A Missouri escrow firm that lost $440,000 in a 2010 cyberheist cannot hold its bank responsible, an appeals court ruled this week.
The Court of Appeals for the Eighth Circuit's decision this month affirmed a lower court ruling in the case.
The appeals court also held that the escrow firm can be held responsible for the bank's attorney fees in the case.
In a 25-page ruling, the appeals courts agreed with a Missouri district court ruling in March 2013 that blamed Choice Escrow and Title LLC for the loss because it failed to follow the bank's recommended security precautions.
Choice Escrow filed the lawsuit against BancorpSouth Bank in November 2010 after unknown attackers stole the username and password to the company's online bank account and used the credentials to transfer $440,000 to an account in Cyprus.
Choice Escrow claimed that the theft occurred because the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the Uniform Commercial Code (UCC). Choice Escrow maintained that BancorpSouth should have known the wire transfer request was fraudulent because it was initiated from outside the U.S -- something that had never happened before with its account.
BancorpSouth countered by saying that the loss resulted from Choice Escrow's failure to implement the bank's recommended security precautions for wire transfers.
The bank pointed to several controls it had in place for wire transfers. The bank said it had urged Choice Escrow to use the controls. For instance, the bank said it requested that Choice Escrow adopt a dual-control process that would rquire two people to sign all wire transfer requests. BancorpSouth also asked officials at Choice Escrow to put an upper limit on wire transfers.
Choice Escrow chose not to follow either recommendation, the bank said.
BankcorpSouth noted that the fraudulent wire transfer was initiated by someone using Choice Escrow's legitimate banking credentials and a computer that appeared to belong to the company. The bank claimed it had acted in good faith when it executed the wire transfer request because there was nothing to indicate it was fraudulent.
The Missouri district court agreed that BankcorpSouth had taken reasonable measures to protect against illegal wire transfers, and faulted Choice Escrow for not following the bank's recommendations. The court ruled the fraud may not have occurred if the company had followed the instructions.
The appeals court's ruling went one step further by holding that BancorpSouth can seek to recover it's attorney's fees from Choice Escrow.
Choice Escrow is one of numerous companies, municipal governments and school districts that have been victimized by similar online heists in recent years.
Almost all cases have involved hackers stealing legitimate banking credentials from and then using those credentials to initiate fraudulent wire transfers to offshore accounts.
The thefts have often pitted banks against their customers. The disputes have highlighted the issue of bank liability for commercial customer losses stemming from third-party fraud. The cases also involve agreements on commercial account security.
To date, courts have been split on the issues.
For instance, the Court of Appeals for the First Circuit faulted People's United Bank (formerly Ocean Bank) in a dispute over a similar online theft with a customer, construction company Patco.
Maine-based Patco lost $345,000 in an online cyberheist virtually identical to the one suffered by Choice Escrow. In that case, a three judge panel overturned a lower court decision, ruling that the the bank had failed to implement commercially reasonable security measures. The two parties later agreed to settle the dispute.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about legal in Computerworld's Legal Topic Center.
This story, "Bank not liable for customer's $440,000 cybertheft" was originally published by Computerworld.