WHEN BUSINESS BANK ACCOUNTS ARE HACKED: TRY MEDIATION INSTEAD OF GOING TO COURT

Friday, June 14th, 2013

The threat to business bank accounts from cyber theft is real and growing.  It is shockingly easy for cyber criminals to obtain a company’s online banking credentials and use them to drain the company’s bank accounts.  Many banks and companies do not fully understand this threat (also called “corporate account takeover”) and are unprepared.  When hit with financial losses, companies may sue their banks.  Courts are beginning to question bank security procedures, creating an impetus for these cases to settle.  Taking these cases to trial is very time-consuming and expensive; companies that get their money back sometimes spend more in attorney fees and court costs than they lost.  Mediation using a subject matter expert is a much better alternative because it is faster, cheaper, confidential, and flexible.

The Cyber Threat To Business Bank Accounts Is Real And Growing

We are learning more about the cyber threat to businesses because more companies are willing to talk about what happened to them.  The New York Times states that some victims of online hacking are breaking the silence that usually surrounds a cybersecurity incident; hackers have hit thousands of American corporations in the last few years, including Twitter, Google, Facebook, Intel, Adobe Systems, and Apple, but few companies ever publicly admit it.[2]  A security consultant said, “I divide up the entire set of Fortune 2000 firms into two categories:  those that know they’ve been compromised and those that don’t yet know.”[3]  The Washington Post reports that more companies are disclosing cybersecurity incidents in reports required by the Securities and Exchange Commission.  At least 19 financial firms have been recent targets, including Bank of America, Citi, Wells Fargo, and JPMorgan Chase.[4]  Security experts say the real scale of companies affected by cybersecurity incidents is much larger.[5]  A review of recent media reports shows the extent of the cyber threat specifically to business bank accounts:[6]

  • The New York Times reports that, according to computer security specialists, corporate account takeovers have become “increasingly common and small businesses are especially easy prey because many lack firewalls and monitoring systems.”[7]  Statistics on the extent of the thefts have not been compiled by regulators, but experts estimate that more than 10 percent of small businesses have had funds stolen from their bank accounts—losses totaling more than $2 billion.[8]
  • According to the Wall Street Journal, bank robberies are on the decline as criminals see greater rewards in online theft.[9]
  • The Krebs on Security website writes about how a “distributed denial of service,” or flooding cyber attack, on a bank provided cover for the cyber theft of $900,000. A 2012 Christmas Eve attack against the website of a regional California financial institution helped to distract bank officials from an online corporate account takeover against one of its clients.[10] The website also reports that cyber thieves are targeting small businesses.[11] A $170,000 cyber heist in December 2012 against an Illinois nursing home, for example, starkly illustrates how cyber criminals can hack a business’ computers to exploit security weaknesses at small and regional banks and credit unions. Cyber attacks on small businesses are increasing: late 2012 data suggest that cyber attacks aimed at small businesses doubled over the previous six months.[12]
  • A leading cybersecurity firm finds a threatened cyber attack on banks “credible” and that at least 500 accounts are vulnerable after early attacks planted software that could help thieves steal money.[13]
  • An independent blogger writes that the threat of cyber theft from our nation’s banks is growing and that we are all suffering from the mistaken idea that our money is safe after we put it in a bank.[14]

A former senior cyber official at the FBI said of the effort to prevent cyber theft from businesses:  “We are not winning.”[15]   He said too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks.[16]   He stated, “I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model.  Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.”[17]   A senior cybersecurity fellow at a leading institution was blunter:  he said we have lost the opening battle with hackers and he did not believe there was a single secure, unclassified computer network in the United States.[18]

How Cyber Thieves Operate

Cyber thieves are clever and persistent. There are many techniques they use to obtain critical company information in order to access the company’s bank accounts. Most involve tricking a company user into doing something that results in harmful computer code, called “malware,” being downloaded onto a company computer. Once the company computer is infected, the cyber thieves can control that computer and gain access to information stored on it. They also may be able to find their way into other computers on the company network.

Often, the cyber thieves will dupe a user at the company into visiting a legitimate—but compromised—website. Once the user links the company computer to the website, malware can be downloaded. Other times, the company user will be encouraged to accept a fake friend request on a social network site. Once the request is accepted, malware is downloaded.

A popular infection vector is to get a company user to click on an attachment to an email. Opening the attachment permits malware to be downloaded. Cyber thieves are often very good; they may pose as the sender of an email that looks legitimate. The fake email may appear to come from a trusted source such as a delivery service (e.g., “click here to learn about a problem with the delivery of your shipment”), a financial institution (“click here for information about a problem with your account”), or a court (“you have been served with a subpoena, click here for information”). In certain cases, cyber thieves may study a company in detail in order to be able to send an email to a targeted individual or set of individuals in a manner that is so convincing the individual will open it and click on the attachment. The thieves may steal email addresses from the company’s website or from other victims and design a “phishing” email to make it look like it comes from a trusted company source. Who would not open an email and click on its link if it looks like it comes from the CEO and says, “click here for important news?”

Banks and Business Customers Are Not Fully Prepared

The cyber threat to business bank accounts is not well understood and, as a result, banks and companies are not well positioned to handle it. A recent survey of corporate general counsels found that companies are ill-prepared to deal with cyber breaches.[19] A computer security consultant calls companies “woefully unprepared.”[20] Many have the “misconception that firewalls and anti-viral programs protect everything, and that’s a myth.”[21] Banks are improving security, but challenges remain, particularly for banks that rely on vendors to keep them up to date with changes in technology and threat vectors.[22] Increasingly, what have been thought of as adequate security procedures, such as patching known vulnerabilities, are giving way to calls for behavior-based tools that can sound an alarm if account activity deviates from a known baseline.[23] A recent survey found that, while banks and credit unions are making strides toward enhanced fraud detection and prevention, many financial institutions do not fully understand Federal regulatory security guidance and most do not believe that conformance will curb online fraud.[24]

Bank Liability Under the Law

While bank depositors acting as individuals are protected from cyber theft losses by Federal regulations, commercial depositors may be at risk. Corporate accounts are covered under the Uniform Commercial Code, adopted in all states, which holds the business liable for the loss if–generally speaking–the bank’s security procedures are found to be commercially reasonable.[25]

Business Victims Are Suing Their Banks And Winning

A First Circuit case may portend closer judicial scrutiny of bank security procedures, increasing the likelihood that business cyber theft victims will sue and that banks may be liable. In Patco Constr. Co. v. People’s United Bank, No. 2:09-cv-503, 2011 WL 3420588 (D. Me. 2011), rev’d in part and aff’d in part, 684 F.3d 197 (1st Cir. 2012), the construction company Patco was hacked. The hackers used malware to obtain the log-on information that Patco used to access its bank account. The hackers used the stolen authentication information to break into Patco’s account at the bank and steal over $345,000. Patco sued, alleging that the bank should bear the loss because its computer security practices were not commercially reasonable under the Uniform Commercial Code. The bank defended, arguing that its practices were commercially reasonable.

The District Court agreed with the bank but, on appeal, the First Circuit found that the bank’s practices were not commercially reasonable for a number of reasons. By lowering the dollar threshold used to trigger security questions, the bank substantially increased the risk of theft where the answers could be captured by keylogger malware.[26] The bank did not actively monitor transactions on Patco’s account or provide notice that anomalies existed before allowing the transactions to be completed. The First Circuit denied the bank’s motion for summary judgment and, in dicta, suggested that the parties settle. They did so several months later.
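The behavior-based monitoring the paper describes (an alarm when account activity deviates from a known baseline, and notice of anomalies before a transfer completes) can be sketched concretely. This is an added example, not the paper’s or any bank’s code: it builds a baseline from an account’s past wires and holds any pending transfer that deviates from it; the payees, amounts, dates and thresholds are constructed for illustration.

```python
# Added example (not from the paper): baseline-driven anomaly flags for outbound wires.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    when: datetime
    payee: str
    amount: float


def build_baseline(history):
    """Summarize what 'normal' outbound activity looks like for one account."""
    amounts = [t.amount for t in history]
    daily = defaultdict(float)
    for t in history:
        daily[t.when.date()] += t.amount
    return {
        "payees": {t.payee for t in history},      # beneficiaries seen before
        "hours": {t.when.hour for t in history},   # hours the firm actually sends
        "amount_ceiling": mean(amounts) + 3 * pstdev(amounts),
        "daily_ceiling": max(daily.values()),      # largest single-day outflow seen
    }


def score_transfer(t, baseline, day_total_so_far):
    """Reasons this transfer deviates from the baseline; an empty list means none."""
    reasons = []
    if t.payee not in baseline["payees"]:
        reasons.append("new payee")
    if t.amount > baseline["amount_ceiling"]:
        reasons.append("amount above baseline")
    if t.when.hour not in baseline["hours"]:
        reasons.append("unusual hour")
    if day_total_so_far + t.amount > baseline["daily_ceiling"]:
        reasons.append("daily total above baseline")
    return reasons


def review_batch(history, batch):
    """Return (transfer, 'hold' | 'release', reasons) for pending transfers, oldest first."""
    baseline = build_baseline(history)
    running = defaultdict(float)   # cumulative outflow per day within this batch
    decisions = []
    for t in sorted(batch, key=lambda x: x.when):
        reasons = score_transfer(t, baseline, running[t.when.date()])
        running[t.when.date()] += t.amount
        # A hold should be confirmed out of band (call to a number on file), not by a
        # challenge question typed on the same, possibly keylogged, PC (the Patco lesson).
        decisions.append((t, "hold" if reasons else "release", reasons))
    return decisions


# Constructed history: a small firm paying the same few vendors during business hours.
HISTORY = [
    Transfer(datetime(2013, 1, 7, 9), "Acme Supply", 4200),
    Transfer(datetime(2013, 1, 14, 10), "Payroll Co", 5100),
    Transfer(datetime(2013, 1, 21, 11), "Landlord LLC", 4800),
    Transfer(datetime(2013, 1, 28, 14), "Payroll Co", 6000),
    Transfer(datetime(2013, 2, 4, 15), "Acme Supply", 5500),
    Transfer(datetime(2013, 2, 11, 16), "Payroll Co", 6100),
]
# Constructed pending batch: one routine payment, then two 3 a.m. wires to unknown payees.
BATCH = [
    Transfer(datetime(2013, 6, 3, 10), "Acme Supply", 5200),
    Transfer(datetime(2013, 6, 4, 3, 0), "J. Doe", 9800),
    Transfer(datetime(2013, 6, 4, 3, 15), "K. Roe", 4000),
]
```

Running `review_batch(HISTORY, BATCH)` releases the routine payment and holds both night-time wires, each with the list of baseline deviations that a bank could cite when notifying the customer.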

Other courts have found against the bank. In Experi-Metal, Inc. v. Comerica Bank, 2011 WL 2433383 (E.D. Mich.), the company sued its bank to recover $560,000 stolen in January 2009 when a company employee responded to a cyber attack and revealed the company’s bank account information to cyber thieves. The court found the bank liable because the bank failed to meet its burden, under Michigan’s adopted version of the Uniform Commercial Code, of showing that it followed commercial standards of fair dealing with its customer. The key factor in the court’s decision was that the bank lacked fraud detection mechanisms and procedures. The court found that a bank dealing fairly with its customer would have detected and stopped the fraudulent wire transactions earlier.

It is Advantageous to Settle Business Cyber Theft Cases

Settling a business cyber theft case may result in a larger recovery than a court would provide. Village View Escrow settled in June 2012 with the Professional Business Bank and recovered the full amount of the money lost, plus interest and attorney fees. This is reported to be more than is provided for in the Uniform Commercial Code and the corresponding California Commercial Code, which limits recovery to the actual amount of the money lost, plus interest. In that case, cyber thieves caused a $393,000 loss in March 2010 by sending fraudulent wire transfers from Village View’s bank accounts. According to a business litigator that obtained the settlement, “Banks typically deny liability for the cyber-theft which forces small businesses to spend money they do not have on legal fees and regulatory expenses in order to recover a limited and defined set of damages under the Uniform Commercial Code.”[27]

Even if You Win in Court, You May Not be Happy

Taking business cyber theft cases to trial can be unsatisfying. Consider the Patco owner. Even though he won, he is very frustrated with the litigation process. In an interview, he said he is not happy that it took three years for the case to work through the courts.[28] “It’s been a very trying event and taken a lot of energy to get through.”[29] The relationship between the bank and its customer was “tossed out,” he said.[30] Moreover, the effort was very expensive. The owner said it cost him “hundreds and hundreds of thousands of dollars” in litigation costs to recoup his cyber losses, plus interest.[31] He concluded, “Nobody wins when they go to court,” and his attorney said it would have been a lot better to settle early on.[32]

On the other side, bankers have similar feelings. The president of a county bank that settled a 2009 takeover of one of its customers’ corporate accounts reported that, between the legal fees and reimbursing the customer through a settlement, the cost of the incident was about as much as was lost.[33] Going to court would have been far costlier. The banker said his attorney estimated that the cost of proceeding to trial would have been far in excess of the actual loss.[34]

Mediation Is Better

Settling business cyber theft cases using a mediator who has subject matter expertise is a better alternative to going to trial because it is faster, cheaper, confidential, and flexible.

  • Unlike a court case that can take many years to move through the system, mediation could resolve a case in a matter of weeks or months, depending upon the degree of fact-finding and number of expert witness reports the parties desire.
  • The cost of mediation, which is usually shared equally by all parties, is much less than the cost of proceeding to trial. The earlier the mediator is brought in, the more the parties will save. This is an important issue to litigation counsel, who are continually advising their clients about whether it is in their best interest to settle and, if so, at what point.
  • Litigation is not confidential. Court opinions expose the bank’s security lapses for the entire world to see. (Moreover, besides the bad publicity caused by advertising a bank’s poor security, hackers benefit by knowing what worked and what did not.) Confidentiality is important to companies that have suffered cyber intrusions. They are turning to law firms in order to obtain the protection of the attorney-client privilege. When Nationwide Mutual Insurance discovered in October 2012 that a hacker had breached its systems and stolen personal details of roughly one million people, for example, it put the internal probe in the hands of a law firm, rather than a forensic computer specialist.[35] Mediators can afford the same level of confidentiality by mutual agreement or by statute in states like Maryland with strong mediator confidentiality laws.
  • Mediation affords the parties the chance to craft a solution that meets their needs, rather than having a solution imposed on them by a third party like a judge. Court cases strain the relationship between the bank and its customer, which benefits neither. In addition, a skilled mediator with extensive subject matter expertise may be able to help the parties find creative solutions and common ground they were not able to reach themselves.

This paper was prepared by John N. Greer, owner of Patuxent Mediation Services (patuxentmediation.com), in association with Amicus Mediation & Arbitration Group (amicusadr.com).  Patuxent Mediation Services is a business dispute resolution practice specializing in corporate cyber theft and workplace conflicts.  John has held a number of senior positions in the Office of General Counsel of the National Security Agency, including Associate General Counsel (Information Security/Cybersecurity) and then Senior Counsel.  Amicus is a national provider of mediation and arbitration services.  Amicus designs and manages internal ADR programs for companies seeking to reduce their litigation exposure and costs.

This paper is copyrighted and may not be reproduced or distributed in any form without the advance written permission of the author.

[2] Perlroth, Nicole, “Some Victims of Online Hacking Edge Into the Light,” New York Times, 20 February 2013.

[3] Id.

[4] Nakashima, Ellen, and Douglas, Danielle, “More Companies Reporting Cybersecurity Incidents,” Washington Post, 1 March 2013.

[5] Id.

[6] Alarms have been raised in other quarters as well.  Congress held a hearing in June 2012 on cyber threats to capital markets and corporate accounts, finding a serious threat. (http://financialservices.house.gov/calendar/eventsingle.aspx?EventID=296813)

On the Executive Branch side, the FBI, the Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center issued a fraud alert in September 2012 on cyber criminals targeting financial institution credentials to conduct wire transfer fraud (http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf, 17 September 2012).  Earlier, these organizations along with the U.S. Secret Service issued a Fraud Advisory for businesses on corporate account takeover, concluding that cyber criminals are targeting the financial accounts of owners and employees of small and medium-sized businesses and that the effort has resulted in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts (http://www.ic3.gov/media/2010/corporateaccounttakeover.pdf, 26 October 2010).  Numerous business organizations have described the threat and outlined preventive measures.  Warnings have come from the American Bankers Association (“The Small Business Guide to Corporate Account Takeover,” http://www.aba.com/solutions/fraud/pages/corporateaccounttakeoversmallbusiness.aspx), the U.S. Chamber of Commerce (www.uschamber.com/issues/technology/internet-security-essentials-business), and the National Automated Clearing House Association (“Corporate Account Takeover Resource Center,” https://www.nacha.org/CorporateAccountTakeoverResourceCenter).  See also http://www.businessidtheft.org/.

[7] Ryckman, Pamela, “Owners May Not Be Covered When Hackers Wipe Out a Business Account,” New York Times, 13 June 2012.

[8] Id.

[9] Nicas, Jack, “Crime That No Longer Pays,” Wall Street Journal, 5 February 2013.

[10] “DDOS Attack on Bank Hid $900,000 Cyberheist,” http://krebsonsecurity.com/category/smallbizvictims, 19 February 2013.

[11] “Big Bank Mules Target Small Bank Businesses,” http://krebsonsecurity.com/category/smallbizvictims, 13 January 2013.

[12] “Uptick in Cyber Attacks on Small Businesses,” http://krebsonsecurity.com/category/smallbizvictims, 12 August 2012.

[13] Engleman, Eric, and Robertson, Jordan, “Threatened Cyber Attack on Banks ‘Credible,’ McAfee Says,” http://www.bloomberg.com/news/2012-12-13/threatened-cyber-attack-on-banks-credible-mcafee-says.html, 13 December 2012.

[14] Huston, Warner Todd, “Cyber-Theft from our Nation’s Banks a Growing Threat,” http://wizbangblog.com/2012/11/12/cyber-theft-from-our-nations-banks-a-growing-threat/, 12 November 2012.

[15] Barrett, Devlin, “U.S. Outgunned in Hacker War,” Wall Street Journal, 28 March 2012.

[16] Id.

[17] Id.

[18] Id.

[19] Neil, Martha, “In-house counsel ‘woefully unprepared’ to deal with cybersecurity issues,” http://www.abajournal.com/news/article/in-house_counsel_woefully_unprepared_to_deal_with_cybersecurity_issues/, 13 February 2013.

[20] Id.

[21] Id.

[22] Kitten, Tracy, “ACH Fraud Solutions:  A Bank’s Story; How Regulatory Guidance Could Assist Banks,” www.bankinfosecurity.com/ach-fraud-solutions-banks-story-a-3358/op-1, 17 February 2011.  (Interview with the president of a $100 million community bank that experienced an incident of corporate account takeover in 2009.)

[23] Fowler, Geoffrey, “What RSA Learned From its Security Breaches,” Wall Street Journal, 26 February 2013.

[24] Kitten, Tracy, “FFIEC Authentication Confuses Banks, CUs; Survey Report Shows Institutions Struggle With Conformance,” http://www.bankinfosecurity.com/blogs/ffiec-authentication-confuses-banks-cus-p-1301, 22 June 2012.

[25] For an in-depth analysis of liability issues for cyber fraud under the Uniform Commercial Code, see Scanio, Salvatore, and Ludwig, Robert, “Surging, Swift and Liable?  Cybercrime and Electronic Payments Fraud Involving Commercial Bank Accounts:  Who Bears the Loss?” Journal of Internet Law, April 2013, available at http://www.ludwigrobinson.com/pdf/JIL_0413_Scanio.pdf.  See also Ludwig, Robert; Scanio, Salvatore; and Szary, Joseph, “Malware and Fraudulent Electronic Funds Transfers:  Who Bears the Loss?” Fidelity Law Journal, vol. xvi (October 2010), available at http://www.ludwigrobinson.com/pdf/Ludwig%20-%20Scanio%20Article%20for%20Journal.pdf.

[26] Keylogger malware captures all the keystrokes made on the infected computer and relays the information to the hacker.

[27] http://www.prnewswire.com/news-releases/silicon-valley-law-group-prevails-bank-settles-wire-transfer-fraud-litigation-160315775.html, 25 June 2012.  See also http://krebsonsecurity.com/2012/06/bank-settles-with-calif-cyberheist-victim, 12 June 2012.

[28] Kitten, Tracy, “Patco Settlement:  What it Means; Fraud Case Raises Questions About Customer Responsibilities,” http://www.bankinfosecurity.com/patco-settlement-what-means-a-5373/op-1, 24 December 2012.

[29] Id.

[30] Id.

[31] Id.

[32] Id.

[33] Kitten, Tracy, “ACH Fraud Solutions:  A Bank’s Story; How Regulatory Guidance Could Assist Banks,” www.bankinfosecurity.com/ach-fraud-solutions-banks-story-a-3358/op-1, 17 February 2011.

[34] Id.

[35] Matthews, Christopher, “Law Firms Tout Cybersecurity Cred,” Wall Street Journal, 31 March 2013.