On Further Review, Bank Gets $300,000 Bill

Here’s a piece from Wired that should make all of my banker friends just a little nervous. People’s United Bank, a regional bank headquartered in Connecticut, recently got socked for over $300,000 in damages to a customer whose electronic fund transfers were hacked over the course of a week in May 2009. The bank had won a summary judgment at the trial level, but the federal Court of Appeals for the First Circuit disagreed.

The question was whether the bank handled the data in a “commercially reasonable” fashion. The trial court apparently thought that since the bank spent big bucks on a security system, that was sufficient. The appellate court, though, took issue with some things the bank did as well as some things it didn’t do.

One of the troublesome things the bank did was requiring that bank employees answer security questions for every transaction over $1. Not a typo. $1. In other words, on every transaction, some bank employee had to answer those questions. While that might seem like more security than necessary, that system actually put the data at risk. Why? Because hackers using “keyloggers” had more opportunity to capture the data. If the security questions had been reserved for higher-risk transactions, it would have shrunk the pool of hackable (is that a word?) data.

And what the bank didn’t do was notify the customer when the security system flagged those unusual May 2009 transactions. Sort of a tree falling in an electronic forest.

So what’s the lesson here? There are several. First, don’t assume that installing a data security system necessarily eliminates the risk of liability in a breach. Second, check your insurance coverage. And finally, try to get an agreement from the security company to indemnify you in the event of a breach. It’s important to protect your customers, but don’t forget to protect yourself.
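To make the two points above concrete (challenge questions on every $1 transaction enlarge the keylogger exposure, and flags that nobody tells the customer about are useless), here is an added illustration in Python. It is not the bank’s system or anything from the Wired article; the customer name, transfer amounts, risk weights and the step-up threshold are all hypothetical, constructed only to compare a fixed-dollar challenge policy against a risk-based one.

```python
"""Fixed-dollar vs. risk-based step-up authentication for online transfers.

Added example, not the bank's code. Every number here is constructed.
The idea: challenge answers are credentials, and each time a user types them
a keylogger on that user's machine gets another chance to capture them. A
policy that asks for them on every transfer over $1 maximises that exposure;
a policy that asks only for high-risk transfers, and notifies the customer of
anything it flags, shrinks it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Transfer:
    customer: str
    amount: float
    new_device: bool    # session came from a device not seen for this customer before
    new_payee: bool     # destination account never used by this customer
    overseas_ip: bool   # IP geolocation outside the customer's usual country


@dataclass
class Outcome:
    challenged: bool    # customer had to type challenge answers (keylogger exposure)
    flagged: bool       # risk engine considered the transfer unusual
    notified: bool      # customer was told about the flagged transfer


def risk_score(t: Transfer, typical_amount: float) -> int:
    """Hypothetical additive risk score: 0 is routine, higher is riskier."""
    score = 0
    if t.amount > 3 * typical_amount:
        score += 2
    if t.new_device:
        score += 2
    if t.new_payee:
        score += 1
    if t.overseas_ip:
        score += 2
    return score


def fixed_dollar_policy(t: Transfer, typical_amount: float, threshold: float = 1.0) -> Outcome:
    """The practice criticised on the page: challenge every transfer over the
    dollar threshold, and keep risk flags internal (no customer notification)."""
    challenged = t.amount > threshold
    flagged = risk_score(t, typical_amount) >= 3
    return Outcome(challenged=challenged, flagged=flagged, notified=False)


def risk_based_policy(t: Transfer, typical_amount: float, step_up_at: int = 3) -> Outcome:
    """Reserve challenge questions for high-risk transfers and notify the
    customer whenever the engine flags one."""
    flagged = risk_score(t, typical_amount) >= step_up_at
    return Outcome(challenged=flagged, flagged=flagged, notified=flagged)


def evaluate(policy: Callable[[Transfer, float], Outcome],
             transfers: List[Transfer], typical_amount: float) -> Dict[str, int]:
    """Count challenge prompts (exposure), flags raised, and flags nobody told
    the customer about."""
    outcomes = [policy(t, typical_amount) for t in transfers]
    return {
        "challenges": sum(1 for o in outcomes if o.challenged),
        "flagged": sum(1 for o in outcomes if o.flagged),
        "silent_flags": sum(1 for o in outcomes if o.flagged and not o.notified),
    }


# Constructed week of activity for a hypothetical customer "acme": four
# routine transfers, one sub-dollar test transfer, and two that look like an
# account takeover (new device, new payee, foreign IP, unusually large).
TYPICAL_AMOUNT = 2000.0
SAMPLE_WEEK = [
    Transfer("acme", 1800.0, False, False, False),
    Transfer("acme", 2100.0, False, False, False),
    Transfer("acme", 1950.0, False, False, False),
    Transfer("acme", 1700.0, False, False, False),
    Transfer("acme", 0.50, False, False, False),
    Transfer("acme", 9500.0, True, True, True),
    Transfer("acme", 8800.0, True, True, True),
]

if __name__ == "__main__":
    for name, policy in (("fixed $1 threshold", fixed_dollar_policy),
                         ("risk-based step-up", risk_based_policy)):
        print(name, evaluate(policy, SAMPLE_WEEK, TYPICAL_AMOUNT))
```

Under the fixed-dollar policy the customer types the challenge answers six times in the week (everything but the $0.50 transfer), and both suspicious transfers are flagged but never reported to the customer. Under the risk-based policy the answers are typed only twice, on the two transfers that scored high, and both flags produce a notification. The score weights are deliberately simple; the design point is that the challenge prompt is itself sensitive data and should be spent sparingly.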