*NEWS*TONER CO SUES B.OF A. OVER VIRUSES


Date: Tuesday March 1, 2005 10:11:00 am

  • Anonymous
    Inactive

    Do Banks Have a Legal Duty to Notify Customers About Specific Computer Viruses?

    A Miami Suit Raises the Question

    In early February, Miami businessman Joe Lopez sued Bank of America to
    recover $90,000 that vanished from his online bank account. Lopez says the money
    was stolen after someone hacked into his personal computer and accessed his
    account information. And he says that Bank of America was negligent in failing
    to notify him of the computer virus that allowed the hacker easy access to his
    confidential banking information.

    This lawsuit appears to be the first suit by a customer against a U.S. bank
    to recover money apparently stolen by cyber criminals. It highlights an
    interesting question: Are personal computer users solely responsible for the
    security of their own PCs? Or might others, such as companies of which they are
    customers, be responsible too?

    The Facts of the Lopez Case

    In April 2004, Lopez logged on to check on a wire transfer he was expecting.
    (As head of Ahlo Inc., a five-person business that buys and sells printer ink
    and toner, Lopez often wires money to, and receives wire transfers from, U.S.
    and Latin America.)

    But when he checked his account, Lopez found that over $90,000 had been wired
    to Parex Bank in Riga, Latvia — without his approval. He alleges that about
    $20,000 had already been withdrawn, while the remaining $70,000 was subsequently
    frozen by Parex Bank, where the money remains.

    The U.S. Secret Service, which investigates computer-based attacks on banks,
    looked into the situation. In November, it sent Lopez a letter saying its
    “initial examination” had determined that a variant of a virus called
    “coreflood” had existed on his computer systems – but did not opine as to
    whether the virus had caused Lopez’s money loss.

    Still, it may be likely that coreflood did cause the loss: It is malicious
    software code that can give an attacker remote access to the infected system. As
    of now, it is unclear whether Bank of America was aware of the risks the virus
    posed.

    According to news reports, Bank of America’s assistant general counsel wrote
    to Mr. Lopez and his counsel, taking the position that the bank was not
    responsible for the loss because no one had hacked into the bank’s own system to
    initiate the funds transfer.

    Reportedly, the bank advised Mr. Lopez to contact Parex Bank and the Latvia
    Prosecutor’s office himself, to try and recover the money.

    Lopez decided to sue. He brought a variety of claims against the bank based
    on the theory that the bank was responsible for his loss because it failed to
    warn him about the coreflood virus.

    (Lopez also separately claimed that a large wire transfer to Latvia, which is
    known in financial and law enforcement circles for its problems with cyber
    criminals, should have raised a red flag – an issue that is beyond this column’s
    scope. A very specific body of law governs wire transfers. Banks, in many
    cases, are justified in accepting a wire transfer as valid as long as certain
    security procedures are followed.)

    Banks Should Be – and Are – Responsible for Their Own Computer Systems

    Should Bank of America be responsible for Lopez’s loss?

    Of course, banks should be legally responsible for maintaining appropriate
    security measures for their own networks. If a customer entrusts a bank with his
    money and his personal data, the bank should take reasonable precautions to keep
    the data safe. And if the bank provides a customer with software – something
    which did not happen in the Lopez case – that software should include
    proper security measures, too.

    And obviously, banks should have to notify customers of breaches to the
    banks’ own systems – especially when customer information may have been stolen.
    For instance, a 2003 California law requires businesses to promptly notify
    customers residing in California if a computer security breach may have resulted
    in the theft of their personal information.

    Moreover, warning customers of known risks to their PCs will always be a
    smart business practice on the bank’s part – regardless of whether it is legally
    mandated.

    But should banks have what, in effect, would be a legal duty to protect
    customers’ PCs?

    Banks Should Not Also Be Responsible for Protecting Customers’ Personal Computers

    In my view, the answer is no: The responsibility should remain solely with
    the PC user. Lopez, as well as other computer users, needs to install anti-virus
    software, and keep this software current.

    To hold banks legally responsible, I believe, is an unworkable solution.
    Analogously, while banks provide us with checkbooks, they are not – and should
    not be — responsible for monitoring our mailboxes to guard against the
    checkbooks’ theft.

    If banks were legally required to notify customers about any possible virus
    or threat, it’s likely a flood of notifications would follow. Would the
    notifications have to tell customers how to fix the problem or remove the virus?
    If not, they would be of little use. If so, they would be unduly burdensome for
    the bank.

    Different viruses impact different computers and operating systems in
    different ways. Would a given bank have to identify solutions for each of its
    customers? It seems much more efficient for each customer to have a relationship
    with a computer manufacturer or software company, which ought to be keeping
    track of the vulnerabilities of its product anyway.

    If banks have a duty to notify us of viruses, will they also have a duty to
    notify us of any possible financial scam? Many consumers, for example, are
    currently receiving phony emails that appear to come from their banks, asking
    them to update their account information online. This technique is known as
    “phishing”.

    These emails are hoaxes – they look real – but are generated by fraudsters
    who trick customers into providing confidential information online – leading to
    loss of money and identity theft. Yet, we cannot expect banks to notify their
    customers of every situation where someone sends out a fake email.

    In the end, the notion that banks and companies should have a legal duty to
    ensure that their customers take adequate precautions when it comes to their own
    PCs is not a practical approach. Tort law imposes a reasonable duty of care;
    asking banks to become experts in security issues for every computer on the
    market is unreasonable. The legal duty of banks to protect against hacking
    should be limited to their own networks, about which they are knowledgeable,
    and over which they have control.
