Yesterday (July 5, 2012), the United States Court of Appeals for the First Circuit issued its much anticipated ruling in Patco Construction Company v. People’s United Bank d.b.a. Ocean Bank. The court summarized the facts as follows:

Over seven days in May 2009, Ocean Bank, a southern Maine community bank, authorized six apparently fraudulent withdrawals, totaling $588,851.26, from an account held by Patco Construction Company, after the perpetrators correctly supplied Patco’s customized answers to security questions. Although the bank’s security system flagged each of these transactions as unusually “high-risk” because they were inconsistent with the timing, value, and geographic location of Patco’s regular payment orders, the bank’s security system did not notify its commercial customers of this information and allowed the payments to go through. Ocean Bank was able to block or recover $243,406.83, leaving a residual loss to Patco of $345,444.43.

The trial court judge had ruled that the bank had met its obligation to act in a commercially reasonable fashion because it had met the security standards of the Federal Financial Institutions Examination Council (FFIEC). The Court of Appeals reversed the trial court, finding that meeting the FFIEC standards did not by itself establish that the bank had acted in a commercially reasonable manner. The court elaborated on security measures that the bank could have implemented beyond the FFIEC guidelines to protect its customers, and noted that the reasonableness of security measures has to be judged in light of the threat environment the bank actually faces.
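The detection gap the court describes is worth making concrete: the bank's system scored the payment orders as high-risk on timing, value and geography, but the only response was an internal flag, and the money went out. The following is an added illustration, not the bank's system or any vendor product. The baseline, the score weights, the threshold and the payment orders are all constructed for the example; it contrasts a log-only response with one that holds a high-risk order pending out-of-band confirmation by the customer.

```python
"""Risk scoring of online payment orders, with two response policies.

Added illustration; not Ocean Bank's system. Baseline, weights, threshold
and sample orders are constructed assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PaymentOrder:
    order_id: str
    amount: float
    submitted: datetime          # timezone-aware
    origin_country: str          # assumption: geolocated from the session IP
    beneficiary_is_new: bool


@dataclass(frozen=True)
class CustomerBaseline:
    typical_max_amount: float    # largest routine payment seen for this customer
    usual_weekdays: frozenset    # datetime.weekday(): 0 = Monday ... 6 = Sunday
    usual_hours_utc: range       # hours in which the customer normally submits
    usual_countries: frozenset


HIGH_RISK = 50                   # constructed threshold for "high-risk"


def risk_score(order: PaymentOrder, base: CustomerBaseline) -> tuple[int, list[str]]:
    """Score an order against the customer's own history.

    Each signal mirrors one the court named: value, timing and geography,
    plus a new-beneficiary signal. Weights are constructed for the example.
    """
    score, reasons = 0, []
    if order.amount > 2 * base.typical_max_amount:
        score += 40
        reasons.append("value")
    off_day = order.submitted.weekday() not in base.usual_weekdays
    off_hour = order.submitted.hour not in base.usual_hours_utc
    if off_day or off_hour:
        score += 20
        reasons.append("timing")
    if order.origin_country not in base.usual_countries:
        score += 30
        reasons.append("geography")
    if order.beneficiary_is_new:
        score += 10
        reasons.append("new beneficiary")
    return score, reasons


def log_only_policy(order: PaymentOrder, base: CustomerBaseline) -> dict:
    """The pattern the court criticised: flag internally, then release anyway."""
    score, reasons = risk_score(order, base)
    return {"action": "release", "flagged": score >= HIGH_RISK,
            "score": score, "reasons": reasons, "customer_notified": False}


def hold_and_verify_policy(order: PaymentOrder, base: CustomerBaseline) -> dict:
    """Hold high-risk orders and require out-of-band customer confirmation.

    The confirmation channel (phone call, separately enrolled device) is out of
    scope here; the point is that a high score changes the action, not just a log.
    """
    score, reasons = risk_score(order, base)
    if score >= HIGH_RISK:
        return {"action": "hold", "flagged": True, "score": score,
                "reasons": reasons, "customer_notified": True}
    return {"action": "release", "flagged": False, "score": score,
            "reasons": reasons, "customer_notified": False}


# Constructed baseline: a business customer paying on weekdays, during US
# business hours, from the US, with routine payments up to $36,000.
BASELINE = CustomerBaseline(
    typical_max_amount=36_000.0,
    usual_weekdays=frozenset({0, 1, 2, 3, 4}),
    usual_hours_utc=range(13, 22),
    usual_countries=frozenset({"US"}),
)

# Constructed orders. "ZZ" is a placeholder for a country outside the baseline.
ROUTINE = PaymentOrder("ord-001", 35_000.0,
                       datetime(2009, 5, 8, 14, 0, tzinfo=timezone.utc),   # Friday
                       "US", beneficiary_is_new=False)
SUSPECT = PaymentOrder("ord-002", 90_000.0,
                       datetime(2009, 5, 10, 3, 0, tzinfo=timezone.utc),   # Sunday, 03:00 UTC
                       "ZZ", beneficiary_is_new=True)

if __name__ == "__main__":
    for order in (ROUTINE, SUSPECT):
        print(order.order_id, "log-only:", log_only_policy(order, BASELINE))
        print(order.order_id, "hold-and-verify:", hold_and_verify_policy(order, BASELINE))
```

Run as written, the suspect order scores 100 under both policies; the difference is that the log-only policy still returns `release` with the customer never told, which is the outcome the court found unreasonable given the bank's knowledge of the threat environment.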

The court found this failure to implement additional procedures especially unreasonable in light of the bank’s knowledge of ongoing fraud. As early as 2008, Ocean Bank had received notification of substantial increases in internet fraud involving keylogging malware. By May 2009, Ocean Bank had itself experienced at least two incidents of fraud on its system, which it attributed to either keylogging malware or internal fraud. In both instances, the perpetrators had acquired and successfully used the customer’s IDs, passwords, and answers to challenge questions.

The keylogger used to attack Patco was Zeus, a banking trojan commonly delivered by spearphishing: highly targeted emails crafted to deceive the recipient into installing malware or otherwise compromising their systems. SP Guard from Iconix defends against spearphishing attacks.

The case was sent back to the trial court for further proceedings consistent with the opinion of the Court of Appeals.