However, the judge conceded that Ocean Bank could have done a better job detecting the fraud. He also ruled that the bank had provided clear notice to Patco of its online authentication measures and security controls as well as the extent to which it could be held liable for any mishaps.
On appeal, the First Circuit Court of Appeals in Boston earlier this year overturned that ruling and held that the theft resulted from Ocean Bank's poor security measures. A three-judge panel at the appellate court ruled that the bank had failed to implement commercially reasonable measures to properly authenticate users during ACH transactions. The court also faulted the bank for failing to monitor for suspicious transactions and for failing to alert customers about such transactions.
At the same time, the court held that more hearings were needed to determine how much responsibility Patco should bear for failing to protect its login credentials and urged the two sides to work out a compromise.
The case is important because it was one of the first to raise questions about a bank's responsibility to protect customers against fraudulent ACH transfers. Over the past few years hundreds of small businesses, school districts and municipalities have been victims of the same kind of theft that hit Patco. Both the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have repeatedly warned small businesses about the problem and noted that hundreds of millions of dollars have been siphoned out of the country in the past few years in this way.
The settlement still leaves unanswered the question of who should be responsible for such breaches, said Avivah Litan, an analyst at Gartner. It does not throw light on how much protection companies have under the Uniform Commercial Code (UCC) in such circumstances, she said.
"I think the settlement proves that it's worth the banks' while to prevent these breaches and account takeovers in the first place," Litan said via email.
"No one really wins in a lawsuit involving account takeover. The banks are better equipped to prevent account takeover than their customers are, although certainly customers should institute whatever security measures they have access to," she added.