Construction company, bank, settle dispute over $345,000 cyber heist

A Maine construction company that sued its bank after losing $345,000 in an online banking heist has settled its dispute after a protracted legal battle that raised questions about the bank's responsibility in protecting customer accounts against cyber fraud.

The settlement between Patco Construction and People's United Bank (formerly Ocean Bank) comes about four months after the U.S. Court of Appeals for the First Circuit faulted the bank's security measures at the time of the theft and advised the two sides to work out a compromise.

Bankinfosecurity.com, which was the first to report the settlement, quoted Patco's co-owner Mark Patterson as saying that the bank has agreed to reimburse the company's losses from the theft. No other details of the settlement were released.

Court records show that the two sides agreed to dismiss the case on Nov. 19. Neither Patterson nor People's United responded to requests for comment on the settlement.

Patco, a family-owned construction company in Sanford, Maine, sued Ocean Bank in 2009 after online crooks believed to be operating in Europe siphoned close to $590,000 in a series of unauthorized Automated Clearing House (ACH) transfers.

About $243,000 was later recovered after the fraud was detected. Patco sued Ocean Bank for the remaining money claiming that the theft was the result of the bank's failure to implement reasonable security measures as defined under the Uniform Commercial Code (UCC).

The lawsuit charged Ocean Bank with negligence and breach of contract for failing to detect and stop the unauthorized ACH transfers even though they were clearly fraudulent. Patco claimed in its lawsuit that the bank should have noticed that the fraudulent transfers were for much higher amounts than the company's usual transactions and were being sent to an unfamiliar overseas bank account.

Patco also faulted Ocean Bank for not implementing stronger authentication mechanisms, such as token-based authentication and out-of-band verification, which many banks were using at the time.

Ocean Bank, for its part, blamed Patco for the loss. The bank said the thieves were able to steal the money only because Patco had allowed them to gain access to the username and password the company used to log in to its commercial banking account.

Ocean Bank insisted that it had processed the ACH requests in good faith after it had verified that the proper IDs, passwords and answers to challenge response questions were being used to conduct the transactions.

In a ruling in May 2011, a Maine Magistrate sided with Ocean Bank and recommended that the U.S. District Court in Maine grant the bank's motions for a summary dismissal of Patco's complaints.

The judge disagreed with Patco's claims about the bank's responsibility for the theft and held that it was Patco's failure to adequately protect its login credentials that had allowed the thieves to steal the money.

However, the judge conceded that Ocean Bank could have done a better job detecting the fraud. He also ruled that the bank had provided clear notice to Patco of its online authentication measures and security controls as well as the extent to which it could be held liable for any mishaps.

On appeal, the First Circuit Court of Appeals in Boston earlier this year overturned that ruling and held that the theft resulted because of Ocean Bank's poor security measures. A three-judge panel at the appellate court ruled that the bank failed to implement commercially reasonable measures to properly authenticate users during ACH transactions. The court also faulted the bank for failing to monitor for suspicious transactions or for altering customers about such transactions.

At the same time, the court held that more hearings were needed to determine how much responsibility Patco should bear for failing to protect its login credentials and urged the two sides to work out a compromise.

The case is important because it was one of the first to raise questions about a bank's responsibility to protect customers against fraudulent ACH transfers. Over the past few years hundreds of small businesses, school districts and municipalities have been victims of the same kind of theft that hit Patco. Both the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have repeatedly warned small businesses about the problem and noted that hundreds of millions of dollars have been siphoned out of the country in the past few years in this way.

The settlement still leaves unanswered the question of who should be responsibility for such breaches, said Avivah Litan, an analyst at Gartner. It does not throw light on how much protection companies have under the UCC in such circumstances, she said.

"I think the settlement proves that it's worth the banks' while to prevent these breaches and account takeovers in the first place," Litan said via email.

"No one really wins in a lawsuit involving account takeover. The banks are better equipped to prevent account takeover than their customers are, although certainly customers should institute whatever security measures they have access to," she added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about financial it in Computerworld's Financial IT Topic Center.