Privacy & Security Matters (Mintz Levin)

“Reasonable” security does not necessarily equal “best” security – even if ACH fraud involved


Written by Stu Eaton

Bank Info Security reports that a magistrate for the U.S. District Court in Maine issued an Order that further defines what constitutes “reasonable” security practices. The Order, which must be approved by the judge, recommends dismissal of a complaint filed by PATCO Construction Company against Ocean Bank over more than $500,000 in fraudulent Automated Clearing House (ACH) Network transactions. The magistrate found that Ocean Bank was not required by law to adopt “cutting edge” security practices: it fulfilled its contractual obligations for security and multifactor authentication through its use of simple log-in and password credentials.

In May 2009, PATCO had its log-in and password credentials hijacked by cyberthieves, who used those credentials to make over $500,000 in unauthorized transactions from PATCO’s account. PATCO sued Ocean Bank for failing to detect and prevent the theft, arguing that the bank did not comply with the Federal Financial Institutions Examination Council’s requirement for multifactor authentication when it relied on simple password and log-in credentials. The magistrate disagreed, finding that although the bank’s authentication was not “optimal,” it was multifactor, and that the law does not require banks to implement the “best” security practices: “Patco in effect demands that Ocean Bank have adopted the best security procedures then available . . . [a]s the Bank observes, that is not the law.”