Federal Court of Appeals Sides with Bank in Online Hacking Case
By now many of you have heard about the encouraging Federal Court of Appeals ruling in the BancorpSouth case that was announced last month. In that case, internet fraudsters initiated an unauthorized wire for $440,000 out of an account Choice Escrow and Land Title LLC maintained at BancorpSouth. Choice sued BancorpSouth to recover the stolen funds. In 2013, a trial court sided with the bank and focused on the fact that BancorpSouth offered and recommended the use of dual controls to protect customer accounts. Choice expressly declined to utilize dual controls, thus allowing the thieves to access the account with a stolen user name and password. In June, the Eighth Circuit Court of Appeals in a significant ruling upheld the lower court and, notably, also held that the bank may be entitled to recover its legal fees from Choice.
BancorpSouth had originally sued to recover all of its legal fees and expenses associated with the defense. The lower court dismissed this claim, but the Court of Appeals reversed that decision and ordered further hearings on the matter. A finding that plaintiffs may have to pay the bank its legal fees if the customer loses could have a profound impact on similar cases being filed against banks in the future.
However, the ability to potentially recover legal fees from litigious customers will depend on several things, including the language in your internet banking agreements. While many agreements have indemnification provisions, not all are written as broadly as the provision cited in the BancorpSouth case. Also, Wisconsin is in the Seventh Circuit Court of Appeals jurisdiction, so the BancorpSouth decision is not binding here, but may be cited as precedent.
The decision reinforces what we have been advising banks on for years: it’s crucial to have "commercially reasonable" security procedures and strong agreements in place for their business internet banking product. Furthermore, your bank should offer enhanced methods of security, such as dual control, Positive Pay, etc., and document instances where a customer declines to utilize such measures, as in the BancorpSouth case.