Until recently, small businesses that were the victims of cyberattacks by thieves did not have recourse against their banks. That situation is finally changing. Two recent court rulings gave small business owners grounds for suing banks that do not protect their security. Both rulings found the banks liable for funds stolen by hackers from business account holders. This is a welcome change in light of the growing tendency of cyberhackers to target small businesses.
Generally, banks are responsible for losses when personal bank accounts are hacked, but state law generally places the burden on holders of commercial accounts to prove that banks did not do enough to protect their funds. The reasoning behind this distinction is that businesses should be more sophisticated than individuals and put in place their own online security to prevent such attacks.
The First Circuit Court of Appeals ruled in July that Ocean Bank did not have in place reasonable safeguards to protect against cyberattackers who stole over $500,000 from an account held by a Maine contractor and builder named Patco. Patco’s owner believes that hackers gained access to his business’s accounts by recording employee computer keystrokes. This allowed the hackers to answer correctly the security questions posed by Ocean Bank’s security system.
Patco’s owner argued that placing the burden on his small business for protecting its business accounts was unreasonable and onerous, noting that the business does not have, and can ill afford, an IT professional to handle these matters. Also, he is not savvy enough in the banking field to know what cyberthreats exist.
In the second court ruling, a federal district judge in Detroit ruled in 2011 that CMA bank, which is owned by Comerica, was liable for over $500,000 in money stolen from accounts held by a Michigan custom metal shop named Experi-Metal, Inc. Experi-Metal had been the victim of a phishing scheme that tricked an employee into providing account access information.
According to security firm Symantec Corp., cyberattacks rose to a whopping average of 151 per day during May and June of 2012. The proportion of those attacks aimed at small businesses rose to more than 30%, compared with almost half that, i.e. 18%, at the end of December 2011. Symantec defined small businesses as those with 250 employees or fewer.
There are very few small companies that bother suing their banks when their accounts are raided by cyberhackers. Many believe that if news got out that the security of their accounts has been breached, their businesses could suffer even more. Instead, these businesses are happy to settle with their banks for mere pennies or write down the loss altogether. Also, businesses are leery of litigation because of the prohibitive costs involved.
Banks have traditionally relied on their contracts with business account holders which state that if banks take “commercially reasonable” steps to protect against cyberattacks and process transactions in good faith, they are not liable for any funds that are stolen by hackers. After these two recent federal rulings, banks will not feel as secure in relying upon these contract terms.
Many cheered the recent rulings, noting that they recognize how businesses really work. One expert noted that small businesses are not equipped to protect their accounts against hackers, and they need banks to step in since banks have more insight and knowledge that will help them recognize fraud patterns. Small businesses are simply not sophisticated enough to recognize the cyberthreats that are out there, many of which come from complex domestic and foreign mob networks.
The judge in the First Circuit opinion faulted Ocean Bank’s “one-size-fits-all” approach to customer security, which was insufficient to protect Patco. Ocean Bank approved the payments to the cyberhackers over the course of a five-day period. After Ocean discovered the cyberattack, it was able to recover a little less than half the pay-outs. Patco sued Ocean to recover the rest of its missing funds.
What is startling is that approximately 1,500 other banks implemented security software similar to Ocean’s at that time. Such lax security opens legions of small business owners to similar cyberattacks.
One attorney who traditionally represents banks argued that the First Circuit opinion would scare banks away from doing business with small enterprises, because the banks would see them as a high risk and just not worth it. Consequently, the banks will either forgo luring in these businesses or pass the increased security costs on to the small business customers. Only time will tell how this scenario actually plays out.