Businesses May Have New Recourse in Cyber Fraud Cases
by Jason Yarashes
A recent ruling by a federal appeals court in favor of a business over a bank in a cyber fraud case underscores two critical points for closely-held businesses. First, in an increasingly digital world, it is imperative that business owners institute internal procedures to prevent hacking and “corporate account takeovers.” Second, banks have a legal responsibility to create, configure, and maintain “commercially reasonable” security systems—and business owners can enforce that right.
Historically, owners of business accounts have had little legal success in bringing suit against banks for hacked accounts. Recently, however, a federal appeals court broke ground by holding a bank accountable when the bank failed to adequately configure and maintain its security system for the business account of a commercial client.
The Patco Case
In 2009, cyber thieves stole $588,000 from Patco Construction—a privately-held business in Maine—over the course of a week using malicious software (“malware”). Patco’s bank, People’s United, was able to recover about $240,000 from the cyber thieves, but Patco was expected to absorb the other $350,000 in losses. After attempts to force a bank reimbursement faltered, Patco filed a lawsuit in federal court. An appeals court found that the bank did not act in a “commercially reasonable” manner in this cyber-attack. The court reasoned that while the bank did have a security system to protect against cyber fraud, the system itself was not being monitored properly and was not adequately configured. The case recently settled, with the bank agreeing to pay back the full amount stolen, plus interest.
Investing in Internal Security Procedures, and the Mutual Obligation of Banks and Businesses
This case is important on two levels. First, it is a prompt to businesses to set up adequate technological security measures. To be sure, the upfront capital needed to implement such systems is fiscally burdensome. Cases such as Patco, however, make it clear that an outlay in the budget to prevent cyber fraud often prevents a catastrophic loss in an account that can be crippling to a closely-held business. Second, there is now legal precedent for a business owner to hang their hat on when a business account is hacked and there is an indication that banks did not do their part in preventing the crime. Not every instance of business account cyber fraud will fall into the Patco framework. But this case shows that business owners have enforceable rights in cyber fraud cases, and that there is a dual responsibility of banks and businesses to protect business accounts.
HLGR Sponsors PBJ’s Startup CEO Roundtable
HLGR was proud to be a sponsor for the Portland Business Journal’s CEO Roundtable event focused on start-ups in December 2012. Randy Duncan, chair of HLGR’s business law practice, participated in the event and saw it as a rich opportunity to foster communication within the business community. “There is a great deal to be learned from these entrepreneurs,” said Randy, “about how the region’s leaders can better address the needs of growing and thriving businesses to help build a more vibrant business community in Portland and across the region. I was grateful to be a part of the event and look forward to working together to make Oregon an even more attractive place to develop and grow business.”
Randy Duncan is licensed to practice in Oregon, Washington, and California and has received an AV® rating from Martindale-Hubbell. You can read more on the outcomes of the event in the January 11, 2013 issue of the Portland Business Journal.
As always, if you have any questions about cyber fraud or any other issue relating to your closely-held business, feel free to contact Randy Duncan, Jason Yarashes, or another member of our Closely-Held Business Team at 503-242-0000.
Nothing in this communication creates or is intended to create an attorney-client relationship with you, constitutes the provision of legal advice, or creates any legal duty to you. If you are seeking legal advice, you should first contact a member of the Labor and Employment Team with the understanding that any attorney-client relationship would be subsequently established by a specific written agreement with Harrang Long Gary Rudnick P.C. To maintain confidentiality, you should not forward any unsolicited information you deem to be confidential until after an attorney-client relationship has been established.