
Civil litigation: A better way to improve cybersecurity?

By Taylor Armerding, CSO
December 04, 2012 10:30 AM ET

CSO - A precedent-setting case in the world of electronic banking points to a better method for securing the nation's critical infrastructure from cyberattack, according to a former Department of Homeland Security (DHS) official.


Paul Rosenzweig, former assistant secretary for policy at DHS and founder of Red Branch Law & Consulting, said the recent settlement in Patco Construction v. People's United Bank shows how civil litigation can force banks to improve their online security practices. And if that can happen in the financial industry, it can also happen with a critical infrastructure operator, he said, and be more effective than federal cybersecurity legislation or regulation.

"In the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly -- imposing costs on those who stint their cybersecurity efforts in an unreasonable manner," Rosenzweig wrote in a recent post on Lawfare.

In the Patco case, the company, a small property developer and contractor in Sanford, Maine, sued People's United for authorizing six fraudulent withdrawals from its account in May 2009, totaling $588,851, even after the bank's security system had flagged each transaction as high-risk.

The fraudulent transactions -- six over seven days -- came from a computer that had never been used before by Patco, from an IP address not recognized as from Patco, and were for amounts greater by several magnitudes than any Patco had made to third parties before. The money was going to people Patco had never before paid. The bank was able to block or recover $243,406 of that total.

The First Circuit U.S. Court of Appeals ruling on July 3 was the first time a federal court found that a bank's electronic transaction security procedures failed to meet the standard required under the Uniform Commercial Code (UCC) as "commercially reasonable," putting the bank on the hook for losses due to fraud.

The court did not order the bank to pay damages. Instead, it remanded the case to the district court, with the strong suggestion that the parties "resolve this matter by agreement."

That resolution came late last month, with the bank agreeing to pay Patco all the money it lost to the hackers, plus about $45,000 in interest. Even though it was a settlement and not a judgment, Rosenzweig told CSO Online that it "sets a pretty good precedent because it established a broad principle about what is commercially reasonable."


"The important thing in all litigation is something you can hang your hat on," he said.

"The right way to develop cybersecurity performance standards [is] through a close, fact-bound and developmental process," he wrote earlier.

Not everyone is convinced of that. Stewart Baker, Rosenzweig's former boss when he was first assistant secretary for policy at DHS, and now of the law firm Steptoe & Johnson, said: "Civil litigation must be the slowest form of lawmaking known to man, apart from treaty negotiation."
