Taking Responsibility for Security

If you left your car unlocked with valuables visible in the front seat, would you blame the car manufacturer if someone stole those items? I doubt you would, and I seriously doubt anyone would listen if you tried. But a recent US Federal Court of Appeals ruling in the case of Patco Construction v. People’s United Bank might indicate that yes, the car manufacturer, or in this case a bank, is liable.

The case revolves around the plaintiff, whose credentials and account information were compromised. The cyber thieves were then able to log in to the bank’s site and initiate several transfers totaling more than half a million dollars. When the fraud was reported, the bank was able to recover about half of the stolen funds, but it refused to refund Patco the rest of the stolen money.

In this case the bank’s position was that Patco was negligent enough to have its passwords, account info and usernames stolen. Why should the bank bear the cost of Patco’s mistake? The bank said that Patco should be responsible for its own losses. It is hard to argue against the bank’s position. Why should the bank bear the loss, when it had nothing to do with Patco exposing its credentials?

But Patco is understandably upset given the size of the loss, and it has a valid concern: the bank’s own internal systems flagged the transactions as suspect and yet did not stop them. Patco’s argument is that regardless of why or how the fraud was initiated, the bank must provide commercially reasonable controls to prevent fraud. The court was persuaded by this argument.

For now, the case has been sent back down for adjudication, and the court suggested to both parties that they try to settle before a verdict. But the case itself brings up a bigger issue:

When does an organization or individual have to take responsibility for its own actions on security? If the bank were held liable in the Patco case, what message does that send? One could say the message is: don’t worry too much about your online banking credentials, because at the end of the day, if anything bad happens, the bank is liable anyway. I don’t think that is the message we should be sending. How can we expect banks to take on this exposure without figuring that risk into the fee equation?

No doubt there are many instances of negligence and poor security where consumers should hold the failing institution liable for loss of money or information. But there must be some shared responsibility for security.