Gartner Blog Network

Court rules against bank in business account cyber-heist but who’s to blame?

by Avivah Litan  |  July 10, 2012

Last week, a federal appeals court reversed a May 2011 lower court ruling that held PATCO Construction Inc. responsible for ACH fraud committed by hackers who used the Zeus Trojan to pilfer $588,000 out of PATCO’s account at Ocean Bank in 2009. The appeals court deemed the bank’s security procedures ‘commercially unreasonable’ and recommended that the two parties settle the matter out of court. For more information on the court case, see

Similar to the 2008 financial crisis and the subprime mortgage market meltdown, everyone has an opinion on who is responsible for preventing business account heists, i.e. the bank, the business, or the government. I happen to think that while every party shares a piece of the culpability, the ultimate responsibility for preventing this type of fraud lies with our Congress, which is all too heavily influenced by the almighty financial services lobby.

After all, the role of government is to look after and protect consumer and business interests that are not necessarily protected if the entities consumers and businesses trust (e.g. the banks) fail to protect them themselves.

Ocean Bank relied on a third-party online banking processor for its security and was asleep at the wheel when the fraud took place. They had the means to filter and monitor high-risk transactions but didn’t make good use of what they had. No doubt Ocean Bank assumed they were covered contractually with PATCO and had no liability for any business account losses, as there is no equivalent of Reg E (which protects consumer accounts) on the business account side.

Further, our nation’s banking regulators – stretched as they may have been – also failed to ensure small banks like Ocean were doing their part in protecting customer assets. (The FFIEC banking regulators finally came out with an update to their Guidance on Internet Banking security in June 2011, or about three years too late).

This specific ruling will likely only have incremental impact. Other small businesses with the resources to sue their bank over similar incidents can now point to this ruling as they make their own case. But this battle will have to be fought one case at a time.

PATCO’s and many similar small business account takeover cases have been well publicized and already have had their major immediate impact with the 2011 update of FFIEC guidance, which frankly isn’t enough. It’s only guidance, not regulation. And it’s definitely not a federal law.

The federal appeals court judge was right to say the bank did not employ reasonable security. But what the judge did not say, for whatever reason, was that the U.S. laws that apply to banks’ safeguarding of business accounts (found in the Uniform Commercial Code) are not anywhere near as clear as they are when it comes to protecting consumer accounts (à la Regulation E). If they were, I doubt Ocean Bank would have ignored the signs that a theft of nearly $600,000 from one of its business customer accounts was going down.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.
