This op-ed post by Sean L. Harrington provides opinions that do not necessarily reflect the positions of the Minnesota State Bar Association or its other constituents.
This post concerns a First Circuit ruling where plaintiffs who had lost significant funds due to fraudulent wire transfers authorized by a Bank were permitted to assert causes of action against the Bank because the Bank's security protocols may not have been commercially reasonable.
What reminded me of this decision was an upcoming CLE on September 12th entitled "Disclosure of Cybersecurity Risk: What You Need to Do and Say About It." Amy C. Seidel (Faegre Baker Daniels LLP) will talk about the new guidance from the SEC Division of Corporation Finance regarding company disclosures of cybersecurity risk. In the presentation, Amy will suggest what attorneys should consider to be certain that clients are in compliance. Topics include: what the SEC guidance requires companies to disclose about cybersecurity risk; the procedures companies are following to assess cybersecurity risk; the kinds of disclosures companies are including in SEC reports about cybersecurity risk; and what the SEC is saying about cybersecurity risk in comment letters.
Indeed, I've noticed an increasing volume of posts in the MSBA listservs in the past year regarding fraud and attempted or successful fraudulent transfers of funds. In fact, one listserv member contacted me when it was discovered that someone had hacked into a Hotmail account and was sending requests to a personal banker to transfer funds out of the country. Fortunately, the banker was astute enough to recognize that the requests were abnormal for the client, and she sought voice verification. There was another recent post seeking referrals for a cause of action regarding the same. And I also seem to recall a recent post about a pending claim by a law firm that was duped by a phishing scam or something of the sort, and had initiated a suit on the basis of the same.
I also gave a couple of presentations in 2011 on "Corporate and Individual Liabilities of Releasing Vulnerable Code." In that presentation, I discussed the concept of "Negligent Enablement of Cybercrime," which is a cause of action advanced by Rustad & Koenig. See Michael L. Rustad & Thomas H. Koenig, The Tort of Negligent Enablement of Cybercrime, Berkeley Technology Law Journal, Vol. 20, No. 4, Fall 2005, 1553-1611 (http://www.btlj.org/data/articles/20_04_03.pdf).
Although in the PATCO decision (discussed below) the First Circuit didn't use the "Negligent Enablement" parlance, the concept is the same.
Significantly, the PATCO case is based on the Uniform Commercial Code, adopted by most states, including Minnesota.
The Court explained that the commentary to the applicable UCC section governing electronic funds transfers does not, on its face, preclude an action for breach of contract or breach of fiduciary duty, because those common law claims are "not inherently inconsistent" with Article 4A. On the other hand, the Court perceived that a closer question is whether Article 4A, on these particular facts, precludes a negligence claim insofar as such a claim might be inconsistent with the duties and liability limits set forth in Article 4A. The Court suggested that it, indeed, does.
What the Court actually said is that the UCC establishes a particular set of obligations, remedies, and limitations on liability that the drafters intended to provide clarity to funds transfers, because the preexisting common law was uncertain, and that this provision of the UCC appears to preclude plaintiffs from bringing a common law negligence claim for losses related to the fraudulent funds transfers. However, the UCC does not restrain the parties from agreeing to more stringent provisions above and beyond the Article, which would be governed by other common law causes of action (such as contract), so long as the UCC Article doesn't conflict. And it does not.
The lesson here seems to be that the UCC does establish guidelines on who bears the loss in the event there is a breach of the duty to act reasonably (duties defined by the FFIEC, the OCC, and generally accepted industry standards), but if the parties have agreed to something more robust, they can be held accountable for breach of loyalty or breach of contract.
The author, Sean L. Harrington, is a law student and digital forensics examiner, information security professional, and e-discovery, trial, and litigation consultant with the private practice firm of Attorney Client Privilege, LLC, and a risk management team lead for US Bank. Harrington holds the MCSE, CISSP, CHFI, CSOXP, and LexisNexis CaseMap support certifications, served on the board of the Minnesota Chapter of the High Technology Crime Investigation Association (http://mn-htcia.org) in 2011, is a member of Infragard, a member of Century College's Computer Forensics Advisory Board and [erstwhile] Investigative Sciences for Law Enforcement Technology (ISLET) board, and is a council member of the Minnesota State Bar Association (MSBA) Computer & Technology Law Section.