May 9, 2013
It seems that not a week goes by without a major online data breach making headlines. Passwords stolen; accounts hacked; financial information taken. And that’s on top of the everyday identity theft regularly experienced by individuals. These kinds of data breaches present a double-edged sword to businesses. On the one hand, data breaches are problematic because they expose a company’s electronic data—and, particularly, the private data of its customers—to illicit uses by criminals. On the other hand, cybersecurity breaches may expose companies to heightened litigation risk if they fail to properly monitor and protect their online assets.
For example: Over the course of one week in 2009, a community bank in Maine authorized a series of electronic withdrawals from an account held by one of its customers. Because of inconsistencies with the timing, location, and value of the withdrawals—as compared to the customer’s typical habits—the bank’s online security system flagged the transactions as “high-risk.” But by providing correct answers to the customer’s security questions—questions that were presented for every electronic transaction—the offenders were able to breach the bank’s system.
The customer—Patco Construction—brought suit against the bank, alleging, among other claims, that the bank’s online security system was not “commercially reasonable” under Article 4A of the Uniform Commercial Code, which governs the rights, duties, and liabilities of banks and their commercial customers concerning electronic funds transfers. On summary judgment, a federal district court in Maine dismissed the count, finding the bank’s system “commercially reasonable” and in compliance with Article 4A.
In Patco Constr. Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012), however, the First Circuit Court of Appeals reversed that decision, finding it was commercially unreasonable for the bank to require its customers to submit answers to security questions for every electronic transaction. By doing so, the bank exposed its customers to increased risk that malicious software or other computer viruses could log frequent keystrokes and report them back to unauthorized users. The appellate court also found the bank’s security system commercially unreasonable because it failed to monitor the suspect transactions after they had been flagged as high-risk and failed to give notice to the customer.
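The two design points the court faulted, challenging every transaction and doing nothing further once a transaction was flagged, can be seen side by side in a small risk-based authorization model. The following is an added illustration, not code from the article or from any bank's system: the scoring weights, the high-risk threshold, the policy names and the sample customer profile and transfers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class CustomerProfile:
    """Constructed summary of a customer's normal habits (hypothetical fields)."""
    usual_locations: Set[str]
    usual_hours: Tuple[int, int]   # local hours (start, end) when the customer normally transacts
    typical_max_amount: float      # largest amount seen in the customer's normal activity


@dataclass(frozen=True)
class Transfer:
    customer: str
    amount: float
    location: str
    when: datetime


@dataclass(frozen=True)
class Decision:
    outcome: str        # "approved", "denied" or "held_for_review"
    challenged: bool    # whether the security questions were presented for this transfer
    score: int


HIGH_RISK_THRESHOLD = 50   # assumed cut-off; real systems tune this from observed data


def risk_score(t: Transfer, p: CustomerProfile) -> int:
    """Score a transfer against the customer's usual timing, location and value."""
    score = 0
    if t.location not in p.usual_locations:
        score += 40
    start, end = p.usual_hours
    if not start <= t.when.hour < end:
        score += 30
    if t.amount > p.typical_max_amount:
        score += 30
    return score


def decide(t: Transfer, p: CustomerProfile, policy: str,
           ask_challenge: Callable[[], bool], notifications: List[str]) -> Decision:
    """
    "challenge_all": security questions on every transfer; a correct answer authorizes
        the transfer and nothing else happens. Every routine transfer becomes another
        chance for a keylogger to capture the answers, and a correct answer on a
        flagged transfer is taken at face value.
    "risk_based": only high-risk transfers are challenged, so the answers are exposed
        rarely; a flagged transfer is held for review and the customer is notified
        even when the answers were correct, because a correct answer alone is weak
        evidence once the questions may have been captured.
    """
    score = risk_score(t, p)
    if policy == "challenge_all":
        passed = ask_challenge()
        return Decision("approved" if passed else "denied", True, score)
    if policy != "risk_based":
        raise ValueError(f"unknown policy {policy!r}")
    if score < HIGH_RISK_THRESHOLD:
        return Decision("approved", False, score)
    passed = ask_challenge()
    if not passed:
        notifications.append(f"{t.customer}: high-risk transfer (score {score}) denied; challenge failed")
        return Decision("denied", True, score)
    notifications.append(f"{t.customer}: high-risk transfer (score {score}) held for manual review")
    return Decision("held_for_review", True, score)


# Constructed sample data for the demonstration (not drawn from the case record).
PROFILE = CustomerProfile({"Sanford, ME"}, (8, 18), 5000.0)
ROUTINE = Transfer("cust-001", 1200.0, "Sanford, ME", datetime(2009, 5, 7, 10, 15))
SUSPECT = Transfer("cust-001", 9000.0, "unknown-remote", datetime(2009, 5, 7, 2, 40))

if __name__ == "__main__":
    for policy in ("challenge_all", "risk_based"):
        alerts: List[str] = []
        for t in (ROUTINE, SUSPECT):
            d = decide(t, PROFILE, policy, lambda: True, alerts)
            print(f"{policy:14} amount={t.amount:>7} score={d.score:>3} "
                  f"challenged={d.challenged!s:5} outcome={d.outcome}")
        print(f"{policy:14} notifications: {alerts}")
```

Run with both policies and the same attacker who knows the answers: under "challenge_all" the routine transfer still prompts for the questions and the suspect transfer is simply approved with no record; under "risk_based" the routine transfer never exposes the questions, and the suspect transfer is held and generates a notification, which is the monitoring-and-notice step the First Circuit found missing.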
While the Patco case focused on the obligations of banks to secure electronic transactions, the Securities and Exchange Commission (SEC) issued guidelines and disclosure requirements for publicly traded companies concerning their cybersecurity risks in October 2011. Those guidelines are widely seen as a precursor to federal regulation or legislation that could require companies to disclose information related to cybersecurity risks and instances of data breaches. Inherent in any such disclosures is increased litigation risk for companies regarding the adequacy of their cybersecurity measures and damages from any data breaches.
The lessons from the Patco case and the SEC’s cybersecurity guidelines are that companies must ascertain and address their online security vulnerabilities in order to understand their risks. While no online security system is hacker-proof, and companies may have robust security measures in place, cybersecurity protections may still be found inadequate if they are not monitored and executed in a way that safeguards electronic data. And with the anticipated future prevalence of electronic purchases and transfers moving into the mobile space, cybersecurity is an issue that will only grow in prominence. Companies need to be proactive not only in meeting their customers where they are, but in ensuring security of their electronic data when they get there. By understanding the risks of vulnerabilities related to cybersecurity, companies can position themselves to limit litigation risk if—and when—data breaches occur.