A Fresno bank is settling a lawsuit filed by a Kern County oil company over the loss of almost $300,000 to a form of cybertheft called "corporate account takeover."
TRC Operating Co. originally sued United Security Bank in 2012 in Kern County Superior Court, alleging that the bank's security features for online banking were inadequate to prevent Ukrainian hackers from using fraudulent electronic wire transfers to steal money from the company's account.
Attorneys for TRC said hackers attempted 12 electronic payment orders, totaling almost $3.5 million, over a five-day span in November 2011.
Under the terms of the settlement announced this month by TRC, United Security will pay TRC $350,000 -- an amount that equals the amount hackers actually stole from the company plus accumulated interest and the maximum amount that TRC could recover if it had won the lawsuit, said Julie Rogers, a San Jose attorney representing TRC.
"Under the California Commercial Code, that's all we're entitled to," Rogers said. "The law (governing business banking) is written to the advantage of financial institutions. If there's an incident of cybertheft or corporate account takeover and a business loses money, the most a company can get is what was lost plus interest -- no punitive damages, no attorney fees."
United Security president/CEO Dennis Woods said the settlement is being paid by the bank's insurance company. The settlement terms also mean neither side admitted liability in the case, but in the suit and in comments last week, each side continued to blame the other for not taking sufficient care to prevent the fraudulent wire transfers.
Rogers asserted that while United Security Bank encouraged the company to use its electronic banking services, the bank should have had a more robust process for ensuring authenticity of the wire transfers to prevent fraud. "All they offered their customers was a user name and a password, nothing more than you'd give a junior high student to have an email account," Rogers said.
The legal question in the lawsuit was "whether the security features that a bank or financial institution have were 'commercially reasonable,'" she added. "We argued that it was not commercially reasonable."
Woods said the bank's position is that the bank's security was adequate, but that TRC's owner was an unwitting victim of a "phishing" scheme, in which hackers use email or a fraudulent website to obtain someone's personal and financial account information. "He gave away his ID to a third party, they got into his computer and stole his identity," Woods said. "They never hacked the bank, but they assumed his identity and processed about a dozen wire transfers."
As part of its electronic banking agreements, Woods said, customers assume the liability for keeping their passwords and other information confidential. "There are conditions that customers agree to abide by, and he didn't," Woods said. "If you don't give away your confidential info and identity, you don't get hacked. ... None of our other customers were hacked."
Neither side was completely happy with the outcome, as the central question of liability for the theft from TRC remains unanswered.
The only firm ruling from a judge in the two years since the lawsuit was filed involved a fraud allegation by TRC against the bank itself -- the only way to try to get around the law's limitation of liability to actual losses. Rogers said that allegation stemmed from an investigation of the wire transfers by a computer security analyst hired by the bank, who concluded that the breach was not the bank's fault. "We believe that report contained many, many omissions," Rogers said. But, she added, that allegation "was rejected by the judge."
Rogers said United Security Bank used what is called "single-factor authentication" -- a secure password -- to make sure that whoever was ordering the wire transfers was, in fact, the customer. She added that in 2005, banking regulators advised banks that single-factor security was "ill-advised" and recommended additional layers to authenticate transactions, "but all that costs a lot of money for banks to offer."
Regardless of how the breach occurred, Rogers said, "when a company is hit by cybertheft and believes the bank let them down, it's financially unfeasible to sue a bank because the bank is a formidable opponent."
"But it's the principle of the matter," she added. "TRC was mad, and as an oil company, it's one of the few businesses who could afford to try to hold the bank accountable."
Woods in turn expressed disappointment that the bank's insurance company chose to settle the case instead of going to trial. "From our perspective, it's not a good solution, but there's no harm to the bank" because the settlement was paid by the insurance company.
Woods said the settlement leaves open the question of whether a bank is liable for breaches like this or if institutions can rely on agreements requiring customers to keep their banking information confidential. "Neither one of us got an answer," he said.
Since the suit was filed in 2012, Woods added, the bank has added layers of security beyond passwords, including individualized on-screen images so customers can verify they're on the bank's authentic website instead of a counterfeit page, and security questions so that the banking system can verify the identity of the customer.
"We don't have that many customers using e-banking," he said. "But what's really happened out of this, since the court didn't rule, is that the automation of electronic banking isn't so automatic anymore."
Rogers said the case represents a lesson to commercial banking customers to question what types of security a bank has in place to protect its e-banking customers.
"Electronic banking is a partnership between the bank and the customer," she said. "But the customer isn't a security expert, so if a bank is going to push customers to do online banking, they have a responsibility to educate the customer ... and offer a variety of security features."
The reporter can be reached at (559) 441-6319, email@example.com or @TimSheehanNews on Twitter.