Bank Sued For Violating Its Own Security Rules

A Tennessee bank is being sued by a corporate customer following a $327,000 cyberheist involving the company’s payroll. The twist is that the bank is accused of bypassing its own security procedure—a recorded phone call from the bank to the customer confirming large transfers—a move that the plaintiffs argue amounts to responsibility for the theft.

In late 2011, TriSummit Bank introduced a security procedure under which it would phone customers to verify large cash movements. The customer, the Tennessee Electric Company, said that during a cyberattack on the company’s account, company employees were unable to log into the bank’s site. Bank employees told the company “that updates or maintenance of Defendant’s website were likely causing the problems with Plaintiff’s attempted login,” according to the lawsuit.

That’s when the con started. “On May 9, 2012, Plaintiff received two telephone calls during the lunch hour from a ‘Jim,’ who identified himself as being with Defendant’s IT Department and who stated that he wanted Plaintiff to log onto Defendant’s website for on-line banking to determine if the website was fixed.” Of course, that was when the password and other login details were captured by the thieves.

The KrebsOnSecurity site reported that the bank then got involved. “On May 9, Tennessee Electric alleges, TriSummit Bank called to confirm the $202,664.47 payroll batch — as per an agreement the bank and the utility had which called for the bank to verbally verify all payment orders by phone,” the story said. “But according to Tennessee Electric, the bank for some reason had already approved a payroll draft of $327,804 to be sent to 55 different accounts across the United States — even though the bank allegedly never called to get verification of that payment order.”

This case has the potential to change the rules for banks dealing with cyberthieves by addressing—and perhaps closing—a legal security liability loophole. “Consumers who bank online are protected by Regulation E, which dramatically limits the liability for consumers who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement),” the story said. “Businesses, however, do not enjoy such protections. States across the country have adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is ‘effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.’ Under state interpretations of the UCC, the most that a business hit with a cyberheist can hope to recover is the amount that was stolen. That means that it’s generally not in the business’s best interests to sue their bank unless the amount of theft was quite high, because the litigation fees required to win a court battle can quickly equal or surpass the amount stolen.”