Lawsuits between banks and small businesses over cyber security incidents are on the rise. These cases are poised to address several questions: Who’s really at fault? What are appropriate standards? Who should bear the financial losses? These are just some of the questions being tossed back and forth in recent legal battles that could shape security and professional standards for small and medium businesses and the IT professionals who serve them.
This rise in cyber security litigation is a clear signal for IT professionals who serve the SMB market. It’s time to understand the real business risks of an internet security incident as banks near a breaking point for absorbing increased expenses from customer losses, lawsuits and technology investments. With banks eager to draw the line of financial responsibility for cyber security incidents to stem their losses, SMB customers may be at greater risk today than ever before of a real financial loss from a cyber security incident.
In "Texas Bank Sues Customer Hit by $800,000 Cyber Heist," Brian Krebs, noted security blogger (Krebs-on-Security) and former reporter for The Washington Post, has recently highlighted an unusual case where a bank has actually sued its customer as a preventative measure to avoid liability for customer losses. Organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year from the accounts that Hillary Machinery Inc., a machine equipment company in Texas, held at its bank, Plains Capital. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim.
Plains Capital sued Hillary on Dec. 31, 2009 to certify that Plains Capital’s security was in fact reasonable, and that it processed the wire transfers to the crooks in good faith. According to Krebs, the bank’s president Jerry Schaffner said in an e-mailed statement that “It is evident that the loss incurred by Hillary Machinery, Inc., although regrettable, was not the result of a cyber attack on Plains Capital Bank.” More information is available in Krebs's article.
In "Maine Firm Sues Bank After $588,000 Cyber Heist," Krebs outlines the more typical case, in which a customer sues its bank. Sanford, Maine-based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn.-based People's United Bank, after cyber thieves stole more than $500,000 from the company in a sophisticated online bank heist. The customer has alleged that Ocean Bank did not do enough to prevent cyber crooks from transferring the funds.
These cases highlight the growing risks to small businesses engaged in online banking transactions, especially as businesses do not enjoy the same legal protections against online banking fraud that consumers enjoy. Consumers generally have 60 days from receiving a bank statement to dispute any fraudulent charges, but the terms for business accounts are much narrower and are usually outlined in bill paying or ACH transfer agreements. According to Krebs, Ocean Bank's ebanking and bill payment agreement imposes liability for automated clearinghouse (ACH) transactions on commercial accounts on its customers, providing only a one-day notice period.





1 comment:
What do people make of the PlainsCapital v Hillary case? A small firm is using social media techniques for defense in a lawsuit brought by a bank. Has anyone here ever seen something like this controversy before?