How the PATCO Ruling Could Benefit BanksAppellate Court's Reversal May be Long-Term Win for Institutions
The PATCO Construction Inc. case, recently reversed by a U.S. appeals court, is seen as a victory for fraud victims. But what are the key takeaways for banking institutions? Attorney Joe Burton offers insight.
The July 3 court decision found that online fraud-detection procedures used by Ocean Bank, now People's United Bank, at the time PATCO was hit with fraudulent wire transfers were "commercially unreasonable" [See PATCO ACH Fraud Ruling Reversed].
According to Burton, an information security attorney and managing partner in the San Francisco office of law firm Duane Morris, this case is important because it "focused on what in fact was done by the bank to implement security," he says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
Burton highlights three takeaways from the appellate court reversal, including:
The Precedent: The ruling is a "fairly significant" one, Burton points out, since it's the first appellate case of this type. "It's going to have precedential value because it's an appellate court case, and as you know there really are a small number of cases that have considered the question of apportioning responsibility between a customer and the bank."
Customer's Responsibilities: Even though the court's decision favored the customer, Burton points out that one unanswered question in the case may end up favoring banks. That question, sent back to the lower court for further analysis: What is the responsibility of the customer even if bank's security procedures are commercially unreasonable? "It opens the possibility that you have a circumstance where you had a commercially unreasonable procedure that was utilized by the bank, but the liability might not be on the bank because there may be responsibility [on] the customer," he says.
Compliance Doesn't Equal Security: "It's not enough just to have a generally accepted security procedure in place if that procedure is not implemented in a way that makes sense," Burton says. "That's the conduct aspect that has to do with the actual security and not jus the check-box [mentality]." The appellate court in this case didn't take into account conformance with the FFIEC authentication guidelines, but whether the bank had implemented appropriate security.
During this interview, Burton discusses:
- How the new ruling illustrates an increasing sophistication on the part of courts to understand security obligations of banks and commercial customers;
- Why the court's focus on reasonable security, rather than compliance, is significant;
- How this case illustrates where and how security obligations noted in Article 4 of the UCC could, in the future, place more fraud-mitigation responsibility on the shoulders of commercial customers.
Burton is the managing partner of Duane Morris' San Francisco office, where, in addition to information security and cyberfraud, he also concentrates on complex civil, criminal and appellate litigation. He is nationally recognized for his legal work field of information security, and advises and represents individuals and corporations regarding their rights and responsibilities in maintaining the security of digital information. His practice includes trade secret, trademark and patent litigation, with an emphasis on cybercrime and cybersecurity.
Burton is a former Assistant U.S. Attorney and Chief of the Silicon Valley Office for the Northern District of California, where he handled several pioneering high technology investigations and prosecutions, including the first prosecution in the nation for criminal copyright infringement of computer code.
Significance of Case Reversal
TRACY KITTEN: The July 3 appellate court reversal of a lower court's ruling in the legal dispute between PATCO Construction and the former Ocean Bank, which is now People's United, is significant for a number of reasons. For one, it's the first appellate ruling handed down in a case involving ACH and wire fraud. How significant is this federal court's reversal?
JOSEPH BURTON: I think it will be fairly significant. Being the first appellate case of this type, it's going to have precedential value because it's an appellate court case, and as you know there really are a small number of cases that have considered the question of apportioning responsibility between a customer and the bank. They're probably only a handful, less than five cases. As a circuit court case, this will be very important. Also, I think because it's a case that focuses on what I think are really the right issues or the most significant issues, it's going to be a great start to other cases of this type.
Reviewing Security Practices
KITTEN: Rather than debating arguments about compliance, the court takes issue with the bank's security practices at the time PATCO's account was hit by six fraudulent wires. From a legal perspective, why's that so important?
BURTON: Because it focuses on conduct. This is a case which compared to the lower court decision on which it reviewed there was very little discussion of the FFIEC guidance and the nuances of that guidance, and the question of whether or not that guidance did or did not constitute commercially reasonable security. This is the case that focused on what in fact was done by the bank to implement security. It focused on conduct, and I think conduct is the critical issue and it's conduct which makes the difference in whether you have good security or not. And by focusing on conduct, you move toward the goal of better security and not worrying about whether or not you're just shifting liability to one individual or another. After all, what we ought to be trying to do in this area is to have the best security possible.
Comparing the Experi-Metal Case
KITTEN: How do the points argued and reviewed in the PATCO ruling compare with the court's ruling in the Experi-Metal versus Comerica case, the other significant ruling in a case involving ACH and wire fraud?
BURTON: Interestingly, they argue different aspects of the legal principles involved, but in some ways they both address the issue of conduct. In the PATCO decision, the issue in both cases, in the lower court case and in this case, was on the question of whether or not the procedures were commercially reasonable and then the impact of that determination of the case, or the outcome of the summary judgment motion. In the Experi-Metal case, the question of commercially reasonable really never came up because in that case there was an agreement between the customer and the banking institution that the security procedures that were applied were commercially reasonable. So the court in Experi-Metal never really focused on the commercially reasonable aspect, but what the court did look at was the question of good faith under the UCC and the good faith analysis involved determining whether the acceptance of the authorization by the bank was reasonable or done in good faith, and that involved an examination of the circumstances surrounding that acceptance and the conduct of the bank in doing so.
In a lot of ways, it was an equivalent analysis to the same analysis that was done in the PATCO decision but under a different rubric. Again, I think that's good because in the end what we're doing is we're looking at the conduct of the parties and how that conduct does or does not affect reasonable security.
Compliance Doesn't Equal Security
KITTEN: At the heart of the PATCO case, you say, is the appellate court's determination that compliance does not equal security. Why's that significant and what does it mean for banks?
BURTON: It's significant again because those professionals in the information security area for years have talked about the distinction between compliance and security, and there has always been and I think it's probably a question of human nature and interest or movement toward check-box mentality. If you meet the compliance requirement, if you check off the boxes, you can say you're in compliance and that's a very easy standard to meet, but it does not necessarily mean that you have good security. By focusing, as the court did in this case, on the question of the security on whether or not the security steps that were taken the implementation of the procedures was correct, we move closer to having the industry understand that this is what's important. It's not enough to just say, "I've checked off the boxes and I meet whatever the written or posted standard is," and moving in that direction I think is important. This is one of the few cases out there, both in the banking area and in other information security areas, that make that point, and I think it's a point that the industry needs to have reinforced. This case is going to help do that.
KITTEN: That is a great point and it shows that even if you're making the right types of investments, it's not enough and of course this ruling that has been passed down illustrates how courts are starting to gain a deeper understanding of what constitutes true security. I would like to get some perspective from you there. How do you think this case illustrates the fact that courts are getting a better grasp on what constitutes security?
BURTON: Just that point, I think courts understand that, or at least this case demonstrates a court which understands that the issue is the implementation. It's a case that illustrates that courts aren't going to be easily bogged down in what often times can be the minutia of discussing and analyzing the various schemes of security. That's a really, really important step I think to take. It's going to be read I think by lots of individuals, both from the customer side and on the banking side, and I think there will be a reaction to that.
Mistakes by Ocean Bank
KITTEN: Going back to the ruling that was handed down by this appellate court, in your opinion, what mistakes did Ocean Bank make?
BURTON: There are a couple of things that I think they did, and I think the court points that out. In the PATCO decision, one of the things that they did was that there was a scoring process which was put into place for each transaction that a bank did. And each transaction was looked at and was given a risk score, and risk scores above a certain value - I think in this case the value was 700 or 750 - were considered to be serious risks.
There was another thing that was done in this case. There was a threshold, a dollar threshold, for transactions which triggered a requirement that when the individual customer signed in or sought to use the account, they had to answer a challenge question in addition to submitting the normal credentials. Now one of the things that the bank did in this case was that initially that challenge threshold was set at a fairly high number, but then subsequently the bank changed that to a lower number. In fact, they changed it to a number that was one dollar, which meant that any transaction would therefore trigger the challenge's response.
That by itself - making that change - is not so bad. What was wrong and what the court pointed out were two things. One, they never notified the customer of the change. Two, in doing so the change brought about an increased risk that the challenge questions might be intercepted and used, because the frequency of the questions was going to be greater. It created a risk that those questions might be intercepted by some maleficent using a keylogger or other technology on the customer-end of the transaction, therefore, increasing the inherent risk of that transaction.
But the thing which I believe the court clearly indicates bothered it the most was that after doing that, when the particular transactions involved in this case generated a higher risk score, scores at 750 or above, nothing was done by the bank to address it. The bank did not employ any procedure to review transactions which appeared to be high risk either at the time they were done or at a subsequent time, and the bank further didn't employ any procedure to notify the customer that it had detected a high-risk transaction. Those collective activities are what made the court determine that the procedure as implemented was not a commercially reasonable procedure.
KITTEN: Then what about PATCO? What responsibilities does it bear based on the ruling?
BURTON: That's another interesting thing about this case. This is not a case that says "ballgame over" for banking institutions; that's not it. I think the case has a lot to teach us all about what the critical aspects of the equation are, what we ought to be considering and implementing, but this isn't the end of the day for banks by any means.
One interesting aspect of the case was the court raises without answering, and sends down to the lower court for potential further analysis, the question of what's the responsibility of the customer even if the bank procedure was commercially unreasonable. It opens the possibility that you could have a circumstance where you had a commercially unreasonable procedure that was utilized by the bank, but liability might not be on the bank because there may be responsibility that the customer of the bank has with respect to how it conducts itself that would either, one, act as a barred liability or, two, act in a way which might mitigate any damages that were to come out of it. That hasn't been raised before in any other case that I'm aware of, even though the court raises it without sort of deciding it.
I think it's important to note that the UCC itself has a provision which indicates that even if you had a shifting from the bank to the customer based on a finding of commercially reasonable, you could have a shifting back in a circumstance in which the breach and security was a result of some action by the customer. Certainly this case and the other cases that have preceded it, by no means, could cause anyone to come to a conclusion that the banks are in a terrible position with respect to liability.
What if you know the weak point in the system is the customer? That is, if you look at the cases, if you look at this area, the attacks are all at the customer end. It's through some breach of the customer's system that allows for the attack to be launched, and what we've been doing up until now is focus on what the bank needs to do to show-up it's end. We're going to have a commercially reasonable security procedure and process in place to repel an attack. We all know that even if you've got one in place and even if you implement it, let's say, properly, you could still have a circumstance where the attack is successful. So in that case, you've got a commercially reasonable and commercially reasonably implemented procedure, but the attack was successful. The weak point in the attack was on the customer's end.
But the question I have is, what, if any, responsibility does the bank have knowing that? Does the bank have an increased responsibility to educate its customers or even provide some sort of methodology for its customers to fortify the customer-end of the transaction, whether there's any responsibility beyond education that the banking industry would have where it knows that the weakness in the system is on the customer end?
KITTEN: What questions does the appellate court not answer in its ruling? What questions have been left unanswered?
BURTON: Well that's one, and I think that's an important one because this question of the responsibility of the customer was the question which wasn't even briefed and the court notes that in the opinion and I also remember in looking at some of the discussion of the oral arguments that the court raised in an oral argument. That question was not one that was squarely presented or presented at all in the case, but the court raised it and left it unanswered.
There are some other questions left unanswered with respect to the other non-UCC counts that were pleaded in this case. The court in the case determined that the non-UCC counts were not all necessarily preempted by the UCC, and left open the question as to whether, for example, the breach of contract and the breach of fiduciary counts left them as potential counts and sent those counts down to the lower court for further consideration. So whether or not there lie independent actions for breach of contract and or breach of fiduciary duty is something that the lower court is going to have an opportunity to wrestle with.
KITTEN: What do you think will come next for this case? Do you think a lower court will actually have an opportunity to discuss some of this, or do you think it will just be settled?
BURTON: Difficult to say. The court of appeals strongly suggested that the parties might be better served by considering settlement of the case. That's certainly a message, but it's difficult to know how the parties viewed it. Litigation is expensive and this is a case, again the first case, that has gone to the appellate level, so you've had a case that has gone through the summary judgment proceeding, it's been appealed. Now that has been expensive and we're not necessarily any closer to a trial in the merits to this matter. There's at least better than 50/50 chance that this is the kind of case that would settle.
KITTEN: Before we close, I wanted to ask what final points you would like to highlight that legal and security experts might want to focus on based on this appellate court's ruling, and also to talk a little bit about the impact this ruling might have on other bank customer disputes over fraud liability?
BURTON: The important teaching of this case is that in implementing security, banks have to take into consideration the circumstances of their customer. And it's not enough just to have a generally accepted security procedure in place if, one, that procedure is not implemented in a way that makes sense, and particularly in a way that's aware of the circumstances that surround the customer and the customer's behavior with respect to the bank and the customer's account. That's critical. That's the conduct aspect that has to do with the actual security and not just the check-box that says we have multi-factor.
In fact, if you look at the FFIEC, the FFIEC guidelines at several points talk about that exact issue. The security procedures which are put in place under the FFIEC need to take into consideration the configuration, the behavior of the customers, and again it's recognized I think in the bromide that's often repeated that compliance is not security. There are broader implications in other security areas of that exact lesson.