This post was also written by Frederick Lah.
The concept of “reasonableness” is found throughout the law and tends to develop slowly through the common law in a variety of geographies and commercial contexts. This uneven and unpredictable development of case-by-case rulings ultimately provides resilient standards, but at a great interim cost of uncertainty and litigation.
The First Circuit appears to have attempted to take a step toward defining what “reasonableness” means in the data security context. The court recently held that a local Maine bank failed to establish “commercially reasonable” security measures, as defined by the UCC, to prevent numerous fraudulent transactions from an account held by one of its commercial customers. Financial institutions (or any type of company for that matter) face myriad cyber threats pertaining to data security, ranging from malware to phishing schemes to data breaches. Falling prey to one of these threats can later lead to litigation, and quite often, the issue then becomes what kind of measures the company had in place to prevent such threats from being realized. The “reasonableness” of the company’s data security measures can serve as an important defense.
In this case, Ocean Bank authorized six apparently fraudulent withdrawals totaling $588,851.26 over the span of seven days, from an account held by Patco Construction Company, after the perpetrators were able to supply Patco’s answers to their challenge questions. Ocean Bank was able to recover some of the money but Patco still suffered a residual loss of approximately $345,000. These transactions were processed, without notification to Patco, even though Ocean Bank’s security system flagged these transactions as “high-risk” because of their timing, high value, and geographic locations. In addition, Ocean Bank lowered the dollar amount threshold above which a transaction would automatically trigger the challenge questions from $100,000 to $1. This meant that essentially every time Patco initiated a transaction, it would be required to answer the challenge questions. Cyber criminals equipped with keylogging capability therefore had more frequent opportunities to capture all information necessary to compromise an account. This, combined with the fact that Ocean Bank had the capacity to monitor and notify customers about suspicious activity but didn’t do so, led the court to hold that its security system was commercially unreasonable. It should be noted that the court’s finding was one of “unreasonableness” with respect to this specific set of facts, and that the court did not attempt to expressly set forth what measures would need to be in place to be considered “reasonable.”
The apparently favorable ruling for plaintiff’s attorneys raises the question of what exactly is a “commercially reasonable” security standard. In some way, the holding seems to suggest that banks should implement stronger security measures, especially if they have had recurring issues with data security. As for the use of challenge questions as a backstop, the court also placed emphasis on the fact that Ocean Bank’s security vendor previously cautioned that challenge questions are quicker and simpler to adopt, but are less secure. On the other hand, no security system can ever be completely secure, so it’s important for banks to objectively and realistically assess the entirety of their security systems to make sure they are prioritizing their efforts on the areas that pose the biggest security risks. Banks should combine both employee-driven policies and technology-based solutions for the most effective data security programs. What’s additionally important to note here is the First Circuit’s suggestion that customers also have “obligations and responsibilities” under the UCC. The court cited other sections from the UCC where a customer has a “duty of ordinary care,” but stopped short of setting forth any similar standard here, stating that, “[i]t is unclear, however, what, if any, obligations a commercial customer has when a bank’s security system is found to be commercially unreasonable.” The court left that question to be briefed on remand.
This case demonstrates that our courts are still in the early jurisprudential stages of developing a body of law around what is “reasonable” in the data security context.