Judge dismisses BancorpSouth defense in online theft suit

Bank contended that Choice Escrow's failure to secure online credentials caused $440,000 online heist

A federal judge has rejected BancorpSouth's plan to use contractual agreements with customers as a shield against liability claims stemming from an online heist of some $440,000 that was illegally wire-transferred from the account of one of the bank's commercial customers in March 2010.

The customer, Choice Escrow and Title LLC in Springfield, Mo., filed a lawsuit against Tupelo, Miss.-based BancorpSouth in November 2010 alleging that the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the Uniform Commercial Code (UCC).

BancorpSouth countersued earlier this year arguing that Choice Escrow was solely responsible for the breach because it allowed hackers to gain access to legitimate login credentials.

The bank contended that Choice Escrow signed a contract that included an agreement not to hold BancorpSouth responsible for losses stemming from a failure to use the online services in a secure manner.

In its lawsuit, BancorpSouth said Choice Escrow should be held liable for legal costs and other expenses for breaching the terms of the contract by filing claims against the bank.

In a four-page ruling last week, Judge John Maughmer of the U.S. District Court for the Western District of Missouri rejected the bank's claims, ruling that Funds Transfer Act provisions preempted any other agreement between Choice Escrow and BancorpSouth.

The judge did note that both sides in the dispute had made convincing arguments to support their case. "The Court having read the briefing of the parties finds this to be a very close call," Maughmer said.

"On one hand, it seems obvious that the drafters of the UCC wanted banking sector parties to be protected from common law negligence claims and to encourage uniformity and consistency," Maughmer said. "On the other hand, it seems unlikely that the drafters of the UCC wanted to discourage business entities from freely exercising their rights to contract the terms of their relationships."

To accept BancorpSouth's arguments would effectively mean that Choice would have to pay back to the bank what the bank would otherwise owe to Choice under the Funds Transfer Act, the judge wrote. "Such a result seems at odds with the purpose of the Act."

The ruling means that the case between BancorpSouth and Choice Escrow could soon head to trial.

In an email to Computerworld, Jim Payne, director of business development at Choice Escrow, expressed satisfaction over the ruling.

"We are ready to get this nightmare over and maybe we are now a little closer," Payne said.

BancorpSouth officials could not be reached for comment.

The case is one of several asking courts to decide who is responsible for online account takeovers where attackers use legitimate access credentials to initiate illegal wire transfers from commercial accounts.

Hundreds of small businesses have had their accounts drained in such attacks in recent years.

Many victims have blamed banks for not taking adequate measures to detect and stop such illegal transfers.

Choice Escrow, for instance, said that BancorpSouth should have known the wire transfer request was fraudulent because it was the first time it had asked to transfer funds outside of the U.S.

Many of the banks, meanwhile, contend they are not responsible for attacks caused by a customer's failure to control access to their account.

BancorpSouth said Choice Escrow's account was raided only because the company allowed someone to gain access to a legitimate username and password. It also contended that Choice Escrow was aware that BancorpSouth offered stronger protections against illegal wire transfers but chose not to use them.

In recent months, courts have shown a tendency to side with customers on the issue.

In July, a federal appeals court ruled against Ocean Bank in a dispute involving Patco Construction Company of Maine, which lost $345,000 in fraudulent wire transfers.

In its decision the appeals court ruled that Ocean Bank had not implemented commercially reasonable measures. The court added that further hearings would be needed to determine what Patco could have done to prevent the theft.

Last June, a Michigan court found Comerica Bank liable for a $560,000 theft from the account of Experi-Metal, a maker of auto parts based in Sterling Heights, MI.

In its ruling the court found that the bank should have done a better job of detecting and stopping the theft.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
