During a one-week span in 2009, a community bank in Maine authorized a series of apparently fraudulent electronic withdrawals from an account held by Patco Construction. Though the bank’s online security system had flagged the transactions as “high-risk”—they were inconsistent with the timing, location, and value of Patco’s usual withdrawals—the perpetrators were able to thwart the bank’s system by providing correct answers to Patco’s security questions.
Patco sued the bank, alleging, among other claims, that the bank's online security system was not "commercially reasonable" under Article 4A of the Uniform Commercial Code, which governs the rights, duties, and liabilities of banks and their commercial customers with respect to electronic funds transfers. A federal district court in Maine granted summary judgment to the bank on the Article 4A count, finding that the bank's system was, in fact, "commercially reasonable."
In 2012, however, the First Circuit Court of Appeals reversed. It held that the bank's security procedures were not commercially reasonable, for two reasons. First, the bank required its customers to answer their security questions for essentially every electronic transaction; asking for the same secrets so often actually increased its customers' exposure, because malicious software that logs keystrokes captures the answers and lets an unauthorized user replay them later. Second, having flagged the transactions as high-risk, the bank neither monitored them nor notified the customer, so the risk scoring that correctly identified the fraud made no practical difference to the outcome.
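The two failures the First Circuit identified are easiest to see side by side in code. The following is an added illustration written for this page, not material from the case record or from any bank's system; the scoring weights, the flag threshold of 60, the network ranges, the dates and the sample transfers are all assumptions constructed for the example.

```python
"""Risk-based release of electronic funds transfers (added example, not from the case).

Contrasts the faulted design (knowledge challenge on every transfer, flag ignored)
with a design that holds flagged transfers for out-of-band confirmation.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transfer:
    amount: float
    when: datetime
    client_ip: str


@dataclass(frozen=True)
class Baseline:
    """A customer's normal pattern (constructed for the example)."""
    typical_amount: float
    business_hours: range            # local hours in which transfers normally occur
    known_networks: Tuple[str, ...]  # CIDRs the customer normally banks from
    weekdays_only: bool = True


HIGH_RISK = 60  # score at or above which a transfer is flagged (assumed threshold)


def risk_score(t: Transfer, b: Baseline) -> int:
    """Score how far a transfer departs from the baseline on value, timing and origin."""
    score = 0
    if t.amount > 5 * b.typical_amount:
        score += 40
    elif t.amount > 2 * b.typical_amount:
        score += 20
    off_hours = t.when.hour not in b.business_hours
    weekend = b.weekdays_only and t.when.weekday() >= 5
    if off_hours or weekend:
        score += 30
    if not any(ip_address(t.client_ip) in ip_network(n) for n in b.known_networks):
        score += 30
    return score


def challenge_every_transfer(t: Transfer, b: Baseline, answer_correct: bool) -> Dict[str, object]:
    """The design the court faulted: a knowledge challenge on every transfer, and a
    correct answer releases the transfer even when the risk engine flagged it."""
    return {
        "score": risk_score(t, b),   # computed, but never consulted
        "released": answer_correct,
        "secret_typed": True,        # the answers go through the keyboard every time
        "customer_notified": False,
    }


def risk_based_release(t: Transfer, b: Baseline, out_of_band_confirmed: bool) -> Dict[str, object]:
    """Release low-risk transfers; hold flagged ones until confirmed over a channel the
    customer's PC does not control, and notify the customer whenever a flag is raised."""
    score = risk_score(t, b)
    if score < HIGH_RISK:
        return {"score": score, "released": True, "held": False,
                "secret_typed": False, "customer_notified": False}
    return {"score": score, "released": out_of_band_confirmed,
            "held": not out_of_band_confirmed, "secret_typed": False,
            "customer_notified": True}


def secrets_typed(transfers: List[Transfer], challenge_above: float) -> int:
    """How many times the customer types challenge answers under an amount-threshold policy.
    A threshold of 1.0 means every transfer, which maximises what a keylogger harvests."""
    return sum(1 for t in transfers if t.amount >= challenge_above)


# Constructed sample data: a contractor that wires around $12k on weekday mornings
# from its office network; the last transfer is the anomalous one.
BASELINE = Baseline(typical_amount=12_000.0, business_hours=range(8, 18),
                    known_networks=("203.0.113.0/24",))
NORMAL = Transfer(12_500.0, datetime(2009, 5, 5, 10, 30), "203.0.113.7")
FRAUD = Transfer(90_000.0, datetime(2009, 5, 7, 3, 15), "198.51.100.23")
WEEK = [NORMAL, Transfer(8_000.0, datetime(2009, 5, 6, 9, 0), "203.0.113.7"), FRAUD]

if __name__ == "__main__":
    print(challenge_every_transfer(FRAUD, BASELINE, answer_correct=True))
    print(risk_based_release(FRAUD, BASELINE, out_of_band_confirmed=False))
    print(secrets_typed(WEEK, challenge_above=1.0), secrets_typed(WEEK, challenge_above=50_000.0))
```

Under the first policy the flagged transfer is released because a correct answer is the only check that matters, and that answer was typed, and therefore loggable, on every earlier transfer. Under the second, a flag suspends the transfer and the customer is told, and confirmation travels over a channel the infected PC does not control. The two counts from `secrets_typed` show why asking the questions on every transfer makes matters worse rather than better.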
While Patco focused on the cybersecurity obligations of banks, the SEC, partly in response to a string of high-profile online security breaches, recently issued guidance on how publicly traded companies should disclose their cybersecurity risks. That guidance is widely seen as a likely precursor to SEC regulation or federal legislation that would tighten companies' duties to protect their own electronic data and that of their customers. Any such duty brings increased litigation exposure for companies that suffer a breach or fail to take adequate measures to secure their electronic data.
- Cybersecurity breaches cut two ways. A breach exposes a company's electronic data to illicit use by criminals, and it may also expose the company to heightened litigation risk if it failed to properly monitor and protect its online assets.
- Having a security system does not, by itself, protect your company from litigation. No online security system is hacker-proof, and even robust measures can be found inadequate if they are not monitored and operated in a way that actually safeguards electronic data. In Patco, the bank's system flagged the fraudulent transfers; what was missing was anyone acting on the flag.
- To understand a company’s cybersecurity risks, you must understand its vulnerabilities. The lessons from Patco and the SEC’s cybersecurity guidelines are that companies must ascertain and address their online security vulnerabilities in order to understand their risks. By doing so, companies can ensure that they are best-positioned to limit litigation risk if—or when—a cybersecurity breach occurs.
And Remember . . .
With electronic purchases and other electronic funds transfers increasingly moving to mobile devices, cybersecurity is an issue that will only grow in prominence. Companies need to be proactive not only in meeting their customers where they are, but also in securing their electronic data once they get there.
Case: Patco Constr. Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012)
The articles on our Website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice.