
With Credit Cards, the end merchant is liable, not the bank, which is why they have no issue with stop payments and such.

In this case, the plaintiff is asking the bank to assume liability because he got hacked. That's a bit of a stretch.



Why is it a stretch? The bank is liable for funds stolen through a bank robbery, a much more aggressive criminal action. Why is the bank supposed to protect your funds in one instance but not another?


From reading over the court filings, it looks like Ocean Bank's defense was built around the ACH/eBanking agreements that Patco signed before they commenced the service.

In these agreements, Patco "agreed to, among other things, assume all liability and responsibility to monitor its commercial checking account (“Account”) on a daily basis. See Modified eBanking Agreement § XIII.B; ACH Agreement §§ 11 and 12(a). Patco further agreed that it would indemnify Ocean Bank from any suits arising from its failure to abide by the terms of the Modified eBanking Agreement and the ACH Agreement"

(Source - Defendant's Answer to Plaintiff's First Amended Complaint and Counterclaims - pg 10 - retrieved from http://www.buckleysandler.com/Patco_v_Peoples(1).pdf)

This is one of those situations where the many pages of fine print came back to bite an innocent victim. The bank did not have adequate security, but they came armed with abundant proof that Patco violated its terms of service. I am Canadian, so I don't know a huge amount about US civil law, but I'm pretty sure that the US has a mitigation requirement on any torts. Patco would have violated this.

I've got to tell you, reading that .pdf makes me want to keep my money under my mattress.


Contract clauses that waive a bank's standard of due care for online security should not be enforceable. All sorts of other clauses are declared unenforceable all the time. This clearly should be one of them. It is practically the whole charter of a bank to protect funds from unauthorized access. If your contract waives that responsibility, you shouldn't be allowed to have the word "Bank" in your name.


I agree with you completely - I would give you +1000 if I could.

The part I find the funniest is that the judge actually agreed that the bank's security was lax, yet still dismissed because Patco was in violation of the agreements.

I wonder how many new business customers Ocean Bank has signed up since this suit went public? The good old free market is (hopefully) doing its thing.


But is there anything to suggest that other banks in similar business space are any different?


After having gone through the entire thread, I wish I had your patience.


Let's assume for a second that this wasn't a hacker, but a malicious employee. In your world is the bank still liable for this?


No, because even using countermeasures that meet or exceed industry best practices, a malicious employee could be expected to gain access to the account. Unlike this case, the internal fraud would be entirely outside the bank's control.


Yeah, I guess if it's in the fine print then what is the judge supposed to do? I agree, I need to find a more secure mattress.


Not allow an unconscionable clause to be enforced in court. Happens all the time.


Because one happens because the bank didn't secure their vault enough and one happens because the client didn't secure their computers enough.


There is a difference in the fact that the bank is fully aware that the robbery is not a normal transaction.

The bank cannot be expected to be aware of normal transactions conducted with a fraudulent intent. Assuming they take some precautions (like they do if they suddenly see 15 quick purchases from Russia when you live in Oregon), there's only so much liability they can be expected to shoulder.


All major banks have systems whose job is to have a notion of normal and abnormal transactions. Any bank operating at the level of the majors should be able to pick out the $100k electronic funds transfer, which is probably the only customer-not-present paperless ACH transaction of that size in the history of the relationship for a regional construction firm, and require callback authorization for it. That's all they had to do.

The point isn't that the bank should be universally responsible for fraud. It's that the responsibility for fraud does not end exactly at the login prompt.
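The out-of-pattern check that the two comments above describe (a record-sized customer-not-present ACH for a regional contractor, or a burst of foreign card purchases) can be sketched in a few rules. The following Python is an added illustration, not code from the thread or from any bank's fraud engine; the thresholds, channel names, sample histories and payee identifiers are all constructed assumptions:

```python
"""Toy out-of-pattern review for an online-banking transaction.

Added illustration, not any bank's real fraud engine. Thresholds, channel
names, the sample histories and the payee identifiers are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float      # USD
    channel: str       # "ach_ebank" = customer-not-present online ACH; also "branch", "card", ...
    country: str       # where the instruction or purchase originated
    beneficiary: str   # payee / destination account identifier


def review_transaction(history, candidate, *, home_country="US",
                       size_multiplier=2.0, velocity_count=10,
                       velocity_window=timedelta(minutes=30)):
    """Return ('allow' | 'callback', reasons).

    'callback' means: hold the item and confirm it with the customer out of
    band (a call to a phone number already on file) before releasing funds.
    """
    reasons = []

    # Rule 1: size relative to what this relationship has done on this channel.
    same_channel = [t.amount for t in history if t.channel == candidate.channel]
    if not same_channel:
        reasons.append(f"first '{candidate.channel}' transaction in relationship history")
    else:
        peak = max(same_channel)
        if candidate.amount > size_multiplier * peak:
            reasons.append(f"amount {candidate.amount:,.0f} exceeds {size_multiplier:g}x "
                           f"prior '{candidate.channel}' peak of {peak:,.0f}")

    # Rule 2: an unseen beneficiary receiving more than anything paid before.
    if history:
        seen = {t.beneficiary for t in history}
        if candidate.beneficiary not in seen and candidate.amount > max(t.amount for t in history):
            reasons.append(f"new beneficiary '{candidate.beneficiary}' for a record amount")

    # Rule 3: burst of activity from an unusual geography.
    if candidate.country != home_country:
        window_start = candidate.ts - velocity_window
        recent_foreign = [t for t in history
                          if t.country != home_country and window_start <= t.ts <= candidate.ts]
        if len(recent_foreign) + 1 >= velocity_count:
            reasons.append(f"{len(recent_foreign) + 1} non-{home_country} transactions "
                           f"within {velocity_window}")

    return ("callback" if reasons else "allow"), reasons


def sample_construction_history():
    """Constructed history for a regional contractor: a year of monthly payroll
    ACH (18k-24k) plus in-branch supplier payments. Not real data."""
    base = datetime(2010, 1, 15, 9, 0)
    hist = []
    for m in range(12):
        ts = base + timedelta(days=30 * m)
        hist.append(Txn(ts, 18_000 + 2_000 * (m % 4), "ach_ebank", "US", "PAYROLL-PROVIDER"))
        hist.append(Txn(ts + timedelta(days=3), 4_500, "branch", "US", "LUMBER-SUPPLY-CO"))
    return hist


def sample_card_history(burst_start):
    """Constructed card history: a year of small local purchases, then 14
    foreign charges in the minutes before the candidate. Not real data."""
    hist = [Txn(burst_start - timedelta(days=365 - 10 * i), 40 + 5 * (i % 8),
                "card", "US", f"LOCAL-STORE-{i % 3}") for i in range(30)]
    hist += [Txn(burst_start + timedelta(seconds=40 * i), 180.0,
                 "card", "RU", "MERCHANT-RU-01") for i in range(14)]
    return hist


def run_demo():
    """Evaluate four constructed candidates; returns {name: (decision, reasons)}."""
    hist = sample_construction_history()
    when = datetime(2011, 1, 15, 9, 0)
    burst_start = datetime(2011, 3, 2, 2, 0)
    cases = {
        "routine payroll": (hist, Txn(when, 22_000, "ach_ebank", "US", "PAYROLL-PROVIDER")),
        "100k ACH to unknown account": (hist, Txn(when, 100_000, "ach_ebank", "US", "ACCT-7731")),
        "first ever wire": (hist, Txn(when, 5_000, "wire", "US", "LUMBER-SUPPLY-CO")),
        "15th quick foreign card charge": (
            sample_card_history(burst_start),
            Txn(burst_start + timedelta(seconds=40 * 14), 180.0, "card", "RU", "MERCHANT-RU-01")),
    }
    return {name: review_transaction(h, c) for name, (h, c) in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_demo().items():
        print(f"{name}: {decision}" + "".join(f"\n    - {r}" for r in reasons))
```

The point of the "callback" decision is that it moves the authorization step off the compromised channel: a stolen password or session cannot answer a phone call to the number already on file. The multipliers and window sizes here are placeholders; a real system would tune them per relationship and channel.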


Agreed, and this is something you can't say you are aware of, because banks do not communicate about their internal security checks. As an example: I paid 1c on my own website via PayPal while doing payment integration testing, and the transaction was blocked. I received a text message telling me to call the bank to authorize the payment. I asked if it would block again for another test, but they have instructions not to answer those kinds of questions, and I'm glad they did ;)



