Consider it a warning to businesses out there that are slacking off on security: A federal appeals court may find you at fault if you aren’t doing enough to protect your customers on your network.
In this particular situation, it involved my old pal Zeus and a bank in Maine. A lower court found that Ocean Bank was not at fault for its customer, Patco Construction Co., being the victim of cyber theft. The appeals court didn't agree, stating the bank's security was "commercially unreasonable." Basically, according to InformationWeek, the bank ignored a Zeus-driven account takeover even though its own risk-scoring system had flagged several of the transactions as high risk and possibly fraudulent. In the end, the construction company was in the hole for over $300,000 due to the attack.
Now, the appeals ruling did add that further hearings need to be held to determine whether or not Patco could have done anything to better protect itself during these transactions. I’m not a law expert, so I have no idea where this case will go or what the legal fallout will or will not be. Brian Krebs spoke to a bank fraud expert who thinks this ruling could lead the way for other SMBs to fight back against poor bank security and monetary losses suffered from lax security practices.
This ruling shows that security is complicated and everybody has to be responsible for what they can control. Banks and financial institutions need to act when a transaction is flagged. In this particular case, the bank's own system identified the transactions as high risk, and nobody acted on that signal. SMBs, like consumers, need to be smart about security on their end and pay attention. This ruling, after all, didn't put the onus of responsibility entirely on the bank. As the Kaspersky Lab ThreatPost blog stated:
The question of who is liable for financial damages resulting from hacks or account takeovers is hotly debated. While consumers enjoy legal immunity from responsibility for losses due to fraud, businesses don't enjoy the same protections. In June, the New York Times published a cautionary article that warned owners of small businesses that they may not be covered if hackers compromise and wipe out an account. This ruling could buck that trend, but this depends largely on future proceedings.