More is less: the Patco v. People’s United appeal
Last year there was an interesting ruling (PDF) in Patco Construction v. People’s United Bank. It seems that back in 2009, someone at Patco Construction managed to install Zeus malware on the computer that Patco used to initiate electronic funds transfers. This let hackers capture the answers to the challenge/response questions that Patco used to authenticate to their on-line banking system. The hackers then used this information to complete about $345,000 in fraudulent transactions. Patco sued to recover the lost money, claiming that the bank’s security measures were not "commercially reasonable." The US District Court of Maine disagreed, and Patco’s suit to recover the money lost in the fraudulent transactions was dismissed.
Patco appealed this ruling, and the First Circuit of the US Court of Appeals has just reversed parts of the original ruling, overturning the lower court's summary judgement against Patco. The court's reasoning seems to be based largely on the fact that the bank reduced the threshold for asking challenge questions to authenticate a transaction to only $1. This required customers to answer the questions far more often, which also gave malware on the customer's machine far more opportunities to intercept the answers to the challenge questions. So by trying to increase their security, the bank actually lowered it.
This case isn't resolved yet. This ruling just said that the bank's security measures weren't actually commercially reasonable, which means that further litigation will be needed to establish who's really to blame here. And the judges certainly seemed to encourage a settlement:
On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement.
So if Patco and People's United are clever, they'll settle this out of court. From what I've heard, judges don't like it when you ignore advice like this.