Banks may be liable for negligent transfer of hacked accounts

This column was originally published in The Journal Record on March 9, 2020.


Justin G. Bates is a litigation attorney who represents individuals and both privately-held and public companies in a wide range of civil litigation matters.

By Justin G. Bates, Phillips Murrah Attorney

When asked by a reporter why he robs banks, notorious criminal “Slick Willie” Sutton replied, “Because that’s where the money is.” While banks still have the money, the nature of the crime has evolved with technology. Today’s modern bank robber is often armed with nothing more than a mouse and keyboard, and the preferred tools and techniques of their trade are phishing and malware.

Hackers infiltrate businesses and individuals alike, typically using “social engineering” tactics to gain trust and access to an employee’s email account, to cite a common example, and re-route money from the rightful owner’s bank account to their own. While there are stiff penalties for a criminal caught in the act, it may come as a surprise that a bank that authorizes a wire transfer to a hacker’s account could be liable to the rightful owner.

Article 4A of the Uniform Commercial Code was enacted in response to the growth of electronic funds transfers and the crime that evolved in its wake. Under Article 4A, a bank is liable to a customer for the full amount of a negligently processed wire received by a hacker, including interest.

In the most basic terms, a bank is liable to its customer for a negligent wire transfer when (1) the customer did not authorize the transfer and (2) the transfer cannot be enforced against the customer because either (a) the transfer was not authorized by an employee of the customer or (b) a third party (outside hacker) initiated the transfer. At first glance, this may seem to be a slam-dunk trigger for liability to an aggrieved customer. But banks can take proper steps to insulate themselves from any liability under Article 4A.

To avoid liability, the bank must first prove three things. First, that it and the customer had an “agreed security procedure,” that is, a set of steps to which the bank and customer agreed by contract for verifying that a payment order or communication is genuinely between the bank and the customer. This is most commonly accomplished in the customer’s initial account agreement with the bank.

Second, the bank must prove that it complied with the agreed security procedure and that such procedure is “commercially reasonable.” In other words, the procedures are to be in line with that which someone familiar with the industry would regard as sufficient and realistic. Examples of what constitutes “commercially reasonable” are explored below.

Finally, the bank must prove that it not only followed the security procedure, but that it initiated the wire transfer in “good faith.” In other words, the bank must prove that it acted with honesty in fact and observance of reasonable commercial standards of fair dealing.

So how does a bank best avoid liability?

In practice, cases under Article 4A often hinge on whether the bank’s security procedure is commercially reasonable. In order to meet this threshold, a bank is expected to have better than single-factor identification. The wire transfer should require the customer to input at least two of the following: (1) something the customer knows, such as a password; (2) something the customer has, such as an IP address; or (3) something the customer is, such as a fingerprint or voice scan.
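The two-of-three rule described above, as an added illustration that is not part of the column or of any bank’s actual procedure: a payment order is released only when the customer has presented verified evidence from at least two distinct factor categories, and two pieces of evidence from the same category (a password plus a security question, for example) count as one factor. The enrolled password hash, the device secret standing in for “something the customer has”, and the challenge values are all constructed sample data, and the function names are the author’s own.

```python
"""Two-of-three factor check for a wire transfer payment order.

Added illustration (not from the column): an agreed security procedure that
refuses to release a payment order unless the customer has presented verified
evidence from at least two *distinct* factor categories. Every secret and
customer record below is constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


@dataclass(frozen=True)
class Evidence:
    """One verification result, tagged with the category it belongs to."""
    factor: Factor
    verified: bool


# --- constructed customer enrolment record (hypothetical values) -----------
_PBKDF2_ROUNDS = 200_000
_SALT = b"constructed-salt-0001"
_ENROLLED_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", _SALT, _PBKDF2_ROUNDS
)
# Secret held only by the customer's registered token (possession factor).
_DEVICE_SECRET = b"constructed-device-secret-for-token-42"


def verify_password(candidate: str) -> Evidence:
    """Knowledge factor: constant-time comparison against the salted PBKDF2 hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, _PBKDF2_ROUNDS)
    return Evidence(Factor.KNOWLEDGE, hmac.compare_digest(digest, _ENROLLED_PASSWORD_HASH))


def device_response(challenge: bytes, device_secret: bytes = _DEVICE_SECRET) -> str:
    """What the customer's registered token computes for a bank-issued challenge."""
    return hmac.new(device_secret, challenge, "sha256").hexdigest()


def verify_device(challenge: bytes, response: str) -> Evidence:
    """Possession factor: a correct response proves control of the enrolled device secret."""
    expected = device_response(challenge)
    return Evidence(Factor.POSSESSION, hmac.compare_digest(expected, response))


def authorize_payment_order(evidence: list[Evidence], required_factors: int = 2) -> tuple[bool, str]:
    """Release the order only if verified evidence spans enough distinct categories.

    A failed factor rejects the order outright; otherwise the number of
    distinct categories, not the number of checks, decides.
    """
    if any(not e.verified for e in evidence):
        return False, "rejected: a presented factor failed verification"
    categories = {e.factor for e in evidence if e.verified}
    if len(categories) < required_factors:
        names = ", ".join(sorted(c.name for c in categories)) or "none"
        return False, f"rejected: only {len(categories)} distinct factor(s) verified ({names})"
    return True, f"authorized: {len(categories)} distinct factors verified"


if __name__ == "__main__":
    challenge = secrets.token_bytes(16)
    # Password plus registered-device response: two distinct categories.
    good = [verify_password("correct horse battery staple"),
            verify_device(challenge, device_response(challenge))]
    print(authorize_payment_order(good))
    # Password plus a second knowledge check: still only one category.
    same_category = [verify_password("correct horse battery staple"),
                     Evidence(Factor.KNOWLEDGE, True)]
    print(authorize_payment_order(same_category))
```

The point of tagging each verification with its category is that the policy check in `authorize_payment_order` counts categories rather than checks, which is what separates a genuine multi-factor procedure from two questions asked in a row.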

With cybercrime on the rise, it is crucial for any bank to both protect its customers and insulate itself from potential liability. Requiring multi-factor identification is no guarantee that a bank will avoid liability under Article 4A, but it is one relatively easy way for a bank to better protect itself and its customers.

Justin G. Bates is a civil litigation attorney at the law firm of Phillips Murrah in Oklahoma City.

Security and data protection procedures are everyone’s concern

Q: With the recent breach of Equifax, it seems that vulnerability to identity fraud is everywhere. Are there measures I can take on behalf of my company and employees to minimize risk?

Fred A. Leibrock is an experienced trial lawyer who has tried dozens of jury trials and has served as lead counsel in a number of significant cases involving complex, multi-jurisdiction issues.

A: Act now and seek professional technical assistance. Hire the right technical person or firm to help you test your systems, assess your vulnerabilities and implement your security and data protection procedures and recovery plans. The question isn’t whether someone will try to steal your data, but when. You need to be ready.

Q: From a legal standpoint, if my company’s data is breached, can my company be held liable for harm to employees or customers whose information may have been compromised?

A: Yes. Although this is a rapidly emerging area of the law, as a general rule an entity that is negligent in safeguarding confidential customer or employee data can be held liable as a result of a breach, or as a result of disregarding legal notice requirements after the breach. The principal question on the issue of liability is whether the entity took reasonable steps before the breach to protect the data, and after the breach to protect and notify the customers or employees. What’s reasonable is a moving target that must be determined on a case-by-case basis. However, there are few legitimate excuses in this day and age for a company to not take significant affirmative steps to safeguard electronic data.

Q: What are some of the bigger mistakes that companies make when it comes to protecting their data?

A: According to the Federal Trade Commission, the principal unreasonable practices that result in data breaches include weak password policies, lack of encryption, broad dissemination of administrative passwords, and lack of security between systems with sensitive data and other computers inside and outside the network.

Q: What measures can I take to protect my company from a data breach?

A: Engage in advance planning. To reduce the risks of a data breach, follow the recommendations of the National Institute of Standards and Technology by planning ahead of a breach to: identify the components of your systems and their vulnerabilities; protect the components from penetration; detect latent threats that may have already penetrated your systems; respond to a breach; and recover from a breach. Also, train your employees to be alert to cybersecurity risks.

Q: It seems like all businesses rely on digital data transfer, whether it’s using file transfer services or sending sensitive documents through email. How do I continue to take advantage of these conveniences and still secure my information?

A: Avoid unnecessary risks. There are a million affordable products on the market that allow you to encrypt stored data and data in transmission. Use them and be willing to pay for security and data protection. If you must transmit sensitive data over an insecure network, at a minimum encrypt it with a strong password before transmitting it.

From NewsOK / by Paula Burkes
Published: September 20, 2017
Roth: Energy cybersecurity

By Jim Roth, Director and Chair of the Firm’s Clean Energy Practice Group. This column was originally published in The Journal Record on April 24, 2017.


Jim Roth is a Director and Chair of the firm’s Clean Energy Practice.

This past week was the 22nd anniversary of the Murrah Federal Building bombing on April 19 and as is the solemn custom each year Oklahomans gathered and memorialized those lives lost and those lives changed forever.

In addition, for the third year, the Judge Alfred P. Murrah Center for Homeland Security Law & Policy at the Oklahoma City University School of Law gathered people to study and examine the threats in our world today. As the center says in describing the tragic events of April 19, 1995, “It opened our eyes to the reality that terrorism could strike anywhere, at any time.”

This sad reality has required that we Americans keep our eyes wide open and with the help of experts at the Murrah Center and around the country, vigilance, insight and knowledge are necessary constants today.

At this year’s conference, sponsored by the law firm of Crowe & Dunlevy, sessions on cybersecurity in banking, gaming and energy brought the threats around us into focus. And in the event you aren’t aware of how often attacks are actually occurring here and abroad, be sure to check out Norse Corp.’s real-time visibility into global cyberattacks website and you too might be shocked at the frequency: map.norsecorp.com/#/.

Like a modern-day version of Missile Command, this site shows and live tracks the attack origins, the attack types, attack targets and countries involved in real time. And it is very freaky, because cyber risks and attacks do not sleep, they do not take weekends off and they certainly don’t quit.

In the energy sector, much is being done to safeguard every step, from production to midstream delivery, to customer consumption and engagement, as every link is a vulnerability. At last week’s seminar, experts from Devon Energy, Continental Resources and Oklahoma Gas & Electric described their own real-world efforts and safeguards in what appears to be a constant evolution of learning, reacting and working to stay safe and a step ahead of these risks.

The U.S. Department of Energy is the pre-eminent national guide for cybersecurity for critical energy infrastructure and energy delivery systems. As DOE says: “…the nation’s security, economic prosperity, and the well-being of our citizens depend on reliable energy infrastructure.” And they work to accomplish these needs through three key areas:

• Strengthening energy sector cybersecurity preparedness.

• Coordinating cyber incident response and recovery.

• Accelerating research, development and demonstration of game-changing and resilient energy delivery systems.

Oklahoma is certainly an energy state, with blessings above and below our red dirt. Our production and delivery of these resources now include once-unimaginable threats of attack from sophisticated computer hackers and attacks from nation-states and rogue actors looking to create havoc in our economy and across the world. Our energy companies are helping to keep our energy systems safe and they need our vigilance too.

So the next time you get a strange email offering you riches from a never-known dead relative in a foreign country, please do not click on the link or forward it to others to check it out, as it may just be the attack that takes out your town’s electricity or the oil and gas well nearby.

As my mother used to say, “if it sounds too good to be true, it probably is.” In today’s world of cyber risks, the new mantra may need to be “If it sounds too good to be true, it’s probably a malicious malware virus launched from an anonymous attacker to bring down your household or country.”

But then again, it could just be “a guy sitting on their bed who weighs 400 pounds,” as a candidate for president once scoffed. Either way, it’s past time to take it seriously, especially for the energy sector in America.

Jim Roth, a former Oklahoma corporation commissioner, is an attorney with Phillips Murrah P.C. in Oklahoma City, where his practice focuses on clean, green energy for Oklahoma.