U.S. Appeals Court Gives Retailers Fraud Loss Victory
Written by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
In a decision that has huge implications for retail chains, a Federal Court of Appeals ruled on July 3 that a contractor in Maine could successfully sue its bank for losses from a hacked bank account. The problem is that many of the “thefts” of money from retailers don’t occur at the bank itself. A hacker may attack the retailer’s computer, obtain user IDs and passwords, and then log into the bank’s computer either using the stolen credentials or even logging in from the compromised computer itself. To the bank, it sure looks like the login came from the retailer.
Once the bad guy gets in, it’s only a few keystrokes to wire transfer all of the account funds to a waiting account in Latvia, Bulgaria or wherever. The retailer only learns of the transfer later, when the funds are gone. Sometimes the bank can “claw back” all or part of the transaction; sometimes it cannot. But who eats the cost of that loss?
Many retailers maintain bank accounts that permit, or even encourage, depositors to interact with the bank electronically. This E-banking serves both the bank and the merchant, enabling fast and usually reliable transactions without having to wait in line at a teller. But who has liability if a bank account is hacked? And who has liability if a merchant’s computers are hacked and, through the compromised computers, funds are transferred? In general, the rule has been that the merchant bears the risk of loss. But that general rule is changing.
For consumer bank accounts, the risk of loss in the event of a hack or intrusion is either zero or close to that. The same rules that protect consumers from stolen or fraudulently used credit or debit cards protect them from hacked accounts. The consumer liability, under a law called Regulation E, is limited to $50 in most transactions and $250 in some other transactions, so long as the fraud is reported relatively promptly. As a practical matter, consumers rarely have to pay even the $50, because banks are willing to eat those costs to encourage more people to engage in online banking.
For commercial entities, however, Regulation E doesn’t apply. Instead, Article 4A of the Uniform Commercial Code (UCC) allows the bank to disclaim liability if the bank used “commercially reasonable” means to prevent the fraud.
The law that relates to commercial electronic banking transactions is UCC 4A, which says the bank is entitled to rely on the authenticity of a payment order if it is verified according to a security procedure that is a “commercially reasonable method of providing security against unauthorized payment orders” and the bank accepted the order in good faith.