Bank not liable for customer's $440,000 cybertheft

BankcorpSouth can also recover attorney's fees from escrow firm, appeals court rules

A Missouri escrow firm that lost $440,000 in a 2010 cyberheist cannot hold its bank responsible, an appeals court ruled this week.

The Court of Appeals for the Eighth Circuit's decision this month affirmed a lower court ruling in the case.

The appeals court also held that the escrow firm can be held responsible for the bank's attorney fees in the case.

In a 25-page ruling, the appeals courts agreed with a Missouri district court ruling in March 2013 that blamed Choice Escrow and Title LLC for the loss because it failed to follow the bank's recommended security precautions.

Choice Escrow filed the lawsuit against BancorpSouth Bank in November 2010 after unknown attackers stole the username and password to the company's online bank account and used the credentials to transfer $440,000 to an account in Cyprus.

Choice Escrow claimed that the theft occurred because the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the Uniform Commercial Code (UCC). Choice Escrow maintained that BancorpSouth should have known the wire transfer request was fraudulent because it was initiated from outside the U.S -- something that had never happened before with its account.

BancorpSouth countered by saying that the loss resulted from Choice Escrow's failure to implement the bank's recommended security precautions for wire transfers.

The bank pointed to several controls it had in place for wire transfers. The bank said it had urged Choice Escrow to use the controls. For instance, the bank said it requested that Choice Escrow adopt a dual-control process that would rquire two people to sign all wire transfer requests. BancorpSouth also asked officials at Choice Escrow to put an upper limit on wire transfers.

Choice Escrow chose not to follow either recommendation, the bank said.

BankcorpSouth noted that the fraudulent wire transfer was initiated by someone using Choice Escrow's legitimate banking credentials and a computer that appeared to belong to the company. The bank claimed it had acted in good faith when it executed the wire transfer request because there was nothing to indicate it was fraudulent.

The Missouri district court agreed that BankcorpSouth had taken reasonable measures to protect against illegal wire transfers, and faulted Choice Escrow for not following the bank's recommendations. The court ruled the fraud may not have occurred if the company had followed the instructions.

The appeals court's ruling went one step further by holding that BancorpSouth can seek to recover it's attorney's fees from Choice Escrow.

Choice Escrow is one of numerous companies, municipal governments and school districts that have been victimized by similar online heists in recent years.

Almost all cases have involved hackers stealing legitimate banking credentials from and then using those credentials to initiate fraudulent wire transfers to offshore accounts.

The thefts have often pitted banks against their customers. The disputes have highlighted the issue of bank liability for commercial customer losses stemming from third-party fraud. The cases also involve agreements on commercial account security.

To date, courts have been split on the issues.

For instance, the Court of Appeals for the First Circuit faulted People's United Bank (formerly Ocean Bank) in a dispute over a similar online theft with a customer, construction company Patco.

Maine-based Patco lost $345,000 in an online cyberheist virtually identical to the one suffered by Choice Escrow. In that case, a three judge panel overturned a lower court decision, ruling that the the bank had failed to implement commercially reasonable security measures. The two parties later agreed to settle the dispute.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about legal in Computerworld's Legal Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and Hackingchoicesecuritylegal

More about Topic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place