What Makes A Bank's Information Security Procedures "Commercially Unreasonable?"

by Carlton Fields

In Patco Construction Co., Inc. v. People's United Bank, a federal court ruled that failing to review and respond to security alerts may render a bank's information security procedures commercially unreasonable. In "non-legalese," that means that if a security incident occurs due to a bank's failure to review and respond to security alerts, the bank may be liable for losses and damages. The following reviews the Patco case and discusses what may cause the information security program of a bank or financial institution to be found commercially unreasonable (at least according to one court's interpretation).

Today, most banks have well-written and thorough information security plans and procedures.  Those policies and procedures typically require an enterprise IT infrastructure that facilitates and implements rules via software and technology. Banks invest heavily in software and hardware tools, which they buy and design to implement security protocols; and they conduct behavioral and perimeter security analysis, generate alerts, flag suspicious behavior, and spot malicious activity. However, the Patco court found that these efforts, without more, are not enough. In addition to written rules and investment in technological defenses, the Patco court ruled that bank personnel must review and respond to threat alerts immediately and effectively. If they don't, their security program may be deemed commercially unreasonable.

Over seven days in May 2009, Patco's bank authorized six fraudulent withdrawals, totaling $588,851.26. The bank's security system flagged each of these transactions as unusually "high-risk" because they were for greater-than-usual amounts, and because they were inconsistent with the timing, value, and geographic location of Patco's regular payment orders. However, the bank did not notify Patco of this information and allowed the payments to go through.

Patco then sued the bank in federal court in Maine alleging that it "should bear the loss because its security system was not commercially reasonable" under Article 4A of the Uniform Commercial Code ("UCC"), which was codified under Maine law. The district court dismissed Patco's suit and Patco appealed.

Patco signed up for eBanking in 2003. In doing so, Patco entered into several agreements with its bank including the eBanking for Business Agreement. The eBanking agreement relieved the bank of most liability, and included language stating that use of the bank's "eBanking for business password constitutes authentication of all transactions performed by you or on your behalf," that the bank "did not assume any responsibilities," and that "electronic transmission of confidential business and sensitive information" was at Patco's risk. The eBanking agreement also limited the bank's total liabilities to those resulting from its gross negligence, and limited any payouts to six months of fees.

Patco used eBanking to make regular weekly payroll payments. These were made on Fridays, and always initiated from a computer at Patco's offices. Transactions always originated from a single static IP address, and were quickly followed by weekly withdrawals for tax withholding and 401(k) contributions.

Patco's bank used an adaptive monitoring system that provided a risk score to the bank for every log-in attempt and transaction based on a multitude of data, including IP address, device cookie ID, Geo location, and transaction activity. Whenever a user's activity differed from its normal profile, the bank's software reported an elevated risk score. In addition, the bank implemented a "dollar amount rule," meaning it set a dollar threshold amount above which a transaction automatically triggered challenge questions even if the user ID, password, and device cookie were all valid. The bank set the dollar amount rule at $1, which meant that almost every transaction would initiate a challenge question prompt.

In court, Patco argued that the bank's security system was not commercially reasonable because the $1 threshold the bank set meant that Patco had to answer challenge questions on every transaction it made, thereby increasing the risk that the answers to its challenge questions would be compromised (the more frequently a security question and answer are used, the greater the chance they will be exposed to hackers). Patco also argued that the bank did not incorporate its security measures adequately by failing to monitor high risk score transactions, and did not provide email alerts or other immediate notices of suspicious activity. The bank argued that its security program was reasonable, and should be binding because Patco agreed to it.

The appeals court agreed with Patco and reversed the lower court's order. In its decision, the court said, "the bank substantially increased the risk of fraud by asking for security answers for every $1 transaction, particularly from Patco, which had frequent, regular, and high dollar transfers." Additionally, the court found that bank personnel failed to monitor the risk-scoring reports and therefore failed to notify Patco of suspicious activity that resulted in a high risk that fraudulent activity would go undetected. The court said "it was foreseeable that the use of the same challenge questions for high-risk transactions as were used for ordinary transactions was ineffective as a stand-alone backstop to password/ID entry," and ruled in favor of Patco.

So, what does Patco tell us about the scrutiny on bank and financial institution information security plans and procedures? First, it makes clear that courts are willing to apply "old law" or rules written for conventional transactions to online and technology-assisted transactions. Second, it should signal to lawyers advising banks on eBanking agreements that shifting risk and liability requires more than wordplay. And third, the case demonstrates that even when banks make investments and have excellent rules in place, if the rules and procedures are poorly implemented, they could still be held liable for damages arising from fraudulent transactions.

All this leads to an obvious question: How can banks minimize risk and ensure that their eBanking agreements will be enforceable in court? One answer is to design and implement an information security program that not only has adequate security protocols and mechanisms, but one that has also been thoroughly reviewed for effectiveness. The security consequences of every step in the design and construction of the information security program should be identified and evaluated. If something increases risk, it should be eliminated. If something reduces risk, it should be incorporated and continuously evaluated to ensure it remains effective given the current threat environment. Banks should also consider deploying a "red team" to independently test and verify security options and settings to ensure that the overall effectiveness of the security program is not being undermined by results that may not be initially obvious. Red teams should include IT, legal, and other subject-matter-experts such as privacy professionals and compliance specialists. Finally, banks should employ independent third parties to conduct periodic risk assessments and penetration testing of their entire security platforms to look for gaps and areas of improvement.

Patco suggests that courts (and regulators) will be closely scrutinizing the effectiveness of bank security programs. The focus will not likely be on whether banks have implemented the latest safeguards and technology, but rather on whether they are using these tools appropriately and effectively to minimize risk. According to Patco, anything less does not meet the "commercially reasonable" threshold of an acceptable information security program.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising

Written by:

Carlton Fields

Carlton Fields on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.