A Kaspersky blog post reported that, on July 3rd, the First Circuit Court of Appeals ruled that a bank's information security was "commercially unreasonable."
The case against People's United Bank stemmed from six allegedly fraudulent transactions that took place over a week in May 2009 and drained close to $589,000 from Patco Construction Company's accounts. Patco alleged that People's United Bank did an inadequate job of protecting it against fraud.
While the exact cause of the breach is not known, an employee's laptop was apparently infected with the Zeus Trojan. Additionally, some of the bank's policies and processes were flawed. Somehow, the fraud monitoring systems intended to detect high-risk transactions were overridden. Patco eventually recovered $243,406 of the fraudulent transfers.
The court found the bank liable under Article 4A of the Uniform Commercial Code. This is the first case I have seen where a bank's information security was deemed "commercially unreasonable." It certainly should serve as a wake-up call to financial institutions - as well as to other businesses that may be found liable for fraud caused by hackers or for other forms of data breach.
Hat tip to our friend Alan Goldberg.
E-mail: email@example.com Phone: 703-359-0700