Last month the U.S. Court of Appeals for the 1st Circuit reversed the summary judgment granted to Ocean Bank against Patco Construction. Previously, under Article 4A of the Uniform Commercial Code, the working standard for "commercially reasonable" security had been literal compliance with the FFIEC Authentication Guidance, under which certain security measures had to at least be made available to the customer. Now a bank must go above and beyond that baseline, though just how far above remains unclear.
Patco, a development and contracting company in Maine, lost over $300,000 in 2009 when hackers exploited weaknesses in Ocean's eBanking system to carry out fraudulent withdrawals. Patco alleged that if the bank's security procedures had been "commercially reasonable", the illegal withdrawals would have been stopped, and that since the security system did not stop them, the bank should be on the hook for Patco's unrecovered funds.
Ocean disagreed, claiming that it not only had "commercially reasonable" security measures in place to combat criminal hackers but had also offered Patco additional security options to further repel them, which Patco declined. Patco, for its part, denied ever being notified about the upgrades.
In the end, Patco prevailed. Ocean's security personnel, in an attempt to be thorough, unwittingly spread the bank's verification process too thin: a one-dollar transfer triggered the same challenge-question authentication as a transfer of thousands of dollars, so the same answers were exposed on every transaction and were easy for malware on a customer's machine to capture. The court held that this was not commercially reasonable, reversed the summary judgment against Patco, and raised the bar for banking security everywhere.