent failure to shut off access to the computer system of the business after the employees' services were terminated. Of course, even without any apparent incompetence, "rogue employees" can breach security and even the biggest of the big boys are susceptible. Venality and greed can often trump the best security.

June 09, 2008

Remote Deposit Capture: Is Fraud Risk Remote?

Over the past year, we've discussed the risks involved in remote deposit capture (most recently here) and that financial institution regulators expect banks that offer RDC to customers to examine, underwrite, and educate customers who use this service, in order to minimize those risks. According to a recent article in The American Banker (paid subscription required), thus far, "community banks play it safe. Some say too safe."

The banks' main concern is getting burned by check fraud. To forestall that risk, the first customers a community bank typically offers the deposit scanners to are those that have had long-term relationships with the bank.

Though this approach can be effective in retaining valuable customers, it is not going to win much new market share, said Bob Meara, a senior analyst at Celent LLC, a Boston financial research arm of Marsh & McLennan Cos.

"A great deal of banks are inherently defensive in their use of remote deposit," he said. "But there are huge lost opportunities in being so passive in today's environment."

The article confirms what I've been seeing as the standard approach to business customer screening (I've not been involved with a bank that offers the service to consumers): evaluating potential customers as if they were borrowers, using the merchant services guidelines of Visa and MasterCard to evaluate the business customers, and onsite inspections of the customers' operations. The banks also will, if they think it necessary, "train" customers not only on check scanning procedures and the use of the scanners and software, but on the safe handling, securing and disposal of the scanned checks.

What the article does not discuss is that community banks that think through the process and the risks involved will also require specific protections in the contract between the customer and the bank that govern the service, often as part of a treasury management services agreement. Some banks are also requiring a special guaranty of the obligations (including indemnity and hold harmless obligations) of the customer to the bank under the appropriate agreement, if the bank's underwriting standards would indicate that such a guaranty is appropriate.

The author of the article, David Breitkopf, asserts that "banks are not seeing much fraud involving remote-deposit customers." That certainly appears to be true. However, that may be (a) a testament to conservative customer underwriting by banks and (b) a justification for banks continuing to "go slow." On the other hand, all this caution rankles critics. Mr. Meara, for one, thinks community banks are being "overly cautious."

All new customers--whether in a bank's market area or not--are risks to some degree, he said, but he argued that offering them remote deposit actually minimizes, not increases, the chances for fraud.

The early capture of images and code-line information lets banks subject checks to fraud systems much faster than the next-day scans typical for teller-presented checks. Fraud suspects, therefore, can be identified and examined before banks must pay on the items, he said.

A customer could accidentally deposit an item more than once, but banks' back-office systems are designed to flag second deposits, he added.

A fraudster could scan a check into one deposit account and then deposit it in another account with another bank. But Mr. Meara said he doubted such a fraudster would have any long-lasting success because a bank would "know who you are, where you are, and when you made this deposit, and what account you made the deposit to. Of the many banks I've spoken to about this, I have not been aware of a single bank who can attribute fraud uniquely to remote deposit capture."

I'll defer to bank IT and operational professionals as to whether or not the ability of a bank's "back-office systems" to flag second deposits justifies a bank being more aggressive in marketing remote deposit capture services. Thus far, from the meetings I've attended, no employee who mans the back office operations of a bank is sticking his or her head on the chopping block.

Complaints about bank caution are also coming from an unsurprising source: technology service providers who make money providing RDC software and/or services to banks.

David Peterson, an executive vice president at Goldleaf Technologies, which offers remote deposit services to banks, said "the needle is moving too slowly" in regard to deploying scanners to customers.

"If they're that high a risk, then the risk is there whether they're scanning the checks at their location or walking into your teller line with a manual deposit," Mr. Peterson said. "Either you have a bad check or bad person, but scanning is a zero-risk issue."

Banks, he pointed out, can do due diligence, train the proper person at an office, then see that person leave the company or the scanner be sent to a distant site. This should not matter as long as checks are secured properly and destroyed about a month after the deposit. The technology's fraud detection capability also should override these risks, he said.

Mr. Peterson said many scanners are set up to conceal checks with red ink across their face so they cannot be resubmitted. He added that banks can also establish their own safeguards, such as initially capping the number of checks and the amounts that could be deposited by a new customer until the bank is comfortable with the customer.

Some of Mr. Peterson's observations may be valid, but I wonder if he realizes how little banks like being lectured about their underwriting practices by their vendors. It builds SUCH good will. As for scanning being a "zero-risk issue," neither the banks nor, more importantly, the regulators see it that way. Making bold statements that insult your potential customers and their regulators, on the theory that they're too stupid to see that Goldleaf Technologies needs to make more money, is an unusual marketing approach. I'll have to try that some time, perhaps when I'm ready to retire.

Obviously, there is some risk in remote deposit capture, and such risk is not necessarily analogous to other risks. In other words, Mr. Peterson's implied allegation that what the banks underwrite is solely the likely criminal behavior of the customer is inaccurate. Banks also underwrite the customer's creditworthiness, its understanding of the product and its proper use, the risk of duplicate deposits, and the systems and safeguards the customer has in place to minimize these risks. Also, the claim that "the technology's fraud detection capability should override these risks" has thus far proved unconvincing to the community bank personnel who have the expertise to make that judgment call. Perhaps Mr. Peterson is right and they are wrong. If so, he'll need to do a better job of convincing them than he's done thus far. Again, in effect calling them stupid is not likely to be successful, in my opinion, but that's merely an opinion, not a statement of fact.
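Two of the controls mentioned above, the back-office flag for second deposits that Mr. Meara relies on and the new-customer caps on item count and dollar amount that Mr. Peterson suggests, are simple enough to show in working code. What follows is an added example written for this post; it is not code from the American Banker article, from any bank's back office, or from Goldleaf. The record layout, the customer identifiers, the limits and the sample items are all assumptions made up for the example. It also shows the limit the critics gloss over: a screen run over one bank's own captures cannot see the same check presented at another bank.

```python
# Added example: a pre-payment screen for remotely deposited checks.
# Not from the original post, the article, or any bank/vendor product;
# record layout, limits and sample items are assumptions for this example.
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Item:
    item_id: str        # bank's own identifier for the captured item (assumed)
    customer: str       # depositing customer (assumed customer id)
    routing: str        # paying bank routing number, read from the MICR code line
    account: str        # drawer's account number, from the MICR code line
    serial: str         # check serial number, from the MICR code line
    amount_cents: int
    captured: date


@dataclass(frozen=True)
class Limits:
    max_items_per_day: int
    max_total_cents_per_day: int


_NON_DIGIT = re.compile(r"\D")


def micr_key(item):
    """Normalize the MICR fields so the same physical check scanned twice
    (different batch, different OCR spacing, leading zeros) yields one key.
    The amount is deliberately left out of the key: a re-presented item whose
    amount was altered should still collide on the check identity."""
    routing = _NON_DIGIT.sub("", item.routing)
    account = _NON_DIGIT.sub("", item.account)
    serial = _NON_DIGIT.sub("", item.serial).lstrip("0") or "0"
    return (routing, account, serial)


def screen(items, new_customers, limits):
    """Screen captured items in arrival order, before the bank pays on them.

    Returns a list of (item_id, reason) holds. An item is held when its MICR
    key was already seen (duplicate), or when a new customer's daily item
    count or dollar total would exceed its caps. Only the items passed in are
    visible; a second presentment at another bank is not in this feed.
    """
    seen = {}       # micr_key -> item_id of the first presentment
    per_day = {}    # (customer, date) -> [count, total_cents] of accepted items
    holds = []
    for it in sorted(items, key=lambda i: (i.captured, i.item_id)):
        key = micr_key(it)
        if key in seen:
            holds.append((it.item_id, f"duplicate of {seen[key]}"))
            continue
        seen[key] = it.item_id
        if it.customer in new_customers:
            count, total = per_day.setdefault((it.customer, it.captured), [0, 0])
            if (count + 1 > limits.max_items_per_day
                    or total + it.amount_cents > limits.max_total_cents_per_day):
                holds.append((it.item_id, "new-customer cap exceeded"))
                continue
            per_day[(it.customer, it.captured)] = [count + 1, total + it.amount_cents]
    return holds


# Constructed sample data (not real deposits): "acme" rescans one check with
# different spacing and leading zeros; "newco", a new customer, runs past its caps.
SAMPLE_ITEMS = [
    Item("b1-001", "acme", "021000021", "1234 5678", "0001042", 125_000, date(2008, 5, 19)),
    Item("b1-002", "acme", "021000021", "12345678", "1042", 125_000, date(2008, 5, 19)),
    Item("b2-001", "newco", "011000015", "99887766", "201", 400_000, date(2008, 5, 20)),
    Item("b2-002", "newco", "011000015", "99887766", "202", 700_000, date(2008, 5, 20)),
    Item("b2-003", "newco", "011000015", "99887766", "203", 50_000, date(2008, 5, 20)),
]
# The same check as b1-001, presented later at a different bank by a different depositor.
OTHER_BANK_ITEM = Item("x9-777", "stranger", "021000021", "12345678", "1042", 125_000, date(2008, 5, 21))
NEW_CUSTOMERS = {"newco"}
LIMITS = Limits(max_items_per_day=5, max_total_cents_per_day=1_000_000)


def run_sample():
    return screen(SAMPLE_ITEMS, NEW_CUSTOMERS, LIMITS)


if __name__ == "__main__":
    for item_id, reason in run_sample():
        print(item_id, reason)
```

Run against a single bank's own feed, `screen` catches the rescanned check and the over-cap item but has nothing to say about `OTHER_BANK_ITEM`; only a feed that pools both banks' captures (or a shared registry, which is an assumption, not something the article describes) would collide on the key. That is the difference between "our back office flags second deposits" and "remote deposit minimizes fraud."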

If there's "zero risk" in scanning, and if the RDC technology a vendor sells a bank will override any risks that remain in the process, then the vendor should be willing to warrant its technology to that effect. It should also agree to fully reimburse a bank that uses the technology for all losses (actual and consequential) arising out of a breach of that warranty or the vendor's negligence, without any cap on the amount, and to indemnify and hold the bank harmless from all third-party claims arising out of a breach of that all-encompassing warranty or the vendor's negligence. Hey, the product's "zero risk," so what's the problem?

As the technology continues to improve and, more critically, as banks gain more experience with the product and in the actual occurrence (or paucity) of fraud, banks may very well overcome their initial cautious approach, and regulators may ease their preference for "strict underwriting." However, notwithstanding the critics, it doesn't appear that this product will be adopted with the rapidity that vendors would prefer.

May 26, 2008

LendingTree Sued Over Security Breach

The security breach at LendingTree that allowed former employees to help other mortgage lenders gain access to mortgage application information, which we discussed last month, has given rise to what may become a class action lawsuit against LendingTree.

One month after suing three lending firms, LendingTree has now been sued by a Bronx man who claims a security breach with the mortgage site has harmed his credit score, led to higher credit card interest rates, and resulted in him getting rejected for at least one loan.

The lawsuit against LendingTree, filed late last week in U.S. District Court in Manhattan, seeks class action status. Filed on behalf of Marvin Garcia, it alleges that LendingTree was negligent in failing to keep customer personal information secure and failing to notify customers of the security breach in a timely manner.

The breaches--which involved names and Social Security numbers among other personal information--are believed to have begun in October 2006, but LendingTree did not notify customers until last month.

The plaintiff, taking to heart LendingTree's suggestion that he obtain a copy of his credit report, did so. Unfortunately for LendingTree, he didn't like what he found: "that nearly a dozen lenders had pulled his personal information for review without his permission, which affected his credit score, interest rates, and mortgage loan application, according to the lawsuit, which was filed by lawyers at the firm of Meiselman, Denlea, Packman, Carton & Eberz." Inasmuch as the unauthorized access to the loan applications was motivated by a desire of the perpetrators to steal LendingTree's mortgage customers, it's no surprise that they also ordered credit reports without the applicants' authorization.

LendingTree sued the mortgage lenders involved last month. I'm sure it will try to pass along to those defendants any liability to people like Mr. Garcia, although the odds are good that those mortgage companies won't be loaded with assets to satisfy any judgments. I think it's safe to assume that LendingTree will assert coverage under its fidelity bond, and it may have other insurance covering security breaches of its network (insurance companies have been touting such coverage for a number of years). Nevertheless, Mr. Garcia (and a class of his fellow loan applicants, if one is certified) very well may be able to support claims that LendingTree was negligent in failing to cut off network access to the former employees, so someone may eventually pay the plaintiffs. In the interim, defense counsel will stay gainfully employed.

These rogue employees, every lender's nightmare and the ultimate bad actors in this particular play, however negligent LendingTree might be proved to have been, certainly opened up a can of worms when they opened up access to LendingTree's network. Here's hoping they get smacked right along with the mortgage companies they assisted. We'll be watching Luke Wilson's Mullin's "The Collar" to see if criminal charges are pursued against any of the miscreants.