A federal court in Missouri has rejected an escrow firm's attempt to blame its bank for a $440,000 cyberheist in March 2010.
In a ruling last week, the U.S. District Court for the Western District of Missouri held that Choice Escrow and Title LLC had essentially failed to follow its bank's recommended security procedures and therefore had only itself to blame for the loss.
Choice filed a lawsuit against BancorpSouth in November 2010 after unknown attackers stole the username and password to the company's online bank account and used the credentials to transfer $440,000 to an account in Cypress.
Choice alleged that the theft occurred only because the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the Uniform Commercial Code (UCC). Choice Escrow maintained that BancorpSouth should have known the wire transfer request was fraudulent because it was initiated from outside the U.S -- something that had never happened before with its account.
In a countersuit, BancorpSouth noted that the wire transfer had been initiated by someone using Choice Escrow's legitimate login in credentials and from an IP address associated with the escrow firm's bank account.
Importantly, the bank said it had specifically asked Choice to adopt a dual-control process where two individuals would be needed to sign off on all wire transfer requests. Choice officials had declined the control, despite being warned about the risk of fraudulent wire transfers, the bank noted in a motion seeking a summary dismissal of the lawsuit.
U.S. District Court Judge John Maughmer held that BancorpSouth had indeed implemented commercially reasonable security measures and acted in good faith in handling the wire transfer request.
The judge noted that Choice had been informed about the importance of the dual-control process, but declined to use it. The escrow firm also declined to place a daily transfer limit on wire transfers, despite being informed about the risk of fraud.
"The court finds that the 'Dual Control' option offered by [Bancorpsouth] and refused by Choice did indeed meet the prevailing standards for good banking practices," Maughmer wrote in a 16-page ruling.
This is the second time that BancorpSouth has tried to dismiss the case against it. Last year, the bank claimed that it should not have been sued over the incident because Choice Escrow had signed a contract that included an agreement not to hold BancorpSuth responsible for losses stemming from a failure to use the online services in a secure manner. Maughmer however < href=" http://www.computerworld.com/s/article/9230730/Judge_dismisses_BancorpSouth_defense_in_online_theft_suit">threw out that motion.
The decision is the latest involving disputes between banks and commercial customers over losses stemming from fraudulent wire transfers. Over the past few years, cybercriminals have looted tens of millions of dollars from numerous small businesses, municipalities, school districts, and other entities using the same technique.
Sign up for Computerworld eNewsletters.