Attorneys for TRC said hackers attempted 12 electronic payment orders, totaling almost
Under the terms of the settlement announced this month by TRC, United Security will pay TRC
"Under the California Commercial Code, that's all we're entitled to," Rogers said. "The law (governing business banking) is written to the advantage of financial institutions. If there's an incident of cybertheft or corporate account takeover and a business loses money, the most a company can get is what was lost plus interest -- no punitive damages, no attorney fees."
United Security president/CEO
Rogers asserted that while
The legal question in the lawsuit was "whether the security features that a bank or financial institution have were 'commercially reasonable,' " she added. "We argued that it was not commercially reasonable."
Woods said the bank's position is that the bank's security was adequate, but that TRC's owner was an unwitting victim of a "phishing" scheme, in which hackers use email or a fraudulent website to obtain someone's personal and financial account information. "He gave away his ID to a third party, they got into his computer and stole his identity," Woods said. "They never hacked the bank, but they assumed his identity and processed about a dozen wire transfers."
As part of its electronic banking agreements, Woods said, customers assume the liability for keeping their passwords and other information confidential. "There are conditions that customers agree to abide by, and he didn't," Woods said. "If you don't give away your confidential info and identity, you don't get hacked. ... None of our other customers were hacked."
Neither side was completely happy with the outcome, as the central question of liability for the theft from TRC remains unanswered.
The only firm ruling from a judge in the two years since the lawsuit was filed involved a fraud allegation by TRC against the bank itself -- the only way to try to get around the law's limitation of liability to actual losses. Rogers said that allegation stemmed from an investigation of the wire transfers by a computer security analyst hired by the bank, who concluded that the breach was not the bank's fault. "We believe that report contained many, many omissions," Rogers said. But, she added, that allegation "was rejected by the judge."
Regardless of how the breach occurred, Rogers said, "when a company is hit by cybertheft and believes the bank let them down, it's financially unfeasible to sue a bank because the bank is a formidable opponent."
"But it's the principle of the matter," she added. "TRC was mad, and as an oil company, it's one of the few businesses who could afford to try to hold the bank accountable."
Woods in turn expressed disappointment that the bank's insurance company chose to settle the case instead of going to trial. "From our perspective, it's not a good solution, but there's no harm to the bank" because the settlement was paid by the insurance company.
Woods said the settlement leaves open the question of whether a bank is liable for breaches like this or if institutions can rely on agreements requiring customers to keep their banking information confidential. "Neither one of us got an answer," he said.
Since the suit was filed in 2012, Woods added, the bank has added layers of security beyond passwords, including individualized on-screen images so customers can verify they're on the bank's authentic website instead of a counterfeit page, and security questions so that the banking system can verify the identity of the customer.
"We don't have that many customers using e-banking," he said. "But what's really happened out of this, since the court didn't rule, is that the automation of electronic banking isn't so automatic anymore."
Rogers said the case represents a lesson to commercial banking customers to question what types of security a bank has in place to protect its e-banking customers.
"Electronic banking is a partnership between the bank and the customer," she said. "But the customer isn't a security expert, so if a bank is going to push customers to do online banking, they have a responsibility to educate the customer ... and offer a variety of security features."
The reporter can be reached at (559) 441-6319, firstname.lastname@example.org or @TimSheehanNews on Twitter.
(c)2014 The Fresno Bee (Fresno, Calif.)
Distributed by MCT Information Services