TONER CO SUES B.OF A. OVER ONLINE VIRUSES
2005-03-01 at 10:07:00 am #10589
Do Banks Have a Legal Duty to Notify Customers About Specific
A Miami Suit Raises the
In early February, Miami businessman Joe Lopez sued Bank of America to
recover $90,000 that vanished from his online bank account. Lopez says the money
was stolen after someone hacked into his personal computer and accessed his
account information. And he says that Bank of America was negligent in failing
to notify him of the computer virus that allowed the hacker easy access to his
confidential banking information.
This lawsuit appears to be the first suit by a customer against a U.S. bank
to recover money apparently stolen by cyber criminals. It highlights an
interesting question: Are personal computer users solely responsible for the
security of their own PCs? Or might others – such as companies of which they are
customers – be responsible too?
The Facts of the Lopez Case
In April 2004, Lopez logged on to check on a wire transfer he was expecting.
(As head of Ahlo Inc., a five-person business that buys and sells printer ink
and toner, Lopez often wires money to, and receives wire transfers from, the
U.S. and Latin America.)
But when he checked his account, Lopez found that over $90,000 had been wired
to Parex Bank in Riga, Latvia — without his approval. He alleges that about
$20,000 had already been withdrawn, while the remaining $70,000 was subsequently
frozen by Parex Bank, where the money remains.
The U.S. Secret Service, which investigates computer-based attacks on banks,
looked into the situation. In November, it sent Lopez a letter saying its
“initial examination” had determined that a variant of a virus called
“coreflood” had existed on his computer systems – but did not opine as to
whether the virus had caused Lopez’s money loss.
Still, it may be likely that coreflood did cause the loss: It is malicious
software code that can give an attacker remote access to the infected system. As
of now, it is unclear whether Bank of America was aware of the risks the virus
According to news reports, Bank of America’s assistant general counsel wrote
to Mr. Lopez and his counsel, taking the position that the bank was not
responsible for the loss because no one had hacked into the bank’s own system to
initiate the funds transfer.
Reportedly, the bank advised Mr. Lopez to contact Parex Bank and the Latvia
Prosecutor’s office himself, to try and recover the money.
Lopez decided to sue. He brought a variety of claims against the bank based
on the theory that the bank was responsible for his loss because it failed to
warn him about the coreflood virus.
(Lopez also separately claimed that a large wire transfer to Latvia, which is
known in financial and law enforcement circles for its problems with cyber
criminals, should have raised a red flag – an issue that is beyond this column’s
scope. A very specific body of law governs wire transfers. Banks, in many
cases, are justified in accepting a wire transfer as valid as long as certain
security procedures are followed.)
Banks Should Be – and Are – Responsible for Their Own Computer
Should Bank of America be responsible for Lopez’s loss?
Of course, banks should be legally responsible for maintaining appropriate
security measures for their own networks. If a customer entrusts a bank with his
money and his personal data, the bank should take reasonable precautions to keep
the data safe. And if the bank provides a customer with software – something
which did not happen in the Lopez case – that software should include
proper security measures, too.
And obviously, banks should have to notify customers of breaches to the
banks’ own systems – especially when customer information may have been stolen.
For instance, a 2003 California law requires businesses to promptly notify
customers residing in California if a computer security breach may have resulted
in the theft of their personal information.
Moreover, warning customers of known risks to their PCs will always be a
smart business practice on the bank’s part – regardless of whether it is legally
But should banks have what, in effect, would be a legal duty to protect
Banks Should Not Also Be Responsible for Protecting Customers’ Personal
In my view, the answer is no: The responsibility should remain solely with
the PC user. Lopez, like every other computer user, needs to install anti-virus
software and keep it current.
To hold banks legally responsible, I believe, is an unworkable solution.
Analogously, while banks provide us with checkbooks, they are not – and should
not be — responsible for monitoring our mailboxes to guard against the
If banks were legally required to notify customers about any possible virus
or threat, it’s likely a flood of notifications would follow. Would the
notifications have to tell customers how to fix the problem or remove the virus?
If not, they would be of little use. If so, they would be unduly burdensome for
Different viruses impact different computers and operating systems in
different ways. Would a given bank have to identify solutions for each of its
customers? It seems much more efficient for each customer to have a relationship
with a computer manufacturer or software company, which ought to be keeping
track of the vulnerabilities of its product anyway.
If banks have a duty to notify us of viruses, will they also have a duty to
notify us of any possible financial scam? Many consumers, for example, are
currently receiving phony emails that appear to come from their banks, asking
them to update their account information online. This technique is known as
These emails are hoaxes. They look real, but they are generated by fraudsters
who trick customers into providing confidential information online, leading to
loss of money and identity theft. Yet we cannot expect banks to notify their
customers of every situation where someone sends out a fake email.
In the end, the notion that banks and companies should have a legal duty to
ensure that their customers take adequate precautions when it comes to their own
PCs is not a practical approach. Tort law imposes a reasonable duty of care;
asking banks to become experts in security issues for every computer on the
market is unreasonable. The legal duty of banks to protect against hacking
should be limited to their own networks – about which they are knowledgeable,
and over which they have control.