First Circuit Holds Bank May Be Liable For Customer Losses from Cyber Attacks


On July 3, the U.S. Court of Appeals for the First Circuit became the first federal appellate court to address the issue of bank liability for the loss of customer funds resulting from a breach of a bank’s cyber security, reversing a district court’s holding that the bank was not liable for such losses because its security protections were commercially reasonable. Patco Const. Co., Inc. v. People’s United Bank, No. 11-2031, 2012 WL 2543057 (1st Cir. Jul. 3, 2012).
Patco Construction Company, a commercial banking customer, suffered losses when cyber attackers gained electronic access to its account and made a series of unauthorized withdrawals. The customer sued the bank to recover the lost funds. The district court granted summary judgment in favor of the bank, holding that the customer should bear the loss from the fraudulent transfers because the bank’s cyber security protections were commercially reasonable, and the customer agreed that the procedures were reasonable when it signed the contract to add its electronic account.
On appeal, the customer argued that the procedures were not commercially reasonable, that it did not agree to the procedures, and that the bank did not comply with its own procedures. Specifically, the customer argued that the bank increased the risk of compromised security when it decided to lower the threshold that triggered account verification questions from $100,000 to $1, essentially requiring that the verification questions be answered for every transaction without considering the circumstances of the customer and the transaction. The First Circuit agreed. It found that the procedure change increased the risk of fraud through unauthorized use of compromised security answers. Moreover, after it had warning that fraud was likely occurring, the bank did not monitor the transaction or provide notice to the customer.
The court held that the bank’s collective security failures, when compared to the security measures employed by other financial institutions and the bank’s capacity to implement more robust protections, rendered its security procedures commercially unreasonable. The court reversed the district court’s ruling in favor of the bank and remanded for further proceedings.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BuckleySandler LLP | Attorney Advertising
