A federal appeals court in Boston ruled Tuesday that a bank may have been negligent in failing to monitor and block fraudulent transactions in 2009 that led to losses of about $345,000 from the account of the plaintiff, the Maine-based company Patco Construction.
The decision overturns a 2011 lower court ruling that said that the financial institution, Ocean Bank, which has since been acquired by People’s United Bank, could not be subjected to further litigation in an attempt to recover the funds.
Patco’s lawsuit argued that the bank’s security procedures were not “commercially reasonable” under Maine’s Uniform Commercial Code, which governs the relevant contracts. In 2011, however, a district court disagreed, ruling that the bank appeared to meet the multifactor authentication requirements then set forth in guidance from the Federal Financial Institutions Examination Council. The bank had, for example, required online banking users to answer additional security questions.
The answers to those security questions, along with the user ID and password, had been captured by Zeus information-stealing malware. In May 2009, six fraudulent transactions siphoned about $588,000 from Patco’s account; the bank recovered about $243,000 of it.
The new ruling found that, although the bank’s security system had flagged the transactions as suspicious, the bank did not act on those alerts by implementing additional security procedures, such as contacting Patco. According to the ruling, the transactions were highly irregular in their timing and value, and they originated from an IP address that the construction company did not normally use.
The ruling also noted that after the attacks, the bank implemented new security policies including calling customers in the case of uncharacteristic transactions to inquire about their legitimacy.
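The two paragraphs above describe the gap the court focused on: the bank's system scored the payments as anomalous on timing, value and source address, but the score did not lead to an action such as a phone call. The following is an added example of what a scoring rule that does carry through to an out-of-band step-up might look like. It is not code from the court record, the bank or Patco; the field names, the thresholds, the account profile and the sample transactions are all constructed for illustration.

```python
"""Risk scoring of outbound payments with an out-of-band step-up.

Added example for this article; it is not code from the court record, the
bank or Patco. Field names, thresholds and the sample data are constructed
to illustrate the three signals the ruling mentions: timing, value and
source IP address.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class AccountProfile:
    """Per-account baseline learned from prior legitimate activity (constructed)."""
    account: str
    usual_ips: frozenset          # source addresses seen on past logins
    past_amounts: list            # recent legitimate payment amounts
    usual_weekdays: frozenset     # 0 = Monday ... 6 = Sunday
    usual_hours: range            # local hours in which payments are normally sent


@dataclass
class Transaction:
    account: str
    amount: float
    when: datetime
    src_ip: str


@dataclass
class Decision:
    reasons: list
    action: str   # "allow" or "hold_and_call"


def score_transaction(tx: Transaction, profile: AccountProfile,
                      step_up_at: int = 2) -> Decision:
    """Compare one payment with the account baseline.

    Each signal that deviates adds a reason. Reaching `step_up_at` reasons
    holds the payment until the customer confirms it out of band (a phone
    call to a number already on file), rather than merely recording a flag.
    """
    reasons = []
    if tx.src_ip not in profile.usual_ips:
        reasons.append("source IP not previously used by this account")

    mu = mean(profile.past_amounts)
    sd = pstdev(profile.past_amounts)
    if tx.amount > mu + 3 * sd:
        reasons.append(f"amount {tx.amount:.2f} exceeds baseline {mu:.2f} by >3 sd")

    if tx.when.weekday() not in profile.usual_weekdays:
        reasons.append("sent on a day the account does not normally pay")
    if tx.when.hour not in profile.usual_hours:
        reasons.append("sent outside the account's usual hours")

    action = "hold_and_call" if len(reasons) >= step_up_at else "allow"
    return Decision(reasons, action)


def run_demo() -> list:
    """Score three constructed payments against a constructed profile."""
    profile = AccountProfile(
        account="acct-demo",
        usual_ips=frozenset({"203.0.113.10"}),
        past_amounts=[4200.0, 5100.0, 3900.0, 6300.0, 4800.0],
        usual_weekdays=frozenset({0, 1, 2, 3, 4}),
        usual_hours=range(8, 18),
    )
    txs = [
        # routine weekday payment from the usual office address
        Transaction("acct-demo", 5000.0, datetime(2024, 3, 12, 10, 0), "203.0.113.10"),
        # large payment, Saturday at 02:30, from an address never seen before
        Transaction("acct-demo", 97000.0, datetime(2024, 3, 16, 2, 30), "198.51.100.77"),
        # normal amount and time, but a new address: one signal, allowed by policy
        Transaction("acct-demo", 5000.0, datetime(2024, 3, 12, 10, 0), "198.51.100.77"),
    ]
    return [score_transaction(tx, profile) for tx in txs]


if __name__ == "__main__":
    for d in run_demo():
        print(d.action, d.reasons)
```

The design point is that the decision field is an action, not a log entry: the second payment trips all four signals and is held for a call, which is the kind of follow-up the ruling says was missing. The third payment shows the trade-off in the `step_up_at` threshold, since a single deviating signal passes under this policy; where the threshold sits, and whether a brand-new source address alone should force a call, is a tuning decision the bank has to make and justify.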
The judges also indicated that both parties might benefit from settling the matter out of court.