Recently, we have witnessed numerous examples of corporate web sites being hacked. Sony, Sega, Honda, Citibank, and Epsilon are all recent examples. When these sites are hacked, the victims are often individual customers whose personal information is accessed. But when a bank account is hacked, the object is often money. When such an account is hacked, such as by an unauthorized wire transfer or withdrawal, who bears the risk of loss, the bank or the customer whose account is raided?
Eric Goldman’s blog has a post that summarizes two recent US cases which deal with this issue under US law. The first case is Experi-Metal v. Comerica Bank, 09-14890 (E.D. Mich. Jun. 13, 2011). The plaintiff was a victim of a phishing attack which resulted in unauthorized wire transfers from its accounts of more than $1.9 million. The bank was found liable for the unrecovered portion because, according to the court, it should have detected and/or stopped the fraudulent wire activity earlier.
The second case is Patco Construction Co. v. People’s United Bank, d/b/a Ocean Bank, 09-cv-005003 (D. Me. May 27, 2011). Here an unknown third party made a series of unauthorized withdrawals of more than $500,000 over several days using Patco’s user credentials and passwords. The magistrate judge ruled that the bank’s security processes were commercially reasonable, even though not perfect. As a result, the loss was allocated to the bank’s customer.
If the attacks on network-connected systems keep occurring, which appears very likely given the escalating problem with cyber-crime, we can expect many more cases like Experi-Metal and Patco to address who bears the risk of loss in these situations.