In A “Close Call”, Court Rules Customer Not Liable To Bank For Hack Attack
In a Missouri U.S. District Court decision from August 20th, counterclaims by a bank against a commercial customer have been dismissed in a case where hackers accessed the customer’s account and drained it of over $400,000. In the original action, filed in 2010, Choice Escrow and Land Title, LLC (“Choice”) brought suit against BankcorpSouth Bank (“BSB”), alleging that BSB failed to provide commercially reasonable security by having only password protection on Choice’s account. Choice alleged that this allowed hackers who had obtained its username and password to make a $440,000 wire transfer to an entity in Cyprus on March 17, 2010. In the complaint, Choice demanded damages and recovery of losses related to the attack under the “Fund Transfers Act” (the “Act”) provisions of the Uniform Commercial Code (“UCC”).
In March of 2012, BSB filed counterclaims based on indemnity obligations in agreements between the parties. BSB claimed that Choice had agreed “to indemnify BSB for any losses, costs, liabilities, or expenses.” Choice responded to the counterclaims by arguing that the Fund Transfers Act displaces BSB’s counterclaims. In addressing the question, the court noted that:
“the Fund Transfers Act “provides that common law causes of action based on allegedly unauthorized funds transfers are preempted in two specific areas: (1) where the common law claims would create rights, duties, or liabilities inconsistent with [the Act]; and (2) where the circumstances giving rise to the common law claims are specifically covered by” the Act [citations omitted].”
The court stated that this case represents a “very close call” between two distinct interpretations of the Act. First, the court noted that the provisions of the Act would seem to be drafted “to encourage uniformity and consistency.” Second, the provisions of the Act would not seem to be drafted with the intent of “discourag[ing] business entities from freely exercising their rights to contract the terms of their relationships.” As a result, the court examined the indemnity agreements to determine whether they were in conflict with the Act.
The court seemed most troubled by the potential result where the indemnity agreements at issue could require Choice to pay to BSB the very same amounts that BSB would owe to Choice under the Act. In finding for Choice, the court stated that “the Funds Transfer Act does displace the types of indemnity agreement being relied upon by BankcorpSouth in support of its counterclaims. As such, the Court dismisses such claims.”
This decision has interesting implications from a data protection perspective. Although financial institutions may negotiate broad indemnity obligations from their customers, those indemnities may not protect the financial institutions in cases where the intent of other applicable law (that is meant to bring certainty and uniformity) would be thwarted. For example, where applicable law requires security procedures (e.g., UCC 4A-201) and such procedures might include the recommendation of at least two-factor authentication (e.g., the FFIEC’s guidance on authentication from 2011), a financial institution cannot seek indemnity from its customer as a result of a breach of the system due to a failure in the authentication method used, where such authentication method conflicts with the applicable law.