Cybersecurity incidents routinely grab headlines, and for good reason. These incidents often lead to exposure of large volumes of sensitive data, or significant monetary losses. For example, this blog previously discussed how fraudster access to online banking platforms could lead to lawsuits between banks and customers over who is ultimately liable for unauthorized transfers.
There is no doubt that the internet has made it easier for fraudsters to target organizations from afar. However, even though digital fraudsters pose an increasing threat, organizations still face a significant risk from unauthorized transactions initiated by their own employees and insiders.
That fact was made clear to James Binns, owner of James Binns, P.L.C., when from 2013 to 2017 his daughter engaged in 267 unauthorized ACH transactions from his business account. He first noticed some unusual transactions from his account in 2013, but waited until 2017 to clearly report to the bank that he thought some account transactions were unauthorized. After the bank declined to reimburse the account, Mr. Binns sued his bank in the United States District Court for the Eastern District of Pennsylvania. Mr. Binns claimed the bank should have detected and halted the unauthorized transactions.
The lawsuit is a useful case study for the liability rules that govern unauthorized transactions after a cybersecurity incident, even though this case involved insider fraud. In this case, the Court looked at the fund transfer agreement between the bank and the business, as well as the Uniform Commercial Code (“UCC”) to determine who was liable for the unauthorized transactions.
The Court ultimately decided that Mr. Binns, not the bank, was liable for the transactions. There were several provisions of the bank’s fund transfer agreement with Mr. Binns that were important to the analysis. First, the contract had a “same wrongdoer” clause. That clause shifted liability to Mr. Binns for all transfers by the “same wrongdoer” if he failed to identify the first unauthorized transaction within 60 days of receiving a statement. Second, the contract required Mr. Binns to notify the bank of unauthorized transactions within 30 days of receiving his statement. Third, the agreement required Mr. Binns to file a lawsuit within one year of the date of the first statement that showed an unauthorized transaction. Fourth, the agreement required Mr. Binns to use ordinary care in protecting access to his account by regularly reviewing and reconciling bank statements. In this case, Mr. Binns waited too long to identify the unauthorized transactions.
Many of the contractual protections the bank relied on in this case were based on language from the UCC. Banks should not, however, simply rely on the UCC alone. While the UCC gives banks options for dealing with liability for unauthorized transactions, it is often necessary for a bank and customer to have agreed to a certain set of rules in order for the bank to shift liability to the customer for unauthorized transactions.
This blog has discussed the need for banks and customers to use commercially reasonable security procedures to verify payment requests. This case is a cautionary tale for banks and customers alike. Depositors should recognize that their banks are not insurance companies that protect them against any losses. Banks should also review their treasury, deposit, and electronic fund transfer agreements to make sure they are maximizing protection against unauthorized transactions. Whether the fraudster is sitting overseas or in the office next door, liability for unauthorized transactions often depends on the contract between the depositor and the bank.